The 2030 and 2035 Encryption Deadlines Meet Your Decades-Long Duty of Confidentiality
NIST has published a timeline that would deprecate today's classical public-key encryption after 2030 and disallow it after 2035. That schedule collides directly with the legal profession's obligations, because privilege, trade secrets, and sealed matters routinely have to stay confidential for decades. Data captured today can be decrypted after the transition, which turns those deadlines into a present-day confidentiality question for any record that must outlive them.
NIST has published a timeline that would deprecate today's classical public-key encryption after 2030 and disallow it after 2035, and that schedule collides directly with the legal profession's confidentiality duties. Attorney-client privilege, trade secrets, and sealed settlements often have to stay confidential for decades, well past those dates. Because encrypted data captured today can be decrypted after the transition, records that must remain secret past roughly 2030 to 2035 are already inside the exposure window, which makes these deadlines a present concern rather than a distant one.
This article maps the National Institute of Standards and Technology (NIST) cryptographic transition dates onto the way law firms actually hold information, explains why long-lived legal records are the natural target, and describes how a firm can rank its data by confidentiality lifetime and protect the longest-lived material first. It aims to be plain about what is known, what is anticipated, and what does not exist yet. It is general information and not legal advice.
Two dates from NIST now sit on a collision course with legal confidentiality
NIST plans to deprecate classical public-key encryption after 2030 and disallow it after 2035. Legal confidentiality duties routinely run longer than that, so the collision is between a fixed transition calendar and obligations measured in decades.
The short version is this. NIST has moved post-quantum cryptography from research into published standards and has drafted a timeline for retiring the classical public-key algorithms that protect most data today. In its draft internal report IR 8547, NIST indicates that these classical algorithms are to be deprecated after 2030 and disallowed after 2035 [1]. Those two dates are the anchor for everything that follows.
For most organizations, a cryptographic transition is an infrastructure chore. For a law firm, it is something closer to an ethics problem, because the confidentiality obligations a firm carries do not run on the same clock as the encryption protecting them. A record that must stay sealed for twenty or thirty years is protected today by encryption that NIST intends to disallow within about a decade. The question a firm has to answer is not whether it can swap algorithms before 2035, but whether the material it is bound to keep secret will still be safe if today's encryption is captured and read after the transition.
That framing turns an abstract quantum worry into an ordinary risk-management exercise with a defined calendar. The dates are published, the replacement algorithms are published, and the only open variables are which of a firm's records must survive past those dates and how long they must survive.
What NIST published and why 2030 and 2035 are the dates that matter
NIST has taken two steps that together define the transition. First, in August 2024 it finalized its principal post-quantum standards: FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) for a second, hash-based signature scheme [2]. NIST has since selected HQC as an additional key-encapsulation algorithm, and that standardization work is underway [3]. These are the algorithms organizations are expected to adopt as classical cryptography is phased out.
Second, in its draft IR 8547, published in November 2024, NIST set out a transition timeline for the classical public-key algorithms in wide use today, including RSA, elliptic-curve signatures such as ECDSA, and Diffie-Hellman key establishment [1]. The timeline marks these algorithms as deprecated after 2030 and disallowed after 2035. Deprecation and disallowance are different events, and the distinction matters for legal records, which is covered further below.
The reason these dates carry weight is that they remove the guesswork. Before the standards existed, a firm that wanted to prepare faced a research problem about which algorithm to trust. With the standards finalized and the deprecation timeline drafted, the algorithms are named and the calendar is written down. The table below summarizes how the draft timeline treats the common classical public-key algorithm classes.
| Classical public-key algorithm class | Deprecated after | Disallowed after |
|---|---|---|
| RSA (encryption and signatures) | 2030 | 2035 |
| Elliptic-curve signatures (ECDSA, EdDSA) | 2030 | 2035 |
| Elliptic-curve key establishment (ECDH) | 2030 | 2035 |
| Finite-field key establishment and DSA (DH, DSA) | 2030 | 2035 |
The table reflects the transition timeline in NIST's draft IR 8547 for the commonly deployed classical public-key algorithm classes [1]. It is a draft, and a firm should confirm the current status and any final wording against NIST's own publication.
Harvest now, decrypt later is an anticipatory risk, not a present capability
Harvest now, decrypt later separates the theft from the payoff. The ciphertext is copied today and read later. No cryptographically relevant quantum computer exists yet and no source names a date, so the risk is anticipatory and turns on how long a record must stay secret.
The reason a future deprecation date creates a present problem is a strategy usually called harvest now, decrypt later. An adversary captures encrypted traffic or copies encrypted files today, stores them, and waits to decrypt them once a capable quantum computer exists. The data is unreadable at the moment it is taken, so the theft can pass without an alarm, a ransom demand, or any obvious sign that something of value has left the building.
It is important to be precise about the state of the threat. A cryptographically relevant quantum computer, one powerful enough to break today's classical encryption, does not exist yet, and no honest source names the day one will. The risk is anticipatory. It does not depend on predicting a date. It depends only on the observation that data captured today can be read later, combined with the fact that some records must stay confidential long enough for that later moment to arrive. The 2030 and 2035 dates are the transition NIST has scheduled, not a prediction of when decryption becomes feasible.
