Q-Day is the day a cryptographically relevant quantum computer can break the public-key cryptography that holds the modern internet together. Nobody knows the date. The honest answer from anyone serious is "later than the hype, sooner than is comfortable." That uncertainty is exactly the problem, because the migration off RSA and elliptic-curve cryptography is not a weekend job. It is a multi-year programme of inventory, replacement, testing, and re-testing, across systems that were never designed to have their cryptographic primitives swapped out. Ireland is, on the whole, behind on this. Not catastrophically behind — but behind enough that the work needs to start in earnest now, and start in the right order.
Why Ireland specifically, and why now
Ireland sits in an awkward spot. We host a meaningful chunk of European data infrastructure. We run a small number of pillar banks, a centralised health service, a tightly interconnected set of semi-states, and a public sector that — for all its faults — handles a great deal of citizen data through a small number of shared platforms. That concentration cuts both ways. It means a coordinated migration is genuinely possible here in a way it is not in larger jurisdictions. It also means that if the migration is botched, the blast radius is national rather than local.
The threat model that matters in 2026 is not "a quantum computer breaks your TLS handshake live." It is harvest now, decrypt later. An adversary records encrypted traffic — banking sessions, medical records in transit, signed government documents, VPN tunnels into semi-state networks — and stores it. When a sufficiently capable quantum machine exists, that stored traffic is decrypted retrospectively. Anything with a confidentiality lifetime longer than the time-to-Q-Day is already exposed. Health records, tax records, legal documents, intellectual property, and most state-citizen correspondence fall squarely into that category.
What "post-quantum" actually means in standards terms
The vocabulary has settled, which is helpful. The U.S. National Institute of Standards and Technology finalised its first post-quantum standards in 2024. The two names every Irish CTO should know are:
- ML-KEM (Module-Lattice Key Encapsulation Mechanism, formerly Kyber) — the replacement for RSA and ECDH key exchange. This is the one that protects new sessions and forward secrecy.
- ML-DSA (Module-Lattice Digital Signature Algorithm, formerly Dilithium) — the replacement for RSA and ECDSA signatures. This is the one that protects code-signing, document signing, and certificate chains.
There is also SLH-DSA (a stateless hash-based signature scheme, formerly SPHINCS+) for cases where you want a very conservative signature with different mathematical assumptions, and FN-DSA (Falcon) for size-constrained signatures. For most Irish institutions, the working pair to plan around is ML-KEM for confidentiality and ML-DSA / Dilithium for authenticity. Anything you read about NIST PQ migration in Ireland eventually comes back to those two.
Two things to keep in mind. First, the recommended deployment pattern in 2026 is hybrid — classical and post-quantum primitives in parallel, so a flaw in either does not compromise the channel. Second, post-quantum cryptography is not drop-in. Keys are larger, signatures are larger, handshakes are heavier. Anything that hard-codes 256-byte assumptions, anything that batches certificates into fixed-size frames, anything that runs on constrained embedded hardware, will need work.
The order that minimises pain
The single most common mistake I see in migration planning is starting with the cryptography. You start with the inventory. Without an honest crypto-bill-of-materials, you are guessing.
- Inventory. Every certificate, every key, every TLS endpoint, every signed binary, every HSM, every VPN, every database column encrypted at rest, every signed PDF workflow. Where is each algorithm used, who owns it, and what is the confidentiality lifetime of the data it protects? This is unglamorous work and it takes months. Do it anyway.
- Classify by data lifetime. Anything protecting data that must remain confidential for ten or more years goes to the front of the queue. Health records, pension records, sealed legal matters, long-term commercial contracts. Anything protecting an ephemeral session can wait.
- Replace long-lived signing roots first. Code-signing certificates, software update chains, internal CA roots. If your update mechanism is signed with a classical algorithm and that key is compromised after Q-Day, an attacker can sign malicious updates that your fleet will accept. The signing root is the keystone.
