The UK’s National Cyber Security Centre (NCSC) has issued new guidance urging organizations to fully transition to post-quantum cryptography (PQC) by 2035. This strategic shift aims to protect sensitive data from the emerging threat of quantum computing, which could render current encryption methods obsolete.
A Phased Approach to PQC Migration
To ensure a smooth transition, the NCSC has outlined a three-phase migration strategy. This structured approach minimizes security risks associated with rushed implementation and ensures a stable transition period.
According to the NCSC, the guidance is primarily intended for technical decision-makers, cybersecurity risk owners, and operators of critical national infrastructure (CNI). Organizations with customized IT systems are also encouraged to follow the roadmap. For small and medium-sized enterprises (SMEs), the transition to PQC will likely occur as part of routine service provider upgrades.
NCSC’s Chief Technical Officer, Ollie Whitehouse, emphasized the urgency of migration: “Quantum computing is set to revolutionize technology, but it also poses significant risks to current encryption methods. Our new guidance on PQC provides a clear roadmap for organizations to safeguard their data against these future threats.”
Timeline for PQC Adoption
The NCSC has set a 10-year timeline to ensure a structured transition. This period allows for the development and adoption of PQC standards, as well as the availability of secure cryptographic solutions. The US National Institute of Standards and Technology (NIST) standardized the most widely used PQC algorithms in 2024, forming the foundation for this shift.
The three-stage transition plan includes:
2028: Discovery and Assessment
Large organizations and those managing in-house IT infrastructure should initiate migration planning within the next two to three years. Key tasks include:
Identifying high-priority areas for early migration
Assessing dependencies on suppliers and infrastructure
Communicating needs to vendors
Evaluating investment requirements for implementation
Planning for the transition of long-term hardware roots of trust
Organizations should conduct a full cryptographic inventory to understand where and how encryption is currently applied. This will help them determine which systems require the most urgent upgrades. Companies operating in highly regulated industries, such as finance and healthcare, may need to coordinate with industry regulators to ensure compliance with future PQC requirements.
2031: High-Priority Upgrades and Refinements
Over the next three years, organizations should complete priority migration activities, securing their most critical assets. During this phase, they should also refine their transition strategy, ensuring compatibility with future cryptographic advancements.
This phase should also include testing and validation of PQC solutions. Many organizations will need to work with cybersecurity vendors to integrate quantum-resistant encryption protocols into their existing infrastructure. Businesses should also train their cybersecurity teams on new cryptographic methods and threat mitigation strategies.
2035: Full Migration to PQC
By 2035, organizations should have fully integrated PQC into their systems. Additionally, this period should be used to enhance overall cybersecurity resilience.
During the final phase, organizations should ensure that all legacy encryption methods are phased out to prevent security vulnerabilities. Continuous monitoring and regular updates will be essential to adapt to emerging threats in the post-quantum era.
Why PQC Adoption is Crucial
PQC adoption is an urgent cybersecurity priority. The arrival of powerful quantum computers capable of breaking traditional encryption poses a major risk to data security. Without PQC, sensitive information, communications, and system integrity could be compromised.
A growing concern is the “harvest now, decrypt later” tactic used by cybercriminals, in which attackers steal encrypted data today and decrypt it once quantum computing becomes viable. This method puts long-term sensitive data at significant risk.
Industries at High Risk
Industries that handle highly confidential data are particularly vulnerable to quantum threats. These include:
Financial services: Banks and payment processors rely heavily on encryption to protect transactions and sensitive financial data.
Healthcare: Hospitals and pharmaceutical companies store vast amounts of patient records and proprietary medical research.
Government and defense: National security agencies and military operations depend on encryption to safeguard classified communications.
Energy and utilities: Critical infrastructure, including power grids and water supply systems, could be exposed to cyberattacks if encryption is compromised.
Recent Advancements Highlighting the Urgency
Recent advancements in quantum computing technology underscore the need for rapid PQC adoption:
Microsoft introduced Majorana 1, the first quantum chip, in February 2025, accelerating the development of scalable quantum computers.
Google announced quantum-safe digital signatures in its Cloud Key Management Service (Cloud KMS) for software-based keys, integrating two PQC algorithms from the NIST standards.
Cloudflare launched PQC protections in its zero-trust platform in March 2025, securing corporate network traffic from quantum threats without requiring individual system upgrades.
Cryptographic Hardware Roots of Trust, such as Hardware Security Modules (HSMs) and secure boot solutions using NIST’s PQC standards, are expected to be widely available later in 2025.
Web browsers have begun incorporating PQC into their communication stacks to enhance security.
Steps Organizations Can Take Today
Organizations should begin preparing for PQC migration now by taking the following steps:
Conduct a cryptographic inventory: Identify where encryption is used and which systems need priority upgrades.
Engage with cybersecurity vendors: Work with security providers to evaluate PQC solutions and develop an integration strategy.
Stay informed on evolving standards: Follow updates from NIST, NCSC, and industry experts to ensure compliance with the latest recommendations.
Invest in workforce training: Educate IT and security teams on post-quantum encryption methods.
Implement hybrid cryptographic solutions: Deploy cryptographic approaches that combine classical and quantum-resistant algorithms to ease the transition.
The Future of Post-Quantum Security
As quantum computing capabilities continue to evolve, the urgency for organizations to act grows stronger. The NCSC’s structured timeline offers a clear path for transitioning to quantum-resistant cryptography while minimizing operational disruptions.
By 2035, organizations that follow the NCSC’s guidance will have safeguarded their digital assets against the looming quantum threat. Those who delay risk exposing their critical data to unprecedented vulnerabilities. Now is the time for businesses, governments, and critical infrastructure operators to prioritize their migration to PQC and ensure a secure digital future.
Follow us on 
(Twitter) for real time updates and exclusive content.
Interesting Article : CVE-2025-23120, Veeam Fixes High-Risk Flaw Targeted by Ransomware Gangs