<?xml version="1.0" encoding="UTF-8"?><rss version="2.0" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>DeployQuantum Briefings</title><description>Quantum readiness briefings: analysis of post-quantum migration, the standards, the deadlines, and the decisions they force. Published here first.</description><link>https://deployquantum.com/</link><language>en-us</language><item><title>Software Ate the World. Now Services Are Eating Software.</title><link>https://deployquantum.com/briefings/services-eating-software/</link><guid isPermaLink="true">https://deployquantum.com/briefings/services-eating-software/</guid><description>Why capital is moving from software to companies that own outcomes, and why fragmented markets like quantum reward the deployment layer most.</description><pubDate>Sun, 07 Jun 2026 08:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Quick answer:&lt;/strong&gt; Enterprises spend roughly six dollars on services for every dollar on software. AI now performs work instead of assisting it, so the next defining companies will sell outcomes, not logins: services businesses on the invoice, software companies underneath. The test is the cost curve. If the second customer costs materially less to serve than the first, the business compounds like software. Fragmented markets such as quantum reward this deployment layer most.&lt;/p&gt;
&lt;p&gt;For every dollar companies spend on software, they spend roughly six on services. That ratio, repeated across several independent market estimates, explains where venture capital is moving in 2026.&lt;/p&gt;
&lt;p&gt;In 2011, the claim that software was eating the world sounded contrarian. It turned out right. A decade ago there were 15 SaaS unicorns; Foundation Capital now counts more than 400. Software won. The question now is what comes next, and the answer is services, though not in the traditional sense.&lt;/p&gt;
&lt;h2&gt;How much bigger is the services market than software?&lt;/h2&gt;
&lt;p&gt;When an investor at Sequoia says the next trillion-dollar company will be &amp;quot;a software company masquerading as a services firm,&amp;quot; many people picture consultants, hourly billing, and slide decks. That is the wrong mental model. The reason capital is moving is size.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Source&lt;/th&gt;
&lt;th&gt;Estimate&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;NFX&lt;/td&gt;
&lt;td&gt;~$5 trillion in knowledge work vs ~$230 billion in B2B software&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;a16z&lt;/td&gt;
&lt;td&gt;~$6 trillion in white-collar services&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Foundation Capital&lt;/td&gt;
&lt;td&gt;$4.6 trillion opportunity&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;J.P. Morgan&lt;/td&gt;
&lt;td&gt;$3 to $5 trillion&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;HFS Research&lt;/td&gt;
&lt;td&gt;$1.5 trillion&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The estimates differ. The conclusion does not: services dwarf software.&lt;/p&gt;
&lt;p&gt;Salesforce illustrates the gap. It generates roughly $35 billion in annual revenue while companies spend around $1.1 trillion every year on sales and marketing salaries. Software captured a fraction of the value surrounding the work. The work itself stayed outside the product.&lt;/p&gt;
&lt;p&gt;Until now.&lt;/p&gt;
&lt;h2&gt;What changed in how the work gets done?&lt;/h2&gt;
&lt;p&gt;AI increasingly performs tasks instead of assisting with them. Sequoia describes the transition as moving from copilots to autopilots. Greylock frames it as the agent completing most of the work while a human reviews the output. NFX reverses the acronym: software as a service becomes service as software.&lt;/p&gt;
&lt;p&gt;The strategic consequence matters more than the labels. A company that sells software watches every improvement in the underlying models compress its differentiation. A company that sells outcomes watches every improvement make its delivery faster, cheaper, and more scalable. The technology stops being the product and becomes the engine behind it.&lt;/p&gt;
&lt;p&gt;The model providers have reached the same conclusion. OpenAI launched a dedicated deployment company backed by more than $4 billion and acquired Tomoro to build a large forward-deployed engineering organization. Anthropic has made similar moves with partners including Blackstone, Hellman &amp;amp; Friedman, and Goldman Sachs, on the argument that enterprise demand exceeds any single delivery model. Both resemble the approach Palantir established years earlier: embed engineers with customers, solve the problem, then turn bespoke deployments into reusable products. Gravel roads become paved highways, as Palantir put it.&lt;/p&gt;