That is why the attack is a poor fit for short-lived data and a natural fit for long-lived data. Information that must stay secret for a few weeks is a weak target, because any future decryption arrives long after the value is gone. Information that must stay secret for decades keeps its value long enough to be worth harvesting and waiting on.
Why legal records sit inside the harvest window
Legal data sits at the far end of the confidentiality-lifetime spectrum, which places much of it inside the harvest window by default. Attorney-client privilege does not expire. Trade secrets keep their value only so long as they stay secret, which can be indefinitely. Sealed settlements are meant to stay sealed. Estate and minor matters, and long litigation holds, can keep records active for many years. Each of these is exactly the profile the harvest strategy is built to exploit.
Consider the comparison with the businesses a firm advises. A retailer's payment data loses most of its value within a short window, so an adversary who harvests it gains little by waiting. A firm's obligation to protect a client's privileged communications does not run on a timer, and the material it is bound to keep confidential is often the same material that would be most damaging if it surfaced years from now. The value of the secret and the duration of the duty rise together, and that alignment is precisely what harvest now, decrypt later rewards.
The practical consequence is that a firm cannot treat the 2030 and 2035 dates as a routine IT deadline it can meet at the last minute. For any record meant to stay sealed well beyond 2035, the protection wrapped around it today is the protection an adversary could capture today. If that protection is a classical algorithm on the deprecation list, the record is already exposed to a patient adversary, regardless of when the migration is eventually completed.
The categories of legal data that must outlive 2035
Not every file a firm holds is a harvest target, and the point of naming categories is to separate the durable records from the disposable ones. The records that must outlive the transition window are the ones to identify first, because their exposure window stays open the longest and their value survives until a decryption capability could plausibly exist. These tend to fall into a small number of recognizable groups.
Mapping data this way converts a hard-to-picture future threat into a concrete list a firm can work from, and it sets the migration order at the same time. The records with indefinite or decades-long confidentiality duties move first. Everything with a shorter duty can follow behind them.
- Privileged communications, which remain protected for as long as the privilege holds.
- Trade secrets and confidential business information, whose value depends on never being disclosed.
- Sealed settlements and protective-order material that are meant to stay sealed indefinitely.
- Estate, trust, and minor matters, where confidentiality can be required for decades.
- Long litigation holds and matter files that outlive the engagements that created them.
The groups above describe confidentiality lifetimes, not breach statistics. The common thread is a duty that extends past the 2030 to 2035 transition window [1].
How a firm can rank its records by confidentiality lifetime
The organizing idea is to protect the longest-lived records first, which means a firm needs a way to rank data by how long it must stay confidential rather than by how sensitive it feels today. The following sequence turns that idea into an ordered exercise, using the categories above and the transition dates NIST has published [1][2].
- Set the lifetime questionFor each class of records, ask a single question: how many years are we obligated to keep this confidential. Sort classes into short, medium, long, and indefinite lifetimes.
- Flag everything past the windowMark any class whose confidentiality duty runs past roughly 2030 to 2035, since those records are the ones a harvest strategy would still profit from after the transition.
- Locate the current protectionNote where classical algorithms such as RSA or elliptic-curve signatures protect those flagged records, because those are the algorithm classes NIST marks for deprecation after 2030 and disallowance after 2035 [1].
- Order the migration by lifetimeMove the indefinite and long-lived records onto the standardized post-quantum algorithms first, then work down toward shorter-lived data. The exposure window, not the file's daily importance, sets the order.
- Keep the calendar in viewTreat 2030 and 2035 as the outer boundary for records that must stay sealed well beyond them, not as a finish line that can be reached at the last minute.
Reading the deprecation dates the way a firm should
The two dates in the draft timeline are not a single event, and the difference between them maps neatly onto the confidentiality problem. Deprecation after 2030 signals that the classical algorithms named there are on their way out and should no longer be chosen for new protection. Disallowance after 2035 signals the end of their sanctioned use altogether [1]. For a record that only needs to stay secret for a short time, both dates are administrative. For a record that must stay sealed for decades, they mark the point by which the protection around it should already have been replaced.
Read this way, the dates are less a deadline for the firm's systems and more a boundary for the firm's obligations. A migration that finishes by 2035 satisfies the standard. It does not, on its own, undo a harvest that already happened. If a durable record was captured while still wrapped in a deprecated algorithm, completing the migration afterward does not retrieve the copy an adversary is holding. That is the reason the ranking exercise puts the longest-lived records at the front of the line rather than treating the whole estate as one deadline to hit in 2035.
What quantum-safe means, and what it does not
Quantum-safe means designed to resist a foreseeable quantum attack under current standards. It is not quantum-proof, and no cryptographically relevant quantum computer exists yet.
Quantum-safe means cryptography designed to resist attack by a future quantum computer. It does not mean quantum-proof, and the distinction is deliberate rather than cosmetic. A cryptographically relevant quantum computer does not exist yet, and describing an algorithm as resistant to a foreseeable quantum attack under current standards is an honest claim, while calling it quantum-proof would promise a permanence no one can guarantee. Cryptography is a moving field, and the accurate posture is the narrower one.
