Internationally, it’s becoming clear that there is now a critical need for timely, comprehensive, and co-ordinated transition to PQC.
With the threat of ‘harvest now, decrypt later’ in play, and the fact that complex systems or devices with long lifespans require significant time for transition, many international governments, cyber agencies and departments have identified this as a serious risk, given the shortening quantum timeline. That’s why, the EU’s PQC Workstream has now published Part 1 of ‘A Co-ordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography’, the first deliverable from the NIS Cooperation Group (NISCG) in response to the European Union’s recommendations set out in April 2024.
The Roadmap presents a comprehensive approach for Member States to navigate the transition both on a political level, and with collaboration between industry and academics. It aims to connect high level strategy with key technical requirements, and importantly, specifies milestones for implementation.
Milestone 1: December 31, 2026. Member States are required to lay the groundwork for national PQC transition. This includes: identifying stakeholders, completing inventories that support cryptographic asset management and dependency maps. It’s important to include the supply chain, and create a national awareness and communication program.
Milestone 2: December 31, 2030. Implement next steps. By this date, a quantum-safe upgrade path is required, supporting PQC transition for all high-risk use cases. Resources should be allocated, and there needs to be dialogue with the private sector regarding services, PQC training alongside international collaboration.
Milestone 3: December 31, 2035. In line with the USA’s NSM-10 and the NCSC recommendations, by this date PQC transition for medium-risk use cases is required, and either hybrid or fully standardized and tested PQC should be completed for as many systems as possible.
Interestingly, the document emphasizes that for high-risk use cases, “quantum-vulnerable public key mechanisms shall not be used stand-alone after the end of 2030.” Clearly, for critical data requiring confidentiality for at least 10 years, or products with an expected lifetime beyond 2030, any upgrade mechanism itself must incorporate post-quantum signature schemes.
The Roadmap gives helpful classification of high, medium and low risk (based on section 2.4 of The PQC Migration Handbook), and outlines in detail the First Steps (Milestone 1) and Next Steps (Milestone 2). It makes it clear that regardless of the threat from quantum computing, these steps increase the resilience of systems – emphasizing that the actions we take today protect us tomorrow as the threat landscape evolves.
The EU is acting as a major catalyst for this change, and as the roadmaps increasingly align on both sides of the Atlantic, it’s a key reminder of the way in which international collaboration and co-operation are essential to the effort – something which we value highly at PQShield. We’re building solutions for the supply chain that enhance cryptographic agility, deploy the latest standardized PQC algorithms, and are designed to keep hardware and software protected from the threats of tomorrow.