Security soothsayers predict we’ll reach Q-day, when quantum computers can break current encryption, sometime in the 2030s. But Google plans to be ready before that—aggressively targeting 2029 as the deadline to migrate completely to post-quantum cryptography. 

That puts Google well ahead of the NSA, which plans to move to PQC by 2031—other government agencies are aiming for 2035. 

Noting that “quantum computers will pose a significant threat to current cryptographic standards, and specifically to encryption and digital signatures,” Google wrote in a blog that “the threat to encryption is relevant today with store-now-decrypt-later attacks, while digital signatures are a future threat that require the transition to PQC before a Cryptographically Relevant Quantum Computer (CRQC).” It adjusted its timeline accordingly to “prioritize PQC migration for authentication services,” which it points out is “an important component of online security and digital signature migrations.” 

The company said it is its “responsibility to lead by example and share an ambitious timeline. By doing this, we hope to provide the clarity and urgency needed to accelerate digital transitions not only for Google, but also across the industry.” 

And Google is offering a sign of good faith, underscoring its migration plans. “As an example of our ongoing PQC commitments, Android 17 is integrating PQC digital signature protection using ML-DSA in alignment with the National Institute of Standards and Technology (NIST),” according to the blog post. “This continues to put advanced PQC technology directly into the hands of our customers, building on our Google Chrome support for PQC, providing PQC solutions in the cloud and insights and guidance for leaders on their PQC journey.” 

“Google’s announcement of a 2029 timeline for postquantum cryptography migration reinforces how quickly the cryptographic landscape is evolving,” says Jason Soroko, senior fellow at Sectigo.  

That same year, Soroko says, “the CA/Browser Forum will reduce the maximum SSL/TLS certificate lifespan to just 47 days, a 12× increase in renewal frequency that fundamentally changes how organizations must operate.” 

Currently, Sectigo’s research shows that “90% of organizations see a direct overlap between preparing for short-lived certificates and preparing for PQC adoption.” 

And, he says, the “parallel 2029 deadlines are not coincidental; they represent two sides of the same challenge: preparing for a world where cryptography must be updated far more frequently and with far greater agility.” 

Indeed, the “convergence of these deadlines is in some way harmonious: As Google advances the PQC timeline, and as certificate validity shrinks to 47 days, the ecosystem must move together,” Soroko says. 

“Continued collaboration through the IETF and the CA/Browser Forum will be essential to ensuring that organizations can rotate keys, algorithms, and certificates quickly and safely, building the agility needed to secure the quantum era,” he explains. 

Sectigo’s research indicates that organizations “appear to be taking PQC preparation more seriously than the upcoming shift to 47-day certificate lifespans, even though the deadlines attached to certificate lifespans occur sooner,” suggesting that  “PQC is viewed as a strategic, long-term imperative tied to existential threats, whereas the 47-day change is seen as a more tactical, operational hurdle.” The research found that 14% of organizations “have done a full assessment of quantum-vulnerable systems, while 90% have budgets allocated to PQC preparedness initiatives in the next 12 months and a few more than that (92 percent) plan to increase their investments in PQC over the next 2-3 years”. 

Sectigo says that taking PQC more seriously than shortened certificated lifespans “may underestimate the urgency of near-term risks: Failure to prepare for shortened certificate lifespans is far more likely to result in immediate outage, application failure, and trust disruption.” 

The shorter certificate lifespan is solvable and can be automated, the research contends, “While PQC represents a future-breaking threat, the 47-day challenge poses a present-breaking one, and both require equal prioritization in any robust crypto agile strategy.”