As we begin 2026, it's only 2 years until the first key milestone highlighted in the NCSC (National Cyber Security Centre) “Timelines for migration to post-quantum cryptography (PQC)”. Quantum computers have the potential to crack widely used cryptographic algorithms, threatening the confidentiality and integrity of critical data. Enterprise Architecture (EA) can play a pivotal role in enabling organisations to prepare for and adopt post-quantum security measures.
Key Milestones
As highlighted in the report, the key milestones are:
- By 2028: Define migration goals, conduct a full discovery exercise, and build an initial migration plan.
- By 2031: Carry out early, high-priority PQC migration activities and refine the migration plan.
- By 2035: Complete the migration to PQC for all systems, services, and products.
The Role of Enterprise Architecture
Enterprise Architecture provides a holistic framework for aligning IT strategy with business objectives. By mapping out systems, processes and data flows, EA enables organisations to identify vulnerabilities and plan for robust security solutions. When it comes to post-quantum security, EA serves as the blueprint for integrating new cryptographic standards across the enterprise.
Key Ways EA Facilitates Post-Quantum Security
The Open Group Architecture Framework (TOGAF) provides a comprehensive methodology for developing, managing, and governing enterprise architecture and I have used this below to show where it adds value.
- Strategic Planning: EA helps assess the current cryptographic landscape and develop a roadmap for migrating to quantum-resistant solutions. This includes prioritising the systems and data that are most at risk. TOGAF’s Preliminary and Architecture Vision phases guide the establishment of the architectural capability and the definition of high-level aspirations. EA enables a thorough assessment of existing cryptographic assets and sets the direction for a quantum-resistant roadmap. This phase can be used to prioritise critical systems and data, aligning security goals with business objectives and stakeholder needs.
- Standardisation: By enforcing architectural standards, EA ensures consistency in the adoption of post-quantum algorithms across different platforms and departments. TOGAF’s core architecture domains (Business, Application, Data and Technology) provide a structured approach for enforcing architectural standards. EA ensures that post-quantum algorithms are consistently adopted across platforms and the business, promoting interoperability and compliance. Standardisation is achieved through reference models, common principles and governance structures defined in these domains.
- Risk Management: EA supports comprehensive risk assessments, enabling the organisation to understand the potential impact of quantum threats and to address them proactively. TOGAF incorporates continuous requirements management and robust governance processes. EA, in alignment with these practices, supports conducting comprehensive risk assessments to understand quantum threats, evaluate their impact and proactively implement mitigating controls. Regular reviews and compliance checks ensure risks are managed throughout the architecture lifecycle.
- Change Management: Transitioning to post-quantum security requires significant organisational change. EA facilitates this by coordinating stakeholders, processes, and technologies to ensure smooth implementation. TOGAF’s Implementation Governance and Migration Planning phases are vital for orchestrating organisational change. EA coordinates stakeholder engagement, process redesign and technology upgrades, facilitating a smooth transition to PQC. Formal change management ensures all parties are informed, prepared and equipped to adapt to new protocols and standards.
- Future-Proofing: EA promotes adaptability, ensuring that the architecture can evolve as PQC standards mature and new threats emerge. TOGAF emphasises continuous improvement and adaptability through its Opportunities and Solutions and Architecture Change Management phases. EA leverages these to monitor the evolution of post-quantum standards and emerging threats, updating architectures as needed. This ensures the enterprise remains resilient and can quickly respond to new challenges, maintaining a robust security posture over time.
Steps for Enterprises to Take Now
- Begin by inventorying all systems and data that rely on cryptography.
- Engage with industry standards bodies and stay informed on PQC developments.
- Update the Enterprise Architecture to reflect quantum security requirements and plan for phased adoption.
- Train technical teams and stakeholders on the implications of quantum threats and the need for new security protocols.