Harvest now, decrypt later
the migration business
Key facts
- 2029Google, Mar 2026
- CRQC estimate
- 8-12xvs product spend
- Services share
- Few $bnPQC migration
- Market 2026
- Tens of $bnprojected
- Market 2036
- 20 yrsconfidentiality at risk
- Data horizon
The migration business. The threat model that drives every deadline.
The threat model
Harvest now, decrypt later is the threat model that quietly drives every post-quantum deadline. The premise is uncomfortable but simple: an adversary who can intercept and store encrypted traffic today does not need to break it today. It can wait. The assumption security agencies now work to is that well-resourced attackers are already collecting encrypted data and filing it away, betting that a future quantum computer will unlock it. Under harvest now, decrypt later, any information captured in 2026 that has to stay secret for twenty years is, for practical purposes, already exposed.
Mosca’s framework
That reframing changes the arithmetic of risk. The standard tool for thinking it through is Mosca’s framework, which lines up three durations against one another: how long an organisation will take to migrate its systems to quantum-safe cryptography, how long its data has to remain confidential, and how many years remain before a cryptographically relevant quantum computer exists. If the migration time plus the confidentiality lifetime is longer than the time to a capable machine, the organisation is already losing data to harvest now, decrypt later. The awkward part is the third number, which no one knows for certain. Google research published in March 2026 suggested such a machine could arrive as early as 2029, a date early enough to collapse the comfortable assumption that this is a problem for the 2040s.
The migration business
The response has grown into a substantial industry, and its shape is revealing. The migration framework documents issued by the National Security Agency, NIST, ENISA and the large consultancies broadly agree that the spending will be dominated by services and integration rather than products, by a margin of something like eight to twelve times. The software libraries that implement the new algorithms are, in a sense, the easy part; the expensive part is the human work of finding, testing and replacing cryptography that is buried across decades of systems. Estimates put the market at a few billion dollars in 2026, rising towards tens of billions by 2036.
Discovery and crypto agility
The reason the bill falls so heavily on services is that most of the work is discovery and inventory rather than cryptography as such. Before an organisation can protect itself against harvest now, decrypt later, it has to know where its cryptography actually lives: in applications, in network appliances, in embedded devices, in contracts with suppliers, in protocols no one has examined in years. Building that inventory, and keeping it current, is slow, unglamorous and unavoidable. This is why the idea of crypto agility has become central, meaning the ability to swap cryptographic algorithms in future without rebuilding everything from scratch, so the next transition is less painful than this one.
What to watch
The signals that will sharpen the picture are concrete. Any firmer estimate of when a cryptographically relevant quantum computer might exist moves every Mosca calculation at once, so hardware milestones are read closely by security planners as well as physicists. On the defensive side, the useful measures are how many organisations have completed a genuine cryptographic inventory, how much of the market really flows to services as predicted, and whether crypto agility becomes standard practice or remains an aspiration.
Harvest now, decrypt later is, in the end, a bet about time, and the uncomfortable feature of the bet is that the defender has to act before the threat is proven. Waiting for a quantum computer to be demonstrated before starting to migrate would, by the logic of the model, be waiting far too long. That is why regulators have chosen firm deadlines over caution, and why the migration business is booming well ahead of the machine that justifies it. For the cryptography being replaced, see our crypto explainers; for the hardware timeline, our quantum explainers.