- The Problem Underneath the Deadlines
- How Long PQC Migration Actually Takes
- The Compressed Window: When Migration Duration Meets Q-Day
- Where Every Major Country Stands
- Quick Reference: Global PQC Migration Deadlines
- Why the Gaps Matter More Than the Dates
- What This Means for Your Organization
- How Encryption Consulting Can Help
- Conclusion
Every organization operating internet-facing infrastructure, cloud workloads, or long-lived data has a post-quantum cryptography (PQC) exposure. Most do not yet know how large that exposure is, which systems carry it, or which regulatory deadline applies first.
Governments have been publishing migration timelines since 2022. As of June 2026, more than fifteen jurisdictions have formal roadmaps, binding compliance dates, or mandatory algorithm requirements. The dates span 2026 to 2035. The algorithms mandate contradict each other. The hybrid requirements disagree. On June 22, 2026, President Trump signed Executive Order 14412, making PQC migration a binding legal obligation for all US federal civilian agencies and their contractors by December 31, 2030.
This guide maps where every major country stands, examines how long migration actually takes, explains why the gaps between national programs create risk that no single deadline captures, and sets out what organizations need to do now.
The Problem Underneath the Deadlines
Before looking at specific country deadlines, it helps to understand the two threats driving this migration. One is Q-Day. The other is the threat that is already here.
Q-Day is the moment a cryptographically relevant quantum computer (CRQC) can break RSA-2048 and elliptic curve cryptography at scale. The Global Risk Institute’s Quantum Threat Timeline Report 2025, published March 9, 2026, found that the probability of a CRQC arriving within the next decade has reached its highest level in the survey’s seven-year history.
Recent hardware research has made the timeline more concrete. On March 31, 2026, researchers at Oratomic and Caltech (arXiv:2603.28627) showed that a neutral-atom quantum computer could run Shor’s algorithm against ECC-256 with as few as 10,000 physical qubits, depending on the speed-versus-size tradeoff. That is dramatically fewer than the 500,000 physical qubits that Google’s Quantum AI team estimated on the same day for a superconducting architecture performing the same attack.
But the more serious threat is not Q-Day itself. It is what is already happening before it. Harvest Now, Decrypt Later (HNDL), also called Store Now, Decrypt Later (SNDL), means adversaries are intercepting and archiving encrypted traffic today, planning to decrypt it once quantum computers are powerful enough. This is not theoretical. The US Department of Homeland Security, UK NCSC, ENISA, and the Australian Cyber Security Center have all published guidance that assumes nation-state actors are already doing this. The Federal Reserve’s 2025 research paper (FEDS 2025-093) called HNDL a present and ongoing operational risk.
An organization whose data must stay confidential for ten or more years has already been exposed. That exposure started on the day the data was encrypted under RSA or ECC. The real deadline is not a regulatory date. It is the point at which data retention requirements and the quantum computing roadmap intersect.
With that threat picture in mind, the next question is practical: given how long migration actually takes, how much runway does your organization actually have?
How Long PQC Migration Actually Takes
Regulatory deadlines tell you when migration must be done. They do not tell you how long it takes to get there. That gap is where most organizations are underestimating their risk.
| Enterprise Size | Typical Employees | Migration Timeline | Key Constraints | FTQC Collision Risk |
|---|---|---|---|---|
| Small Enterprise | < 500 | 5-7 years | Limited staff, constrained budget, vendor dependency | Moderate: can complete before 2032 if migration starts by 2026 |
| Medium Enterprise | 500-5,000 | 8-12 years | Hybrid IT, legacy app diversity, multi-vendor PKI | High: expected completion 2034-2038, overlapping the FTQC window |
| Large Enterprise | > 5,000 | 12-15+ years | Global infrastructure, 100,000+ cryptographic assets, ecosystem sync | Critical: expected completion after 2038, deep inside the HNDL and FTQC risk window |
PQC migration is not a standard IT upgrade. It is a global synchronization effort. Every vendor, partner, and communication counterpart in your ecosystem needs to move at the same time. Unlike past cryptographic transitions such as SHA-1 to SHA-2 or TLS 1.2 to TLS 1.3, PQC involves larger key and signature sizes that stress existing protocols, hybrid requirements that differ by country, and dependencies on hardware, software, and standards bodies that are still catching up.
Six factors consistently push timelines past initial estimates: legacy system complexity; shortage of specialist staff; slow procurement and budget cycles; incomplete cryptographic inventories; vendor unreadiness; and the need to synchronize with external partners. These do not take turns. They all apply at once.
These timelines make clear that when migration starts is just as important as what the deadline says. The next section explains how the hardware research from early 2026 has tightened that window further.
The Compressed Window: When Migration Duration Meets Q-Day
When you put the migration timelines from the previous section alongside the latest quantum hardware research, the risk picture becomes very clear.
The Oratomic/Caltech research and Google’s 2029 deadline announcement both point to 2028 to 2029 as the credible lower bound for when a CRQC could arrive. The NIST NCCoE Migration to PQC Project confirms that discovery alone takes 12 to 24 months for large enterprises. That means an organization starting its inventory now, in mid-2026, will spend most of 2026 and 2027 just mapping what it has, before migration itself begins.
Organizations starting in 2026 still have enough runway to secure their highest-priority systems before 2030. Organizations delaying until 2028 may face substantially greater migration risk. Every month of delay at this stage is harder to recover from than a month of delay would have been in 2023.
The 2026 to 2030 window is not mainly a compliance problem. It is an execution problem. The deadlines are public. The migration durations are well documented. The math points in one direction: start now.
Now that the urgency is clear, the next section maps the specific mandates and deadlines that apply in each major jurisdiction.
