What the order actually mandates

On 22 June 2026 a US executive order set fixed timelines for moving federal cryptography to post-quantum standards. Sensitive federal systems, described in the order as high value assets and high impact systems, must transition to post-quantum key establishment by 31 December 2030, with digital signatures, the mechanism behind authentication, following by the end of 2031. The order frames this as protection against a future in which large-scale quantum computers can break the encryption in wide use today.

The part that reaches beyond government is procurement. The order directs the responsible council to publish a proposed rule requiring covered federal contractors to comply with the relevant NIST FIPS standards, including those incorporating post-quantum algorithms, by 31 December 2030. That contractor rule is still at the proposed stage, so its precise scope can shift before it is final. The direction of travel, however, is clear: post-quantum readiness is moving from a specialist topic into a condition of doing business with the US federal government.

Why a US mandate lands on a German owner

A German company is not directly bound by a US executive order. The mechanism that matters is the supply chain. When a requirement is written into US federal contracts, it tends to flow down through prime contractors to their subcontractors and vendors, wherever those sit. A Mittelstand supplier, a service provider, or a family-office vehicle that touches a US federal contract can find a post-quantum clause arriving from a customer rather than a regulator, on the customer's timeline rather than one you chose.

The harvest-now-decrypt-later warning is the reason this cannot simply wait until 2030. The order states plainly that adversaries may collect encrypted information now and decrypt it later once quantum computers are capable. That reframes today's protected data as already at risk if it must stay confidential for years. Contracts, financial records, health and personal data, and anything with a long secrecy life are the exposed categories, because they must still be confidential at a point when the encryption around them may no longer hold.

What is worth doing now, and what to wait on

The measured response is not to rush into buying new cryptography. Because the contractor rule is still a proposal and standards are still settling, the technical migration can follow the timeline the order sets out. What should not wait is the inventory work that every later step depends on. That means knowing which of your data flows are genuinely sensitive, how long each must stay confidential, and which customer relationships could carry a post-quantum requirement down to you. None of that requires deep technical decisions yet.

This is a governance question before it is an IT project, and it is one an owner is well placed to frame. Treating 2030 as the deadline understates the point, because the data you send today is what a decrypt-later adversary is interested in now. A short, honest map of long-life sensitive data and exposed contracts turns a distant foreign mandate into a set of decisions you can make deliberately, in the order that suits your business rather than a customer's contract cycle. This is reporting on what the order says and what it implies, not legal advice on your specific obligations.