&lt;p&gt;Investors are rewarding that model with software valuations. Sierra, Harvey, Abridge, EvenUp, and Decagon each own outcomes in a single vertical rather than selling seats, and most operate in regulated industries: law, healthcare, accounting, insurance.&lt;/p&gt;
&lt;h2&gt;What separates a deployment layer from services with AI on top?&lt;/h2&gt;
&lt;p&gt;The objections deserve a hearing. Better Tomorrow Ventures argues that AI makes services firms more efficient without turning them into software companies, because clients still pay for trust, credentials, and liability. Valere makes the same point in margin terms: a business that depends entirely on rented foundation models keeps its margin pinned to the spread between what customers pay and what the models cost. Software businesses run gross margins of 70 to 85 percent. Traditional professional services often run closer to 30 to 40.&lt;/p&gt;
&lt;p&gt;The distinction is the cost curve, and one test captures it. Does serving the second customer cost materially less than serving the first? If yes, the business is accumulating proprietary advantage and starting to behave like software. If not, it is a services business with AI layered on top.&lt;/p&gt;
&lt;p&gt;Three elements have to be present for the test to come out yes.&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;A technology stack that performs the work, rather than people assisted by tools.&lt;/li&gt;
&lt;li&gt;Reusable product modules that make every deployment easier than the last. By the third or fourth engagement, software carries most of the delivery and humans supervise exceptions. That is when a services cost curve starts behaving like a software cost curve.&lt;/li&gt;
&lt;li&gt;Value capture across the funnel: a free layer that identifies the problem, a paid layer that executes the work, and a product layer that compounds knowledge into reusable IP after the engagement ends.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;We call that combination the deployment layer. A deployment layer sells outcomes instead of logins.&lt;/p&gt;
&lt;h2&gt;Why is quantum the clearest case?&lt;/h2&gt;
&lt;p&gt;The trend is global. One market makes it unusually clear.&lt;/p&gt;
&lt;p&gt;AI is converging around a handful of dominant architectures. Quantum is diverging: multiple hardware modalities, sensing platforms, software stacks, post-quantum cryptography schemes, and industry-specific applications, with no standard toolchain connecting them. McKinsey estimates the sector attracted $12.6 billion in 2025. Very little of that capital has gone toward making the technology deployable inside enterprises.&lt;/p&gt;
&lt;p&gt;For buyers, fragmentation is the bottleneck, not hardware. Building qubits is one problem. Integrating systems, managing migrations, producing evidence, and satisfying regulators is another, and that second problem exists today regardless of future hardware progress. DORA is already in force across EU financial institutions, and post-quantum cryptography migration is already on regulatory timetables. That second problem is deployment work, the kind &lt;a href=&quot;/build/grow/&quot;&gt;our build engagements&lt;/a&gt; are scoped to deliver.&lt;/p&gt;
&lt;p&gt;The more fragmented a market becomes, the more valuable its deployment layer becomes.&lt;/p&gt;
&lt;p&gt;Software ate the world by replacing tools. Services are eating software by owning outcomes. The defining companies of the next decade will look like services businesses to their customers and operate like software companies underneath. The rest will be consulting firms with better marketing. In a market as fragmented as quantum, that difference is worth the most.&lt;/p&gt;
</content:encoded><category>Deployment Thesis</category></item><item><title>The $7.1 billion floor: what the US federal PQC migration estimate leaves out</title><link>https://deployquantum.com/briefings/federal-pqc-migration-floor/</link><guid isPermaLink="true">https://deployquantum.com/briefings/federal-pqc-migration-floor/</guid><description>OMB and ONCD priced US civilian PQC migration at $7.1 billion, excluding defense and intelligence. The constraint that compounds is calendar, not budget.</description><pubDate>Wed, 20 May 2026 08:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Quick answer:&lt;/strong&gt; The US federal estimate for migrating civilian systems to post-quantum cryptography is $7.1 billion, per the OMB and ONCD report of July 2024 mandated by the Quantum Computing Cybersecurity Preparedness Act. Defense and intelligence are excluded, so the figure is a floor. With Gartner dating current asymmetric cryptography unsafe by 2029 and Google targeting 2029 internally, the binding constraint is calendar: inventory, dependency mapping, and firmware replacement do not compress.&lt;/p&gt;
