UX Design & Webflow Agency NYC | Composite Global
All Posts

Quantum: Buy the Migration, Not the Machine

Share

Greg Cipolaro

June 26, 2026

Research

PDF
Download the full letter to print or read anytime
Download
PDF
Download the full letter to print or read anytime
Download

IN TODAY'S ISSUE:

  • Two executive orders signed on June 22, 2026, turn quantum computing from a research topic into a fixed deadline. One order, defensive, forces government and its contractors to start replacing today's encryption this decade; the other order, offensive, funds a national push to build quantum technology.
  • The money moves first to migration. The clearest opportunity is the broad set of companies that help organizations find, replace, and verify their security systems.
  • Pure quantum-computing bets are long-shot upside. The government is running this encryption-upgrade cycle ahead of any quantum breakthrough, so near-term spending flows toward migration rather than the machine-builders.
  • The risk to Bitcoin is how fast and credibly it can adapt, not an imminent break. Its conservative governance means the hard problem is not adopting post-quantum cryptography but addressing the meaningful share of supply in wallets that can't or won't be moved to quantum-safe addresses.

Executive Summary

On June 22, 2026, the White House issued two executive orders that move quantum computing from a long-term research topic to a near-term planning priority for governments and companies. The first is defensive: it requires federal agencies and their contractors to start replacing the encryption that protects today's data, communications, and software, on fixed deadlines later this decade. The second is offensive: it directs a national effort to accelerate American quantum computing, sensing, networking, and related supply chains.

The reason for urgency is not that a quantum computer capable of breaking today's encryption exists yet. It is that sensitive data stolen today could be unlocked years from now, so the work has to begin before the threat arrives. The practical takeaway for investors is that the first money will flow not to the companies promising quantum breakthroughs, but to the far larger set of companies that help organizations find, replace, and verify their encryption. This is closer to a multi-year infrastructure and compliance upgrade than a single technology bet.

The Migration Clock Starts: Quantum Policy Becomes a Procedural Investment Cycle

For years, quantum computing's (QC) promise and threat were technically credible and strategically consequential, but too far beyond investable time horizons for most allocators to underwrite. Recent advances in both quantum hardware and the algorithms that run on it have pulled those realities into sharper view. On June 22, 2026, the White House issued two executive orders that turn the quantum threat from a research problem into a procurement process. The Executive Order (EO) “Securing the Nation Against Advanced Cryptographic Attacks” is defensive: it forces federal agencies and contractors to begin replacing the cryptographic foundations that secure digital commerce, defense networks, software supply chains, cloud infrastructure, and financial markets. The EO “Ushering in the Next Frontier of Quantum Innovation” is offensive: it pushes the U.S. to accelerate quantum capability across computing, sensing, networking, and supply chains.

That distinction matters because markets chase the most spectacular version of a story. Quantum computing is bewildering. Cryptographic migration is not. The first investment cycle is unlikely to come from a broad commercial quantum-computing breakthrough. It is more likely to come from the less glamorous work of finding, replacing, validating, and governing cryptography across federal systems, contractor environments, cloud platforms, certificates, key-management systems, identity tools, payment rails, code-signing infrastructure, and long-lived data stores.

The administration's message is blunt: the quantum era is no longer a hypothetical future to monitor; it is a deadline to plan and budget. The central investment implication is equally blunt. The companies that control the migration path to mitigate quantum risk should benefit before the companies that promise quantum achievements reach their goals.

Defense: PQC Migration Turns Cryptographic Risk into an Infrastructure Cycle

The defensive executive order is the more financially actionable of the two because it stipulates dates, owners, inventories, pilots, procurement pressure, and contractor obligations. Federal agencies must transition high-value assets and high-impact systems to post-quantum cryptography (PQC) for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. A National Institute of Standards and Technology (NIST) internal pilot must be completed by December 31, 2027. Those dates transform quantum security from a standards discussion into an execution cycle.

The driver is not that a cryptographically relevant quantum computer (CRQC) has arrived. The driver is that long-lived encrypted data can be stolen today and decrypted later. That “harvest now, decrypt later” risk compresses the decision window for governments, banks, defense contractors, healthcare companies, cloud providers, telecom operators, and infrastructure owners holding data with a secrecy life measured in years rather than days. The exposure is concentrated in data that must stay confidential for years, such as state secrets, long-dated contracts, health and biometric records, and key material, which is the highest-priority harvest-now target.

