Migration Is Happening – With or Without You
“There’s no cryptographically relevant quantum computer yet. But the standards are here. The implementations are real. The migration is happening.”
That’s the no-nonsense message from Dr Jeremy Bradley, Principal Technical Director at the UK’s National Cyber Security Centre (NCSC), on the latest episode of Shielded: The Last Line of Cyber Defense. And it’s a message organisations can’t afford to ignore. For years, conversations around post-quantum cryptography (PQC) have hinged on one question: When will a quantum computer capable of breaking today’s encryption actually arrive? But according to Jeremy, that framing misses the point. “The thing we do have certainty about is the existence of standards, the existence of implementations of those standards,” he said. “What we really want to do is pitch the migration to PQC as a large-scale technology change programme. That’s the thing most organisations know how to do and have some experience of.”
A Guidance-First Approach, Not a Mandate
Unlike other government bodies, the NCSC doesn’t create policy; it provides technical guidance. But that hasn’t stopped it from influencing change across the UK’s critical national infrastructure. Through sector-specific relationships and advisory frameworks, the NCSC supports regulators and policymakers by embedding technical knowledge in the systems that matter most. “We have teams responsible for each of the major critical national infrastructure sectors,” Jeremy explained. “We work closely with departments like finance, telecoms, energy, and transport to build forward-looking strategies that don’t rely on enforcement, but still create real movement.” That includes PQC migration. The NCSC’s recently published Timelines for Migration to Post-Quantum Cryptography lays out a practical roadmap stretching to 2035, with sector readiness, not quantum hype, driving the timeline.
The Real Threat Is Legacy Infrastructure
According to Jeremy, waiting for a cryptographically relevant quantum computer (CRQC) is not only risky, it’s irrelevant. “In some numbers of years’ time, classical public key cryptography will effectively become a legacy technology,” he said. That’s where the real danger lies. The longer organisations wait, the more likely they are to be left with unsupported infrastructure and fragmented systems. “The risk isn’t a quantum computer will be here by year end,” Jeremy said. “It is that without action, they’ll run the risk of holding substantial legacy IT estates.” And legacy risk, as he points out, brings two major challenges: technology that becomes increasingly difficult to maintain, and complexity from running outdated systems in parallel with modern ones.
Discovery First, Then Migration
So, where should organisations begin? “Understanding what your critical systems are. Who the suppliers are for those systems. What’s your supply chain. Which ones are you responsible for managing and owning,” Jeremy advised. He emphasised that this isn’t just about cryptographic algorithms; it’s about systems thinking. Start with visibility, inventory, and architecture. Know how your data moves, how it’s protected, and where long-lived roots of trust exist. And if you rely on external vendors, now is the time to apply pressure. “Individual companies may not be able to directly affect how an individual supplier plans their migration, but groups of companies within the sector certainly can,” Jeremy noted.
Align PQC With Your Tech Refresh
Budget concerns are a reality. But Jeremy’s advice is clear: “Trying to drive a cryptography programme independently of a broader technology refresh programme isn’t gonna work, that’s effectively asking for two sets of investment.” Instead, organisations should align PQC migration with existing hardware or system upgrade cycles. Especially for long-lifecycle environments, like healthcare, utilities, or industrial systems, the migration must ride alongside infrastructure renewal. Because for many of these environments, downtime isn’t even an option. “In the IT space, we’re used to thinking about confidentiality, integrity, authenticity,” Jeremy said. “But for services that people’s lives depend on, availability is a critical property. And managing migration in systems that have to be always online is an interesting challenge.”
Build the Ecosystem
Migration can’t happen in silos, which is why the NCSC is also launching a pilot programme to certify consultancies in PQC readiness. The aim is to build a strong base of skilled advisors who can support public and private sector organisations through the discovery, planning, and implementation phases. “It’ll encourage larger consultancies to build cryptographic expertise,” Jeremy said. “And it’ll give lines of work to smaller or more bespoke consultancies.” This kind of support will be critical in the years ahead. As global standards evolve and compliance expectations tighten, organisations will need partners who understand both the technical detail and the operational strategy behind a successful migration.
Final Advice: Keep It Simple, Stay Strategic
When asked what advice he’d give to organisations just beginning their PQC journey, Jeremy kept it practical:
“Carry out good cyber hygiene. Good cyber practice. For many SMEs and commercial businesses, migration will be delivered by service providers. But you still need to ask the right questions. Understand your infrastructure. Know your vendors. And don’t wait.”
Because the message is clear:
Migration isn’t a future threat. It’s today’s responsibility.
You can hear the full conversation with Jeremy B. on Shielded: The Last Line of Cyber Defense, available now on Apple Podcasts, Spotify, and YouTube.