&lt;p&gt;$7.1 billion is the federal estimate for migrating US civilian systems to post-quantum cryptography. The figure comes from the OMB and ONCD report mandated by the Quantum Computing Cybersecurity Preparedness Act, published July 2024. Defense and intelligence are excluded; national security systems are scoped separately and their costs are not disclosed.&lt;/p&gt;
&lt;p&gt;The conversation has moved past whether to migrate, and past when. What remains open is the sequencing, and who still has room on the calendar to sequence at all.&lt;/p&gt;
&lt;h2&gt;Why is the figure a floor, not a ceiling?&lt;/h2&gt;
&lt;p&gt;The estimate covers civilian agencies over the 2025 to 2035 window, per the same report. Classified systems sit outside it. So does every private-sector system, and the report flags inventory-driven uncertainty in its own number. Each exclusion pushes the true total in one direction: up.&lt;/p&gt;
&lt;h2&gt;Which clocks set the schedule?&lt;/h2&gt;
&lt;p&gt;Per Gartner research, current asymmetric cryptography is dated unsafe by 2029 and fully breakable by 2034. Per the Google security blog of March 2026, Google has set its internal migration target to 2029. The NIST IR 8547 transition plan deprecates RSA-2048 and ECC P-256 by 2030 and phases them out by 2035.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Clock&lt;/th&gt;
&lt;th&gt;Year&lt;/th&gt;
&lt;th&gt;Source&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Current asymmetric cryptography dated unsafe&lt;/td&gt;
&lt;td&gt;2029&lt;/td&gt;
&lt;td&gt;Gartner research&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Google internal migration target&lt;/td&gt;
&lt;td&gt;2029&lt;/td&gt;
&lt;td&gt;Google security blog, March 2026&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;RSA-2048 and ECC P-256 deprecated&lt;/td&gt;
&lt;td&gt;2030&lt;/td&gt;
&lt;td&gt;NIST IR 8547&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Current asymmetric cryptography fully breakable&lt;/td&gt;
&lt;td&gt;2034&lt;/td&gt;
&lt;td&gt;Gartner research&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;RSA-2048 and ECC P-256 phased out&lt;/td&gt;
&lt;td&gt;2035&lt;/td&gt;
&lt;td&gt;NIST IR 8547&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The 2030 deprecation and the 2035 phase-out now sit downstream of the 2029 clocks, not upstream.&lt;/p&gt;
&lt;h2&gt;What does waiting actually cost?&lt;/h2&gt;
&lt;p&gt;Waiting reprices the project. The same migration, started later, runs inside a compressed window with fewer vendors available, and the difference shows up in three places.&lt;/p&gt;
&lt;p&gt;An organization starting today has time to identify legacy systems where cryptographic functions are buried in firmware and cannot be patched in place. A late starter does not. The early mover chooses between three certificate authorities; the 2028 entrant takes whoever has capacity. Piloting, measuring, and retiring approaches that do not work is a calendar privilege; the compressed alternative ships once.&lt;/p&gt;
&lt;h2&gt;What is the structural work?&lt;/h2&gt;
&lt;p&gt;The standards are settled, so algorithm selection is not the project. The project is the cryptographic inventory, the dependency map, the embedded-firmware replacement, and the supply-chain coordination. None of those scale linearly with budget. They scale with calendar.&lt;/p&gt;
&lt;p&gt;The federal estimate carries an explicit note about uncertainty driven by inventory. Most organizations do not yet know which of their systems use which cryptographic algorithms, where the keys live, or how dependencies cascade through their supply chain. That uncertainty does not improve with time; it compounds. A &lt;a href=&quot;/learn/pqc/scan/&quot;&gt;free PQC assessment&lt;/a&gt; is one way to start replacing that uncertainty with a list.&lt;/p&gt;
&lt;p&gt;$7.1 billion is what one government has put in writing as a floor, for civilian systems alone. The private-sector total is not yet costed at that resolution. When it is, the math will not flatter the late movers.&lt;/p&gt;
</content:encoded><category>Regulation</category></item><item><title>CNN&apos;s Q-Day story of 17 May 2026 moved post-quantum migration into the mainstream</title><link>https://deployquantum.com/briefings/q-day-mainstream-deployment-gap/</link><guid isPermaLink="true">https://deployquantum.com/briefings/q-day-mainstream-deployment-gap/</guid><description>CNN ran a Q-Day explainer on 17 May 2026. With Google and Cloudflare on 2029 targets and over 90% of businesses without a roadmap, the gap is execution.</description><pubDate>Mon, 18 May 2026 08:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Quick answer:&lt;/strong&gt; CNN published a Q-Day explainer on its science vertical on 17 May 2026, putting harvest-now-decrypt-later and the 2029 migration targets of Google and Cloudflare in front of a general audience. More than 90% of businesses still lack a quantum-security roadmap, per a McKinsey figure cited in the piece. The bottleneck has moved from awareness to execution: turning roadmaps into deployed code and signed audits.&lt;/p&gt;