The standards underpinning both migration tracks are already set. NIST finalized three Federal Information Processing Standards (FIPS) for PQC in August 2024 and has a fourth in draft (see table). Key establishment, the 2030 track, runs on ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). Digital signatures, the 2031 track, run on ML-DSA (Module-Lattice-Based Digital Signature Algorithm) and SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) today, with FN-DSA (Fast-Fourier-Transform over NTRU-Lattice-Based Digital Signature Algorithm) expected to add a compact-signature option on finalization.

The investment conclusion is that the bottleneck is not algorithm selection. The bottleneck is implementation. Agencies and enterprises need to know where cryptography lives, which vendors control it, which systems break when keys and signatures change, which certificates need replacement, which hardware security modules support new algorithms, which code-signing chains are exposed, and which suppliers can attest to quantum readiness. That is an infrastructure and compliance cycle.

Offense: Quantum Industrial Policy Creates Optionality, Not Commercial Applicability

The offensive executive order is about building national capability, not hardening today's infrastructure. It pushes the government to accelerate the full quantum stack: computing, sensing, networking, components, talent, supply chains, foundry access, and allied coordination. Its centerpiece is the Quantum Computer for Application Development and Discovery Science (QC-ADDS), a national effort to deliver at least one quantum computer to a Department of Energy (DOE) facility for quantum-enabled scientific discovery.

This is strategically important, but investors should resist treating it as proof of a broad commercial QC inflection. A government-backed machine at a DOE facility can validate capability, support research, and anchor public-private partnerships. It does not, by itself, close the technical or commercial gap to a CRQC.

The near-term offensive opportunity sits in quantum sensing rather than general-purpose computing, and it has the only hard deadline that maps to implementation: the order requires identification of at least three next-generation quantum sensor projects within 60 days and fielding by September 30, 2028. Quantum sensors measure faint signals (magnetic fields, gravity, acceleration, rotation, time, electromagnetic activity) that reveal what adversaries try to hide, jam, spoof, or move. The value is operational: navigation without GPS, detection of submarines or underground facilities, timing for distributed systems, and measurement in contested environments. That 2028 fielding date gives investors a more concrete path than the open-ended race to fault-tolerant quantum computing, because sensors reach defense use cases before quantum computers reshape commercial software markets. The offensive executive order also carries an alliance and denial dimension: export-control coordination, allied market access, and limits on adversary access to quantum-enabling technology, intended to widen the U.S. lead while reducing the payoff from harvested data.

How This Fits with Prior U.S. Agency PQC Work

The executive orders did not appear in a vacuum. NIST finalized the core PQC standards in August 2024 (FIPS 203, 204, 205 above), with FIPS 206 still in draft. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and NIST had already urged organizations to build quantum-readiness roadmaps, create cryptographic inventories, assess supply chains, and engage vendors before the threat becomes operational.

The new orders do not replace prior policy. They convert it into an execution regime. Before the orders, the policy architecture told organizations what migration would likely require. After the orders, federal agencies and contractors face named deadlines, accountable leads, pilot obligations, and procurement consequences.

The 2035 horizon set by National Security Memorandum 10 (May 2022) still matters as the broad outer boundary for deprecating quantum-vulnerable public-key cryptography. But for sensitive federal systems and contractors, 2035 is no longer the operative planning date. The operative window is now 2027 for pilots, 2030 for key establishment, and 2031 for digital signatures.

Financial Implications: Federal Baseline, Commercial Upside, Hardware Dispersion The Office of Management and Budget's (OMB) July 2024 Report on Post-Quantum Cryptography to Congress, prepared with the Office of the National Cyber Director (ONCD) and in collaboration with CISA and NIST, estimated roughly $7.1 billion to migrate prioritized federal non-National Security Systems to PQC between 2025 and 2035, in 2024 dollars. OMB itself flagged the figure as a rough order-of-magnitude estimate carrying a high but expected level of uncertainty. For investors, the number is best read as a federal floor, not a market size, because it excludes classified national-security systems, contractor remediation, commercial spillover in regulated sectors, and embedded upgrades across enterprise infrastructure.

The commercial opportunity is probably larger than standalone PQC forecasts suggest, but harder to see in reported revenue. A bank may spend on hardware security module (HSM) refreshes, certificate automation, cloud key management systems (KMS), vendor assessments, public key infrastructure (PKI) redesign, code-signing changes, virtual private network (VPN) upgrades, network security, and consulting without labeling any of it “PQC.” That weakens the clean total addressable market (TAM) attribution.

