Quantum Threat Timeline Report 2025: Record Predictions, But Can the Survey Keep Up?
5 Apr 2026 – The Global Risk Institute (GRI) and evolutionQ Inc. have published the seventh edition of their annual Quantum Threat Timeline Report, the longest-running expert survey dedicated to estimating when a quantum computer will be capable of breaking widely deployed public-key cryptography.
The report, dated 9 March 2026 and authored by Dr. Michele Mosca (co-founder and CEO of evolutionQ, professor at the University of Waterloo) and Dr. Marco Piani (senior research analyst at evolutionQ), surveyed 26 international experts across academia and industry. Its central finding: the averaged expert estimate of the probability of a cryptographically relevant quantum computer (CRQC) emerging within the next 10 years now ranges between 28% and 49%, depending on how responses are interpreted — the highest 10-year estimate in the report’s seven-year history.
The GRI Quantum Threat Timeline series has become a standard reference for CISOs, government agencies, and risk committees seeking to calibrate their PQC migration timelines. Published annually since 2019, it is one of only a handful of systematic, longitudinal efforts to quantify the proximity of Q-Day – the point at which a quantum computer can break RSA-2048 or equivalent cryptographic schemes within a practical timeframe.
This year’s edition arrives against a backdrop of accelerating technical progress. Recent months have delivered a cluster of results – from Gidney’s sub-million-qubit RSA factoring estimates to Google Quantum AI’s ECC resource reductions to demonstrations of error correction beyond break-even on multiple hardware platforms – that have materially shifted the field’s assumptions about how much hardware a CRQC actually requires. The report captures expert sentiment shaped by these developments, and the numbers reflect it.
What the Report Says
The Headline Numbers
The core question of the report has remained unchanged since the series began in 2019: how likely is it that a quantum computer capable of factoring a 2048-bit RSA integer in under 24 hours will be built within various timeframes?
The results represent a meaningful shift.
At the 10-year horizon, the averaged expert likelihood now sits between 28% (pessimistic interpretation) and 49% (optimistic interpretation). This is the highest 10-year estimate in the report’s history. Half the respondents (13 out of 26) placed the probability at approximately 50% or higher. A substantial majority (19 of 26, or 73%) rated it above 5%. Six experts assessed the 10-year likelihood as greater than 70%, including one each at “very likely” and “extremely likely.”
At the 15-year mark, 18 of 26 respondents (69%) assessed the probability of a cryptographically relevant quantum computer (CRQC) at 50% or higher, with 15 (58%) calling it “likely” or better. By 20 years, the numbers approach near-certainty: 92% of respondents placed the probability at 50% or above, and nearly half judged it “extremely likely” (greater than 99%).
The report frames these numbers through the Mosca Inequality – the relationship between data shelf-life, migration time, and quantum threat time – and concludes that many organizations may already be exposed to intolerable risk levels that demand immediate action.
The Year-over-Year Trend
Perhaps more telling than the absolute numbers is the trend. When plotted against the six prior surveys (2019–2024), the 2025 results show the sharpest upward shift in the 10-year window since the report’s inception. The averaged optimistic estimate for a CRQC within 10 years jumped from 34% in 2024 to 49% in 2025 – a 15-percentage-point leap in a single year. Even the pessimistic floor rose from 14% to 28%.
The report’s authors note that the 2019–2021 surveys actually showed higher absolute estimates for the mid-2030s timeframe, but caution against reading this as evidence of a slowdown. They attribute the 2022–2023 dip to a post-pandemic recalibration of expectations, influenced by the COVID-era tightening of venture capital and a temporary pause in some research programs. The 2025 numbers, in this view, represent a restoration and acceleration of the pre-pandemic trajectory, powered by recent breakthroughs.
What’s Driving the Optimism
The experts pointed to several recent developments as catalysts for their revised estimates.
On the experimental front, Google’s “Willow” processor (published in Nature as Acharya et al. 2025) was highlighted as a major milestone – demonstrating error correction beyond the break-even point with distance-5 and distance-7 surface code memories, where the distance-7 logical qubit survived more than twice as long as the best physical qubit. Progress in neutral atom platforms was described as “truly spectacular,” particularly Rydberg atom arrays, though clock speed remains a recognized constraint. Ion-trap platforms and bosonic cat qubit concatenation also drew praise.
On the theoretical side, Craig Gidney’s May 2025 paper – showing that RSA-2048 could be factored with fewer than one million physical qubits (down from 20 million in the 2019 estimates) – was identified as a potentially transformative development. The Chevignard, Fouque, and Schrottenloher paper (CRYPTO 2025) – which reduced the logical qubit count for factoring RSA-2048 to just 1,730, providing the algorithmic foundation that Gidney’s work then compiled into physical resource estimates – was also highlighted as a key theoretical advance.
The respondents were notably candid about the engineering challenges that remain. Bill Coish of McGill University provided a platform-by-platform assessment of scaling bottlenecks – from photon loss in photonic systems to interconnect quality in superconducting architectures to the slow clock rates of neutral atoms – but still concluded that the limitations are “primarily at the level of engineering” and that, given the incentives, RSA will likely be broken within 15–20 years.
Covert Research and the Geopolitical Dimension
A majority of the 22 experts who weighed in on “under the radar” research – state-backed labs, stealth-mode companies, or malicious actors – indicated that covert efforts could shift the timeline by two or more years. Twenty-seven percent estimated the impact at more than three years. The report warns that covert successes would remain invisible, and that it is safer to assume the true threat is closer than what open publications suggest.
On the geopolitical front, North America’s position as the dominant quantum computing region has strengthened over the past two surveys, driven largely by U.S.-based error correction results and the DARPA Quantum Benchmarking Initiative. China is seen as the most likely challenger within five years, while Europe, despite currently being ranked on par with China, is viewed pessimistically for the future, with many respondents doubting it will maintain frontrunner status. As Daniel Gottesman of the University of Maryland observed, Europe lacks both the large-company investment seen in North America and the government-scale commitment seen in China.
Government Mandates Are Already Moving
The report situates its findings against a backdrop of accelerating government action. Canada’s recently released PQC roadmap requires every federal department to draft a migration plan by April 2026 and complete high-priority system transitions by end of 2031. The European Commission’s Coordinated PQC Transition Roadmap mandates deployment of post-quantum encryption across all EU member states beginning in 2026, with critical infrastructure operators completing their transition by end of 2030.
What the Report Doesn’t Say – My Analysis
I need to be upfront about something. The GRI report was published several weeks ago, and in previous years, I would have covered it the same week. This time, I hesitated – and the reason for that hesitation is, I think, worth examining.
In the weeks surrounding the report’s release, the quantum cryptanalysis landscape moved faster than at any point I can recall, with papers that were published and papers I had heard about and was expecting to be published any day. Google Quantum AI published new ECC resource estimates. The Oratomic/Caltech neutral atom results landed. The Pinnacle Architecture paper pushed RSA-2048 below 100,000 physical qubits under aggressive assumptions. Each of these developments told us something concrete and measurable about where the CRQC threshold actually sits. And each time I sat down to write about the GRI report, I found myself asking: does a survey of 26 people’s opinions about when RSA-2048 will be broken still move the needle, when we can increasingly measure the answer directly?
What sharpened that question was something I noticed when reading the report alongside the papers that had landed in the weeks surrounding its publication. When the experts cited recent theoretical advances, they referenced Gidney’s May 2025 sub-million-qubit estimate and Chevignard, Fouque, and Schrottenloher’s CRYPTO 2025 paper – both important, both published months before the survey closed. What they did not reference, and, to be fair, in most cases could not have referenced, were the results that arrived in the weeks after the survey’s close: Chevignard et al.’s follow-on EUROCRYPT 2026 paper (which further reduced logical qubit counts for ECDLP), the Pinnacle Architecture’s order-of-magnitude compression using qLDPC codes, Google Quantum AI’s new ECC resource estimates for cryptocurrency, or the Oratomic/Caltech demonstration of Shor’s algorithm at cryptographically relevant scales on neutral atoms.
I want to stress: this is not a criticism of the individual experts. You cannot reasonably fault someone for not mentioning a paper that hadn’t been published yet. But that is precisely the point. The fact that this many landscape-reshaping results – collectively redrawing the resource requirements for quantum cryptanalysis more dramatically than anything in the preceding two years – could land in the narrow window of a few weeks after survey closing illustrates the fundamental limitation of an annual opinion-based methodology. By the time the GRI report reached readers with its 28–49% ten-year estimate, the technical inputs to that estimate had already shifted materially. An opinion snapshot ages in ways that a capability-driven measurement does not.
I want to be fair to Dr. Mosca and Dr. Piani, whose work I have referenced for years and whose Mosca Inequality remains one of the most effective tools in quantum risk communication. The GRI report has served an important function: it gave the cybersecurity community a credible, citable number to put in front of boards and risk committees when “when should we worry about quantum?” was still an abstract question. That function was valuable. The question is whether, in 2026, we need something more.
Twenty-Six Experts Is Not Enough
The most immediate concern is the shrinking respondent pool. The 2025 survey collected responses from 26 experts, down from 32 in 2024 and 37 in 2023. In a survey where individual responses can swing aggregate averages – and where the report’s own authors acknowledge that “skewed distributions and/or outliers may affect the significance and interpretability of averages” – this matters.
The report uses coarse-grained likelihood bins (the middle bin, “neither likely nor unlikely,” spans 30% to 70%), and with only 26 respondents, a shift of two or three individuals between bins can produce headline-grabbing changes in the averaged estimates. The 15-percentage-point jump in the optimistic 10-year average (from 34% to 49%) sounds dramatic – but with a pool this small and bins this wide, it is difficult to distinguish genuine shifts in expert sentiment from statistical noise.
The report’s authors deserve credit for transparency about this limitation. They explicitly caution against over-interpreting trends and note the challenges of isolating confounding factors. But the headline numbers travel without those caveats. When a CISO cites “a 49% chance of CRQC by 2036” in a board presentation, the margin of error and the sample size tend to disappear.
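The sample-size and bin-width sensitivity discussed in this section, as an added worked example (not code from the GRI report or from this article): it rebuilds the 10-year response distribution from the counts quoted above, recomputes the pessimistic and optimistic averages, and measures how far they move when a few respondents change bins. Assumptions: the averages use each bin's lower and upper edge, the 1% and 95% bin edges, and the 3/4 split of the seven lowest responses; the remaining counts and edges come from figures on this page.

```python
from math import sqrt
from statistics import mean, stdev

# Likelihood bins as (lower %, upper %). The 5, 30, 70 and 99 edges appear in
# the article; the 1 and 95 edges are assumptions.
BINS = {
    "extremely unlikely": (0, 1), "very unlikely": (1, 5),
    "unlikely": (5, 30), "neither": (30, 70), "likely": (70, 95),
    "very likely": (95, 99), "extremely likely": (99, 100),
}

# 10-year responses rebuilt from the counts quoted in the article: 6 above 70%
# (one each "very" and "extremely" likely), 13 at ~50% or higher, 19 above 5%.
# The 3/4 split of the remaining 7 respondents is a constructed assumption.
COUNTS_10Y = {
    "extremely unlikely": 3, "very unlikely": 4,
    "unlikely": 6, "neither": 7, "likely": 4,
    "very likely": 1, "extremely likely": 1,
}


def expand(counts, edge):
    """One value per respondent; edge 0 = pessimistic (lower), 1 = optimistic (upper)."""
    return [BINS[name][edge] for name, n in counts.items() for _ in range(n)]


def averages(counts):
    """Return (pessimistic, optimistic) mean likelihood in percent."""
    return mean(expand(counts, 0)), mean(expand(counts, 1))


def move(counts, src, dst, k):
    """Return a copy of counts with k respondents moved from bin src to bin dst."""
    if counts[src] < k:
        raise ValueError(f"only {counts[src]} respondents in {src!r}")
    shifted = dict(counts)
    shifted[src] -= k
    shifted[dst] += k
    return shifted


def standard_error(counts, edge=1):
    """Standard error of the mean for one interpretation of the bins."""
    values = expand(counts, edge)
    return stdev(values) / sqrt(len(values))


if __name__ == "__main__":
    low, high = averages(COUNTS_10Y)
    print(f"n={sum(COUNTS_10Y.values())} pessimistic={low:.1f}% optimistic={high:.1f}%")
    for k in (1, 2, 3):
        l2, h2 = averages(move(COUNTS_10Y, "unlikely", "neither", k))
        print(f"{k} moved unlikely->neither: {l2:.1f}% / {h2:.1f}%")
    print(f"standard error (optimistic): {standard_error(COUNTS_10Y):.1f} points")
```

With these inputs the reconstruction reproduces the 28% and 49% headline averages. Moving three respondents from "unlikely" to "neither" lifts the optimistic average by about 4.6 points, and the standard error of that average is about 7 points.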
The Respondent Pool Has Blind Spots
Composition matters as much as size. Of the 26 respondents, the geographic distribution tilts heavily toward North America (9) and Europe (12), with only 3 from Asia and 2 from Oceania. There are zero respondents based in China – the country the report itself identifies as a rising quantum power that could match or exceed North American leadership within five years. This is a striking absence in a report that asks experts to assess timelines that will be shaped, in part, by Chinese research progress that operates with reduced transparency.
The institutional mix also raises questions. University-affiliated researchers dominate (10 at universities, with additional overlaps), and while several academics have industry connections, the report includes relatively few respondents from the companies actually building fault-tolerant quantum computers or from the national laboratories conducting classified research that the report acknowledges could shift timelines by years.
This is not a criticism of the individuals involved – the respondent list includes genuine luminaries like Peter Shor, Daniel Gottesman, and Ignacio Cirac. But a methodology that effectively asks “when do you think quantum computers will break RSA?” and averages the responses of 26 people is fundamentally different from tracking the engineering capabilities required to do so.
Opinion Surveys Cannot Track Exponential Progress
The timing problem I just described is not an accident – it is structural. The quantum computing landscape in 2025–2026 is moving faster than an annual opinion survey can capture. The papers that landed between survey close and publication are not incremental improvements. They represent order-of-magnitude reductions in the hardware required for cryptanalysis, arriving within weeks of each other. The report itself acknowledges that “respondents took part in the survey during a period when new results were announced, so their input may reflect a slightly different state of the field.” That is an understatement.
This is why I have advocated for a capability-driven approach to tracking CRQC readiness – one based on measurable engineering parameters rather than subjective probability estimates. My CRQC Quantum Capability Framework decomposes the path to Q-Day into nine specific technical capabilities, each with observable milestones and technology readiness levels. The CRQC Readiness Benchmark compresses these into three measurable levers – Logical Qubit Capacity (LQC), Logical Operations Budget (LOB), and Quantum Operations Throughput (QOT) – that anyone can track against published results. When Google publishes a new resource estimate or Quantinuum demonstrates a new error correction milestone, the impact on the readiness score can be assessed immediately using my Q-Day Estimator, rather than waiting for the next annual survey.
Expert opinion is not valueless – far from it. But opinion is a lagging indicator when the underlying science is accelerating. A capability-driven framework provides the leading indicators that opinion surveys, by design, cannot.
The RSA-2048 Focus Misses the Faster-Moving Target
The report asks exclusively about factoring RSA-2048 in 24 hours – a deliberate choice for consistency with previous editions. But the cryptographic landscape has shifted. For most organizations, the more immediate quantum threat targets elliptic curve cryptography (ECC), which underpins TLS, SSH, digital signatures, cryptocurrency, and most modern public-key infrastructure.
Breaking ECC-256 (the de facto standard for much of today’s encryption) requires significantly fewer quantum resources than breaking RSA-2048. As the recent Google cryptocurrency whitepaper demonstrated, the physical qubit estimates for ECC are roughly half those for RSA at comparable security levels. An organization benchmarking its quantum risk against RSA-2048 timelines may be systematically underestimating the threat to its ECC-dependent systems.
The report’s authors are well aware of this – the Mosca Inequality framework is algorithm-agnostic – but the survey instrument itself does not ask about ECC timelines, which leaves a meaningful gap in the data available to risk managers.
What This Means for Security Leaders
None of these methodological concerns change the fundamental message: the quantum threat is real, the timeline is tightening, and organizations that have not begun PQC migration planning are already behind. Whether the 10-year probability is 28% or 49% or something higher, the Mosca Inequality makes the calculus unforgiving. For any organization with data shelf-life extending beyond 2035 and migration timelines measured in years, the moment to act was already yesterday.
But the way you track the quantum threat matters. A single annual survey with 26 respondents cannot be the sole basis for a risk model. Security leaders should be triangulating across multiple data sources: the GRI report for expert sentiment, the BSI’s Status of Quantum Computer Development for hardware assessment (which estimated CRQCs within 15 years, possibly 10 with qLDPC advances), vendor roadmaps for near-term milestones, published resource estimates for the shrinking gap between available and required qubits, and capability-driven benchmarks for real-time progress tracking.
The GRI report remains a valuable input. It should not be the only one.
The Uncomfortable Question
There is one more observation worth making. The report states that even its pessimistic interpretation yields a 28% average probability of a CRQC within 10 years. It then notes that risk tolerance varies by organization.
Let me reframe that. If I told a CISO that there was a 28% chance their perimeter firewall would be rendered useless by 2036, they would not wait until 2035 to act. They would not form a committee to study the issue. They would begin remediation immediately.
The quantum threat is no different. The debate over whether the probability is 28% or 49% is, for practical purposes, irrelevant. Both numbers are far above the threshold that any competent risk management framework would flag as requiring immediate action. The fact that we are still debating timelines – rather than executing migrations – is itself the most dangerous finding in this report.