&lt;p&gt;CNN published a Q-Day explainer on its science vertical on 17 May 2026. The numbers inside the piece were familiar to anyone working on post-quantum migration. The placement was the news: when a mass-market outlet runs the story, the conversation is no longer specialist.&lt;/p&gt;
&lt;h2&gt;What did the CNN piece cover?&lt;/h2&gt;
&lt;p&gt;For most of the last decade, post-quantum cryptography lived inside infosec teams, standards bodies, and a small ring of academic centres. The audience was self-selected and the deadlines were soft.&lt;/p&gt;
&lt;p&gt;The CNN piece walks a general reader through harvest-now-decrypt-later, the NIST PQC standards, Google&apos;s 2029 internal migration target, Cloudflare&apos;s 2029 target, and a McKinsey figure that more than 90% of businesses still do not have a quantum-security roadmap. It also quotes the NIST PQC lead on precedent: historical cryptographic migrations have taken 10 to 20 years. By the middle of the article, a general reader holds the vocabulary a CISO held two years ago.&lt;/p&gt;
&lt;h2&gt;Why does mainstream coverage matter for boards?&lt;/h2&gt;
&lt;p&gt;Boards, innovation committees, and family-office principals read CNN. The lag between a topic appearing in general business news and a chairman raising it on a Monday morning is brief. Once a topic is mainstream enough to land in an inbox, it is mainstream enough to land in a board paper, and the first question that follows is whether a plan exists.&lt;/p&gt;
&lt;p&gt;Directors building that vocabulary from a standing start can work through the &lt;a href=&quot;/learn/quantum-ready/explore/courses/&quot;&gt;free quantum readiness courses&lt;/a&gt; at their own pace.&lt;/p&gt;
&lt;h2&gt;What is already settled?&lt;/h2&gt;
&lt;p&gt;Awareness was the bottleneck for a decade. The record below shows why it no longer is.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;th&gt;Milestone&lt;/th&gt;
&lt;th&gt;Source&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;2022&lt;/td&gt;
&lt;td&gt;White House memo sets a 2035 PQC target for federal agencies&lt;/td&gt;
&lt;td&gt;M-23-02&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;2024&lt;/td&gt;
&lt;td&gt;NIST finalises the PQC standards, FIPS 203 (ML-KEM) and FIPS 204 (ML-DSA)&lt;/td&gt;
&lt;td&gt;NIST&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;25 March 2026&lt;/td&gt;
&lt;td&gt;Google publishes a 2029 internal migration target&lt;/td&gt;
&lt;td&gt;Google blog&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;March 2026&lt;/td&gt;
&lt;td&gt;Cloudflare publishes a 2029 migration target&lt;/td&gt;
&lt;td&gt;Cloudflare roadmap&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;April 2026&lt;/td&gt;
&lt;td&gt;Meta publishes its migration framework&lt;/td&gt;
&lt;td&gt;Meta Engineering blog&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;17 May 2026&lt;/td&gt;
&lt;td&gt;Q-Day reaches a mass-market science vertical&lt;/td&gt;
&lt;td&gt;CNN&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The reference clock moved from 2035 to 2029 inside four years, and operators set the new pace ahead of regulators.&lt;/p&gt;
&lt;h2&gt;Where is the gap now?&lt;/h2&gt;
&lt;p&gt;Execution. The distance between deciding to migrate and having migrated is the work that does not make press releases: turning a roadmap into deployed code, a signed audit, and a migration plan a custodian will accept.&lt;/p&gt;
&lt;p&gt;That work is the deployment layer. The category exists because the standards are finished, the demand is now visible from the general press, and the in-house teams to run the work are scarce. CNN coverage is the demand signal; what happens after the reader closes the tab is the supply question. Both sides of that equation became visible in the same week.&lt;/p&gt;
&lt;p&gt;The next question a chairman asks is whether there is a plan. The useful preparation is having the answer ready before the question arrives.&lt;/p&gt;
</content:encoded><category>Quantum Market</category></item><item><title>LayerQu, the post-quantum readiness reference for L1 and L2 chains</title><link>https://deployquantum.com/briefings/layerqu-launch-blockchain-pqc/</link><guid isPermaLink="true">https://deployquantum.com/briefings/layerqu-launch-blockchain-pqc/</guid><description>LayerQu launched on 12 May 2026 with 67 chains scored under the v3.1 methodology at launch, open scores, and evidence drawn only from public artefacts.</description><pubDate>Tue, 12 May 2026 08:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Quick answer:&lt;/strong&gt; LayerQu, the post-quantum readiness reference for L1 and L2 chains, launched on 12 May 2026. 67 chains were scored under the v3.1 methodology at launch (May 2026). The methodology, the scores, and the evidence behind every score are open, sourced only from public artefacts: client code, governance proposals, foundation announcements, and peer-reviewed papers. There are no paid listings and no sponsored upgrades.&lt;/p&gt;
