The 2031 deadline - what the BSI's warning about classical encryption actually means

A few months ago, I was in an internal meeting when someone asked: "Do we really need to think about quantum computers right now?" I thought about it for a second and said: yes. Because by the time we decide to think about it, now will already be gone.

In February 2026, the German Federal Office for Information Security (BSI) made this concrete: classical asymmetric encryption schemes like RSA must no longer be used on their own after the end of 2031. Hybrid is then mandatory; classical alone will no longer be sufficient.

What the BSI actually said

This is not a vague future prediction. The BSI has set concrete deadlines in its revised Technical Guideline TR-02102. Asymmetric algorithms like RSA are vulnerable to Shor's algorithm on a sufficiently powerful quantum computer. The BSI places Q-Day, the point when this becomes realistically achievable, at around 2030.

That sounds far away. But it is not, once you consider how long migrations take in mature IT landscapes that have grown over many years.

The problem that already exists today

There is an attack that rarely makes headlines but is one of the most dangerous ones: "store now, decrypt later." Attackers collect encrypted data today, cannot decrypt it yet, and simply wait for quantum computers to arrive. Then they decrypt everything retrospectively.

This means: data that is transmitted or stored today and still needs protection in five years must already be secured with quantum-resistant methods. Not in 2030. Now.

As an Information Security Coordinator (ISC), I felt this very concretely when we started inventorying systems with long data retention periods. You quickly realize how many of them use RSA or similar schemes that look fine on paper today, but represent a real risk under this attack scenario.

What this means for organizations

For organizations subject to NIS2 or operating in regulated industries, the BSI now recommends Post-Quantum Cryptography as the "state of the art" under GDPR. That is not a nice-to-have. If you ignore it and something goes wrong, you will have to explain why you did not act despite clear official guidance.

The approach the BSI recommends is hybrid: combine classical algorithms with post-quantum algorithms. This gives you the security of both components, so the combination holds as long as either one does, and it avoids having to replace everything at once, which is often technically impossible anyway.

What to do right now

Three steps I would recommend, without going into specific products:

1. Inventory. Which systems use which cryptographic methods? That sounds straightforward, but it usually is not. Certificates, VPN connections, signatures, stored encrypted data. It adds up fast.

2. Prioritize by data sensitivity and retention period. Not everything needs to migrate at once. What is most sensitive and stored the longest comes first. What will be replaced in two years anyway can wait.

3. Build a migration plan with realistic timelines. 2031 feels like a long time. Once you have finished the inventory, set priorities, had the budget approved, coordinated with vendors, and run tests, 2031 is suddenly tight. Starting now means you still have room to breathe.
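As an added example (not part of the original post), the triage logic behind steps 2 and 3 in Python: it classifies a constructed inventory under the store-now-decrypt-later scenario using the Q-Day and 2031 dates from the post. The asset fields, the sensitivity scale, and the sample inventory are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Dates taken from the post: BSI puts Q-Day at around 2030 and bans classical-only
# asymmetric schemes after the end of 2031. Everything else here is constructed.
Q_DAY = date(2030, 1, 1)
BSI_DEADLINE = date(2031, 12, 31)
CLASSICAL_ONLY = {"RSA", "ECDSA", "ECDH", "DH", "X25519"}
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "HYBRID"}  # FIPS 203/204/205 or hybrid

@dataclass
class Asset:
    name: str
    algorithm: str                      # asymmetric scheme protecting the data or channel
    sensitivity: int                    # 1 (low) .. 3 (high), assigned by the data owner
    retention_years: int                # how long the data must stay confidential from today
    replaced_by: Optional[date] = None  # planned decommissioning of the system, if any

def classify(asset: Asset, today: date) -> str:
    """Triage one asset: 'exposed' (store-now-decrypt-later applies, migrate first),
    'deadline' (must be hybrid/PQC before end of 2031), 'can-wait' (retired before the
    deadline and data no longer sensitive by Q-Day) or 'ok' (already quantum-safe)."""
    alg = asset.algorithm.upper()
    if alg in QUANTUM_SAFE:
        return "ok"
    if alg not in CLASSICAL_ONLY:
        raise ValueError(f"unknown algorithm for {asset.name}: {asset.algorithm}")
    protection_end = today + timedelta(days=round(365.25 * asset.retention_years))
    if protection_end > Q_DAY:
        return "exposed"   # ciphertext captured today becomes readable once Q-Day arrives
    if asset.replaced_by is None or asset.replaced_by > BSI_DEADLINE:
        return "deadline"  # system outlives the BSI deadline with classical-only crypto
    return "can-wait"

RANK = {"exposed": 0, "deadline": 1, "can-wait": 2, "ok": 3}

def prioritize(assets: List[Asset], today: date) -> List[Tuple[str, str]]:
    """Migration order: exposure class first, then sensitivity, then retention period."""
    key = lambda a: (RANK[classify(a, today)], -a.sensitivity, -a.retention_years)
    return [(a.name, classify(a, today)) for a in sorted(assets, key=key)]

# Constructed sample inventory, evaluated at a fixed date so the result is reproducible.
TODAY = date(2026, 3, 1)
INVENTORY = [
    Asset("HR archive (encrypted backups)", "RSA", 3, 10),
    Asset("Site-to-site VPN", "ECDH", 2, 1),
    Asset("Legacy reporting tool", "RSA", 1, 1, replaced_by=date(2028, 6, 30)),
    Asset("New document store", "HYBRID", 3, 10),
    Asset("Partner file exchange", "RSA", 2, 5),
]
```

Running `prioritize(INVENTORY, TODAY)` puts the two RSA-protected long-retention assets first, the VPN (which outlives 2031) second, and the tool retired in 2028 last among the classical ones.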

Closing thought

The BSI's message is clear, even if it arrives quietly. The end of classical encryption is no longer a theoretical scenario. It has a deadline. And anyone responsible for IT security who is not planning today will have to explain why in a few years.

Honestly, I find this a good situation to be in: a concrete deadline, a clear standard (NIST FIPS-203/204/205), and official guidance. That makes the internal case much easier to argue than most other security topics I have dealt with.