In our 2023 white paper, the NCSC emphasized the necessity of preparing for the transition to post-quantum cryptography (PQC) in light of the risks that advancements in quantum computing pose to current cryptographic systems.
Beyond the technical insights provided in that paper, we outlined our commitment to assist the UK government and our regulated Critical National Infrastructure (CNI) sectors, while also fostering an expansion of the UK’s capabilities in PQC.
PQC migration may seem like a formidable task for many organizations. It represents a multi-year initiative that will extend over multiple investment cycles and requires strategic planning. Consequently, we are releasing new guidance titled ‘Timelines for migration to post-quantum cryptography’, which outlines essential milestones in the planning and execution of your migration.
The transition to PQC can be likened to any significant technological shift. In our guidance, we outline critical steps for such a transition and detail specific cryptography and PQC-related considerations that need to be addressed at each stage of the initiative. Furthermore, we examine how the challenges may differ across various sectors and explore how the PQC landscape is expected to evolve as a result of contributions from industry developers and international standards organizations.
Key Dates for PQC Migration in the UK
The guidance delineates three phases for migration.
The initial phase entails conducting a comprehensive discovery process to assess your environment and identify services reliant on cryptography that require upgrading to PQC. This will facilitate the development of an initial migration strategy prioritizing services for migration. The target date for completing this phase is 2028.
The second phase involves executing the highest priority migration activities identified and adjusting your plan in accordance with the evolving PQC ecosystem to establish a comprehensive roadmap for migration. This phase should be completed by 2031.
The final phase involves achieving the full migration to PQC for all your systems, services, and products, aiming for completion by 2035.
Establishing Robust Cybersecurity Practices
For many small to medium-sized enterprises (SMEs), the migration process will be straightforward, as service providers will implement PQC as part of their routine upgrades. However, larger organizations may face substantial investment requirements for PQC migration. Some companies might have a diverse technology environment in which most of the migration is manageable but certain systems may require specialized focus. We hope these timelines facilitate effective planning and support investment decisions.
Regardless of organization size, the activities supporting migration—such as vigilant management of technology assets, a thorough understanding of systems and services, and awareness of supplier capabilities—are integral to cultivating and sustaining strong cybersecurity practices. Although our guidance primarily targets risk owners of larger enterprises, CNI operators, and firms with custom IT solutions, the key insights and critical timelines presented are applicable to all organizations.
Jeremy B
Principal Technical Director for Crypt and High Threat Technologies
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/blog-post/setting-direction-uk-migration-to-pqc