&lt;p&gt;LayerQu, the post-quantum readiness reference for L1 and L2 chains, launched on 12 May 2026. 67 chains were scored under the v3.1 methodology at launch (May 2026), with the methodology, the scores, and the evidence behind every score published in the open. DeployQuantum is the deployment company for the quantum era; LayerQu is the part of that work aimed at public chains.&lt;/p&gt;
&lt;h2&gt;Why do public chains fall out of quantum-readiness roadmaps?&lt;/h2&gt;
&lt;p&gt;Most quantum-readiness work assumes a familiar shape: a CISO who owns the cryptographic estate, an audit committee that asks for a plan, a board that signs the budget. Almost every published methodology fits that shape. Public blockchains do not.&lt;/p&gt;
&lt;p&gt;Ethereum has no CISO. No audit committee reads Solana&apos;s GitHub. Bitcoin holds no quarterly governance call where a vendor presents the migration plan. A chain has a foundation, a developer community, a DAO, and a hard fork process that is not a procurement question.&lt;/p&gt;
&lt;p&gt;The cryptography is not what differs. The same elliptic-curve and hash assumptions everyone else depends on sit at the bottom of every Layer 1 and Layer 2. What is missing is the governance container for the migration: the named owner, the audit deadline, and the public scorecard an institutional buyer can quote. So blockchain quietly drops out of most quantum-readiness roadmaps.&lt;/p&gt;
&lt;h2&gt;What does LayerQu publish?&lt;/h2&gt;
&lt;p&gt;Open scores, an open methodology, and the evidence behind every score. Everything is sourced from public artefacts the chain itself has already published: client code, governance proposals, foundation announcements, and peer-reviewed papers. There are no paid listings, no sponsored upgrades, and no foundation reviewers behind the curtain.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Launch fact&lt;/th&gt;
&lt;th&gt;Value&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Chains scored at launch (May 2026)&lt;/td&gt;
&lt;td&gt;67, under the v3.1 methodology&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Methodology revisions in the six weeks before launch&lt;/td&gt;
&lt;td&gt;3&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Paid listings, sponsored upgrades, foundation reviewers&lt;/td&gt;
&lt;td&gt;0&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;LayerQu extends the public surfaces DQ already maintains: post-quantum migration assessments, quantum readiness scoring for organisations, and vendor and research mapping published as &lt;a href=&quot;/learn/quantum-ready/explore/&quot;&gt;open research data&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Who is the reference for?&lt;/h2&gt;
&lt;p&gt;People inside chains who already get the quantum question and need somewhere to point a serious answer. Sometimes the question arrives from an institutional partner, sometimes from a journalist, sometimes from an auditor. The head of ecosystem, the head of community, and the head of security have mostly known it was coming; few have had a public reference they could hand over. That reference now exists.&lt;/p&gt;
&lt;p&gt;It is deliberately unfinished. The methodology was revised three times in the six weeks before launch, and it will be revised again the moment a chain disputes a call with a primary source. That is the design.&lt;/p&gt;
&lt;p&gt;Chain foundations, DAOs, ecosystem teams, research collectives, and institutional desks that touch digital assets get the same invitation: come and look, push back on a score, contribute a primary source, or propose a new gate.&lt;/p&gt;
</content:encoded><category>Blockchain</category></item><item><title>Meta&apos;s five-level post-quantum migration framework, April 2026</title><link>https://deployquantum.com/briefings/meta-pqc-migration-levels/</link><guid isPermaLink="true">https://deployquantum.com/briefings/meta-pqc-migration-levels/</guid><description>Meta&apos;s April 2026 framework defines five PQC migration levels and a six-phase programme, with ML-KEM-768 and ML-DSA-65 as the settled algorithm picks.</description><pubDate>Sat, 09 May 2026 08:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Quick answer:&lt;/strong&gt; On 16 April 2026 Meta published the framework guiding its own post-quantum migration: five maturity levels, from PQ-Unaware to PQ-Enabled, and a six-phase programme that starts with cryptographic inventory. Meta recommends ML-KEM-768 for key encapsulation and ML-DSA-65 for signatures, both finalised in NIST FIPS 203 and 204 in August 2024. Most enterprise systems today sit at the first or second maturity level.&lt;/p&gt;