Quantum hardware has the widest forecast dispersion. Some observers imply a large 2030 quantum-computing market; others imply a modest adoption curve. The gap reflects unresolved questions around error correction, system uptime, benchmarking, cloud access, application fit, and willingness to pay before quantum advantage becomes repeatable across commercial workloads.

The financial hierarchy is therefore clear. PQC migration has the clearest deadline. Federal services have the clearest procurement channel. Cloud, key management, identity, PKI, HSMs, network security, and certificate automation have the clearest enterprise control points. Quantum hardware has the most upside convexity and the least near-term revenue certainty.

Institutional Investor Playbook: Migration Control Points Benefit Before Pure Quantum

The investable question is not which company is most exposed to quantum, but which company controls the migration path. The answer points toward cyber platforms, hyperscale cloud providers, identity vendors, certificate and PKI infrastructure, HSM and KMS providers, network security, zero-trust architecture, code-signing infrastructure, federal systems integrators, test-and-validation providers, and selected quantum-enabling component suppliers. The highest-confidence basket helps organizations inventory cryptography, manage certificates, rotate keys, validate modules, secure identities, modernize Transport Layer Security (TLS) and VPNs, update code-signing chains, and document compliance. These are not speculative quantum revenues. They are the workstreams that sit between a federal mandate and operational readiness. The cryptographic bill of materials that CISA must define turns invisible dependencies into auditable procurement facts, pulling discovery and inventory tooling to the front of the spend. Timing matters for sequencing. Federal systems integrators should see assessment and remediation-planning dollars first, in roughly 2026 to 2028, because migration begins with inventory, documentation, architecture, and testing. Software and platform vendors benefit later through upgrades, renewals, and retention. Hyperscalers may capture a large share of enterprise uplift because most companies consume cryptography through managed services rather than in-house cryptographic engineering.

The single highest-leverage catalyst to watch is the forthcoming Federal Acquisition Regulation (FAR) contractor rule. By extending NIST FIPS compliance to covered contractors on a fixed clock (compliance targeted by December 31, 2030), it is the mechanism that converts federal spend into commercial TAM. Its proposal and scope will affect the migration enablers more than any single agency milestone.

Pure-play quantum hardware should be sized as long-duration optionality, not the core expression of the orders. The policy tailwind is real, but the bridge from current hardware standards to those that are commercially viable remains technical and unsolved.

Crypto Investor Playbook: Price Governance Speed, Exposed-Key Risk, Custody Readiness

For crypto investors, quantum risk is not that Bitcoin or major networks break in 2026 or even the next few years. It is expected that markets will increasingly value the speed and credibility of cryptographic migration before any catastrophic event. Because technical solutions are already in the works, the relevant risk will shift from technical to governance, operational, and institutional

Nearly all major crypto assets rely on classical digital signatures. The exposed surfaces are revealed public keys, whether through address reuse or keys exposed natively on-chain. The assets most at risk are those with the slowest governance, largest exposed-value surfaces, and weakest migration incentives.

Bitcoin is the central case study because its monetary credibility rests partly on conservatism. That conservatism is a strength until migration becomes necessary. Roughly one third of the bitcoin supply sits in quantum-vulnerable form, concentrated in early pay-to-public-key (P2PK) coins and reused or otherwise exposed-pubkey addresses. The harder problem is not the supply held in active wallets that can be moved to quantum-safe addresses ahead of a credible threat. It is the unmovable coins: lost-key balances and Satoshi-era P2PK outputs that no coordinated migration can forcibly move, which become a standing bounty the moment a CRQC exists. A post-quantum transition would require coordination across developers, miners, nodes, wallets, exchanges, custodians, institutions, and users. Post-quantum signatures already exist. The hard part is moving a global monetary network to PQC without fracturing trust and deciding what happens to coins that cannot or will not move.

Investors should separate who sells the migration from who absorbs it. Custodians, wallets, and exchanges face PQC as a cost on their own infrastructure. The clearer beneficiaries sell the migration as their product: exposed-key analytics, audit firms, and migration-coordination services.

