The U.K. National Cyber Security Centre (NCSC) presented a strategic roadmap for key sectors and organisations as they transition to post-quantum cryptography (PQC) to safeguard against future quantum computing threats. The NCSC guidance sets out the necessary steps towards PQC migration, describes how the preparatory work might vary across different sectors, and advises on timescales for key activities on the long journey to PQC. It also includes a three-phase timeline to assist organizations in adopting quantum-resistant encryption techniques by 2035.
Designed to help critical sectors and organizations transition to these advanced encryption methods within the set timeframe, the NCSC guidance encourages organizations to begin preparing for the transition now to allow for a smoother, more controlled migration that will reduce the risk of rushed implementations and related security gaps. It outlines three phases for migration – to 2028 to identify cryptographic services needing upgrades and build a migration plan; from 2028 to 2031 to execute high-priority upgrades and refine plans as PQC evolves; and from 2031 to 2035 to complete migration to PQC for systems, services, and products.
“Quantum computing is set to revolutionise technology, but it also poses significant risks to current encryption methods,” Ollie Whitehouse, chief technical officer at the NCSC, said in a Thursday media statement. “Our new guidance on post-quantum cryptography provides a clear roadmap for organisations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come.”
He added that as “quantum technology advances, upgrading our collective security is not just important – it’s essential.”
Existing encryption techniques, which safeguard activities ranging from banking to secure communications, depend on complex mathematical problems that are challenging for current-generation computers to solve. However, quantum computers can solve these problems much more rapidly, potentially rendering existing encryption methods vulnerable. Transitioning to PQC will enable organizations to proactively counter this threat by implementing quantum-resistant algorithms before potential attackers can exploit any weaknesses.
“We know that PQC migration can feel like a daunting challenge for many organisations,” Jeremy B, principal technical director for crypt and high threat technologies at the NCSC, wrote in an accompanying blog post. “It is a multi-year effort that will span more than one investment cycle and needs careful planning. So, we are introducing new guidance, ‘Timelines for migration to post-quantum cryptography’, that sets out some of the key milestones in planning and delivering your migration.”
He added that migration to PQC can be viewed as any large technology transition. “In the guidance, we describe the key steps in such a transition and illustrate some of the cryptography and PQC-specific elements required at each stage of the programme. We also discuss how the challenge will vary between different sectors, and how the PQC ecosystem is likely to evolve following the work of industry developers and international standards bodies.”
The NCSC guidance recognized that some of the U.K.’s regulated sectors include companies that operate in truly global markets, with a need for some level of technology convergence across those markets. This includes many (but not all) banking and financial services organizations and companies in the telecoms sector. In these sectors (and others whose services are mostly internet-facing and using common protocols), NCSC expects an earlier focus on migration (in line with the availability of well-implemented PQC); and an alignment with global partners in the same sector.
For other sectors, particularly those with complex physical infrastructure that rely on OT (operational technology), the path for PQC migration may initially be less clear, with fewer PQC products becoming available soon. However, any necessary changes to physical infrastructure will need significant planning and should be done, as far as possible, to coincide with other infrastructure maintenance and improvements. Furthermore, continued OT / IT convergence means that, increasingly in these sectors, planning for conventional IT upgrades to support PQC will need to be a core part of the business.
The NCSC document identified two areas where it believes the development of post-quantum secure protocols will be more challenging than a simple replacement of traditional cryptographic mechanisms with their PQC equivalents. “One is the WebPKI which relies on an ecosystem of trusted roots, Certificate Authorities, Certificate Transparency (CT) log providers, and Certificate Revocation List (CRL) providers.”
It added that there is not yet agreement on how to incorporate post-quantum signatures into WebPKI certificates while maintaining compatibility with traditional WebPKI components. Since the WebPKI is by its nature decentralized, coordination of migration of all its components is likely to be hard to sequence.
The second area of risk picked out in the NCSC document for the development of PQC standards is ICS protocols. There are legacy protocols in use in ICS (industrial control systems) that have never been brought up to modern cryptographic standards. As these are replaced, not only will the new algorithms need to be used, but architectures will need to evolve around them to enable the use of modern key management solutions.
The NCSC guidance identified that since 2024, a steady, and growing, stream of vendors has achieved validated testing of implementations of PQC algorithms through NIST’s Cryptographic Algorithm Validation Program. “During 2025, we expect to see the first cryptographic modules validated to FIPS 140-3 under the NIST’s Cryptographic Module Validation Program. These will then form a basis for building implementations of PQC into future security systems,” it added.
