With quantum computing progressing, transitioning to post-quantum cryptography (PQC) is crucial. Quantum computers threaten current cryptographic systems because they can efficiently solve the complex mathematical problems that asymmetric Public Key Cryptography (PKC) relies on.
Post-Quantum Cryptography (PQC), or quantum-resistant cryptography, is the development of algorithms that are secure against attacks by quantum computers. These algorithms rely on problems that quantum computers can’t solve efficiently.
The NCSC (National Cyber Security Centre) has released the “Timelines for migration to post-quantum cryptography” today (20/03/25), detailing the steps organisations need to take to protect against the threat from quantum computers by migrating to Post-Quantum Cryptography (PQC).
The national migration to PQC is a major technological shift that will take years, and it is important that organisations start now. The NCSC provides guidance on early-stage migration activities and sets timelines for UK industry, government, and regulators. These timelines apply to all organisations, especially large ones, critical infrastructure operators, and those with custom IT systems.
Key Milestones
As highlighted in the report, the key milestones are:
- By 2028: Define migration goals, conduct a full discovery exercise, and build an initial migration plan.
- By 2031: Carry out early, high-priority PQC migration activities and refine the migration plan.
- By 2035: Complete the migration to PQC for all systems, services, and products.
Migration Strategy Selection
Organisations have several options for migration, detailed in the report:
- In-place migration: Replacing vulnerable PKC components with PQC equivalents.
- Re-platform: Switching to a new or upgraded platform that supports PQC.
- Retire the service: Setting a future date for withdrawal.
- Tolerate the risk: Continuing to operate without mitigation.
What to do next?
The report highlights a series of steps you should take next, with an expected timeline of 2-3 years to migrate to PQC.
Given the intricacies involved in PQC migration, organisations should consider external help from a company or consultancy with expertise in cryptographic assessments and migration strategies. They can provide invaluable support in several key areas:
- Comprehensive Assessment: Conducting a detailed discovery and assessment of your current cryptographic infrastructure, identifying vulnerabilities and dependencies that need to be addressed.
- Tailored Migration Plan: Developing a customised migration plan that aligns with your organisation’s specific needs and regulatory requirements. This plan will include timelines, resource allocation, and risk management strategies.
- Expert Recommendations: Leveraging deep knowledge of cryptographic technologies, they can recommend the most suitable PQC algorithms and protocols for your systems and provide guidance on integrating these new technologies without disrupting your existing operations.
- Ongoing Support: Offering continuous support throughout the migration process, ensuring that your transition to PQC is seamless and that any issues are promptly addressed.
Are you considering PQC migration yet?
Further Reading
NCSC Report: Timelines for migration to post-quantum cryptography