Cloudflare establishes 4 critical points in its transition to post-quantum cryptography.
With quantum computing, any login key is a potential threat.
Cloudflare announced today, April 7, 2026, a drastic restructuring of its security roadmap, setting 2029 as the new goal to achieve comprehensive post-quantum protection.
The web infrastructure company justifies this acceleration after the recent advances reported by Google and Oratomicwhich suggest that “Q Day” — the moment when quantum computing breaks current cryptographic encryption — could occur as early as 2030, with attacks targeting high-value targets as early as 2029.
According to Bas Westerbaan, head of Cloudflare’s post-quantum strategy, computing based on neutral atoms has demonstrated superior scalability.
While in superconducting systems approximately 1,000 physical qubits are required to generate a logical qubit (with error correction), Oratomic showed that with neutral atoms the ratio is only 3 to 4 physical qubits for each logical qubit. This reduces the hardware needed to break the P-256 encryption to just 10,000 qubits, significantly lower than previous projections that placed the threat within the next decade.
It is explained in the release from Cloudflare that, until now, the industry was focused on mitigating “immediate collection and subsequent decryption” (HNDL) attacks, where adversaries save data today to decrypt it in the future. Cloudflare claims that 65% of its human traffic already uses PQ encryption to neutralize this risk.
However, the new schedule prioritizes authentication. With a Q Day imminent, The concern shifts to the possibility of attackers using quantum computers to impersonate servers, forge code signatures, and compromise root certificates.
“Any remote login key becomes an access point,” the company warns, noting that compromised authentication is “catastrophic” and requires years of migration into third-party dependency chains.
Cloudflare has established four critical milestones for its transition:
- Mid-2026: PQ authentication support (ML-DSA algorithm) for connections between Cloudflare and origin servers.
- Mid-2027: Implementation of Merkle Tree certificates for connections between visitors and the Cloudflare network.
- Early 2028: Full PQ security in the Cloudflare One (SASE) suite.
- 2029: Full post-quantum security availability on all services and plans.
The Google report referred to by Cloudflare has been reviewed by CriptoNoticias. It shows that quantum computing would take approximately 9 minutes to break Bitcoin’s cryptography, although, it is worth clarifying, the technology to perform such an action does not yet exist.
An essential update with global impact
To measure the impact of this transition, it is necessary to specify that cloudflare It is one of the fundamental pillars of modern internet infrastructure.
The company processes approximately 20% of all global web traffic and provides services to more than 25 million internet properties, ranging from government portals and financial entities to cryptocurrency exchanges.
Its core functions include massive denial-of-service (DDoS) mitigation, content delivery network (CDN) management, and DNS resolution.
Because it acts as an intermediate node (proxy) for a fifth of global navigation, Its migration to post-quantum standards ensures that a vast portion of economic and data activity on the network is natively protected before quantum hardware is capable of compromising current security.