UK’s Roadmap to Post-Quantum Cryptography (PQC): A Clear Path to 2035

17 April, 2025 3:29 pm

As advances in quantum computing accelerate, the cryptographic systems that protect today’s digital infrastructure are becoming increasingly vulnerable. In response, the UK’s National Cyber Security Centre (NCSC) has outlined a clear roadmap to help organisations transition to post-quantum cryptography (PQC) by 2035. This roadmap sets expectations for preparation, action, and long-term transformation across sectors. 

Starting Now: Discovery and Planning 

Organisations are expected to begin by identifying where cryptography is used, which systems are at risk, and which assets are most critical. By 2028, all organisations should have completed this discovery phase and built an initial migration plan—highlighting priorities, supplier dependencies, and areas needing investment. 

Early Migration and Continuous Refinement 

From 2028 to 2031, high-priority systems (those handling sensitive or business-critical data) should be migrated first. During this phase, plans will need to adapt as suppliers update their products and standards evolve. Testing and validation are essential to ensure that PQC is implemented correctly and that systems do not fall back to older, vulnerable cryptography.

Metrics such as adoption rates across systems and services will help track progress and highlight where additional work is needed. 
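One way to turn the fallback check and the adoption metric above into something measurable, as an added example that is not part of the NCSC roadmap or QBN's material: it reads TLS handshake records, computes the share of sessions per service that negotiated a hybrid PQC key-exchange group, and flags services where a client offered a hybrid group but the session ended up on a classical one. The log format, service names and sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# TLS hybrid key-exchange groups that combine ML-KEM with a classical curve.
HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768"}

# Constructed sample records; the key=value layout is an assumption.
SAMPLE_LOG = """\
service=payments client_offered=X25519MLKEM768,x25519 negotiated=X25519MLKEM768
service=payments client_offered=X25519MLKEM768,x25519 negotiated=x25519
service=payments client_offered=x25519,secp256r1 negotiated=x25519
service=scada-gw client_offered=secp256r1 negotiated=secp256r1
service=scada-gw client_offered=X25519MLKEM768,secp256r1 negotiated=secp256r1
service=portal client_offered=X25519MLKEM768,x25519 negotiated=X25519MLKEM768
"""

LINE_RE = re.compile(r"service=(\S+) client_offered=(\S+) negotiated=(\S+)")


def analyse(log_text):
    """Return per-service totals, hybrid sessions, fallbacks and adoption rate."""
    stats = defaultdict(lambda: {"total": 0, "pqc": 0, "fallback": 0})
    for line in log_text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # ignore records that do not match the assumed format
        service, offered, negotiated = m.groups()
        s = stats[service]
        s["total"] += 1
        if negotiated in HYBRID_GROUPS:
            s["pqc"] += 1
        elif HYBRID_GROUPS & set(offered.split(",")):
            # Client could do hybrid, yet the session is classical only:
            # the server side is the migration gap.
            s["fallback"] += 1
    return {svc: {**s, "adoption": s["pqc"] / s["total"]}
            for svc, s in stats.items()}


def fallback_services(report):
    """Services with at least one hybrid-capable client left on classical."""
    return sorted(svc for svc, s in report.items() if s["fallback"])


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for svc, s in sorted(report.items()):
        print(f"{svc}: adoption={s['adoption']:.0%} fallbacks={s['fallback']}")
    print("needs attention:", fallback_services(report))
```

Sessions where the client never offered a hybrid group lower the adoption rate without counting as fallbacks, which separates client-side gaps from server-side ones.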

Sector-Specific Challenges 

Sectors like finance and telecoms are expected to lead early PQC adoption, thanks to their global exposure and common standards. Sectors with operational technology (OT), like energy and manufacturing, will face more complex migrations due to legacy systems, limited device upgradeability, and physical constraints. 

Industrial control systems (ICS) need particular attention, with secure remote access and data integrity being top priorities. PQC planning must be tightly aligned with OT/IT integration and long-term infrastructure upgrades. 

PQC Readiness: Where Are We Now? 

The foundations for PQC are already in place. In 2024, NIST standardised the core algorithms: ML-KEM for encryption, and ML-DSA and SLH-DSA for digital signatures. Vendors are now building products around these standards. 

Some browsers and cloud services already support PQC in hybrid modes—combining quantum-safe and traditional encryption—but universal standards for protocols like TLS are still under development and expected by 2027–2028. 

Special cases like WebPKI and legacy ICS protocols will require more than just swapping algorithms—they may need new architectures entirely. Flexibility in planning is key to managing these uncertainties. 

Looking to 2035: A Mandatory Secure Digital Future 

The NCSC expects most systems to be quantum-safe by 2035. Organisations are encouraged to: 

  • Complete a full discovery phase by 2028 to assess which services need to be updated to PQC 
  • Finish early migrations by 2031 
  • Complete migration of all systems, services and products by 2035

The transition to PQC will be global and unavoidable. Starting early reduces cost, disruption, and security risk—and positions organisations as leaders in a secure quantum future. 

The UK’s PQC roadmap offers a clear and actionable framework for navigating the transition to quantum-secure cryptography. It highlights the need for early engagement, cross-sector collaboration, strong asset visibility, and ongoing assurance. 

At QBN, we help enterprises and governments become quantum ready by defining a clear strategy that addresses the threat and leverages the potential of quantum computing, and by developing a proof-of-concept (PoC).
QBN’s holistic approach to quantum-readiness, its deep expertise and global network ensure the best preparation you can get for a secure digital future. 

Act now and be safe tomorrow! 

Read the full NCSC roadmap: Timelines for migration to post-quantum cryptography – NCSC.GOV.UK
