The UK’s National Cyber Security Centre (NCSC) has called on organizations to migrate their systems, services, and products to post-quantum cryptography (PQC) by 2035. This shift to PQC is crucial to safeguarding sensitive information from the evolving risks posed by quantum computers, which could potentially break current encryption methods. The NCSC’s new guidance provides a comprehensive roadmap for organizations to follow, outlining a phased migration approach that aims to ensure smooth, controlled transitions while avoiding rushed implementation that could lead to security gaps.
The guidance primarily targets technical decision-makers and risk owners at large organizations, including operators of critical national infrastructure and companies with bespoke IT systems.
While the transition to PQC will be routine for many small and medium-sized organizations, as service and technology providers will handle it as part of their regular upgrades, larger organizations are expected to take a more active role. NCSC’s Chief Technical Officer, Ollie Whitehouse, emphasized that while quantum computing has the potential to revolutionize technology, it also presents significant risks to the security of today’s encryption systems, making the shift to PQC essential to future-proof data protection.
The NCSC’s 10-year timeline for PQC adoption is designed to give organizations ample time to plan and implement the necessary changes. The timeline is divided into three key phases. The first phase, set to begin in 2028, focuses on discovery and assessment, during which large organizations should begin to develop migration plans. This phase will identify high-priority migration activities, dependencies on suppliers, and the investment needed to implement the transition. In the second phase, starting in 2031, organizations will execute high-priority upgrades to protect their most critical assets while refining their migration plans to ensure full transition by 2035.
The final phase, due by 2035, will involve completing the full migration and integrating new cryptographic technologies, further enhancing organizations’ cyber resilience.
The urgency of adopting PQC arises from the impending threat posed by quantum computers, which will be capable of breaking current encryption protocols and exposing data and communications to cybercriminals. Furthermore, attackers are already employing “harvest now, decrypt later” strategies, in which they collect and store sensitive data today with the intention of decrypting it once quantum computers are capable of doing so. The NCSC’s guidance underscores the need to act quickly, as major tech players like Microsoft, Google, and Cloudflare are already introducing quantum-safe solutions into their products. These developments emphasize the growing importance of PQC adoption, and the NCSC’s roadmap offers a clear path forward to ensure organizations are prepared for the future challenges posed by quantum computing.