&lt;p&gt;On 16 April 2026, Meta published the framework it uses to migrate its own infrastructure to post-quantum cryptography, on its engineering blog. Public, in-progress migration accounts from operators at that scale are rare. The substance is more useful than any vendor whitepaper published this quarter.&lt;/p&gt;
&lt;h2&gt;What are the five migration levels?&lt;/h2&gt;
&lt;p&gt;The framework defines five maturity levels: PQ-Unaware, PQ-Aware, PQ-Ready, PQ-Hardened, and PQ-Enabled. Most enterprise systems today sit at the first or second level.&lt;/p&gt;
&lt;p&gt;The path from there to PQ-Enabled is not a vendor selection. Meta describes a six-phase programme that starts with cryptographic inventory and ends with PQC components integrated into production protocols. The timeline is stated in plain language: &amp;quot;years of phased work across protocols, products, and infrastructure.&amp;quot;&lt;/p&gt;
&lt;p&gt;Two implications follow from Meta&apos;s account. The binding artefact of the migration is the inventory, not the roadmap. And the algorithm choices are now stable, which removes the standing reason for waiting. The two sections below take each in turn.&lt;/p&gt;
&lt;h2&gt;Why is the inventory the binding artefact?&lt;/h2&gt;
&lt;p&gt;A migration plan written on top of an unknown inventory is fiction. Per the 2026 Entrust and Ponemon Institute Global State of Post-Quantum and Cryptographic Security study (n=4,000), only 43% of surveyed organisations report full visibility into the certificates inside their own enterprise. 41% name limited cryptographic visibility as the top barrier to readiness.&lt;/p&gt;
&lt;p&gt;The roadmap is the artefact boards ask for. The inventory is the artefact the roadmap depends on. Organisations that want a first read on their own position before commissioning the full inventory can take DQ&apos;s free &lt;a href=&quot;/learn/pqc/scan/&quot;&gt;PQC scan&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Are the algorithm choices still moving?&lt;/h2&gt;
&lt;p&gt;No. The recommendations are specific and the standards behind them are final.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Function&lt;/th&gt;
&lt;th&gt;Meta recommendation&lt;/th&gt;
&lt;th&gt;Standard&lt;/th&gt;
&lt;th&gt;Date&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Key encapsulation&lt;/td&gt;
&lt;td&gt;ML-KEM, with ML-KEM-768 at NIST Security Level 3&lt;/td&gt;
&lt;td&gt;NIST FIPS 203&lt;/td&gt;
&lt;td&gt;Finalised August 2024&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Digital signatures&lt;/td&gt;
&lt;td&gt;ML-DSA, with ML-DSA-65&lt;/td&gt;
&lt;td&gt;NIST FIPS 204&lt;/td&gt;
&lt;td&gt;Finalised August 2024&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Backup KEM&lt;/td&gt;
&lt;td&gt;HQC&lt;/td&gt;
&lt;td&gt;NIST selection&lt;/td&gt;
&lt;td&gt;March 2025&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The &amp;quot;wait for the standards to settle&amp;quot; position no longer maps to anything real. The standards settled in August 2024, and the backup KEM was named in March 2025.&lt;/p&gt;
&lt;h2&gt;What is the board question this quarter?&lt;/h2&gt;
&lt;p&gt;Which migration level the organisation can defend at the next audit, and what evidence backs the answer. For most enterprises the honest answer today is PQ-Aware at best. Defending that answer with evidence is still a stronger position than presenting a roadmap the inventory cannot support.&lt;/p&gt;
&lt;p&gt;The work that moves the level up is dull and specific: inventory, hybrid deployment, guardrails, and integration, years of it on Meta&apos;s own account. Organisations that land at PQ-Enabled by the end of the decade will be the ones that started the inventory in 2026. Those that did not will still be defending PQ-Aware in 2030.&lt;/p&gt;
</content:encoded><category>PQC Migration</category></item><item><title>DORA&apos;s implicit post-quantum mandate: RTS 2024/1774, Articles 6 and 7</title><link>https://deployquantum.com/briefings/dora-implicit-pqc-mandate/</link><guid isPermaLink="true">https://deployquantum.com/briefings/dora-implicit-pqc-mandate/</guid><description>DORA never names post-quantum cryptography. RTS 2024/1774 Articles 6 and 7 still set the requirement more than 22,000 EU financial entities must meet.</description><pubDate>Thu, 07 May 2026 08:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Quick answer:&lt;/strong&gt; DORA does not mandate post-quantum cryptography by name. Commission Delegated Regulation (EU) 2024/1774, Articles 6 and 7, requires in-scope financial entities to monitor cryptographic threats, named in the preamble to include quantum advancements, and to mitigate them through a flexible, risk-based approach. More than 22,000 EU financial entities are in scope, per the European Commission&apos;s DORA impact assessment. Supervisors read the RTS as requiring a dated migration plan toward NIST FIPS 203, 204 and 205.&lt;/p&gt;