The NCSC guidance identified that primarily, migration to PQC serves as a mitigation strategy against a cybersecurity threat, specifically the cryptographic risk posed by quantum computing. As PQC adoption becomes more widespread in the future, organizations that do not migrate promptly will face the challenge of managing significant legacy systems, along with the associated risks. Therefore, primary functional goals will include establishing a robust cryptographic infrastructure as part of broader cyber resilience objectives. Sector- and business-specific risks and drivers will influence these goals, and in many cases, there will be a need to meet regulatory requirements.
Any technical system migration needs to start with building a clear understanding of the current estate. This includes identifying key services and applications. A record of the data held should be formed, including its expected lifetime and its value to an adversary. It is important to identify how data is protected in transit and at rest. Mapping the systems that operate these services, and through which data is processed, is necessary. Processes for identifying and managing assets, both software and hardware, effectively should be ensured.
It also detailed that organizations need to decide on an approach for the migration of each system, service, or product they are responsible for. Where there is complete reliance on commodity platforms, upgrades to PQC will likely be delivered by the service provider. In such cases, wholesale changes beyond routine improvements will not be necessary, as these will come through the normal, timely refresh of the commodity hardware.
Then comes the point at which organizations need to develop a set of migration activities. They will have identified their priority services. Dependencies on long-lived hardware, supply chains, and service providers with current risks from legacy systems will be addressed. Several steps will be involved in the migration of each system. The migration plan should include timelines for each step. These steps could include researching available technology options, procurement, commissioning, testing, data backup, and migration, leading up to the actual rollout.
The NCSC document outlined that except for the very simplest systems (which can be replaced in a single effort with a ‘big bang’ uplift to PQC), “you will likely find that you need traditional PKC and PQC to co-exist for a while within your environment.”
It added that because the introduction of PQC involves making compatibility-breaking changes to encryption, organizations may need new PQC systems also to support traditional PKC algorithms as an option during the migration period. They should therefore seek solutions that offer cryptographic agility; that is, the ability to readily support alternative suites of cryptographic algorithms, and identify the criteria they will use to determine when to end support for the traditional algorithms. Additionally, complete security against the quantum computing threat will be ensured when reliance on traditional public key cryptography (PKC) is eliminated.
The NCSC guidance determined that the focus is on future planning, prioritizing high-priority activities as per the migration plan, and refining it as suppliers and the PQC ecosystem evolve. Testing and validation are crucial, ensuring extensive coverage of PQC-supporting libraries, software, hardware, and interoperability with other services. Additional tests are necessary to verify cryptography performance, especially with the introduction of standardized PQC cipher suites for TLS (Transport Layer Security).
Also, a rigorous assurance process is needed to ensure the migration meets core goals, with metrics to measure success, track software client usage of PQC, and identify those not yet transitioned. These metrics help assess migration progress, determine necessary remedial actions, and decide when to discontinue traditional algorithms.
The existence of algorithm standards is vitally important, as they are a building block on which cryptographic protocols, products, and services will be constructed. As technical standards evolve, the NCSC will issue specific guidance on patterns and configurations for common cryptographic technologies when they become ready for use, and continue to provide organizations and regulators with up-to-date advice.
While there is likely to be a tail of technologies for which migration will take longer, it is reasonable to expect all organizations to focus on this 2035 target, prioritizing those systems that process business and personally sensitive data, or that manage critical communications and systems.
“The activities described in planning your migration are substantial and are critical to reducing cyber risks,” according to the NCSC guidance. “Migration will happen, globally. It will not be possible to avoid PQC migration, so preparing and planning now will mean you can migrate securely and in an orderly fashion.”
The NCSC will soon launch a pilot scheme to assure those consultancy companies that offer support to the discovery, assessment, and planning activities. This will ensure that skills are accessible within the U.K. to help organizations with their migration to PQC. The agency would also be keen to see organizations share their own experiences, and examples of good practice – perhaps through their relevant industry bodies, or in regulator forums.
A successful migration will be underpinned by good asset management, clear views into systems, services, and infrastructure, and actively managed supply chains. All these are aspects of good cyber security governance for the organization, so provide a natural framework for a large cryptographic migration alongside broader improvements to cyber resilience.
Last April, the European Commission published a Recommendation that encourages Member States on a Coordinated Implementation Roadmap for the transition to PQC. The move works towards developing and implementing a harmonized approach as the EU transitions to PQC. The Commission Recommendation urges Member States to formulate a robust strategy for integrating PQC, aiming to facilitate a harmonized and unified transition across the various Member States and their public sectors.
