Quantum-Safe IoT: Why the Cryptography Migration Cannot Wait
Millions of IoT devices rely on encryption that quantum computers will eventually be able to break. The first international standards for quantum-safe cryptography have been in place since 2024. The EU is demanding migration of critical systems by 2030. For developers and decision-makers in the IoT space, the clock is running.
Key Takeaways
- The US NIST finalized three post-quantum cryptography standards in August 2024 (ML-KEM, ML-DSA, SLH-DSA) — the starting gun for a migration that NIST wants completed by 2035 and the EU by 2030.
- The threat is not a future problem: the “Harvest Now, Decrypt Later” attack scenario means state actors are already collecting encrypted IoT data today, waiting for a quantum computer to decrypt it later.
- The world largely agrees on timing — but not on algorithms: South Korea and China are pursuing their own standards, creating a concrete multi-algorithm challenge for manufacturers of global IoT products.
Why today’s encryption has an expiry date
Connecting an IoT device to a network means trusting encryption. TLS connections, firmware updates, authentication against cloud platforms: all of it rests on asymmetric (public-key) cryptography, methods like RSA or elliptic curves. The underlying principle is straightforward. Recovering a private key from its public key requires so much computational effort that it is practically impossible on classical computers; factoring an RSA-2048 modulus with the best known classical algorithms is commonly estimated at roughly 300 trillion years on today's hardware.
Quantum computers operate on a different physical principle. Instead of classical bits that are either 0 or 1, they use qubits, which can exist in a superposition of both states. This allows certain algorithms to solve specific mathematical problems far faster than any known classical method, and the integer-factoring and discrete-logarithm problems that underpin RSA and elliptic-curve cryptography are among them. Shor's algorithm, named after mathematician Peter Shor, could break RSA-2048 in around eight hours using 20 million noisy qubits, according to a research paper by Gidney and Ekerå published in 2021. More recent work by Gidney from 2025 reduces the estimate to under one million noisy qubits, at the price of a longer runtime of under a week.
No such quantum computer exists today. But research is moving fast. According to a 2024 study by Germany's Federal Office for Information Security (BSI), which underpins the EU roadmap, a so-called Cryptographically Relevant Quantum Computer (CRQC), a machine large and reliable enough to run Shor's algorithm against deployed key sizes, is considered feasible within a maximum of 16 years, potentially much sooner if current progress in error correction and hardware holds up. For devices being installed today with a lifespan of a decade or more, that is not a distant horizon.
“Harvest Now, Decrypt Later”: the threat that already exists
More pressing than the CRQC timeline is an attack scenario that is already active today: “Harvest Now, Decrypt Later”, or HNDL. The principle is as simple as it is unsettling. Adversaries — typically state actors with the necessary resources — are capturing encrypted data streams right now, even though they cannot yet decrypt them. They wait. Once a sufficiently powerful quantum computer is available, the archived data can be cracked retrospectively.
For IoT scenarios this is concrete: an industrial sensor transmitting measurements over an encrypted connection, a medical device sending patient data to the cloud, a smart meter infrastructure aggregating consumption data — all of these are potential targets. The data may look worthless today. In five or ten years, once context has shifted or a quantum computer is available, that assessment may look very different. The EU Commission explicitly names this scenario — referred to in its documents as “Store Now, Decrypt Later” — as the reason why migration cannot wait for an actual CRQC to appear.
What NIST finalized in 2024
In August 2024, the US National Institute of Standards and Technology (NIST) published three final post-quantum cryptography standards, based on algorithms evaluated over years through an open international competition:
- FIPS 203 / ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, formerly CRYSTALS-Kyber): the primary standard for key establishment, already used in hybrid TLS key exchange. Public keys and ciphertexts of around 1 KB at the ML-KEM-768 parameter set (far larger than an elliptic-curve key, but compact by post-quantum standards) and fast execution.
- FIPS 204 / ML-DSA (Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium): the standard for digital signatures, relevant for firmware authentication and code signing. Signatures are around 3.3 KB at ML-DSA-65, considerably larger than an ECDSA signature.
- FIPS 205 / SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+): a hash-based signature scheme serving as a backup, resting only on the security of hash functions rather than on lattice assumptions, at the cost of much larger signatures (roughly 8 KB and up) and slower signing, which matters on constrained devices.
NIST explicitly recommends starting integration now, and its draft transition guidance (NIST IR 8547) sets the schedule: quantum-vulnerable algorithms such as RSA and ECDSA are to be deprecated from 2030 and disallowed in US federal standards after 2035.
For resource-constrained IoT hardware, a particularly relevant data point: ML-KEM running on an ARM Cortex-M0+ — the processor core found in countless low-cost microcontrollers — completes a full key exchange in around 35.7 milliseconds at an estimated energy cost of 2.83 millijoules. According to a recent benchmark paper, that is 17 times faster than the incumbent ECDH-P256 method on the same hardware. PQC and the embedded world are not fundamentally incompatible — but careful planning is required.
What the EU roadmap means in practice
Alongside NIST, the European Commission published a recommendation on a coordinated PQC migration roadmap on 11 April 2024. The NIS Cooperation Group of EU member states subsequently developed a joint roadmap with concrete milestones in June 2025:
By end of 2026, every EU member state is expected to have established a national transition plan and initiated first steps. By end of 2030, critical infrastructures — energy, telecoms, financial services, healthcare — must have completed their migration to quantum-safe cryptography. By 2035, the transition should be completed for as many remaining systems as practically feasible.
What this means for IoT products is made concrete by the EU Cyber Resilience Act (CRA): from 11 December 2027 its obligations apply in full to products with digital elements placed on the EU market, including the requirements that vulnerabilities can be addressed through security updates and that data is protected with state-of-the-art encryption. Anyone developing an industrial controller, smart meter, or connected medical device today without building in the ability to update its cryptographic mechanisms is heading for compliance problems.
No global lockstep: what algorithm divergence means for global products
The good news first: the 2030/2035 timeline is not a purely European phenomenon. Japan's National Cybersecurity Office (NCO) has set a binding deadline of 2035 for government agencies, explicitly recommending the same concepts as the EU, crypto agility and hybrid approaches. Australia is moving even more aggressively: the Australian Signals Directorate calls for the retirement of classical public-key cryptography by 2030. The USA, UK, Canada, Japan and Australia all follow NIST algorithms at their core. For IoT products sold in these markets, the common denominator is clear: implement the NIST algorithms, ML-KEM for key establishment and ML-DSA for signatures.
The picture gets more complex once South Korea or China enter the picture. South Korea concluded its own national PQC competition in January 2025, standardizing four homegrown algorithms: SMAUG-T and NTRU+ for key encapsulation, HAETAE and AIMer for digital signatures. Mathematically, most of these schemes rest on the same families of problems as the NIST algorithms. SMAUG-T, for instance, is built on the same mathematical foundations as ML-KEM, so-called lattice problems: computations in high-dimensional point grids for which no efficient quantum algorithm is known. But they are different schemes, with different key sizes, different wire formats and different certification paths. A global product targeting South Korea needs to support them separately.
China is the real outlier. The national standardization body ICCS launched its own PQC algorithm competition in February 2025 — explicitly independent of NIST, driven in part, according to expert assessments, by political distrust of potential backdoors in US-led standards. China’s GB/T national standards for PQC algorithms have not yet been published, which means: anyone shipping IoT devices into China today is operating in a grey zone. Mandatory PQC requirements do not yet exist — but they are coming, and they will almost certainly be built on different algorithms than those of the West.
For manufacturers of global IoT products, this creates an architectural requirement that goes beyond crypto agility in the traditional sense. It is not enough to keep algorithms updateable. The connection negotiation itself needs to support multiple algorithms simultaneously. The IETF is working on exactly this: hybrid key exchange for TLS 1.3 (draft-ietf-tls-hybrid-design) defines combined groups such as X25519MLKEM768 that are negotiated through the existing supported_groups and key_share extensions, so a device and its peer agree on the best common group from the pool each supports, just as TLS negotiates groups and cipher suites today. Building IoT architectures this way means being prepared for a world with multiple parallel PQC standards, and avoiding the scenario of maintaining a separate firmware variant for every target market.
What developers and decision-makers can do now
Three concepts define the pragmatic approach to PQC migration in the IoT space.
The first is crypto agility: the ability of a system to swap out cryptographic algorithms without replacing the entire hardware or firmware stack. Anyone designing new devices today should treat cryptographic mechanisms as a replaceable layer — not hardwired into the code.
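What "cryptographic mechanisms as a replaceable layer" looks like in code, as an added example written for this article (not code from the article, from NIST or from any vendor): a firmware verifier that dispatches on an algorithm identifier carried in the manifest, so an algorithm is added or retired through a registry and a policy flag rather than by editing the verification logic. Only a hash-based Lamport one-time signature is implemented, because it needs nothing beyond the standard library and belongs to the same family of ideas as the WOTS+ building block inside SLH-DSA; the commented ML-DSA-65 entry marks where a FIPS 204 implementation would plug in. The manifest layout, the algorithm identifiers and the sample image are this example's own assumptions, not a standard.

```python
"""Crypto-agile firmware verification with a registry of signature verifiers.

Added example, not the article's code. Only Lamport-SHA256 is implemented;
"ml-dsa-65" is a placeholder for a FIPS 204 implementation.
"""
import hashlib
import secrets

N = hashlib.sha256().digest_size          # 32-byte hash, 256 message bits


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# ---- Lamport one-time signature (hash-based) --------------------------------
def lamport_keygen():
    """Secret key: 256 pairs of random preimages. Public key: their hashes.
    A Lamport key signs ONE message; signing twice reveals preimages for both
    bit values and enables forgery. SLH-DSA exists to lift that restriction
    while keeping the hash-only security assumption."""
    sk = [(secrets.token_bytes(N), secrets.token_bytes(N)) for _ in range(8 * N)]
    pk = b"".join(_h(a) + _h(b) for a, b in sk)
    return sk, pk


def _bits(msg: bytes):
    d = _h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(8 * N)]


def lamport_sign(sk, msg: bytes) -> bytes:
    # For every bit of H(msg), reveal the preimage belonging to that bit value.
    return b"".join(sk[i][bit] for i, bit in enumerate(_bits(msg)))


def lamport_verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 2 * 8 * N * N or len(sig) != 8 * N * N:
        return False
    ok = True
    for i, bit in enumerate(_bits(msg)):
        revealed = sig[i * N:(i + 1) * N]
        expected = pk[(2 * i + bit) * N:(2 * i + bit + 1) * N]
        # No early exit: every chunk is checked so timing does not reveal where it failed.
        ok &= secrets.compare_digest(_h(revealed), expected)
    return ok


# ---- Agile registry: algorithm id -> (verify function, quantum-safe flag) ----
class UnsupportedAlgorithm(ValueError):
    pass


VERIFIERS = {
    "lamport-sha256": (lamport_verify, True),
    # "ml-dsa-65": (ml_dsa_65_verify, True),     # plug in a FIPS 204 implementation here
    # "ecdsa-p256": (ecdsa_p256_verify, False),  # legacy: retired by policy, not by code edits
}


def pack_manifest(alg: str, sig: bytes, image: bytes) -> bytes:
    """Manifest = alg-id (1-byte length + UTF-8) || sig (4-byte length) || image.
    Layout is this example's own convention."""
    a = alg.encode()
    return bytes([len(a)]) + a + len(sig).to_bytes(4, "big") + sig + image


def parse_manifest(blob: bytes):
    n = blob[0]
    alg = blob[1:1 + n].decode()
    off = 1 + n
    slen = int.from_bytes(blob[off:off + 4], "big")
    off += 4
    return alg, blob[off:off + slen], blob[off + slen:]


def verify_firmware(blob: bytes, trust_store: dict, require_quantum_safe: bool = True) -> bool:
    """trust_store maps algorithm id -> public key provisioned at manufacture
    (ROM or OTP on a real device; never taken from the manifest itself)."""
    alg, sig, image = parse_manifest(blob)
    if alg not in VERIFIERS:
        raise UnsupportedAlgorithm(alg)            # fail closed on unknown identifiers
    verify, quantum_safe = VERIFIERS[alg]
    if require_quantum_safe and not quantum_safe:
        return False                               # policy: no downgrade to classical
    pk = trust_store.get(alg)
    return pk is not None and verify(pk, image, sig)


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    image = b"constructed firmware image v1.2.0"   # constructed sample input
    blob = pack_manifest("lamport-sha256", lamport_sign(sk, image), image)
    print(verify_firmware(blob, {"lamport-sha256": pk}))          # True
    tampered = blob[:-1] + bytes([blob[-1] ^ 0x01])
    print(verify_firmware(tampered, {"lamport-sha256": pk}))      # False
```

The verifier core never names an algorithm: retiring ECDSA or adding ML-DSA is a registry change plus a new public key in the trust store, and the `require_quantum_safe` flag is the policy switch that an update can flip once the fleet is ready. Note that a real Lamport or WOTS key must never sign twice, which is precisely why a stateless many-time scheme like SLH-DSA, or ML-DSA, is what goes into production.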
The second is hybrid schemes: NIST allows, and ENISA and the EU roadmap recommend, running a classical and a quantum-safe algorithm in parallel during the transition period. A hybrid TLS handshake performs both an ECDH (for example X25519) and an ML-KEM key exchange and derives the session keys from both shared secrets, so the connection is only broken if both are. If ML-KEM turns out to have an undiscovered flaw, ECDH still holds; if a quantum computer breaks ECDH, ML-KEM still holds. This costs extra bytes in the handshake (an ML-KEM-768 public key and ciphertext are each over 1 KB), but it protects in both directions.
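The two mechanics behind this, multi-algorithm negotiation from a shared pool (the IETF point in the previous section) and the hybrid combination of two shared secrets (this paragraph), as one added example written for this article. It is not code from the IETF drafts or from any TLS library. "X25519MLKEM768" and "x25519" are real TLS group names; "SMAUGT128X25519" is a made-up name standing in for a Korean hybrid group. The X25519 and ML-KEM-768 shared secrets are constructed random bytes rather than outputs of the real algorithms, because only the negotiation, the combiner and the entry point into the TLS 1.3 key schedule are shown.

```python
"""TLS 1.3-style group negotiation over a mixed pool, then the hybrid combiner.

Added example, not code from draft-ietf-tls-hybrid-design or any TLS stack.
"SMAUGT128X25519" is hypothetical; the shared secrets are constructed bytes.
"""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HLEN = HASH().digest_size

# Pool of groups the firmware supports, tagged with whether each is quantum-safe.
GROUPS = {
    "X25519MLKEM768": True,    # ML-KEM-768 + X25519 hybrid (draft-ietf-tls-ecdhe-mlkem)
    "SMAUGT128X25519": True,   # hypothetical SMAUG-T + X25519 hybrid for the Korean market
    "x25519": False,           # classical only
    "secp256r1": False,        # classical only
}


def negotiate(client_groups, client_key_shares, server_prefs, require_pq=False):
    """Server-side choice as in TLS 1.3: walk the server's preference list and
    take the first group the client also listed in supported_groups. If the
    client sent no key_share for it, a HelloRetryRequest is needed so the
    client can supply one. Returns (group, needs_hrr); group is None when
    nothing is in common and the handshake fails."""
    for g in server_prefs:
        if g not in client_groups:
            continue
        if require_pq and not GROUPS.get(g, False):
            continue                      # policy: never fall back to classical-only
        return g, g not in client_key_shares
    return None, False


# ---- HKDF (RFC 5869) and the TLS 1.3 labels (RFC 8446 section 7.1) ----------
def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    lbl = b"tls13 " + label.encode()
    info = length.to_bytes(2, "big") + bytes([len(lbl)]) + lbl + bytes([len(context)]) + context
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(secret, t + info + bytes([i]), HASH).digest()
        out += t
        i += 1
    return out[:length]


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)


def hybrid_shared_secret(ss_mlkem: bytes, ss_x25519: bytes) -> bytes:
    """draft-ietf-tls-hybrid-design combiner: plain concatenation of the two
    fixed-length shared secrets. For X25519MLKEM768 the ML-KEM secret comes
    first (draft-ietf-tls-ecdhe-mlkem). Lengths are checked so the
    concatenation cannot be ambiguous."""
    if len(ss_mlkem) != 32 or len(ss_x25519) != 32:
        raise ValueError("ML-KEM-768 and X25519 shared secrets are 32 bytes each")
    return ss_mlkem + ss_x25519


def handshake_secret(shared_secret: bytes, psk: bytes = b"") -> bytes:
    """TLS 1.3 key schedule up to the Handshake Secret. The hybrid secret is
    used where RFC 8446 writes '(EC)DHE'; nothing else in the schedule changes,
    which is why hybrid groups slot into existing TLS stacks cleanly."""
    early = hkdf_extract(bytes(HLEN), psk or bytes(HLEN))
    derived = derive_secret(early, "derived", b"")
    return hkdf_extract(derived, shared_secret)


if __name__ == "__main__":
    offered = ["x25519", "X25519MLKEM768", "secp256r1"]          # client supported_groups
    group, hrr = negotiate(offered, {"x25519"}, ["X25519MLKEM768", "x25519"])
    print(group, "HRR needed:", hrr)          # X25519MLKEM768 HRR needed: True
    ss = hybrid_shared_secret(os.urandom(32), os.urandom(32))    # constructed stand-ins
    print(handshake_secret(ss).hex())
```

Two things to take from it: a server that lists a hybrid group first gets it whenever the client offers it, at the cost of one HelloRetryRequest round trip if the client guessed wrong about which key_share to send (IoT clients should send the hybrid key_share up front to avoid that); and because the handshake secret is extracted from the concatenation, an attacker must recover both halves, so knowing the X25519 secret alone yields a different and useless key.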
The third is a cryptographic inventory: a structured overview of every system and connection in the organization's ecosystem that uses cryptographic mechanisms. Anyone who does not know where RSA or ECDSA lives in their stack cannot plan a migration. For larger deployments, the EU roadmap recommends maintaining a Cryptographic Bill of Materials (CBOM), a machine-readable inventory of cryptographic assets across the supply chain, for which CycloneDX 1.6 provides a standardized format.
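A minimal version of such an inventory, as an added example written for this article (not the EU roadmap's or CycloneDX's own tooling): it parses constructed fleet records, rates each cryptographic asset by quantum risk, emits a CycloneDX-1.6-style CBOM and derives the migration backlog from it. The record format, the device names and the classification table are this example's assumptions; the output mirrors the CycloneDX 1.6 cryptographic-asset fields (`cryptoProperties.assetType`, `algorithmProperties.primitive`, `nistQuantumSecurityLevel`) but is not validated against the schema.

```python
"""Cryptographic inventory -> CycloneDX-1.6-style CBOM -> migration backlog.

Added example, not the article's or CycloneDX's code. Fleet records are
constructed sample data; the CBOM fields are modelled on CycloneDX 1.6 but
the output is not schema-validated.
"""
import json
import re

# algorithm id -> (primitive, NIST PQC security category; 0 = quantum-vulnerable).
# Unknown identifiers deliberately fall through to category 0 (fail closed).
ALGORITHMS = {
    "rsa-2048": ("signature", 0), "rsa-3072": ("signature", 0),
    "ecdsa-p256": ("signature", 0), "ecdh-p256": ("key-agree", 0),
    "x25519": ("key-agree", 0),
    "ml-kem-768": ("kem", 3), "ml-dsa-65": ("signature", 3),
    "slh-dsa-sha2-128s": ("signature", 1),
    "aes-128-gcm": ("ae", 1), "aes-256-gcm": ("ae", 5),
}
ROLES = ("kex", "sig", "aead")          # record keys that name an algorithm
REC = re.compile(r"(\w+)=([\w.+-]+)")

FLEET = [  # constructed sample records, not real telemetry
    "device=sensor-a protocol=tls1.3 kex=x25519 sig=ecdsa-p256 aead=aes-128-gcm updatable=yes",
    "device=gateway-1 protocol=tls1.3 kex=ml-kem-768+x25519 sig=ml-dsa-65 aead=aes-256-gcm updatable=yes",
    "device=meter-7 purpose=firmware-signing sig=rsa-2048 updatable=no",
]


def parse_record(line: str) -> dict:
    return dict(REC.findall(line))


def quantum_level(spec: str):
    """A '+'-joined spec is a hybrid. Against a quantum adversary it is as
    strong as its strongest component (assuming a sound combiner), so the
    level is the max over components. Returns (level, components)."""
    parts = spec.split("+")
    return max(ALGORITHMS.get(p, ("unknown", 0))[1] for p in parts), parts


def build_cbom(lines) -> dict:
    components = []
    for line in lines:
        rec = parse_record(line)
        for role in ROLES:
            if role not in rec:
                continue
            level, parts = quantum_level(rec[role])
            primitive = ALGORITHMS.get(parts[0], ("unknown", 0))[0]
            components.append({
                "type": "cryptographic-asset",
                "name": rec[role],
                "cryptoProperties": {
                    "assetType": "algorithm",
                    "algorithmProperties": {
                        "primitive": primitive,
                        "nistQuantumSecurityLevel": level,
                    },
                },
                "properties": [
                    {"name": "device", "value": rec["device"]},
                    {"name": "role", "value": role},
                    {"name": "hybrid", "value": str(len(parts) > 1).lower()},
                    {"name": "updatable", "value": rec.get("updatable", "unknown")},
                ],
            })
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": components}


def migration_backlog(cbom: dict) -> list:
    """Every level-0 asset needs action; a device that cannot be updated in
    the field is a hardware replacement, not a firmware ticket."""
    out = []
    for c in cbom["components"]:
        if c["cryptoProperties"]["algorithmProperties"]["nistQuantumSecurityLevel"] > 0:
            continue
        props = {p["name"]: p["value"] for p in c["properties"]}
        action = "replace-hardware" if props["updatable"] == "no" else "migrate"
        out.append({"device": props["device"], "asset": c["name"], "action": action})
    return out


if __name__ == "__main__":
    cbom = build_cbom(FLEET)
    print(json.dumps(cbom, indent=2))
    for item in migration_backlog(cbom):
        print(item)
```

In practice the records would come from TLS scans, certificate stores, firmware manifests and HSM configurations rather than a hand-written list, but the classification rule is the part worth getting right: anything classical and public-key is level 0 regardless of key size, a hybrid inherits the level of its post-quantum component, and an asset nobody recognizes is treated as vulnerable until proven otherwise.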
One uncomfortable truth remains: some low-cost IoT devices already in the field, or currently being planned, will not be upgradeable to PQC. Too little RAM, too little flash storage, no update mechanism. For these devices, hardware replacement will eventually be necessary. That is not a reason for panic, but it is an argument for making this decision consciously and documenting it — rather than inheriting it unintentionally.
No reason for panic — but every reason to act
A cryptographically relevant quantum computer does not exist today. The threat is real, but not immediate. What is immediate is the lifespan of the devices being developed and deployed right now. A sensor with a ten-year operational life, commissioned in 2025, will still be running in 2035 — the year by which NIST intends to have removed quantum-vulnerable algorithms from its standards entirely.
The tools are available. NIST standards are finalized, early implementations for embedded hardware exist, and the regulatory framework in the EU points clearly in one direction.
What is missing, in many organizations, is still the prioritization.