&lt;p&gt;More than 22,000 financial entities fall under the Digital Operational Resilience Act, Regulation (EU) 2022/2554, per the European Commission&apos;s impact assessment (SWD(2020) 198 final). DORA has applied since 17 January 2025. Its text never names post-quantum cryptography.&lt;/p&gt;
&lt;p&gt;The cryptography requirements sit one layer down. Commission Delegated Regulation (EU) 2024/1774, the regulatory technical standards on ICT risk management adopted under DORA, sets the operational rules in Articles 6 and 7. The preamble names cryptographic threats, including those arising from quantum advancements, and requires a flexible approach based on mitigation and monitoring. That wording traces to the ESAs Joint Committee final report on the draft RTS (JC 2023 86, January 2024).&lt;/p&gt;
&lt;h2&gt;Does DORA mandate post-quantum cryptography?&lt;/h2&gt;
&lt;p&gt;Not by name. The distance between the two honest readings of that fact is where the supervisory dialogue of the next three years will play out.&lt;/p&gt;
&lt;p&gt;Counsel tends to read the RTS as &amp;quot;PQC is not mandated.&amp;quot; True, narrowly. Supervisors read the same text as &amp;quot;cryptographic agility is mandated, and quantum is the named test of that agility.&amp;quot; Also true, and more useful. The first reading produces a clean memo for the risk committee. The second produces a funded roadmap.&lt;/p&gt;
&lt;p&gt;We expect supervisory dialogue to reward the second reading by 2027 and to penalise the first. The cost of holding the narrow reading is not a fine. It is the slow narrowing of the acceptable answer to a routine ICT risk question, until &amp;quot;we are monitoring developments&amp;quot; stops landing.&lt;/p&gt;
&lt;h2&gt;What are the institutions ahead of the requirement doing?&lt;/h2&gt;
&lt;p&gt;They are not running quantum research programmes. The institutions ahead of this treated the RTS preamble as an instruction and produced three artefacts: a cryptographic asset inventory, a classification of systems by data shelf-life, and a dated migration plan pointing at NIST FIPS 203, 204 and 205 as the destination.&lt;/p&gt;
&lt;p&gt;NIST finalised those three standards in August 2024, so the destination has stopped moving. The shelf-life classification decides sequence: systems carrying data whose confidentiality must outlive the transition window come first. DQ collects documented migration cases in its open &lt;a href=&quot;/learn/pqc/explore/&quot;&gt;PQC case intelligence&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;How does the EU calendar compare with other jurisdictions?&lt;/h2&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Jurisdiction&lt;/th&gt;
&lt;th&gt;Instrument&lt;/th&gt;
&lt;th&gt;Milestone&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;European Union&lt;/td&gt;
&lt;td&gt;Commission Recommendation on a Coordinated Implementation Roadmap, 11 April 2024&lt;/td&gt;
&lt;td&gt;2030 for high-risk systems, 2035 for full transition&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;United States&lt;/td&gt;
&lt;td&gt;NIST FIPS 203, 204 and 205&lt;/td&gt;
&lt;td&gt;Standards finalised August 2024&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Canada&lt;/td&gt;
&lt;td&gt;Canadian Centre for Cyber Security ITSM.40.001&lt;/td&gt;
&lt;td&gt;April 2026 federal planning deadline&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Australia&lt;/td&gt;
&lt;td&gt;ASD/ACSC post-quantum planning guidance&lt;/td&gt;
&lt;td&gt;End-2030 cessation of classical asymmetric cryptography&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The cluster is real and the calendar is tight. A financial entity that waits for an explicit PQC mandate inside DORA will reach the 2030 milestone unprepared, because the work the milestone assumes, inventory, classification and a dated plan, consumes the years in between.&lt;/p&gt;
&lt;p&gt;The narrow reading of DORA buys two budget cycles of comfort. The wider reading buys a 2030 audit that closes clean. Either way, the choice sits on the board paper this quarter, named or unnamed.&lt;/p&gt;
</content:encoded><category>Regulation</category></item><item><title>The 11-to-1 gap: $12.6 billion into quantum in 2025, just over $1 billion back</title><link>https://deployquantum.com/briefings/quantum-capital-revenue-gap/</link><guid isPermaLink="true">https://deployquantum.com/briefings/quantum-capital-revenue-gap/</guid><description>Quantum drew $12.6 billion of investment in 2025 against just over $1 billion of revenue. The gap marks the deployment layer as the open layer.</description><pubDate>Mon, 04 May 2026 08:00:00 GMT</pubDate><content:encoded>&lt;p&gt;&lt;strong&gt;Quick answer:&lt;/strong&gt; Quantum attracted $12.6 billion of investment in 2025 against just over $1 billion of revenue, an 11-to-1 gap, per the McKinsey Quantum Technology Monitor, April 2026. The hardware layer is consolidating while more than 300 companies already pay for quantum work. What is missing is the deployment layer that turns committed capital and committed buyers into shipped use cases inside a single budget cycle.&lt;/p&gt;
