The Road to Post-Quantum Cryptography (PQC) - A Migration Timeline

_(Based on guidance from the UK National Cyber Security Centre, 2025)_ #### Background Quantum computing is poised to revolutionize many industries, but it also poses a serious risk to current cryptographic systems. Today’s encryption methods rely on mathematical problems that quantum computers could potentially solve with ease, rendering them obsolete. To mitigate this threat, organizations worldwide are preparing to transition to **Post-Quantum Cryptography (PQC)** - a new generation of cryptographic standards designed to withstand quantum attacks. However, this migration is a massive undertaking, requiring years of planning and execution. #### Key Milestones on the PQC Migration Timeline 1️⃣ **By 2028: Laying the Foundation** Organizations should begin by **assessing their current cryptographic landscape** - identifying which systems, services, and infrastructure rely on vulnerable encryption. This phase includes defining migration goals and drafting an initial roadmap. Businesses must also **engage with suppliers** to ensure their technology stack aligns with PQC readiness. 2️⃣ **By 2031: Prioritizing and Executing Early Migrations** Once critical assets are identified, early migration activities should commence, focusing on **high-risk and long-lived data** that could be compromised by "harvest now, decrypt later" attacks. Companies will need to refine their migration plans as PQC-compatible products and standards mature. Ensuring system **flexibility and interoperability** is key, as traditional and post-quantum cryptographic solutions will likely need to coexist temporarily. 3️⃣ **By 2035: Full Transition to PQC** By this stage, all systems, services, and products should have completed the migration to PQC. While some legacy technologies may still pose challenges, organizations should aim for **a fully post-quantum secure environment**. This final phase is not just about replacing cryptographic mechanisms - it presents an opportunity to **enhance overall cybersecurity resilience**. #### So What? The transition to PQC is **not optional**; it's a necessity for long-term data security. Organizations that delay risk being left with vulnerable, outdated systems. **Proactive planning, investment in cryptographic agility, and collaboration with industry partners** will ensure a smooth migration. Now is the time to start preparing - because quantum computing isn’t a matter of "if" but "when" 🚀 Dive Deeper: - [[Why Cryptographic Inventory Matters]] - [[Hybrid Cryptography as the bridge to Post Quantum Security]] - [[The Pillars of Cryptographic Discovery and Inventory - A Blueprint for Post-Quantum Security]] - [[U.S. Government Accelerates Transition to Quantum-Resistant Cybersecurity]] - [[Misconceptions about Post Quantum Cryptography]]