UK urges critical orgs to adopt quantum cryptography by 2035

The UK’s National Cyber Security Centre (NCSC) has published specific timelines on migrating to post-quantum cryptography (PQC), dictating that critical organizations should complete migration by 2035.

The new guidance aims to provide a structured migration plan with specified milestones for all organizations to follow. It will also serve to highlight the real security risks of falling behind.

“Quantum computing is set to revolutionize technology, but it also poses significant risks to current encryption methods,” stated NCSC’s CTO, Ollie Whitehouse.

“Our new guidance on post-quantum cryptography provides a clear roadmap for organizations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come. 

“As quantum technology advances, upgrading our collective security is not just important – it’s essential.”

The NCSC’s PQC migration guidance primarily impacts government agencies, large enterprises, critical national infrastructure operators, as well as technology and software providers with bespoke IT systems that rely on cryptography.

The migration timeline defined by NCSC’s latest guidance is the following:

• By 2028, organizations must define their migration goals, conduct a full discovery and assessment of their cryptographic dependencies, and develop an initial migration plan.
• By 2031, organizations should complete their highest-priority PQC migration activities, ensure their infrastructure is ready for a post-quantum future, and refine their migration plan to provide a clear roadmap for full implementation.
• By 2035, organizations must have completed migration to PQC across all systems, services, and products.

The NCSC recommends adopting NIST-approved PQC algorithms for migration, which were standardized by the U.S. organization last year, and are expected to become the foundation for post-quantum security globally.

These algorithms are ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205). Earlier this month, NIST also announced that HQC was its officially selected backup algorithm for post-quantum encryption.

The UK organization acknowledged the numerous challenges that arise from such a migration, including legacy systems that cannot be moved to the post-quantum age, lack of in-house expertise, and supply chain complexities.

The NCSC says it will soon launch a pilot scheme aimed at connecting cryptography specialists with UK organizations migrating to PQC to assist them with asset discovery, assessment, and planning.

The United States has established a similar timeline for migrating to PQC through the National Security Memorandum 10 (NSM-10), which also sets 2035 as the target year for completing the transition across federal systems.