- Attackers probing backdoor flaw in popular Cisco Smart Licensing Utility, warns SANS
- The best noise-canceling earbuds I've tested are at a record discount
- These wireless speakers deliver gloriously smooth sound for any style of music - and they're $200 off
- These phishing attacks are now terrorizing Mac browsers - here's how to protect yourself
- This Garmin smartwatch is at its lowest price yet - get it while the deal lasts
NCSC Sets 2035 Deadline for Post-Quantum Cryptography Migration
The UK’s National Cyber Security Centre (NCSC) has urged organizations to completely migrate their systems, services and products to post-quantum cryptography (PQC) by 2035.
The new guidance sets out three phases for migration to PQC, a type of encryption designed to safeguard sensitive information from the future risks posed by quantum computers.
The phased approach is designed to ensure a smooth, controlled migration that reduces the risk of rushed implementation and resultant security gaps.
Read now: Most Organizations Unprepared for Post-Quantum Threat
The NCSC said that the guidance is primarily aimed at technical decision-makers and risk owners at large organizations, operators of critical national infrastructure systems, including industrial control systems, and companies that have bespoke IT.
The agency, part of GCHQ, noted that for many small and medium-sized organizations, migration to PQC will be routine as service and technology providers will deliver it as part of their normal upgrades.
NCSC Chief Technical Officer, Ollie Whitehouse, said: “Quantum computing is set to revolutionize technology, but it also poses significant risks to current encryption methods.”
“Our new guidance on PQC provides a clear roadmap for organizations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come.”
Timeline for PQC Adoption
The new guidance sets out a 10-year period for organizations to fully transition to PQC, as this should provide a sufficient period for detailed PQC standards to appear, an ecosystem of products that uses them to be developed, and for uptake to become widespread.
The PQC algorithms that will be most widely used were standardized by the US National Institute of Standards and Technology (NIST) in 2024.
The NCSC plans to issue specific guidance on patterns and configurations for common cryptographic technologies when they become ready for use and continue to update this advice going forward.
The three-stage timeline is as follows:
2028 – Discovery and Assessment
Large organizations and those who run their own IT infrastructure are expected to create an initial migration plan in the next two to three years. This should identify:
- The highest-priority, earliest migration activities
- Dependencies on your suppliers and physical infrastructure, with all needs communicated to suppliers
- Investment needed to implement the migration activities
- Requirement to migrate any long-lived hardware roots of trust
2031 – Execute High Priority Upgrades and Refine Plans
Over the following two to three years, relevant organizations should complete their priority migration activities to protect their most critical assets.
This period should also be used to ready the organization’s infrastructure to support a PQC future.
Refinements should be made to the initial migration plan to ensure a clear route to full migration by 2035, taking into account future ecosystem developments.
2035 – Complete PQC Migration
In the following four years, organizations should implement the plan, incorporating new cryptographic technologies.
Additionally, they should be using this period to build more robust general cyber resilience into their systems.
Why PQC Adoption is a Cybersecurity Priority
The adoption of PQC is essential before powerful quantum computers become commercially available. These computers will be capable of breaking current encryption protocols.
This will leave data, connections and components used by all organizations exposed.
Cybercriminals are also using harvest now, decrypt later attacks to harvest and store data today for later decryption.
In February 2025, Microsoft unveiled the world’s first ever quantum chip, Majorana 1. This breakthrough offers a path to developing quantum computers that can scale to a million qubits in “years, not decades,” according to the tech giant.
Since the NIST PQC Standards were finalized in 2024, there have been significant developments in quantum-secure solutions.
A number of vendors have achieved validated testing of implementations of PQC algorithms through NIST’s Cryptographic Algorithm Validation Program.
Later in 2025, the NCSC expects to see cryptographic hardware roots of trust become available, such as hardware security modules (HSMs) and secure boot solutions using the new NIST standards.
Additionally, several of the most popular internet browsers have now incorporated support for PQC into their communications stacks.
In February 2025, Google announced the availability of quantum-safe digital signatures in its Cloud Key Management Service (Cloud KMS) for software-based keys. The signatures will support two PQC algorithms included in the NIST standards.
In March 2025, Cloudflare announced it has introduced PQC protections in its zero trust platform, allowing organizations to safeguard their corporate network traffic from potential quantum computing attacks without individually upgrading each application or system.