The reason to hold that line is practical, not pedantic. A firm evaluating its own posture, or a vendor's, is better served by a claim it can defend. Quantum-safe is a statement about design intent and resistance. Quantum-proof is a superlative that overstates what any algorithm can deliver, and it invites exactly the kind of scrutiny a careful firm should want to survive. When the underlying facts are that no capable quantum computer exists and no Q-Day date is known, the modest framing is also the truthful one.
Why QRNG and QKD are not post-quantum cryptography
Three terms share the word quantum and are easy to blur, so it helps to separate them. Post-quantum cryptography (PQC) refers to the standardized algorithms, such as ML-KEM, ML-DSA, and SLH-DSA, that run on ordinary computers and are designed to resist quantum attack [2]. Quantum random number generation (QRNG) and quantum key distribution (QKD) are different technologies that use quantum physics for other purposes. Neither is post-quantum cryptography, and neither is a substitute for the standardized algorithms.
The consequence for a firm is that a claim built on QRNG or QKD does not answer the question that actually matters. The material question about any durable legal record is whether the signatures and key encapsulation protecting it are built on the NIST-standardized post-quantum algorithms. A product can be genuinely described as quantum and still not be using PQC, which is why the vocabulary alone cannot settle whether a protection is fit for records that must outlive 2035. When evaluating a vendor, the useful test is narrow: are ML-KEM, ML-DSA, and SLH-DSA, the published standards, the algorithms doing the work.
- Ask whether the NIST-standardized post-quantum algorithms (ML-KEM, ML-DSA, SLH-DSA) are actually in use [2].
- Treat quantum-safe as a design claim about resistance, not a guarantee of permanent invulnerability.
- Do not accept QRNG or QKD as evidence of post-quantum cryptography, since they are separate technologies.
- Be wary of quantum-proof and similar superlatives, because no cryptographically relevant quantum computer exists yet.
How a firm can begin migrating its longest-lived records
From a ranked inventory, the practical move is to adopt cryptography built on the NIST-standardized post-quantum algorithms for the certifications, attestations, and records that must survive the transition, starting with the indefinite and decades-long material [2]. RankShield Legal signs and seals records with composite post-quantum signatures that pair ML-DSA and SLH-DSA, so that a record's integrity and provenance hold against a future quantum attack. A quantum-safe legal vault aimed at the longest-lived records is on the roadmap and in development rather than a finished product, and it is described that way deliberately.
Stated plainly, the posture is anticipatory and bounded. No one can name the day a cryptographically relevant quantum computer will exist, and this work does not depend on naming it. It depends only on two published facts: legal confidentiality obligations routinely outlast the transition NIST has scheduled, and the standardized algorithms to carry those obligations forward now exist [1][2]. Migrating the most durable records first is a reasonable response to a risk that is straightforward to prepare for and impossible to reverse once a record has already been harvested. For related background, see our notes on quantum-safe practices for law firms, the quantum-safe legal vault, the connection between data breaches and ransomware, and post-quantum encryption for law firms.
This article is general information about encryption transition timelines and post-quantum cryptography, and it is not legal advice. A firm should evaluate its own confidentiality obligations and security posture with qualified counsel and technical advisers.
Post-quantum deadlines self-test
Four questions on the NIST transition timeline and what it means for long-lived legal records.
-
1In NIST's draft IR 8547, after which year are classical public-key algorithms disallowed?
Answer: 2035
IR 8547 marks classical public-key algorithms as deprecated after 2030 and disallowed after 2035.
-
2Which records should a firm migrate to post-quantum protection first?
Answer: The longest-lived confidential records
The exposure window, not daily importance, sets the order, so indefinite and decades-long records move first because harvest now, decrypt later targets them.
-
3Which term does the post describe as the accurate, defensible claim?
Answer: Quantum-safe
Quantum-safe means designed to resist a foreseeable quantum attack under current standards. Quantum-proof overstates what any algorithm can deliver, and no cryptographically relevant quantum computer exists yet.
-
4Are QRNG and QKD the same as post-quantum cryptography?
Answer: No, they are separate technologies
QRNG and QKD use quantum physics for other purposes and are not substitutes for the NIST-standardized algorithms ML-KEM, ML-DSA, and SLH-DSA.
Honest self-check. There is no sign-up, and nothing is stored.
Straight answers to the common questions
The questions readers ask about this topic, answered directly. No forms, no sales pitch.
Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.
References
- NIST. IR 8547 (Initial Public Draft): Transition to Post-Quantum Cryptography Standards. Nov 2024. https://csrc.nist.gov/pubs/ir/8547/ipd
- NIST. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), finalized. Aug 2024. https://csrc.nist.gov/projects/post-quantum-cryptography
- NIST. Post-Quantum Cryptography project (HQC selected for standardization). 2026. https://csrc.nist.gov/projects/post-quantum-cryptography
Check a citation against live case-law
Paste a citation from an AI-drafted brief and see whether the case actually exists, resolved against live case-law. Free, no sign-up. Then request early access to certify a full filing.
Try the citation checker