Final Thought: An Infrastructure Cycle Disguised as a Quantum Headline

The market will call this a quantum story because quantum is the headline, but the investable structure is an infrastructure cycle with a fixed regulatory clock and an uncertain threat date. The 2030 and 2031 migration deadlines matter because encrypted data stolen today cannot be unstolen if a CRQC arrives later. That asymmetry forces spending before proof of the threat, which is why the first revenue pool should sit in cryptographic inventory, key management, certificate automation, cloud security, identity, code signing, federal integration, and compliance tooling rather than pure quantum hardware.

The orders do not say quantum supremacy has arrived. They say yesterday’s public-key cryptography now has an expiration schedule. The investment question is whether the systems that secure money, identity, software, defense communications, cloud workloads, and digital property can migrate before the old cryptographic base becomes a standing liability. The first phase of the quantum era will not be won by the best machine narrative. It will be won by the companies that turn invisible cryptography into visible budgets, procurement rules, vendor selection, and recurring revenue pools.

Market Update

Bitcoin fell 5.8% this week, ending at $59,220, and hit a new cycle low near $58K. This extended a drawdown that increasingly resembles the drawdown phase of prior 4-year cycles. The depth and duration of the drawdown and on-chain metrics reinforce the cycle theory. ETF outflows, weak CME futures basis, and long liquidations drove another de-risking leg. The pressure was broader than crypto, with the AI trade reversing before stabilizing on Micron’s earnings and SpaceX giving back much of its post-IPO gains. The S&P 500 fell 1.9%, and the Nasdaq Composite was down 4.4%. Oil dropped 6.1% as Iran-related risk premium faded. Traditional fixed income held up better, with IG credit up 0.3%, HY flat, and long Treasuries up 0.7%.

MSTR and STRC added to the negative tone after STRC fell to an all-time low of $74 versus its intended $100 price, raising concerns about MSTR’s interest burden and liability growth. Much of the public discourse seems hyperbolic as MSTR still has $52B of assets against $22B of liabilities. With STRC well below $100 and the equity now trading at its NAV, 2 ATM funding channels are effectively shut, limiting incremental bitcoin purchases and the ability to squirrel away cash. Investors should know that MSTR traded below NAV for many months during the last bitcoin drawdown, so the current compression looks less like an idiosyncratic credit event and more like another marker of where we are in the bitcoin cycle.

Important News This Week

Investing:

The Debasement Trade Is Unraveling and Kevin Warsh Is One Big Reason - Bloomberg

Regulation and Taxation:

In Clarity Act's Final Weeks, its Path Through U.S. Senate not Getting Much Clearer - CoinDesk

Companies & Technology:

All Eyes on Strategy's June 30 Ex-Dividend Date and Monthly STRC Dividend Rate Reset - CoinDesk

BitGo Cuts 15% of Staff to Refocus on AI Infrastructure and Stablecoins - The Block

The Runes Revival: Bitcoin Traffic Hits a Two-Year High as Transactions Blast Past 820,000 - CoinDesk

Upcoming Events

July 14 - CPI release
July 29 - FOMC interest rate decision
July 31 - CME expiry

Start Reading
Start Reading

IN TODAY'S ISSUE:

  • Two executive orders signed on June 22, 2026, turn quantum computing from a research topic into a fixed deadline. One order, defensive, forces government and its contractors to start replacing today's encryption this decade; the other order, offensive, funds a national push to build quantum technology.
  • The money moves first to migration. The clearest opportunity is the broad set of companies that help organizations find, replace, and verify their security systems.
  • Pure quantum-computing bets are long-shot upside. The government is running this encryption-upgrade cycle ahead of any quantum breakthrough, so near-term spending flows toward migration rather than the machine-builders.
  • The risk to Bitcoin is how fast and credibly it can adapt, not an imminent break. Its conservative governance means the hard problem is not adopting post-quantum cryptography but addressing the meaningful share of supply in wallets that can't or won't be moved to quantum-safe addresses.

Executive Summary

On June 22, 2026, the White House issued two executive orders that move quantum computing from a long-term research topic to a near-term planning priority for governments and companies. The first is defensive: it requires federal agencies and their contractors to start replacing the encryption that protects today's data, communications, and software, on fixed deadlines later this decade. The second is offensive: it directs a national effort to accelerate American quantum computing, sensing, networking, and related supply chains.

