On April 7, 2026, Cloudflare said it is now targeting 2029 to be fully post-quantum secure across its product suite, including the harder and more consequential piece: post-quantum authentication. That matters because this is not just about encrypting traffic in transit. It is about upgrading the trust layer of the Internet itself.

And this did not happen in isolation.

Just days earlier, Google announced its own 2029 timeline for post-quantum cryptography migration and said it is prioritizing PQC migration for authentication services, arguing that encryption is already a present-day issue because of store-now-decrypt-later attacks, while digital signatures and authentication must be upgraded before a cryptographically relevant quantum computer arrives.

That is the signal.

When two of the most technically sophisticated companies in the world independently converge on essentially the same date, enterprise leaders should stop asking whether post-quantum migration is real and start asking whether their own timelines are already too slow.

Cloudflare’s message is especially important because it is operational, not theoretical.

The company says it already provides post-quantum encryption for the majority of its products, and that more than 65% of human traffic to Cloudflare is post-quantum encrypted. But it also says the job is not finished until authentication is upgraded too, and that deep dependency chains plus third-party vendor complexity mean this migration will take years, not months.

That should land hard in every boardroom.

Because most enterprises are not one environment. They are an ecosystem: cloud providers, SaaS tools, browsers, APIs, certificates, IAM layers, contractors, suppliers, telecom links, managed security partners, internal legacy systems, and business processes that were never designed for cryptographic replacement at scale. Cloudflare explicitly recommends making post-quantum support a procurement requirement and assessing critical vendors early based on what their inaction would mean to the business.

This is exactly why 2029 is not just a technology date. It is a governance date.

It is also why many enterprises are still underestimating the problem.

Too many teams still think PQC is only about swapping algorithms someday. It is not. NIST finalized its first three PQC standards in August 2024: FIPS 203 (ML-KEM) for general encryption, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) as a backup signature standard. NIST also says quantum-vulnerable algorithms will be deprecated and ultimately removed from standards by 2035, with high-risk systems moving earlier.

So the issue is no longer “Are there standards?”

The issue is: Can your organization actually execute the migration before the deadline compresses further?

Cloudflare’s roadmap makes that challenge concrete. Its published milestones point to PQ authentication support for Cloudflare-to-origin connections in mid-2026, visitor-to-Cloudflare connections using Merkle Tree Certificates in mid-2027, Cloudflare One SASE becoming fully PQ secure in early 2028, and full post-quantum security in 2029. Separately, Cloudflare has already been extending hybrid ML-KEM across Cloudflare One’s TLS, MASQUE, and IPsec paths to protect traffic against harvest-now-decrypt-later risk.

That roadmap is useful because it shows what serious migration looks like: staged, standards-based, dependency-aware, and tied to real infrastructure.

This is where enterprise strategy needs to mature.

First, protect data that has long shelf life. If sensitive data needs to remain secret for 7, 10, or 15 years, then waiting for perfect certainty is already the wrong move. Store-now-decrypt-later risk means adversaries can collect encrypted traffic and data today, then wait for future capabilities. Both Google and Cloudflare are treating this as real enough to accelerate.

Second, stop treating cryptography like a one-time project. The winners here will not just be the companies that “adopt PQC.” The winners will be the companies that build cryptographic agility: the ability to discover where cryptography lives, prioritize exposure, and change algorithms and policies without ripping apart production systems. QuSecure’s positioning is directly aligned with this need; it frames crypto-agility as the ability to swap and layer algorithms, keys, and protocols quickly, and emphasizes migration with minimal disruption rather than rip-and-replace.

Third, test before you certify yourself as ready. This is where an evidence-first approach matters. AI PQ Audit should sit in the workflow as a readiness and assurance layer: validating where quantum-vulnerable cryptography still exists, where migration plans break, how exposed systems behave under realistic attack and dependency scenarios, and whether leadership is getting measurable proof instead of slideware.

Fourth, do not ignore identity. If authentication is becoming the priority, then identity assurance becomes more important, not less. iValt fits here as a control point for high-risk approvals and sensitive workflows, helping ensure that as cryptographic trust models shift, human and machine approvals are not left as the weakest link.

That last point is the one many miss.

Post-quantum migration is not only a cryptography problem. It is a trust architecture problem.

You can upgrade tunnels and certificates, but if your approval flows, admin actions, privileged access paths, and third-party identities remain weak, you have only modernized one layer of the stack. Quantum resilience without identity assurance and governance is incomplete.

That is why the most important line in the Cloudflare announcement may not be the 2029 target itself. It is the statement that upgrading to post-quantum cryptography is not enough and that vulnerable cryptography must also be turned off to prevent downgrades. In other words: partial migration is not the end state. Real migration means removing fallback risk, rotating exposed secrets, and dealing with the ugly operational truth of dependencies.

This is also why boards and executive teams should care now.

Because once the market leaders start anchoring dates, those dates begin to shape customer expectations, procurement standards, insurance questions, regulator scrutiny, and competitive positioning. The companies that move early will look prudent. The companies that wait may suddenly look negligent.

We are watching the shift happen in real time.

First Google. Now Cloudflare.

Not panic. Not hype. But a very clear directional message from two companies with deep cryptographic expertise and global-scale infrastructure:

The timeline is tightening. The trust layer is being re-architected. And 2029 is starting to look a lot less like an aspiration and a lot more like a planning assumption.

What enterprises should do now

Inventory where quantum-vulnerable cryptography lives across apps, networks, certificates, APIs, devices, and third-party dependencies. Prioritize high-value data and systems exposed to harvest-now-decrypt-later risk. Require post-quantum roadmaps from critical vendors and make PQ support part of procurement. Build cryptographic agility so migration can happen without massive rip-and-replace disruption. QuSecure is one example of the type of platform category enterprises should be evaluating. Use an evidence-first validation layer such as AI PQ Audit to test exposure, readiness, and actual migration execution. Strengthen identity assurance for sensitive approvals and machine-to-machine trust paths with architectures such as iValt. Put this on the board-level risk agenda now, before the deadline gets even shorter.

Hashtags

PostQuantumCryptography #PQC #QuantumSecurity #Cybersecurity #Cloudflare #Google #Cryptography #CryptoAgility #QuantumComputing #ZeroTrust #IdentitySecurity #MachineIdentity #DigitalTrust #EnterpriseSecurity #CISO #BoardRisk #HNDL #HarvestNowDecryptLater #QuSecure #AIPQAudit #iValt

Source links

Cloudflare post-quantum roadmap: https://blog.cloudflare.com/post-quantum-roadmap/

Google PQC migration timeline: https://blog.google/innovation-and-ai/technology/safety-security/cryptography-migration-timeline/

Google quantum-era security overview: https://blog.google/innovation-and-ai/technology/safety-security/the-quantum-era-is-coming-are-we-ready-to-secure-it/

NIST finalized PQC standards announcement: https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

NIST PQC project page: https://csrc.nist.gov/projects/post-quantum-cryptography

Cloudflare One post-quantum SASE update: https://blog.cloudflare.com/post-quantum-sase/

QuSecure crypto-agility overview: https://www.qusecure.com/cryptographic-agility-crypto-agility/