NIST finalized three post-quantum cryptographic standards in August 2024. That was twenty months ago. And as of April 2026, the majority of commercial VPN services still haven’t shipped quantum-resistant encryption to their users. I think that’s indefensible.
The argument for waiting (that quantum computers capable of breaking RSA-2048 or elliptic-curve Diffie-Hellman are still a decade away) misses the point so completely it’s almost suspicious. The threat model that matters right now isn’t a quantum computer cracking your tunnel in real time. It’s someone capturing your encrypted traffic today and storing it until the hardware catches up. Intelligence agencies, state-sponsored groups, and well-funded criminal operations have been doing exactly this for years. The NSA’s own targeting procedures, which surfaced again in March 2026 during the FISA 702 renewal debate, treat any traffic routed through foreign infrastructure as presumptively foreign. Your encrypted VPN session traveling through a server in Amsterdam doesn’t just look like foreign traffic. Under current US intelligence doctrine, it is foreign traffic.
That stored session becomes a liability the moment a sufficiently powerful quantum machine comes online.
“Harvest Now, Decrypt Later” Stopped Being a Thought Experiment Around 2023
The phrase gets thrown around in marketing copy, but the underlying attack has a boring, practical history. Telecom backbone taps, submarine cable interception programs, cooperative agreements with transit providers: bulk data collection infrastructure has existed and expanded for decades. What changed is the storage economics. Keeping petabytes of encrypted traffic used to be expensive. It isn’t anymore. And the NIST standardization of ML-KEM (formerly CRYSTALS-Kyber), ML-DSA, and SLH-DSA in 2024 happened specifically because the US government concluded the threat was real enough to formalize the response.
NordVPN understood this early. They shipped post-quantum encryption on Linux via NordLynx back in September 2024, collected performance data for months, then rolled it across Windows, macOS, iOS, and Android by May 2025. ExpressVPN integrated PQE into its Lightway protocol in January 2025 and launched it across all platforms simultaneously. Mullvad, characteristically, had been working on quantum-resistant tunnels since 2017 and was arguably ahead of the standards themselves.
Those three moved. Everyone else is still talking about roadmaps.
Who’s Actually Shipping, and Who’s Writing Blog Posts About It
Surfshark finally added PQE to WireGuard in January 2026, but only on macOS, Linux, and Android. iOS and Windows support is listed as “coming soon,” which in product roadmap language could mean anything from next month to never. Their implementation is solid, a layered approach using ML-KEM on top of the existing Curve25519 handshake, but partial platform coverage in Q1 2026 is late. Gizmodo’s recent comparison of vpn providers breaks down which services have actually delivered PQE across all platforms versus those still promising it, and the gap is wider than most people assume.
Proton VPN is the most interesting case because they’re simultaneously the most trusted name in privacy-focused VPN infrastructure and the most conspicuously absent from the PQE conversation. Their fall/winter 2025-2026 roadmap mentions post-quantum encryption under the header “in the future,” buried beneath a new Linux CLI and server selection improvements. David Peterson, Proton’s General Manager, told TechRadar in early 2025 that developing PQE is “a marathon, not a sprint” and that they want to “battle-test these quantum-resistant algorithms.” I respect the caution. But NordVPN’s Linux rollout was explicitly designed as a battle-test, and it took them eight months to go from Linux-only to full platform coverage.
Proton is rebuilding their entire VPN architecture from scratch, which is the stated reason for the delay. Fair enough. But “we’re building something better” is also what companies say when they’re behind.
PureVPN and Windscribe offer partial PQE support. IPVanish announced plans for a 2025 release (per Tom’s Guide, May 2025), but no public confirmation of a shipped product has surfaced since. CyberGhost and Private Internet Access remain entirely without quantum-resistant options.
The Protocol Problem No One Wants to Acknowledge
Here’s what bothers me most about the current state of PQE in VPNs. Every implementation so far is WireGuard-only (or, in ExpressVPN’s case, Lightway-only). NordVPN’s PQE requires NordLynx and is incompatible with OpenVPN, obfuscated servers, dedicated IPs, and Meshnet. Surfshark’s PQE activates automatically on WireGuard but doesn’t touch OpenVPN connections.
This matters because OpenVPN remains the protocol of choice for users in censored environments. WireGuard’s traffic signature is easier to fingerprint and block than OpenVPN running over TCP port 443 with obfuscation. The people who need quantum-resistant encryption most urgently — journalists, activists, dissidents routing traffic through foreign servers that intelligence agencies are specifically watching — are frequently the same people forced to use OpenVPN because WireGuard gets blocked.
A Surfshark study from January 2026 found that only 8% of the 40 most popular consumer apps had implemented any form of post-quantum cryptography. The banking and shopping categories scored zero. If the apps your VPN is protecting don’t have PQE either, you might reasonably ask what the point is. The answer: the VPN tunnel is the one piece of infrastructure you actually control. You can’t make your bank adopt ML-KEM. You can choose a provider that already has.
What This Means If You’re Choosing a Provider in 2026
The calculus has shifted. Twelve months ago, PQE was a nice-to-have differentiator for early adopters. Now, with NIST standards finalized, multiple providers shipping production-ready implementations, and the FISA 702 debate reminding everyone that captured VPN traffic has legal implications, quantum resistance belongs on the requirements list.
NordVPN has the most complete implementation. ExpressVPN matched it on timeline. Mullvad was first but operates with a smaller server footprint. Surfshark is catching up but hasn’t finished the job. Proton is building something ambitious that doesn’t exist yet.
If you’re running a development team with remote contributors pushing code over VPN tunnels, or managing cloud infrastructure from networks you don’t fully trust, the encryption protecting those sessions needs to survive longer than five years. That’s not a prediction about quantum computing timelines. It’s a statement about how long sensitive source code, credentials, and infrastructure configurations remain valuable to an attacker.The providers that shipped PQE in 2024 and 2025 made a bet that their users’ traffic has a shelf life longer than the time remaining before quantum decryption becomes practical. I think that bet was correct. And the providers still waiting are making the opposite bet with their customers’ data.