The reason for urgency is not that a quantum computer capable of breaking today's encryption exists yet. It is that sensitive data stolen today could be unlocked years from now, so the work has to begin before the threat arrives. The practical takeaway for investors is that the first money will flow not to the companies promising quantum breakthroughs, but to the far larger set of companies that help organizations find, replace, and verify their encryption. This is closer to a multi-year infrastructure and compliance upgrade than a single technology bet.

The Migration Clock Starts: Quantum Policy Becomes a Procedural Investment Cycle

For years, quantum computing's (QC) promise and threat were technically credible and strategically consequential, but too far beyond investable time horizons for most allocators to underwrite. Recent advances in both quantum hardware and the algorithms that run on it have pulled those realities into sharper view. On June 22, 2026, the White House issued two executive orders that turn the quantum threat from a research problem into a procurement process. The Executive Order (EO) “Securing the Nation Against Advanced Cryptographic Attacks” is defensive: it forces federal agencies and contractors to begin replacing the cryptographic foundations that secure digital commerce, defense networks, software supply chains, cloud infrastructure, and financial markets. The EO “Ushering in the Next Frontier of Quantum Innovation” is offensive: it pushes the U.S. to accelerate quantum capability across computing, sensing, networking, and supply chains.

That distinction matters because markets chase the most spectacular version of a story. Quantum computing is bewildering. Cryptographic migration is not. The first investment cycle is unlikely to come from a broad commercial quantum-computing breakthrough. It is more likely to come from the less glamorous work of finding, replacing, validating, and governing cryptography across federal systems, contractor environments, cloud platforms, certificates, key-management systems, identity tools, payment rails, code-signing infrastructure, and long-lived data stores.

The administration's message is blunt: the quantum era is no longer a hypothetical future to monitor; it is a deadline to plan and budget. The central investment implication is equally blunt. The companies that control the migration path to mitigate quantum risk should benefit before the companies that promise quantum achievements reach their goals.

Defense: PQC Migration Turns Cryptographic Risk into an Infrastructure Cycle

The defensive executive order is the more financially actionable of the two because it stipulates dates, owners, inventories, pilots, procurement pressure, and contractor obligations. Federal agencies must transition high-value assets and high-impact systems to post-quantum cryptography (PQC) for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. A National Institute of Standards and Technology (NIST) internal pilot must be completed by December 31, 2027. Those dates transform quantum security from a standards discussion into an execution cycle.

The driver is not that a cryptographically relevant quantum computer (CRQC) has arrived. The driver is that long-lived encrypted data can be stolen today and decrypted later. That “harvest now, decrypt later” risk compresses the decision window for governments, banks, defense contractors, healthcare companies, cloud providers, telecom operators, and infrastructure owners holding data with a secrecy life measured in years rather than days. The exposure is concentrated in data that must stay confidential for years, such as state secrets, long-dated contracts, health and biometric records, and key material, which is the highest-priority harvest-now target.

The standards underpinning both migration tracks are already set. NIST finalized three Federal Information Processing Standards (FIPS) for PQC in August 2024 and has a fourth in draft (see table). Key establishment, the 2030 track, runs on ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). Digital signatures, the 2031 track, run on ML-DSA (Module-Lattice-Based Digital Signature Algorithm) and SLH-DSA (Stateless Hash-Based Digital Signature Algorithm) today, with FN-DSA (Fast-Fourier-Transform over NTRU-Lattice-Based Digital Signature Algorithm) expected to add a compact-signature option on finalization.

The investment conclusion is that the bottleneck is not algorithm selection. The bottleneck is implementation. Agencies and enterprises need to know where cryptography lives, which vendors control it, which systems break when keys and signatures change, which certificates need replacement, which hardware security modules support new algorithms, which code-signing chains are exposed, and which suppliers can attest to quantum readiness. That is an infrastructure and compliance cycle.

Offense: Quantum Industrial Policy Creates Optionality, Not Commercial Applicability

The offensive executive order is about building national capability, not hardening today's infrastructure. It pushes the government to accelerate the full quantum stack: computing, sensing, networking, components, talent, supply chains, foundry access, and allied coordination. Its centerpiece is the Quantum Computer for Application Development and Discovery Science (QC-ADDS), a national effort to deliver at least one quantum computer to a Department of Energy (DOE) facility for quantum-enabled scientific discovery.

This is strategically important, but investors should resist treating it as proof of a broad commercial QC inflection. A government-backed machine at a DOE facility can validate capability, support research, and anchor public-private partnerships. It does not, by itself, close the technical or commercial gap to a CRQC.

