Cloudflare has announced a major acceleration of its post-quantum security roadmap, committing to achieve full quantum-resistant protection across its global network by 2029. The move reflects mounting evidence that advances in quantum computing could threaten today’s encryption standards sooner than previously anticipated.
The company’s updated roadmap expands beyond encryption to include post-quantum authentication — a critical but more complex layer of internet security that ensures identities, certificates, and digital signatures remain trustworthy in a quantum era. Cloudflare emphasized that while significant progress has already been made, the industry must act with urgency to safeguard the internet’s foundational trust systems.
Rising Urgency Driven by Breakthroughs in Quantum Computing
Recent developments in quantum research have significantly shortened the expected timeline for “Q-Day” — the moment when quantum computers can break widely used cryptographic systems. New findings suggest that algorithms capable of compromising elliptic curve cryptography and RSA encryption may require far fewer resources than previously believed.
Cloudflare’s decision aligns with similar moves by industry leaders, including Google, signalling a broader consensus that the transition to post-quantum cryptography must happen within the next few years rather than decades.
“Credible new research and rapid industry developments suggest that the deadline to migrate is much sooner than expected,” Cloudflare noted, highlighting the need for organizations to accelerate their own readiness efforts.
From Encryption to Authentication: The Next Frontier
Cloudflare has already made substantial progress in deploying post-quantum encryption. Since 2022, the company has enabled quantum-resistant encryption for all websites and APIs on its platform, helping mitigate “harvest now, decrypt later” attacks — where encrypted data is captured today and decrypted once quantum capabilities mature.
Today, more than 65% of human-generated traffic on Cloudflare’s network is already protected using post-quantum encryption.
However, encryption alone is not sufficient. The company’s new roadmap prioritizes post-quantum authentication — the systems that verify identities and establish trust across the internet. These systems are significantly harder to upgrade due to their reliance on certificates, legacy infrastructure, and complex dependencies across vendors and devices.
Security experts warn that authentication vulnerabilities could allow attackers to forge credentials and gain direct access to systems once quantum capabilities mature, making this layer a top priority.
A Phased Roadmap to 2029
Cloudflare outlined a multi-stage plan to achieve full post-quantum security:
- Mid-2026: Introduction of post-quantum (PQ) authentication using ML-DSA for Cloudflare-to-origin connections.
- Mid-2027: Deployment of PQ authentication for visitor-to-Cloudflare connections, enabled through Merkle Tree Certificates.
- Early 2028: Integration of PQ authentication into the Cloudflare One SASE suite, achieving full PQ security across the platform.
- 2029: Completion of Cloudflare’s transition to a fully post-quantum secure network
The company plans to deploy these capabilities by default, ensuring customers benefit from enhanced security without requiring manual configuration — continuing its long-standing approach of making advanced security broadly accessible.
What Cloudflare Recommends
Cloudflare recommends that businesses make post-quantum support a requirement for any procurement. Common best practices, such as keeping software updated and automating certificate issuance, remain meaningful and can go a long way. The company also advises organizations to assess critical vendors early to understand the potential business impact if those vendors fail to take action.
For regulatory agencies and governments, Cloudflare notes that leading with early timelines has been crucial for industry-wide progress to date. The company emphasizes that the industry is now at a pivotal moment, where fragmentation in standards and efforts—both between and within jurisdictions—could put progress at risk. Cloudflare recommends that governments assign and empower a lead agency to coordinate the migration on a clear timeline, maintain a strong focus on security, and promote the use of existing international standards. While there is no need for panic, governments are encouraged to lead the transition with confidence.
For Cloudflare customers, the company states that no mitigating action is required with respect to its services. Cloudflare is closely monitoring advancements in quantum computing and taking proactive steps to protect customer data. As with previous security upgrades, post-quantum protections will be enabled by default, with no action required from users. However, the company notes that elements outside its control—such as browsers, applications, and origin infrastructure—will also need to upgrade. For corporate network traffic, Cloudflare highlights that Cloudflare One provides end-to-end protection when traffic is tunneled through its post-quantum encrypted infrastructure.
Cloudflare underscores that privacy and security are foundational to the Internet. As such, every post-quantum upgrade it develops will be made available to all customers, across all plans, at no additional cost. The company believes that making post-quantum security the default is essential to protecting the Internet at scale.
Cloudflare also points to its past efforts, noting that free TLS helped encrypt the web, and that free post-quantum cryptography will play a similar role in securing the Internet for the future.
