Most Irish CISOs I talk to know the post-quantum problem exists, and most of them have done nothing about it yet. That is not negligence — it is the reasonable response to a transition with shifting NIST drafts, ambiguous vendor roadmaps, and no obvious owner inside the org chart. But the runway is shorter than the calendar suggests. Harvest-now-decrypt-later is already happening against Irish traffic, and the cryptographic primitives we sign code, TLS sessions, and S/MIME with today have a defined obsolescence horizon. The 2026–2027 window is when the work has to actually move from policy decks into production TLS terminators, HSMs, and CI pipelines.
Why the Irish timeline is not the US timeline
NIST finalised FIPS 203 (ML-KEM), FIPS 204 (ML-DSA, the Dilithium-derived signature standard), and FIPS 205 (SLH-DSA) in 2024. The US federal mandate to begin migration is now in motion through CNSA 2.0. Ireland is not bound by CNSA, but we are bound by NIS2, by the EU Cyber Resilience Act, and by ENISA's post-quantum guidance — and crucially, by whichever cryptographic profile our largest counterparties enforce on us. For most Irish enterprises that means a US Fortune 500 customer or an EU regulator will pull the migration trigger before any domestic mandate does.
The practical effect: PQ migration in Ireland is going to feel like a supply-chain compliance exercise rather than a sovereign cryptographic transition. ML-KEM will arrive at your TLS edge because Cloudflare, Akamai, and AWS turn it on. ML-DSA will arrive in your code-signing because your IDE vendor or your CI runner ships it. The risk is that you treat the transition as something that happens to you, and you miss the parts — long-lived data at rest, embedded device firmware, internal PKI — that no upstream vendor will fix on your behalf.
What "harvest now, decrypt later" actually means for Irish data
The threat model is straightforward. An adversary with storage capacity and patience captures encrypted traffic today — TLS 1.3 sessions, IPsec tunnels, encrypted backups in transit — and stores the ciphertext until a cryptographically relevant quantum computer (CRQC) becomes available. At that point, classical Diffie-Hellman and RSA key-establishment are broken via Shor's algorithm, and the session keys can be recovered, decrypting the captured payloads.
The architecture that breaks them does not exist yet. Estimates for the logical qubit count required to run Shor against RSA-2048 range from a few thousand fault-tolerant logical qubits upward, which translates to millions of physical qubits under current surface-code overheads — roughly 1,000:1 physical-to-logical at realistic error rates around 10⁻³. The 100-physical-qubit class machine we are building in Tipperary as part of Ireland Quantum 100 is nowhere near that threshold, and neither is anything else commercially available globally. But the threat is the integral: how long is your data sensitive for? If the answer is ten years — patient health records, M&A correspondence, IP, certain government datasets — then the harvest-now timeline is already inside your sensitivity window.
For Irish organisations the practical filter is: identify any data class with a confidentiality lifetime that extends past 2032, and treat that traffic as the priority for ML-KEM hybrid key-establishment now, not in 2027.
The 2026 work: cryptographic inventory and the easy wins
You cannot migrate what you have not catalogued. The first six to nine months of 2026 should be spent building a real cryptographic bill of materials. That means:
- Every TLS terminator, load balancer, and reverse proxy, with its negotiated cipher suites and the library version behind them (OpenSSL 3.x, BoringSSL, rustls, wolfSSL).
- Every certificate authority you operate or consume, with key algorithm and validity period.
- Every code-signing pipeline, including macOS notarisation, Authenticode, JAR signing, container image signing (cosign), and OS package signing.
- Every VPN and IPsec endpoint, with IKE proposal lists.
- Every embedded device or OT system with hard-coded crypto — these are the ones that will hurt in 2027.
- Every long-lived encrypted archive: backups, S3 buckets with SSE, encrypted database dumps.
The easy wins in 2026 are at the TLS edge. OpenSSL 3.5 has ML-KEM hybrid key exchange built in. AWS, Cloudflare, and the major CDNs are rolling out X25519MLKEM768 as a hybrid group. Turning this on for inbound TLS is essentially a configuration change, and it gets your most-exposed traffic onto a quantum-resistant key-establishment immediately, with classical X25519 still in the loop as a hedge against ML-KEM cryptanalysis surprises. There is no reason for any Irish enterprise to leave 2026 without hybrid TLS on its public edge.
The 2027 work: signatures, PKI, and the hard parts
Signatures are harder than KEMs. ML-DSA signatures are large — roughly 2.4 KB for ML-DSA-65, versus 64 bytes for Ed25519 — and verification cost is non-trivial. This matters in three places where Irish deployments will feel pain:
Internal PKI. If you run an internal CA — and most regulated Irish organisations do, for mTLS between services — you have to plan a dual-trust period where issued certificates carry both a classical and a PQ signature, or you operate parallel hierarchies. Microsoft ADCS, HashiCorp Vault, and step-ca are at varying levels of readiness. Expect 2027 to be when the migration playbooks for these stabilise, and budget engineering time accordingly.
Code signing and software supply chain. SLH-DSA (the hash-based SPHINCS+ derivative) is the conservative choice here because its security rests on hash-function assumptions rather than lattice problems. The signatures are larger again — tens of kilobytes — but for code signing the overhead is acceptable and the long-term confidence is higher. Sigstore's roadmap toward PQ is the one to watch.
Embedded and OT. This is where Irish manufacturing, pharma, and utilities have the most exposure. Field devices with 10-15 year lifecycles, signed firmware, and constrained microcontrollers cannot easily accommodate ML-DSA's memory footprint. The honest answer is that some of these devices will not be migrated — they will be replaced at end-of-life, and the migration plan is really a procurement plan.
How sovereign quantum capability fits into the migration story
There is a reasonable question: why does an Irish sovereign quantum machine matter to PQ migration at all, given that the threat is from much larger machines elsewhere? Two reasons.
First, the same superconducting-transmon architecture, dilution refrigeration below 15 mK, and heavy-hex topology that we are commissioning in Tipperary is the architectural family that will, at scale, eventually run Shor. Having domestic engineers who have actually operated cryostats, calibrated qubits, run randomised benchmarking, and worked through surface-code decoders means Ireland develops a realistic internal sense of what is and is not near-term. That tempers both the panic and the complacency. The climate-workload programme we are prioritising on first-light is variational chemistry — orders of magnitude away from Shor — but the operational expertise transfers.
Second, sovereignty matters for the threat-modelling itself. If your PQ migration plan is built on assumptions about adversary capability, you want those assumptions informed by people who can be subpoenaed in this jurisdiction, not by vendor whitepapers from companies with conflicting commercial interests in the timeline.
What the regulator is likely to want
ENISA's post-quantum guidance, the EU's Coordinated Implementation Roadmap, and the Central Bank's operational resilience expectations under DORA are converging on a few common asks. Expect any Irish auditor in 2027 to want to see: a documented cryptographic inventory, a written migration plan with prioritisation by data sensitivity lifetime, evidence of hybrid PQ deployment on externally-facing services, and a roadmap for internal PKI. Financial services and critical infrastructure will be first; everyone else will follow within 12-24 months.
The organisations that get this wrong will be the ones who treated PQ as a 2030 problem and discovered in 2027 that their largest customer's procurement questionnaire now requires a CBOM and a migration roadmap as a condition of contract renewal.
Where to start this week
Open a spreadsheet. List every public-facing TLS endpoint your organisation operates. For each one, find out which TLS library and version sits behind it and whether it supports X25519MLKEM768. That is your week-one deliverable. It is unglamorous, and it is the single piece of work that most determines whether your 2026–2027 migration runs ahead of the regulator or behind them. Everything else — internal PKI, code signing, embedded fleet — flows from having that inventory habit established. Start there, this week, before the next quarter's roadmap planning closes the window.
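To fill the "supports X25519MLKEM768" column from evidence rather than vendor datasheets, the check can be run against the ServerHello each endpoint actually returns. The following is an added example, not code from the original article: it reads the key_share group out of a raw ServerHello record and classifies it using the IANA TLS Supported Groups codepoints. The function names and the sample records are constructed for illustration, and it assumes the ServerHello arrives unfragmented in the first record.

```python
import struct

# IANA "TLS Supported Groups" codepoints: hybrid ML-KEM groups and common classical ones.
GROUPS = {0x11EB: ("hybrid-pq", "SecP256r1MLKEM768"), 0x11EC: ("hybrid-pq", "X25519MLKEM768"),
          0x11ED: ("hybrid-pq", "SecP384r1MLKEM1024"), 0x001D: ("classical", "x25519"),
          0x0017: ("classical", "secp256r1"), 0x0018: ("classical", "secp384r1")}
EXT_KEY_SHARE = 51

def selected_group(record: bytes):
    """Return the key_share group codepoint in a ServerHello record, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a TLS handshake record starting with a ServerHello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    if len(body) < 35 or len(body) < 38 + body[34]:
        raise ValueError("truncated ServerHello")
    pos = 38 + body[34]        # version, random, session_id, cipher suite, compression
    if pos + 2 > len(body):
        return None            # no extensions block at all
    end = min(len(body), pos + 2 + int.from_bytes(body[pos:pos + 2], "big"))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        # ServerHello and HelloRetryRequest both start key_share with the 2-byte group.
        if ext_type == EXT_KEY_SHARE and len(data) >= 2:
            return int.from_bytes(data[:2], "big")
        pos += 4 + ext_len
    return None

def classify(record: bytes):
    """Inventory verdict for one ServerHello: (category, group name)."""
    group = selected_group(record)
    if group is None:
        return ("classical", "no key_share (TLS 1.2 or earlier)")
    return GROUPS.get(group, ("unknown", hex(group)))

def build_server_hello(group=None, share_len=0):
    """Constructed sample record (zeroed random and key share), for this demo only."""
    exts = b""                                   # TLS 1.2 style: no key_share
    if group is not None:                        # TLS 1.3: supported_versions + key_share
        exts = struct.pack("!HHHHHHH", 43, 2, 0x0304, EXT_KEY_SHARE, 4 + share_len,
                           group, share_len) + bytes(share_len)
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x13\x01\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    for grp, n in [(0x11EC, 1120), (0x001D, 32), (None, 0)]:
        print(classify(build_server_hello(grp, n)))
```

A server only selects a hybrid group if the probing client offered it, so a "classical" verdict is meaningful only when the ClientHello that produced the record listed X25519MLKEM768.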