The near-term offensive opportunity sits in quantum sensing rather than general-purpose computing, and it has the only hard deadline that maps to implementation: the order requires identification of at least three next-generation quantum sensor projects within 60 days and fielding by September 30, 2028. Quantum sensors measure faint signals (magnetic fields, gravity, acceleration, rotation, time, electromagnetic activity) that reveal what adversaries try to hide, jam, spoof, or move. The value is operational: navigation without GPS, detection of submarines or underground facilities, timing for distributed systems, and measurement in contested environments. That 2028 fielding date gives investors a more concrete path than the open-ended race to fault-tolerant quantum computing, because sensors reach defense use cases before quantum computers reshape commercial software markets. The offensive executive order also carries an alliance and denial dimension: export-control coordination, allied market access, and limits on adversary access to quantum-enabling technology, intended to widen the U.S. lead while reducing the payoff from harvested data.

How This Fits with Prior U.S. Agency PQC Work

The executive orders did not appear in a vacuum. NIST finalized the core PQC standards in August 2024 (FIPS 203, 204, 205 above), with FIPS 206 still in draft. The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and NIST had already urged organizations to build quantum-readiness roadmaps, create cryptographic inventories, assess supply chains, and engage vendors before the threat becomes operational.

The new orders do not replace prior policy. They convert it into an execution regime. Before the orders, the policy architecture told organizations what migration would likely require. After the orders, federal agencies and contractors face named deadlines, accountable leads, pilot obligations, and procurement consequences.

The 2035 horizon set by National Security Memorandum 10 (May 2022) still matters as the broad outer boundary for deprecating quantum-vulnerable public-key cryptography. But for sensitive federal systems and contractors, 2035 is no longer the operative planning date. The operative window is now 2027 for pilots, 2030 for key establishment, and 2031 for digital signatures.

Financial Implications: Federal Baseline, Commercial Upside, Hardware Dispersion The Office of Management and Budget's (OMB) July 2024 Report on Post-Quantum Cryptography to Congress, prepared with the Office of the National Cyber Director (ONCD) and in collaboration with CISA and NIST, estimated roughly $7.1 billion to migrate prioritized federal non-National Security Systems to PQC between 2025 and 2035, in 2024 dollars. OMB itself flagged the figure as a rough order-of-magnitude estimate carrying a high but expected level of uncertainty. For investors, the number is best read as a federal floor, not a market size, because it excludes classified national-security systems, contractor remediation, commercial spillover in regulated sectors, and embedded upgrades across enterprise infrastructure.

The commercial opportunity is probably larger than standalone PQC forecasts suggest, but harder to see in reported revenue. A bank may spend on hardware security module (HSM) refreshes, certificate automation, cloud key management systems (KMS), vendor assessments, public key infrastructure (PKI) redesign, code-signing changes, virtual private network (VPN) upgrades, network security, and consulting without labeling any of it “PQC.” That weakens the clean total addressable market (TAM) attribution.

Quantum hardware has the widest forecast dispersion. Some observers imply a large 2030 quantum-computing market; others imply a modest adoption curve. The gap reflects unresolved questions around error correction, system uptime, benchmarking, cloud access, application fit, and willingness to pay before quantum advantage becomes repeatable across commercial workloads.

The financial hierarchy is therefore clear. PQC migration has the clearest deadline. Federal services have the clearest procurement channel. Cloud, key management, identity, PKI, HSMs, network security, and certificate automation have the clearest enterprise control points. Quantum hardware has the most upside convexity and the least near-term revenue certainty.

Institutional Investor Playbook: Migration Control Points Benefit Before Pure Quantum

The investable question is not which company is most exposed to quantum, but which company controls the migration path. The answer points toward cyber platforms, hyperscale cloud providers, identity vendors, certificate and PKI infrastructure, HSM and KMS providers, network security, zero-trust architecture, code-signing infrastructure, federal systems integrators, test-and-validation providers, and selected quantum-enabling component suppliers. The highest-confidence basket helps organizations inventory cryptography, manage certificates, rotate keys, validate modules, secure identities, modernize Transport Layer Security (TLS) and VPNs, update code-signing chains, and document compliance. These are not speculative quantum revenues. They are the workstreams that sit between a federal mandate and operational readiness. The cryptographic bill of materials that CISA must define turns invisible dependencies into auditable procurement facts, pulling discovery and inventory tooling to the front of the spend. Timing matters for sequencing. Federal systems integrators should see assessment and remediation-planning dollars first, in roughly 2026 to 2028, because migration begins with inventory, documentation, architecture, and testing. Software and platform vendors benefit later through upgrades, renewals, and retention. Hyperscalers may capture a large share of enterprise uplift because most companies consume cryptography through managed services rather than in-house cryptographic engineering.

