Time is Running Out: IT Systems Lag Behind the Quantum Threat

• 9 out of 10 surveyed companies in Germany and the US are already actively advancing Post-quantum cryp-tography – from pilot projects to full migration
• The majority expect a breakthrough in powerful quantum computers (“Q-Day”) within the next five to ten years
• Time is tight: migrating to new encryption typically takes 2-5 years, and complex legacy systems further slow the transition
• Germany and the US are broadly on par in PQC progress, though structural differences exist in the details

Ludwigsburg – Companies face a strategic dilemma: Quantum computers will soon be able to break today’s encryption – while many organizations will take years to upgrade to new security standards. A recent survey by MHP, among 1,060 IT experts in Germany and the US shows: the window of opportunity is closing – including for German companies.

The most critical point is the “Q-Day” – the moment when quantum computers can compromise existing encryption. The threat is already present through the “store now, decrypt later” scenario: data is intercepted and stored today to be decrypted later. This makes it more important than ever for companies and organizations to engage with Post-quantum cryptography (PQC) and to make their products and systems quantum-resistant.

Quantum threat turns concrete: US ahead in automation

More attention is being paid to PQC in companies than the public debate suggests. Around 86.6 percent of organizations in Germany are getting to grips with the subject of Post-quantum cryptography – with measures ranging from strategic planning and pilot projects to active migration. Furthermore, 14.3 percent even state that they have already migrated their critical systems to quantum-resistant encryption.

Dr Jan Wehinger, Partner at MHP: “This development cannot be halted, which makes it all more important to focus even more on the subject of PQC. The impact of quantum computing on cybersecurity is real and not some distant future scenario.”

It is a similar picture in the US, where 87.3 percent of companies are dealing with PQC and 15.4 percent of them have already taken corresponding security measures. Just 9.8 percent of German and 8.9 percent of US organizations are yet to undertake any kind of activities in this area.

There are differences when it comes to making an inventory of cryptographic assets and their locations. Among German companies, 41.7 percent only keep manual lists of critical systems, while 32.7 percent keep automatic lists. The US is much further ahead in this respect, with just 30.1 percent still manually managing their lists and 50.8 percent using automated inventories. 

The awareness is there – but not the time

Companies are aware of the urgency and impact of quantum computers. In Germany, 45.3 percent expect Q-Day to come within the next five years – by 2031 – while in the US the figure is as high as 55.2 percent. Another 39 percent in Germany and 33.5 percent in the US expect it within the next ten years – by 2036.

At the same time, almost all companies surveyed say they have considerable quantities of sensitive data that need to be backed up for ten or more years – so if Q-Day comes within the next five years, as assumed by most respondents, some of this data will already be compromised.

The estimated time needed to complete the technical migration to PQC is particularly critical. At 53.4 percent, more than half of German companies expect it to take two to five years, while 27.5 percent even think it will take five to ten years. The picture is almost identical in the US, with 51.8 percent expecting to achieve it in two to five years and 21.8 percent in five to ten years. Those who are yet to do anything at all or are still in the planning phase could be left behind in the future. 

Complex legacy systems the main factor in slow implementation

Several factors are slowing down or preventing companies from making the transition to PQC. Prime among them are complex legacy systems, cited by 33.8 percent of respondents in Germany and 35 percent in the US. They are hampering companies in many places and are difficult to overcome. There is no significant difference here in the sectors surveyed. In second place in Germany is a lack of budget or resources, cited by 19.6 percent of companies, while 21.5 percent of respondents in the US point to a lack of internal cryptography expertise. Insufficient awareness of the urgency of the situation is the factor in second-last place, cited by 13.8 percent of respondents in Germany and 11.3 percent in the USA.

“Those who manage to bring their legacy systems under control can also make the transition to PQC in a timely manner – but they shouldn’t lose any more time,” explained Christian Zgardea, Partner at MHP. “There is nothing to lose. Even aside from the issue of PQC, it is worth keeping your own systems under control at all times and preventing things getting out of hand.”

The full survey can be found here: How well prepared companies are for the end of classical encryption

Key data used in the survey

The survey was conducted online from February 5 to 16, 2026. In Germany and the US, 1,060 IT experts from companies with at least 500 employees were surveyed. The results are representative and have been evaluated using quotas, taking into account a statistical margin of error of 4.3 percentage points.