Harvest now, decrypt later

the migration business

3 min readQuantum Explained

Key facts

2029Google, Mar 2026
CRQC estimate
8-12xvs product spend
Services share
Few $bnPQC migration
Market 2026
Tens of $bnprojected
Market 2036
20 yrsconfidentiality at risk
Data horizon

The migration business. The threat model that drives every deadline.

The threat model

Harvest now, decrypt later is the threat model that quietly drives every post-quantum deadline. The premise is uncomfortable but simple: an adversary who can intercept and store encrypted traffic today does not need to break it today. It can wait. The assumption security agencies now work to is that well-resourced attackers are already collecting encrypted data and filing it away, betting that a future quantum computer will unlock it. Under harvest now, decrypt later, any information captured in 2026 that has to stay secret for twenty years is, for practical purposes, already exposed.

Mosca’s framework

That reframing changes the arithmetic of risk. The standard tool for thinking it through is Mosca’s framework, which lines up three durations against one another: how long an organisation will take to migrate its systems to quantum-safe cryptography, how long its data has to remain confidential, and how many years remain before a cryptographically relevant quantum computer exists. If the migration time plus the confidentiality lifetime is longer than the time to a capable machine, the organisation is already losing data to harvest now, decrypt later. The awkward part is the third number, which no one knows for certain. Google research published in March 2026 suggested such a machine could arrive as early as 2029, a date early enough to collapse the comfortable assumption that this is a problem for the 2040s.

The migration business

The response has grown into a substantial industry, and its shape is revealing. The migration framework documents issued by the National Security Agency, NIST, ENISA and the large consultancies broadly agree that the spending will be dominated by services and integration rather than products, by a margin of something like eight to twelve times. The software libraries that implement the new algorithms are, in a sense, the easy part; the expensive part is the human work of finding, testing and replacing cryptography that is buried across decades of systems. Estimates put the market at a few billion dollars in 2026, rising towards tens of billions by 2036.

Discovery and crypto agility

The reason the bill falls so heavily on services is that most of the work is discovery and inventory rather than cryptography as such. Before an organisation can protect itself against harvest now, decrypt later, it has to know where its cryptography actually lives: in applications, in network appliances, in embedded devices, in contracts with suppliers, in protocols no one has examined in years. Building that inventory, and keeping it current, is slow, unglamorous and unavoidable. This is why the idea of crypto agility has become central, meaning the ability to swap cryptographic algorithms in future without rebuilding everything from scratch, so the next transition is less painful than this one.

What to watch

The signals that will sharpen the picture are concrete. Any firmer estimate of when a cryptographically relevant quantum computer might exist moves every Mosca calculation at once, so hardware milestones are read closely by security planners as well as physicists. On the defensive side, the useful measures are how many organisations have completed a genuine cryptographic inventory, how much of the market really flows to services as predicted, and whether crypto agility becomes standard practice or remains an aspiration.

Harvest now, decrypt later is, in the end, a bet about time, and the uncomfortable feature of the bet is that the defender has to act before the threat is proven. Waiting for a quantum computer to be demonstrated before starting to migrate would, by the logic of the model, be waiting far too long. That is why regulators have chosen firm deadlines over caution, and why the migration business is booming well ahead of the machine that justifies it. For the cryptography being replaced, see our crypto explainers; for the hardware timeline, our quantum explainers.