.webp?width=300&name=1200x800_0063_arqit_new_brand_general-(02).webp)
This month (April 2026) two large tech companies announced that they're bringing forward their PQC timelines. Roberta Faux, Arqit's Head of Cryptography breaks down what's happened and what it actually means for enterprises.
.png?width=300&name=Heading%20(1).png)
What happened
Google disclosed it had materially improved a quantum algorithm for breaking elliptic curve cryptography - the crypto underpinning much of the TLS authentication on the internet today. They didn't publish the algorithm, but released a zero-knowledge proof that it exists.
The same day, a quantum computing company called Oratomic published a resource estimate showing that breaking P-256, one of the most widely deployed elliptic curves in the world, might require as few as 10,000 qubits.
To put that into context: the industry has been planning around a requirement of millions of qubits. 10,000 is a different conversation entirely.
Cloudflare looked at that and moved their internal Q-Day estimate from "probably 2035 or later" to "possibly 2030. Or earlier." Google did the same. Both set hard 2029 internal deadlines.
I think that's the right call. And I'll go further - it's overdue.
What does it mean?
But let's be honest about what a 2029 deadline actually means - because Google and Cloudflare can do something most enterprises cannot. They control their own infrastructure. They have the engineering teams, the budget, and the ability to update their own systems on their own schedule.
Most enterprises are running cryptography they don't fully control. It’s embedded in vendor software, legacy systems, OT environments, and devices that haven’t been updated in years. And most organizations have no idea where their RSA-2048 or ECC P-256 exposure actually is.
What should enterprises do?
There are guidelines around where to start. The first step starts with visibility.
Understand where RSA and ECC live in your environment - your TLS certificates, your code signing infrastructure, your authentication systems, your third-party dependencies, the hardware you can't update. That inventory is the non-negotiable starting point. Without it, you're reacting to a deadline you're not positioned to meet.
2029 is three years away. Cryptographic migrations in complex enterprise environments typically take longer than that. Google and Cloudflare just told you the runway is shorter than you thought.
Arqit can help your organization prepare for PQC migration by understanding where cryptographic risks lie as a starting point.
14 April 2026
Roberta Faux, US Head of Cryptography, Arqit