&lt;p&gt;Quantum attracted $12.6 billion of investment in 2025 and returned just over $1 billion in revenue. The figures come from the McKinsey Quantum Technology Monitor, April 2026. Eleven dollars in for every dollar out, and that ratio is the most useful single number for reading the quantum market this year.&lt;/p&gt;
&lt;h2&gt;Where did the capital concentrate?&lt;/h2&gt;
&lt;p&gt;Per the same report, annual investment ran 6.3x year over year. Capital markets supplied 44% of the total, and the top 10 deals consumed roughly 60% of the year&apos;s capital. Read together, those three numbers describe a hardware layer consolidating in real time: fewer, larger bets on the companies building the processors.&lt;/p&gt;
&lt;p&gt;The deployment layer shows no such consolidation. No comparable concentration of capital, talent, or tooling exists at the layer where quantum work gets integrated into production systems. That asymmetry is the structural fact of the 2025 market.&lt;/p&gt;
&lt;h2&gt;Who is already paying for quantum work?&lt;/h2&gt;
&lt;p&gt;McKinsey counts more than 300 companies already paying for quantum work. The median use-case budget sits near $6 million, willingness to pay reaches about $13 million per use case, and 7% of buyers run programs above $200 million. The same report puts $1.3 to $2.7 trillion of value at stake across industries by 2035.&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Measure&lt;/th&gt;
&lt;th&gt;Figure&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Investment into quantum, 2025&lt;/td&gt;
&lt;td&gt;$12.6 billion&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Quantum revenue, 2025&lt;/td&gt;
&lt;td&gt;just over $1 billion&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Year-over-year investment growth&lt;/td&gt;
&lt;td&gt;6.3x&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Share of investment from capital markets&lt;/td&gt;
&lt;td&gt;44%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Share of the year&apos;s capital in the top 10 deals&lt;/td&gt;
&lt;td&gt;roughly 60%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Companies already paying for quantum work&lt;/td&gt;
&lt;td&gt;more than 300&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Median use-case budget&lt;/td&gt;
&lt;td&gt;about $6 million&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Willingness to pay per use case&lt;/td&gt;
&lt;td&gt;near $13 million&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Buyers running programs above $200 million&lt;/td&gt;
&lt;td&gt;7%&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Value at stake across industries by 2035&lt;/td&gt;
&lt;td&gt;$1.3 to $2.7 trillion&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;All figures per the McKinsey Quantum Technology Monitor, April 2026.&lt;/p&gt;
&lt;h2&gt;What is missing between capital and revenue?&lt;/h2&gt;
&lt;p&gt;Capital is committed. Buyers are committed. The layer that turns commitment into shipped use cases inside a single budget cycle is the one still missing at scale.&lt;/p&gt;
&lt;p&gt;McKinsey&apos;s integration framing points at where this resolves. Quantum compute belongs alongside CPU and GPU in the existing HPC stack, with software-defined layers routing workloads dynamically. On that reading, the QPU is a new accelerator inside a grid that already runs, and the work of the next phase is integration work: scheduling, routing, validation, and the operational plumbing that lets a quantum workload sit inside an existing compute budget.&lt;/p&gt;
&lt;p&gt;That deployment layer is the un-consolidated layer of the quantum economy.&lt;/p&gt;
&lt;h2&gt;Why is 2026 the year this stops being speculative?&lt;/h2&gt;
&lt;p&gt;The sanity checks now sit outside the market itself. NIST has closed the PQC standards. The EU FS-PQC schedule is firm. US federal procurement is mandated to PQC by 2030. Each of those is a fixed point that does not move with sentiment, and together they put a calendar under decisions that used to float.&lt;/p&gt;
&lt;p&gt;The window before the late-mover premium starts to compound is open and narrowing. Organisations that want to locate themselves on that calendar can start with the &lt;a href=&quot;/learn/quantum-ready/scan/&quot;&gt;QR8 readiness scan&lt;/a&gt;, free and self-serve.&lt;/p&gt;
&lt;p&gt;If a 2026 plan still treats quantum as a 2030 question, it is built on the wrong calendar.&lt;/p&gt;
</content:encoded><category>Quantum Market</category></item></channel></rss>