The UK’s National Centre for Cyber Security (NCSC) has released updated guidance on PQC migration in its new publication, Timelines for migration to post-quantum cryptography – specifying three key milestones for 2028, 2031, and 2035.
The guidance, following NCSC’s article ‘Next steps in preparing for post-quantum cryptography‘ is aimed at stakeholders and technical decision makers, and focuses on proactive planning, managing the cryptography ecosystem, and building cyber resilience into future systems. Significantly, it provides a defined roadmap, and important advice to UK industry, government and regulators, and while sectors may vary, the publication outlines the necessary steps and activities ahead, on the journey towards quantum security.
The key milestones are as follows:
- By 2028 – Define migration goals and build an initial plan. This phase includes assessing services and infrastructure to plan for upgrade to PQC, and could include:
- By 2031 – Early, high-priority migration activity. The NCSC also suggest refining the plan to show a ‘thorough roadmap’ for completion of migration.
- By 2035 – Complete migration of PQC to all systems, services and products. While some rarely-used technologies might be harder to upgrade by this deadline, NCSC points out that all organizations should work towards this target.
This three-phase focus on developing, implementing, and refining a robust plan for migration is important. The NCSC emphasizes that PQC migration should be done carefully, strategically, and without introducing new security risks. For this reason, the report also provides a number of helpful stages for developing a plan, including an understanding of your current estate, prioritizing activities based on sensitive or most-valuable assets or data, and emphasizing testing and validation throughout.
With the standardization of PQC algorithms underway, alongside vendor validation of these algorithms in 2025, it’s inevitable that adoption and efficiency of post-quantum algorithms will increase over the next couple of years. In fact, some of the mechanisms that drive security for web browsers and messaging apps have already been bolstered with PQC defenses, and there are major updates on the way from standards defining organizations, and in several sectors. The NCSC advises organizations to build flexibility into migration plans with future adaptation in mind.
“A successful migration,” concludes the report, “will be underpinned by good asset management, clear views into your systems, services and infrastructure, and actively managed supply chains. All these are aspects of good cyber security governance… and provide a natural framework for a large cryptographic migration alongside broader improvements to cyber resilience.“
It’s interesting to note the timeline, coalescing around a 10-year time scale, particularly with NIST’s 2024 recommended deprecation of vulnerable cryptographic algorithms by 2035, and the White House push for federal systems to upgrade in the same timeframe.
The NCSC believes that 10 years is sufficient for the maturity of PQC standards, product ecosystems, and widespread adoption – a view that resonates with us at PQShield, driving the urgency to build solutions that meet the compliance timelines, and helping the world move forwards to quantum security.
“This transition to new cryptographic standards will be the most significant technological shift we have faced this century. IT leaders in every business need to have the PQC transition on their agenda and allocate the time and resources necessary to deliver it, or they risk falling behind the timeline.” – Ali El Kaafarani, PQShield founder.