- Move to hybrid key exchange in transit. TLS 1.3 with hybrid ML-KEM is shipping in mainstream libraries. Browsers and load balancers are catching up. Get it on the perimeter first, then internal east-west traffic.
- Re-encrypt at-rest data with post-quantum-protected keys. Database encryption keys, backup encryption keys, archive keys. The data is encrypted with a symmetric algorithm — AES is fine against quantum, with caveats — but the key wrapping is usually RSA. That wrap is what needs to change.
- Address embedded and operational technology last, but plan it first. Card terminals, medical devices, industrial controllers, smart meters. These have ten- and fifteen-year deployment lifetimes and constrained compute. Some will need hardware refresh cycles to support post-quantum. Procurement decisions made in 2026 should already require crypto-agility as a contractual term.
What each sector should be doing
Banks
The pillar banks are the most exposed and, paradoxically, the best-resourced to handle it. The work in 2026 is straightforward to describe and hard to execute: get a complete cryptographic inventory across core banking, card rails, treasury, and customer channels; identify every place a key is held by a third party (and there are a lot of them); and start hybrid TLS at the perimeter. Card payment infrastructure is governed by scheme rules that will lag the standards bodies, so banks should not wait for EMVCo before moving the parts they control.
Hospitals and the HSE
The health service has the longest data lifetimes and the most fragmented estate. Patient records are confidential for the lifetime of the patient and beyond. The realistic 2026 goal is not full migration — it is full visibility. Know what cryptography is in use across the National Shared Services platforms, the hospital group systems, the GP integrations, and the medical devices. Then prioritise by data lifetime.
Semi-states
The semi-states — energy, water, transport, post — share a feature that makes them harder than banks: operational technology with long depreciation cycles. A grid controller installed today is expected to be in service in 2040. Every procurement contract signed in 2026 should require crypto-agility: the ability to swap algorithms without replacing hardware. That single contractual clause, applied consistently, saves a generation of pain.
Public sector
The Office of the Government Chief Information Officer and the NCSC have the convening authority to drive this. What is needed from them, practically, is a national post-quantum cryptography Ireland baseline — a published expectation, with timelines, that every public-sector body and every supplier to a public-sector body must meet. Without that baseline, every department writes its own plan, badly, in parallel.
Crypto-agility is the real deliverable
If you take one thing from this essay, take this. The goal of the 2026 work is not to deploy ML-KEM and Dilithium and declare victory. The goal is to build systems that can change their cryptography again, in five years, when the next algorithm wins or the current one is weakened. We have spent thirty years assuming RSA is forever. It was not. Whatever replaces it is not forever either. Crypto-agility — the architectural property of being able to rotate primitives without re-architecting — is the actual deliverable. Post-quantum is the first test of it, not the last.
That means abstraction layers around cryptographic operations, configuration-driven algorithm selection, certificate issuance pipelines that can mint hybrid certs on demand, and HSMs that support multiple algorithm families. None of this is exotic. Most of it is good engineering hygiene that has been deferred because the existing primitives kept working.
The quantum context, briefly
I will declare an interest. The reason Ireland Quantum is committed for Q2 2027 is, in part, that sovereign quantum compute capacity in this country matters for reasons well beyond cryptography — research, drug discovery, materials, optimisation. But it also matters because a country that hosts quantum capability builds the institutional muscle to reason about quantum threats. You cannot regulate or defend against a technology you do not have working examples of locally. That is a longer argument for another essay.
What to do on Monday morning
If you run security or engineering at an Irish bank, hospital, semi-state, or department, the action this week is not to buy anything. It is to commission a cryptographic inventory and give it a real budget and a named owner. Not a consultancy slide deck — an actual machine-readable list of every key, certificate, and algorithm in your estate, with data lifetimes and ownership attached. That artefact is the foundation of every decision you will make in the next five years. At IMPT we are doing the same exercise across our booking and token infrastructure, because a carbon-positive platform that gets retroactively decrypted in 2032 is not a platform anyone should trust. The runway is shorter than it looks. Start walking it.