Y2Q — Year to Quantum — is the enterprise security community's term for the moment a cryptographically relevant quantum computer arrives and renders today's public-key encryption obsolete. It is, in essence, the same event that this site calls Q-Day. But the framing matters: where Q-Day is a physics and engineering milestone, Y2Q is a business risk and organizational readiness deadline. And by that framing, Y2Q is not something that happens in the future. For many organizations, it has already begun.
The origin of the term
Y2Q was coined as a deliberate echo of Y2K — the millennium bug that required global systems remediation in the years leading up to January 1, 2000. The parallel is instructive but imperfect. Y2K had a fixed, known deadline: midnight on December 31, 1999. Every organization knew exactly how long they had. Y2Q has an uncertain deadline — experts place it somewhere between 2029 and 2035, with a 28–49% probability of arrival within the next decade according to the Global Risk Institute's most recent assessment, published in March 2026.
The term was popularized by security researchers including Dr. Michele Mosca of the University of Waterloo and the evolutionQ institute, and has since been adopted by IBM's security division, Deloitte, KPMG, and major financial regulators as the standard enterprise framing for quantum cryptographic risk. Unlike "Q-Day" — which emphasizes the technical threshold — "Y2Q" emphasizes the organizational migration challenge: the gap between when a threat arrives and when a given organization has successfully prepared for it.
How Y2Q differs from Y2K — and why it is harder
The most dangerous difference is retroactivity. Y2K required fixing systems before January 1, 2000 — but data processed before that date was never at risk. Y2Q is different in a fundamental way: state actors and sophisticated attackers are already collecting encrypted data today, betting they can decrypt it once a capable quantum computer exists. This "harvest now, decrypt later" strategy means that data you encrypt today — medical records, financial transactions, state secrets, intellectual property — is already at risk if it will still be sensitive in three to ten years.
This transforms Y2Q from a future deadline into a present-tense threat. The exposure window did not open when the first quantum computer was announced. It opened when the first adversary with sufficient resources and motivation began storing encrypted traffic. Security researchers believe that window opened several years ago.
What Y2Q means for RSA, ECC, and TLS
The specific cryptographic standards threatened by Y2Q are those based on mathematical problems that quantum computers can solve efficiently using Shor's algorithm. This includes RSA (used to secure the majority of HTTPS connections and certificate signing), ECC and ECDSA (used in TLS 1.3, Bitcoin, Ethereum, code signing, and mobile authentication), and Diffie-Hellman key exchange (used to establish encrypted sessions across the internet). Symmetric encryption such as AES is not directly broken by Shor's algorithm — though Grover's algorithm halves its effective key length, meaning AES-256 effectively becomes AES-128 in a post-quantum world, which remains secure.
The practical scope of RSA and ECC dependence is enormous. Every HTTPS website, every VPN, every SSH connection, every software update signature, every payment terminal, and every secure messaging application depends on one or more of these algorithms. A complete Y2Q migration is not a software patch — it is a multi-year cryptographic replacement project across every layer of an organization's technology stack.
The Y2Q timeline in 2026
The timeline has compressed materially since 2020. Google's security team internally targets 2029 as the planning horizon for a fault-tolerant quantum computer. The NSA's CNSA 2.0 framework sets 2027 as the first hard migration deadline for national security systems and 2033 as the final deadline for all quantum-vulnerable algorithms. The Global Risk Institute's March 2026 report — surveying 26 leading quantum computing experts — found a 28–49% probability of Y2Q arriving within the next ten years, up from prior assessments. Three papers published between May 2025 and March 2026 reduced the estimated qubit threshold for breaking RSA-2048 by a factor of twenty.
At the same time, hardware is advancing. Google's Willow chip (2024) demonstrated exponential error reduction. Microsoft's Majorana 1 (February 2025) introduced topological qubits that could reduce physical qubit overhead by an order of magnitude. China's Wukong-180 (May 2026) demonstrated 180-qubit operation with full technological independence. The US government committed $2.013 billion in CHIPS Act funding to quantum hardware in May 2026. The pace of progress is not slowing.
Why "Year to Quantum" is the right frame for enterprise security
The reason the security industry uses Y2Q rather than Q-Day is strategic: it foregrounds the migration challenge rather than the hardware milestone. A CISO does not need to know exactly when a quantum computer will break RSA. They need to know how long their organization's post-quantum migration will take, and therefore how much advance notice they require. For large enterprises — banks, insurers, healthcare systems, critical infrastructure — that migration is estimated to take three to seven years from initiation to completion. If Y2Q arrives in 2029, that organization needed to begin in 2022. If it arrives in 2032, they need to begin now.
The term also captures the asymmetry of the risk. An organization that completes its post-quantum migration one year before Y2Q arrives has fully avoided the threat. An organization that misses the deadline by one day faces potentially catastrophic retroactive exposure across years of collected encrypted traffic. There is no partial credit for being almost ready when the clock reaches zero.
The standards are ready. The window is open.
NIST finalized its first post-quantum cryptography standards in August 2024: ML-KEM for key encapsulation, and ML-DSA, FN-DSA, and SLH-DSA for digital signatures. In March 2025, NIST selected HQC as a fifth backup algorithm. In May 2026, nine additional signature candidates advanced to a third evaluation round, with standardization expected around 2028. The cryptographic toolkit for a post-quantum migration exists. The migration guidance from NIST, NSA, and CISA is published and freely available. The only remaining variable is whether organizations act before Y2Q arrives — or after.