What Is Q-Day and Why Should You Care Now?
Q-Day is the point at which a sufficiently powerful quantum computer can break the public-key cryptography that protects virtually everything online: TLS connections, VPNs, digital signatures, certificate authorities, banking transactions, and government communications. RSA-2048 and elliptic curve cryptography, the algorithms that underpin modern digital trust, will become trivially breakable by a cryptographically relevant quantum computer running Shor's algorithm. Most credible estimates place Q-Day between 2030 and 2035. That sounds far away until you consider two things. First, migrating cryptographic infrastructure across an enterprise takes years, not months. Second, the most dangerous attack is already happening today.
Harvest Now, Decrypt Later
Nation-state adversaries and advanced threat groups are intercepting and storing encrypted data today, with the explicit intention of decrypting it once quantum computers become available. If your organisation transmits data that will still be sensitive in ten years, that data is already at risk.
The NIST Post-Quantum Standards Are Here
The National Institute of Standards and Technology finalised its first set of post-quantum cryptography standards in 2024 after an eight-year evaluation process. Three algorithms were standardised: ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA as a hash-based signature backup. These are not theoretical. They are production-ready standards with implementations available in major cryptographic libraries. Google, Cloudflare, and Apple have already begun deploying hybrid post-quantum key exchange in production systems.
2030-2035
estimated timeline for cryptographically relevant quantum computers
5-10 years
typical enterprise cryptographic migration timeline
< 5%
of SA enterprises have begun post-quantum readiness assessments
Why South African Financial Services Must Lead
South Africa's financial services sector processes trillions of rands in transactions annually, all protected by classical cryptography. The South African Reserve Bank, the JSE, and the major retail banks operate infrastructure where cryptographic failure would be catastrophic. POPIA requires organisations to implement appropriate measures to protect personal information. Once post-quantum standards exist, failing to adopt them will increasingly be seen as a failure to meet that standard of appropriateness.
You do not need a quantum computer to be a victim of the quantum threat. You only need an adversary who is patient enough to wait.
Crypto-Agility: The Architecture That Buys You Time
The single most important concept in post-quantum readiness is crypto-agility: the ability to swap cryptographic algorithms across your infrastructure without rebuilding systems from scratch. Most enterprises today have cryptographic dependencies hardcoded into applications, embedded in hardware security modules, baked into firmware, and scattered across thousands of TLS certificates. Crypto-agility requires a centralised cryptographic inventory, abstraction layers that decouple applications from specific algorithms, and governance processes that allow rapid algorithm rotation.
The Bottom Line
Q-Day is not a question of if, but when. The data you transmit today may be decrypted by adversaries within the decade. South African organisations, particularly in financial services, healthcare, and government, cannot afford to treat this as a future problem. Start now.
Sources & Further Reading
Start your crypto-agility assessment
Talk to our security advisory team about your specific environment.
Book a Briefing