President Trump signed an executive order on June 22, 2026 that sets hard federal deadlines for moving to post-quantum cryptography. High-value systems must switch to quantum-resistant key establishment by December 31, 2030 and to post-quantum digital signatures by the end of 2031. The order, Securing the Nation Against Advanced Cryptographic Attacks, pulls the government's timeline forward by four to five years from the 2035 target set in 2022. It does not mention satellites once. For the space sector it may be the most consequential cryptographic policy of the year, because a satellite launching in 2026 will still be in orbit long after the deadline passes, and no one can climb up to reprogram its cryptography.
What the order actually requires
The near-term clock starts fast. Within 30 days each agency has to name a migration lead who owns its cryptographic inventory. Within 90 days the Office of Management and Budget issues guidance requiring agencies to inventory their high-value assets, plan the migration, and submit that plan. NIST runs a pilot migration on a subset of its own systems, to be finished by December 31, 2027, part of a sequence of deadlines that reaches well past federal networks. The Federal Acquisition Regulatory Council has 180 days to propose a rule giving covered contractors until the end of 2030 to meet NIST's Federal Information Processing Standards, and a second proposed rule would require contractors to test for missing encryption and non-approved algorithms as part of their vulnerability disclosure programs. Most large US satellite operators hold government contracts, which puts them inside that contractor perimeter. National security systems run on a separate track under the NSA.
Why harvest-now-decrypt-later is worse in orbit
The threat driving those deadlines does not need a working quantum computer today. In a harvest-now-decrypt-later attack, an adversary records encrypted traffic now and stores it until a machine large enough to break the keys exists, a point most estimates place between 2033 and 2037. The order states plainly that adversaries may already be collecting this data. Anything that must stay secret into the 2030s is exposed the moment it is transmitted, and migrating in 2030 does nothing for what was captured in 2026.
Satellites sit at the far end of that problem. Their data stays valuable for a long time, since reconnaissance imagery, telemetry and intercepted communications can hold intelligence value for twenty to thirty years. Their command links are worse still, because telemetry, tracking and command (TT&C) traffic is a control channel rather than a data feed. It is what an operator uses to steer, reconfigure and update a spacecraft. An adversary who harvests encrypted TT&C now and decrypts it after quantum hardware arrives gains not old messages but insight into the commands that fly the satellite, and a path toward forging them.
The hardware makes it harder
Post-quantum algorithms are heavier than the ones they replace. NIST finalized its first three standards in August 2024: FIPS 203 (ML-KEM) for key establishment, FIPS 204 (ML-DSA) for digital signatures, and FIPS 205 (SLH-DSA) as a hash-based backup. Their keys and signatures are larger than the RSA and elliptic-curve versions they replace, which means more bandwidth, more memory and more processing for every secured exchange. On the ground that is a software update. On a power-limited, compute-limited spacecraft with a fixed radio budget it is a real engineering constraint, and the strain on satellite hardware is part of why a more compact signature scheme based on Falcon, known as FN-DSA, is still moving through standardization for bandwidth-constrained uses. Older satellites already in orbit may lack the headroom to run the new algorithms at all, which turns migration into a question of what to launch next rather than what to patch.
Who is already moving
Some operators now treat quantum-safe design as a launch requirement rather than a retrofit. In June 2026 SEALSQ described a Quantum Spatial Orbital Cloud, an orbital platform meant to deliver post-quantum-secure services from space, with a first satellite planned for the fourth quarter of 2026 and a constellation of up to 100 by 2033. Its sister company WISeKey has been testing post-quantum cryptography on small satellites since late 2025. In Europe, the Swiss Armed Forces have said publicly that satellite systems must move beyond traditional cryptography, and that future architectures will have to add quantum-safe methods without breaking day-to-day operations.
The common thread in serious plans is crypto-agility, the ability to swap algorithms without redesigning the whole system, usually deployed first as a hybrid that runs a classical and a post-quantum key exchange together so a flaw in either one does not break the link. In space that agility has to be built in before launch, because the alternative is a fifteen-year asset that cannot be changed.
Where satellites land in the order's scope
Two channels pull space systems into the order even though it never names them. The first is procurement, since the coming acquisition rule will require FIPS compliance from covered contractors by the end of 2030, and the satellite operators that sell capacity and services to the US government are covered contractors. The second is critical infrastructure. The order directs the agencies that manage risk for each infrastructure sector to work with CISA on migration plans, and commercial satellite networks sit inside the communications sector. A ground segment built on ordinary IT is the most exposed part of that chain and the easiest to bring into line. The spacecraft already in orbit are the part no rule can reach.
The executive order was signed on June 22, 2026 and reported by Cybersecurity Dive, Federal News Network and The Hacker News.




