
Trump Order Sets 2030 Deadline for Post-Quantum Cryptography
Two executive orders set hard crypto deadlines - key exchange by 2030, digital signatures by 2031 - and name an attack already in progress.
On June 22, Trump signed two executive orders on quantum computing. Two very different bets. One pours federal resources into building the first science-enabling quantum computer. The other - EO 14409 - tells agencies they have until December 31, 2030, to migrate key establishment to post-quantum cryptography, and until December 31, 2031, for digital signatures. Adversaries can collect encrypted data today and decrypt it once a large enough quantum machine exists - the executive order names that attack directly: harvest now, decrypt later. The deadline exists because that collection is already happening.
One Order Builds Quantum Computers. The Other Guards Against Them.
One order establishes the Quantum Computer for Application Development and Discovery Science effort. Departments of Energy, Commerce, and the Intelligence Community coordinate the build alongside U.S. industry. Federal agencies and NASA have five years to deploy quantum-enabled sensors and networks. No qubit target appears in the public fact sheet - the goal is a machine capable of accelerating scientific discovery, with an assessment of required resources to follow.
Funding the build and mandating protection from it on the same day is a coherent position - it acknowledges that capable quantum computers will arrive and tries to control both sides of the equation. Whether both timelines hold is a separate question.
Key Establishment by 2030. Digital Signatures by 2031.
Federal agencies previously had until 2035, set by the 2022 National Security Memorandum 10. EO 14409 compresses that by four to five years. Key establishment - the handshake that secures most encrypted sessions - must move to quantum-resistant algorithms by December 31, 2030. Digital signatures follow by December 31, 2031.
NIST finalized the three target algorithms in August 2024. Key establishment moves to ML-KEM, also known as CRYSTALS-Kyber, standardized as FIPS 203. Digital signatures use ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). The RSA and elliptic curve schemes they replace break under Shor's algorithm when quantum computers reach sufficient scale, a threshold that our quantum computing explainer covers in detail. The standards have been ready for almost two years. EO 14409 turns them into a schedule with consequences.
Agency clocks start fast. Within 30 days, each agency head names a PQC migration lead who reports to the CIO. Within 90 days, OMB issues guidance requiring agencies to inventory high-value assets, plan migrations, and submit those plans. NIST runs a complete pilot migration on its own systems by December 31, 2027 - going first to set the template. Within 270 days, CISA and NIST publish minimum elements for a cryptographic bill of materials: a machine-readable inventory of every cryptographic asset in a piece of hardware or software. Mandating a cryptographic bill of materials is practical in a way most cybersecurity orders are not - you cannot migrate algorithms you do not know you are running.
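To show how a machine-readable inventory can be checked against the two deadlines above, here is an added example (not from the order or from any agency tooling). The record layout, asset names and `SAMPLE_CBOM` are constructed for illustration, since the CISA/NIST minimum elements are not yet published.

```python
from datetime import date

# Deadlines and target algorithms as stated in the article.
DEADLINES = {"key-establishment": date(2030, 12, 31),
             "signature": date(2031, 12, 31)}
PQC_TARGETS = {"key-establishment": ("ML-KEM",),
               "signature": ("ML-DSA", "SLH-DSA")}
# Public-key families Shor's algorithm breaks (RSA, finite-field and elliptic-curve).
SHOR_BROKEN = ("RSA", "ECDH", "ECDSA", "DH", "DSA")

# Constructed sample inventory; hypothetical layout, not a published CBOM schema.
SAMPLE_CBOM = [
    {"asset": "vpn-gateway", "function": "key-establishment", "algorithm": "ECDHE-P256"},
    {"asset": "code-signing", "function": "signature", "algorithm": "RSA-3072"},
    {"asset": "api-frontend", "function": "key-establishment", "algorithm": "ML-KEM-768"},
    {"asset": "firmware-updater", "function": "signature", "algorithm": "ML-DSA-65"},
    {"asset": "legacy-appliance", "function": "key-establishment", "algorithm": None},
    {"asset": "disk-encryption", "function": "symmetric", "algorithm": "AES-256-GCM"},
]

def classify(record):
    """Return (status, deadline, targets) for one inventory record."""
    function = record.get("function")
    if function not in DEADLINES:
        return ("out-of-scope", None, ())
    algorithm = (record.get("algorithm") or "").upper()
    if algorithm.startswith(PQC_TARGETS[function]):
        return ("pqc", None, ())
    if algorithm.startswith(SHOR_BROKEN):
        return ("migrate", DEADLINES[function], PQC_TARGETS[function])
    # Unknown or missing algorithm: it cannot be scheduled until it is identified.
    return ("review", DEADLINES[function], PQC_TARGETS[function])

def triage(cbom):
    """List assets needing action, earliest deadline first, unknowns before known."""
    findings = []
    for record in cbom:
        status, deadline, targets = classify(record)
        if status in ("migrate", "review"):
            findings.append({"asset": record["asset"], "status": status,
                             "deadline": deadline.isoformat(), "targets": list(targets)})
    return sorted(findings, key=lambda f: (f["deadline"], f["status"] != "review"))

if __name__ == "__main__":
    for finding in triage(SAMPLE_CBOM):
        print(finding)
```

Entries with no recorded algorithm are surfaced first within each deadline, because they have to be identified before a migration can be planned.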
The Threat Behind Both Orders Is Already Active
Harvest now, decrypt later is not theoretical. Nation-state actors collect encrypted government and corporate data today, store it, and wait for quantum hardware capable of breaking the encryption retroactively. Any data encrypted with RSA or elliptic curve that adversaries have already captured becomes readable once a powerful enough quantum computer arrives - regardless of when that data was originally transmitted.
Federal contractors face their own deadline. The Federal Acquisition Regulatory Council has 180 days to propose a FAR clause requiring covered contractors to meet NIST FIPS standards - including the new post-quantum algorithms - by December 31, 2030. A second proposed FAR rule, due within 270 days, would fold cryptographic failures into contractor vulnerability disclosure programs. Agencies that miss their own deadlines must report to OMB explaining why.
Google moved its internal post-quantum cryptography deadline to 2029, ahead of the new federal requirement. Commerce announced $2.1 billion in federal financing incentives for nine quantum companies in May 2026 under the CHIPS and Science Act. Both moves predate the orders - signals the administration had been building toward this moment for months.
Bitcoin Has 7 Million Vulnerable Addresses and No Migration Deadline
Bitcoin, Ethereum, and most major blockchain protocols rely on ECDSA - elliptic curve digital signature algorithm - to secure wallets and sign transactions. A March 2026 paper estimated that breaking the elliptic curve cryptography behind Bitcoin could require fewer than 500,000 physical qubits. Current quantum computers sit well below 1,000 qubits. Real gap. Real direction.
Coinbase's quantum advisory council estimates about 7 million BTC - roughly $440 billion - sits in addresses where the public key is permanently exposed on-chain, making those coins vulnerable when capable quantum hardware arrives. Addresses that have only ever received funds expose only a hash. Any address that has sent a transaction exposes its public key forever.
Two Bitcoin Improvement Proposals are in active development. BIP-360, built by BTQ Technologies, introduces quantum-resistant address types and is running on a testnet. BIP-361 goes further - it proposes freezing Bitcoin in legacy vulnerable addresses unless owners migrate by a set date, a proposal that drew sharp debate because it would lock out anyone who lost access to their original keys. Ripple's engineering team has been investigating post-quantum cryptography standards for the XRP Ledger since 2024.
No blockchain protocol has set a migration deadline. EO 14409 applies to federal agencies and their contractors - private infrastructure carries no mandate yet. But a federal 2030 deadline, a FAR clause covering contractors, and $2.1 billion in quantum industry financing all point in one direction. How long before "encouraged" becomes something else is the question neither order answers.