The single highest-leverage catalyst to watch is the forthcoming Federal Acquisition Regulation (FAR) contractor rule. By extending NIST FIPS compliance to covered contractors on a fixed clock (compliance targeted by December 31, 2030), it is the mechanism that converts federal spend into commercial TAM. Its proposal and scope will affect the migration enablers more than any single agency milestone.

Pure-play quantum hardware should be sized as long-duration optionality, not the core expression of the orders. The policy tailwind is real, but the bridge from current hardware standards to those that are commercially viable remains technical and unsolved.

Crypto Investor Playbook: Price Governance Speed, Exposed-Key Risk, Custody Readiness

For crypto investors, quantum risk is not that Bitcoin or major networks break in 2026 or even the next few years. It is expected that markets will increasingly value the speed and credibility of cryptographic migration before any catastrophic event. Because technical solutions are already in the works, the relevant risk will shift from technical to governance, operational, and institutional

Nearly all major crypto assets rely on classical digital signatures. The exposed surfaces are revealed public keys, whether through address reuse or keys exposed natively on-chain. The assets most at risk are those with the slowest governance, largest exposed-value surfaces, and weakest migration incentives.

Bitcoin is the central case study because its monetary credibility rests partly on conservatism. That conservatism is a strength until migration becomes necessary. Roughly one third of the bitcoin supply sits in quantum-vulnerable form, concentrated in early pay-to-public-key (P2PK) coins and reused or otherwise exposed-pubkey addresses. The harder problem is not the supply held in active wallets that can be moved to quantum-safe addresses ahead of a credible threat. It is the unmovable coins: lost-key balances and Satoshi-era P2PK outputs that no coordinated migration can forcibly move, which become a standing bounty the moment a CRQC exists. A post-quantum transition would require coordination across developers, miners, nodes, wallets, exchanges, custodians, institutions, and users. Post-quantum signatures already exist. The hard part is moving a global monetary network to PQC without fracturing trust and deciding what happens to coins that cannot or will not move.

Investors should separate who sells the migration from who absorbs it. Custodians, wallets, and exchanges face PQC as a cost on their own infrastructure. The clearer beneficiaries sell the migration as their product: exposed-key analytics, audit firms, and migration-coordination services.

Final Thought: An Infrastructure Cycle Disguised as a Quantum Headline

The market will call this a quantum story because quantum is the headline, but the investable structure is an infrastructure cycle with a fixed regulatory clock and an uncertain threat date. The 2030 and 2031 migration deadlines matter because encrypted data stolen today cannot be unstolen if a CRQC arrives later. That asymmetry forces spending before proof of the threat, which is why the first revenue pool should sit in cryptographic inventory, key management, certificate automation, cloud security, identity, code signing, federal integration, and compliance tooling rather than pure quantum hardware.

The orders do not say quantum supremacy has arrived. They say yesterday’s public-key cryptography now has an expiration schedule. The investment question is whether the systems that secure money, identity, software, defense communications, cloud workloads, and digital property can migrate before the old cryptographic base becomes a standing liability. The first phase of the quantum era will not be won by the best machine narrative. It will be won by the companies that turn invisible cryptography into visible budgets, procurement rules, vendor selection, and recurring revenue pools.

Market Update

Bitcoin fell 5.8% this week, ending at $59,220, and hit a new cycle low near $58K. This extended a drawdown that increasingly resembles the drawdown phase of prior 4-year cycles. The depth and duration of the drawdown and on-chain metrics reinforce the cycle theory. ETF outflows, weak CME futures basis, and long liquidations drove another de-risking leg. The pressure was broader than crypto, with the AI trade reversing before stabilizing on Micron’s earnings and SpaceX giving back much of its post-IPO gains. The S&P 500 fell 1.9%, and the Nasdaq Composite was down 4.4%. Oil dropped 6.1% as Iran-related risk premium faded. Traditional fixed income held up better, with IG credit up 0.3%, HY flat, and long Treasuries up 0.7%.

