Federal Quantum Encryption Deadlines Hit 2030: Custody Providers Face Cryptographic Audits Most Brokerages Can't Verify

The two executive orders Trump signed on June 22 set binding deadlines for federal agencies and their contractors to adopt quantum-resistant encryption. High-value assets and high-impact systems must transition to post-quantum cryptography for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. Federal contractors must comply with NIST's Federal Information Processing Standards, including the new post-quantum algorithms, by the same 2030 deadline.
This is not a distant planning horizon. The order moves up a goal the Biden administration had set for 2035, responding to research that suggests computers capable of breaking today's encryption are arriving faster than expected. Under NIST IR 8547, the transition timeline calls for deprecating quantum-vulnerable algorithms by 2030 and disallowing them entirely by 2035. Algorithms providing approximately 112 bits of security, including RSA-2048 and ECC P-256, the standards that secure most financial infrastructure, are slated for deprecation by 2030.
The urgency reflects recent algorithmic breakthroughs that have compressed the threat timeline. In a May 2025 paper, Google researcher Craig Gidney estimated that a 2048-bit RSA integer could be factored in less than a week by a quantum computer with fewer than one million noisy qubits, a 20-fold reduction from his own 2019 estimate of 20 million qubits. Subsequent work from Google Quantum AI showed that elliptic-curve cryptography, which secures cryptocurrency transactions and much of the financial sector, could be broken with fewer than 500,000 physical qubits, another 20-fold improvement over prior estimates. These advances came not from better hardware but from algorithmic optimization, the kind of improvement that arrives suddenly rather than creeping in year by year.
The Global Risk Institute's 2025 survey of quantum experts now places the probability of a cryptographically relevant quantum computer emerging within the next 10 years at 28% to 49%, the highest estimate in the report's seven-year history. The expert community believes the timeline has accelerated.
For financial institutions, the exposure is already active. From a risk-management perspective, the quantum era has already begun through "harvest now, decrypt later" activity: adversaries can collect encrypted traffic today and decrypt it later once quantum capability is available. The most acute exposure is not only future breach, but retroactive loss of confidentiality for long-lived sensitive information. Payment credentials, transaction records, and customer data all carry shelf lives measured in years, long enough to remain valuable when quantum decryption arrives.
Citi Institute tried to put a number on the systemic risk. A January 2026 report modeled a single-day quantum-enabled attack on one of the five largest U.S. banks, targeting its connections to Fedwire. The estimated outcome: $2.0 to $3.3 trillion in indirect economic damage, equivalent to a 10, 17% drop in U.S. GDP over a subsequent six-month recession. According to Citi, a successful quantum-enabled attack would likely spread rapidly across sectors, undermining authentication systems, payment networks, and digital trust mechanisms. A disruption to any of these layers could impair liquidity, freeze payments, and erode confidence.
The migration to post-quantum cryptography is not a software patch. NIST acknowledges that even though no cryptographically relevant quantum computers currently exist, transitioning to new algorithms will take significant time. Past cryptographic migrations have taken over a decade, and this more complex migration will likely take at least that long. Post-quantum algorithms use larger keys and behave differently across systems. Before any institution can deploy them, it must first inventory every instance of vulnerable cryptography, buried across its own systems and those of its vendors.
As one industry observer noted, "The 2030 deadline for key establishment is a tangible compliance deadline, and the gap between where most organizations are today and where they need to be is significant. Agencies and contractors that haven't started a cryptographic inventory are already behind. The organizations that move now will have options. The ones that wait will find themselves managing a crisis."
This is where the structural problem for brokerages becomes visible. If you operate a brokerage handling pooled client accounts with custodial crypto or tokenized asset exposure, you likely bear regulatory and reputational liability for the safekeeping of those assets. But you almost certainly do not control the cryptographic key management architecture that actually secures them. That architecture belongs to your custodian, an exchange, a qualified custodian, or some combination of both.
The 2030 deadline creates a time-bound dimension to that existing control gap. When federal contractors and their vendors face mandatory compliance, the question of whether your custodian's key management systems meet post-quantum standards becomes a compliance question, not just a security preference. And unless your custody agreement includes transparency around cryptographic infrastructure, migration timelines, and fallback plans, you have no way to verify that your provider is on track, or what happens if they're not.
Within 270 days of the executive order, CISA and NIST are required to publish the minimum elements for a cryptographic bill of materials, a machine-readable list of the cryptographic assets in a piece of hardware or software. That groundwork for crypto-agility recognizes a basic truth: you cannot swap out weak algorithms on a deadline if you do not know where they are. For brokerages, the same principle applies at the vendor level: you cannot assess your cryptographic exposure if you don't have visibility into your custodian's infrastructure.
The executive order's direct mandates apply to federal agencies and contractors, not to private financial services firms broadly. But the compliance perimeter is wider than it appears. The mandate does not impose PQC migration requirements on private companies outside the federal contracting ecosystem directly. However, the mandate will accelerate industry-wide adoption: organizations that sell to the government, hold government data, or operate critical infrastructure that interfaces with federal systems will face compliance pressure by 2030. Custodians serving institutional clients often fall into one or more of these categories.
Even where there is not yet a single "drop-dead" date for financial services, regulators are pushing planning and risk management, and multiple jurisdictions have published transition roadmaps. In the U.S., federal migration milestones, carrying out high-risk migrations by 2030 and full quantum-resistant security by 2035, are shaping broader market expectations, particularly for regulated ecosystems and critical infrastructure.
The practical question for compliance officers and COOs is not whether quantum computers will arrive on schedule. It's whether your custody providers have a migration plan that you can see, verify, and factor into your own risk assessment. If they don't, or if they won't share it, you're carrying cryptographic exposure in infrastructure you can't audit, against a deadline you can't control.
That's not a technology problem. It's a governance gap with a regulatory shelf life.
References
[2] NIST, Post-Quantum Cryptography project and IR 8547
[4] Global Risk Institute, "Quantum Threat Timeline Report 2025," March 2026
[5] Citi Institute, "Quantum Threat: The Trillion-Dollar Security Race Is On," January 2026





