July 13, 2026
Most discussion of quantum risk still follows hardware roadmaps: more qubits, better error correction, and estimates of when a quantum computer will break today's public-key cryptography.
That is not the timeline organizations should be planning against.
The deadline that matters is already measurable. It is the sum of two numbers every CISO can estimate today: how long sensitive data must remain confidential, and how long a cryptographic migration will take. If your data must remain secure for fifteen years and your migration will take ten, you are not planning fifteen years ahead. You are already five years behind.
Harvest-now, decrypt-later turns quantum from a future technology problem into a present governance problem. Adversaries can capture encrypted traffic today and store it until cryptanalytically relevant quantum computers exist. When that threshold is eventually reached, the compromise is retrospective. There is no warning event.
That is why post-quantum cryptography is becoming the first mandatory quantum market.
Unlike markets built around quantum advantage, this one does not depend on customers believing in future performance gains. The first post-quantum cryptography standards are now in place, and U.S. federal migration guidance targets today's widely used public-key algorithms for deprecation around 2030 and disallowance by 2035. The challenge is no longer waiting for standards. It is discovering where cryptography exists, planning migration, updating systems, and verifying that the work is complete.
This is where many market analyses miss the real obstacle.
Migration cost scales with sediment, not sophistication.
The institutions that led the last generation of digital transformation often face the hardest transition because they carry decades of accumulated infrastructure: cryptography embedded in firmware, undocumented dependencies, long-lived industrial devices, legacy protocols, and systems whose original architects have long since moved on. Before migration becomes an engineering exercise, it becomes an archaeology project.
That changes how we should think about emerging digital economies.
Sub-Saharan Africa now accounts for roughly two-thirds of the more than US$2 trillion processed annually through mobile money worldwide, and for millions of people a mobile money account remains their primary financial account. Much of this digital infrastructure has been built within the past two decades. Digital identity systems, digital public infrastructure, and next-generation payment rails are still evolving. That creates an opportunity to design crypto-agility into new systems instead of excavating it from old ones.
Where legacy constraints do exist, they are often different rather than smaller: narrow communication channels, memory-constrained field devices, long equipment replacement cycles, or hardware security modules with limited support for newer cryptographic schemes. Designing within those constraints develops exactly the operational discipline that large-scale post-quantum migration will require everywhere.
This perspective emerged during the recent Africa Quantum Consortium roundtable, where cryptographers, cybersecurity practitioners, and infrastructure operators examined what post-quantum readiness actually demands. One point stood out: the technical foundations are increasingly understood, but institutional readiness remains the limiting factor. Every migration requires clear ownership—for cryptographic inventories, residual risk, procurement decisions, implementation, and verification.
That leads to an uncomfortable conclusion.
If migration relies entirely on imported standards, imported vendors, and imported assurance, then "quantum-safe" simply becomes another external dependency. Recent shifts in export controls and technology access have demonstrated how quickly assumptions about supply chains can change. Sovereignty in the post-quantum era does not require developing new cryptographic algorithms. It requires the capacity to understand where cryptography exists, implement internationally accepted standards correctly, and independently verify that vendors have done what they claim.
A region that cannot check its vendors' homework has not migrated. It has outsourced trust.
For most organizations, the highest-leverage decision will not be made by cryptographers. It will be made during procurement. Requiring standardized post-quantum algorithms, hybrid deployment support, cryptographic bills of materials, and credible migration roadmaps from suppliers shapes an institution's long-term security posture before a single system is deployed.
The same lesson applies to quantum technology companies.
The first commercial winners are unlikely to be those waiting to demonstrate quantum advantage. They are more likely to be the companies that help organizations discover cryptographic assets, automate migration, validate implementations, monitor cryptographic risk, and build crypto-agile infrastructure. Those capabilities address problems organizations already face and budgets that already exist.
The first quantum market is not waiting for a quantum computer. It has already begun, driven not by breakthroughs in hardware but by the realities of confidentiality, infrastructure, and risk. Organizations that recognize that shift early will not simply be better prepared for quantum computing. They will understand where the quantum economy actually began.
Read the full readiness guide from that work - Securing Africa's Digital Backbone, the founding technical document of the Pan-African Quantum Communications and Security Alliance - being published this week at africaquantum.org
By Farai Mazhandu
We use cookies to analyze website traffic and optimize your website experience. By accepting our use of cookies, your data will be aggregated with all other user data.