MSTR and STRC added to the negative tone after STRC fell to an all-time low of $74 versus its intended $100 price, raising concerns about MSTR’s interest burden and liability growth. Much of the public discourse seems hyperbolic as MSTR still has $52B of assets against $22B of liabilities. With STRC well below $100 and the equity now trading at its NAV, 2 ATM funding channels are effectively shut, limiting incremental bitcoin purchases and the ability to squirrel away cash. Investors should know that MSTR traded below NAV for many months during the last bitcoin drawdown, so the current compression looks less like an idiosyncratic credit event and more like another marker of where we are in the bitcoin cycle.

Important News This Week

Investing:

The Debasement Trade Is Unraveling and Kevin Warsh Is One Big Reason - Bloomberg

Regulation and Taxation:

In Clarity Act's Final Weeks, its Path Through U.S. Senate not Getting Much Clearer - CoinDesk

Companies & Technology:

All Eyes on Strategy's June 30 Ex-Dividend Date and Monthly STRC Dividend Rate Reset - CoinDesk

BitGo Cuts 15% of Staff to Refocus on AI Infrastructure and Stablecoins - The Block

The Runes Revival: Bitcoin Traffic Hits a Two-Year High as Transactions Blast Past 820,000 - CoinDesk

Upcoming Events

July 14 - CPI release
July 29 - FOMC interest rate decision
July 31 - CME expiry

Start Reading
Start Reading

This report has been prepared solely for informational purposes and does not represent investment advice or provide an opinion regarding the fairness of any transaction to any and all parties nor does it constitute an offer, solicitation or a recommendation to buy or sell any particular security or instrument or to adopt any investment strategy. Charts and graphs provided herein are for illustrative purposes only. This report does not represent valuation judgments with respect to any financial instrument, issuer, security or sector that may be described or referenced herein and does not represent a formal or official view of New York Digital Investment Group or its affiliates (collectively NYDIG).It should not be assumed that NYDIG will make investment recommendations in the future that are consistent with the views expressed herein, or use any or all of the techniques or methods of analysis described herein. NYDIG may have positions (long or short) or engage in securities transactions that are not consistent with the information and views expressed in this report. The information provided herein is valid only for the purpose stated herein and as of the date hereof (or such other date as may be indicated herein) and no undertaking has been made to update the information, which may be superseded by subsequent market events or for other reasons. The information in this report may contain forward-looking statements regarding future events, targets or expectations. NYDIG neither assumes any duty to nor undertakes to update any forward-looking statements. There is no assurance that any forward-looking events or targets will be achieved, and actual outcomes may be significantly different from those shown herein. The information in this report, including statements concerning financial market trends, is based on current market conditions, which will fluctuate and may be superseded by subsequent market events or for other reasons. Information furnished by others, upon which all or portions of this report are based, are from sources believed to be reliable. However, NYDIG makes no representation as to the accuracy, adequacy or completeness of such information and has accepted the information without further verification. No warranty is given as to the accuracy, adequacy or completeness of such information. No responsibility is taken for changes in market conditions or laws or regulations and no obligation is assumed to revise this report to reflect changes, events or conditions that occur subsequent to the date hereof. Nothing contained herein constitutes investment, legal, tax or other advice nor is it to be relied on in making an investment or other decision. Legal advice can only be provided by legal counsel. NYDIG shall have no liability to any third party in respect of this report or any actions taken or decisions made as a consequence of the information set forth herein. By accessing this report, the recipient acknowledges its understanding and acceptance of the foregoing terms.

newsletter

Sign up for weekly research

Subscribe now to learn what’s driving bitcoin markets, track significant regulatory developments, and get the data that deserves your attention.

Featured Research & Insights

Quantum: Buy the Migration, Not the Machine

Quantum: Buy the Migration, Not the Machine

Quantum: Buy the Migration, Not the Machine
Research
June 26, 2026
Read Now
Cycle Narratives and What Comes Next

Cycle Narratives and What Comes Next

Cycle Narratives and What Comes Next
Research
June 12, 2026
Read Now
What’s Weighing on Bitcoin?

What’s Weighing on Bitcoin?

What’s Weighing on Bitcoin?
Research
June 5, 2026
Read Now
Let's Connect

Want to learn more about NYDIG?

Please complete the contact form, and we will help you find the right person to learn more.