The U.K. National Cyber Security Centre (NCSC) has outlined a roadmap to help critical sectors and organizations transition to quantum-resistant encryption methods (post-quantum cryptography, or PQC) by 2035. The guidance provides a three-phase timeline for migration: from 2024 to 2028 to identify services needing upgrades, from 2028 to 2031 to implement high-priority upgrades, and from 2031 to 2035 to complete migration. The NCSC stresses the importance of early preparation to avoid rushed implementations and security gaps.
Quantum computing poses risks to current encryption methods, so transitioning to PQC will help protect against these threats. The NCSC acknowledges that PQC migration is complex and requires careful planning, but it encourages organizations to start early. It also emphasizes that sectors with complex infrastructure, such as industrial control systems, will face unique challenges, particularly as PQC products become available.
The guidance also highlights the challenges in areas like WebPKI and industrial control systems, where legacy protocols will need to evolve. Additionally, the NCSC expects that by 2025, the first validated cryptographic modules will form the foundation for PQC implementation. The migration plan must include clear milestones, testing, and validation processes to ensure a smooth transition.
Ultimately, the NCSC urges organizations to prioritize the migration of systems that handle sensitive data, as delays in adopting PQC could lead to security risks. The U.K. government is launching a pilot scheme to assist consultancy firms in helping organizations with this transition.
