Post-quantum cryptography: time window is running out

The survey was conducted by the management and IT consultancy MHP among 1060 IT experts in Germany and the USA. According to the survey, the "Q-Day" - the moment when quantum computers can break existing encryption - is particularly critical. The "store now, decrypt later" scenario still poses a threat today: data is intercepted and stored so that it can be decrypted later. This makes it all the more important that companies and organizations deal with post-quantum cryptography (PQC) promptly and make their products and systems quantum-safe.

USA ahead in automation

PQC receives significantly more attention in companies than the public debate would suggest. Around 86.6% of organizations in Germany are driving the topic of post-quantum cryptography forward - from strategic planning and pilot projects to active migration. 14.3 percent even state that they have already migrated their critical systems to quantum-resistant encryption.

The picture is similar in the USA: 87.3% of companies there are concerned with PQC, 15.4% of which have already implemented corresponding security measures. Companies without any activities are clearly in the minority - with 9.8 percent in Germany and 8.9 percent in the USA.

However, there are clear differences in operational implementation. While many German companies still rely on manual inventory (41.7%), automated approaches already dominate in the USA (50.8%). This is precisely where the speed and scalability of the transition to new crypto standards will be decided.

Time is running against the companies

companies are aware of the urgency and impact of quantum computers. In Germany, 45.3% expect Q-Day within the next five years until 2031, in the USA even 55.2%. A further 39 percent in Germany and 33.5 percent in the USA expect it to happen in the next ten years by 2036.

At the same time, almost all of the companies surveyed stated that they have large amounts of sensitive data that must be backed up for ten years or more. So if Q-Day comes within the next five years, as most respondents assume, some of this data will already be compromised.

The estimated time required to complete the technical migration to PQC is particularly critical. For the most part, 53.4 percent of German companies anticipate two to five years, with 27.5 percent even expecting five to ten years. The picture is almost similar in the USA, with 51.8 percent expecting two to five years and 21.8 percent five to ten years. Those who have not yet done anything or are just in the planning phase could be left behind in the future.

Complex legacy systems as the main factor for slow implementation

Several factors are slowing down or preventing companies from switching to PQC: complex legacy systems are at the forefront, accounting for 33.8% in Germany and 35% in the USA. They slow companies down in many areas and are difficult to overcome. There is hardly any significant difference between the sectors surveyed. In second place in Germany is a lack of budget or resources at 19.6 percent, while in the USA it is primarily a lack of internal cryptography expertise at 21.5 percent. A lack of perception of urgency comes in second to last place in Germany with 13.8% and in the USA with 11.3%.

"If you get your legacy systems under control, you can also make the switch to PQC in good time - but you shouldn't waste any more time," explains Christian Zgardea, Partner at MHP. "There is nothing to lose. Even apart from PQC, it is worth keeping your own systems under control and limiting uncontrolled growth."

Framework data of the survey

The survey was conducted online from February 5 to 16, 2026. 1,060 IT experts from companies with at least 500 employees in Germany and the USA were surveyed. The results are representative, were analyzed using quotas and take into account a statistical error of 4.3 percentage points.