Meta has formally completed a post-quantum cryptography (PQC) migration across its internal systems and is now sharing a detailed playbook to guide other firms through the same high-stakes transition. The social media giant warns that store now, decrypt later (SNDL) attacks already threaten sensitive data, urging immediate adoption of new cryptographic standards.
“We are proposing the concept of PQC Migration Levels to help teams manage the complexity of updating their cryptographic protocols,” said a Meta spokesperson. “Our goal is to help others navigate this transition effectively, efficiently, and economically.”
Background: The Quantum Threat
Quantum computers are expected to break conventional public-key encryption within 10 to 15 years, security experts estimate. Meanwhile, adversaries are already harvesting encrypted data today, betting that future quantum machines will decrypt it — a strategy known as SNDL.
Both the U.S. National Institute of Standards and Technology (NIST) and the UK’s National Cyber Security Centre (NCSC) have issued guidance urging organizations to target 2030 for post-quantum protections in critical systems. NIST has published the first industry-wide PQC standards, including ML-KEM (Kyber) and ML-DSA (Dilithium). Notably, Meta cryptographers are co-authors of HQC, another newly selected algorithm.
Meta’s Migration Approach
Meta’s multi-year migration began with a comprehensive risk assessment and inventory of cryptographic assets across its global infrastructure. The company then deployed post-quantum encryption in phases, implementing strict guardrails to prevent regressions.
“We have billions of users relying on our platforms every day, so we maintained strong security throughout this process,” the spokesperson added. The framework emphasizes three core phases: risk assessment, inventory, and deployment with continuous monitoring.
PQC Migration Levels
To address the complexity of different use cases, Meta has introduced a tiered classification system called PQC Migration Levels. These levels range from Level 0 (no migration) to Level 4 (full post-quantum resilience), helping teams prioritize efforts based on risk exposure.
“Not every system requires the same level of protection,” the spokesperson explained. “These levels allow organizations to allocate resources where the threat is greatest.”
Meta’s own deployment achieved Level 3 across most internal services, with plans to reach Level 4 for the most sensitive data by 2025. The company has also published guardrails to ensure new deployments don’t introduce vulnerabilities.
What This Means for Industry
For enterprises, Meta’s blueprint offers a real-world validation that large-scale PQC migration is achievable today. The framework provides a clear roadmap, from initial evaluation to full deployment, that can be adapted to any organization.
The urgency is driven by the SNDL threat: any data encrypted today with conventional methods could be exposed once quantum computers mature. By adopting PQC standards now, organizations protect both current and future data.
Learn more about the quantum threat and see what this means for your organization’s timeline. Meta’s disclosure signals that the post-quantum era has already begun — and the time to act is now.