Where Every Major Country Stands
Every deadline below comes from an official government or regulatory source, verified as of June 24, 2026.
United States: Standards Published; Binding Federal Mandate Now Law
The US has the most layered PQC mandate structure of any country, and as of this week, it also has the most recent binding action. On August 13, 2024, NIST published three finalized post-quantum standards: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), concluding an eight-year evaluation. A fourth standard, FIPS 206 (FN-DSA, based on FALCON), was under active preparation at NIST as of mid-2026 and is expected to be published as an Initial Public Draft in 2026 and finalized in late 2026 or early 2027. For National Security Systems, CNSA 2.0 requires specific high-security parameter sets: ML-KEM-1024 and ML-DSA-87.
On June 22, 2026, President Trump signed Executive Order 14412. EO 14412 requires federal civilian agencies to complete PQC for key establishment by December 31, 2030, and for digital signatures by December 31, 2031. EO 14412 directs the FAR Council to propose a rule requiring covered federal contractors to comply with NIST FIPS standards incorporating PQC algorithms by December 31, 2030. The rule is pending formal rulemaking and has not yet been finalized. National Security Systems are handled separately under CNSA 2.0 and are not subject to EO 14412.
- 2025: CNSA 2.0 first compliance window opens for certain new NSS acquisitions
- 2027: All new NSS acquisitions must use NSA-approved quantum-resistant algorithms
- 2027 (Dec 31): NIST must complete a PQC migration pilot project under EO 14412
- 2030 (Dec 31): Federal civilian agencies and covered contractors must complete PQC for key establishment
- 2031 (Dec 31): Federal civilian agencies must complete PQC for digital signatures
- 2035: All federal systems fully quantum-resistant; classical algorithms disallowed under NIST IR 8547
Note: NIST IR 8547 (Initial Public Draft, November 2024) proposes disallowing classical public-key algorithms after 2035; this remains draft guidance and has not been finalized.
United Kingdom: Phased Three-Stage Migration
The UK NCSC published its migration guidance on March 20, 2025, with three clear phases. It targets large organizations, critical national infrastructure operators, and organizations with complex IT environments. Recommended algorithms are ML-KEM-768 and ML-DSA-65. Hybrid is encouraged during the transition period; the end goal is pure PQC.
- By 2028: complete discovery phase and produce an initial migration plan
- By 2031: Migrate highest-priority services and refine the plan
- By 2035: Complete PQC migration across all systems, services, and products
European Union: Coordinated Roadmap, Binding Obligation Proposed
The EU NIS Cooperation Group published its Coordinated Implementation Roadmap in June 2025. In January 2026, the European Commission published COM(2026) 13, which proposes making PQC transition a binding legal obligation under the NIS2 Directive for all covered entities across the 27 member states. Once adopted, which is expected in late 2026 or early 2027, the advisory roadmap becomes law. Hybrid PQ/T schemes are recommended during transition; ETSI TS 103 744 is the technical specification for hybrid TLS.
- End of 2026: Member states publish national PQC strategies and initiate cryptographic inventories
- End of 2030: Critical infrastructure must have transitioned for high-risk use cases
- End of 2035: Full migration complete
Germany (BSI): Strictest Hybrid Requirements Globally
Germany’s BSI has the most demanding hybrid requirements of any country. BSI TR-02102-1 Version 2026-01 requires a dual-algorithm hybrid for key encapsulation (ML-KEM combined with FrodoKEM) for federal agencies and regulated sectors. BSI TR-02102-1 Version 2026-01 sets a clear sunset date for classical-only key agreement: December 31, 2031, with a tighter 2030 deadline for high-protection applications. No other country currently imposes this combination as a binding technical requirement.
- 2026: Federal agencies begin PQC deployment
- 2030: Critical infrastructure and high-protection systems migrated
- 2031: Classical-only key agreement sunset for regulated use
Recommended algorithms: ML-KEM + FrodoKEM hybrid for key encapsulation; Classic McEliece for very long-term confidentiality; ML-DSA, SLH-DSA, and XMSS for signatures.
France (ANSSI): Mandatory Hybrid, Closely Aligned with BSI
ANSSI requires hybrid for all PQC mechanisms, with limited exceptions for hash-based signatures such as XMSS, LMS, and SLH-DSA. For key exchange, it recommends ML-KEM combined with FrodoKEM. For digital signatures, hybrid ML-DSA with a classical scheme is required. Like Germany, France does not accept standalone post-quantum algorithms as sufficient during the transition period. This is a direct contrast with Australia, which actively discourages hybrids. Deadlines mirror the EU roadmap: 2026 for deployment to begin, 2030 for high-risk use cases, and 2035 for full transition.
Canada: Formal Roadmap with Binding Annual Reporting
The Canadian Center for Cyber Security published ITSM.40.001 in June 2025 for non-classified federal IT systems. The approach is risk-based, prioritizing systems by data sensitivity, data lifespan, and the potential impact if compromised.
- April 2026: All federal departments submit initial PQC migration plans
- Annually from April 2026: Progress reporting required
- End of 2031: High-priority systems migrated
- End of 2035: Full PQC migration of all remaining systems
Australia (ASD): Most Aggressive Deadline for Classical Crypto Elimination
Australia has one of the most aggressive deadlines of any major jurisdiction. The ASD’s Information Security Manual requires all classical asymmetric cryptography to be eliminated from government systems by the end of 2030, five years ahead of the UK’s 2035 target. The ASD allows but does not recommend hybrid implementations, primarily for legacy compatibility situations. This stands in direct contrast to Germany and France, both of which mandate a dual-algorithm hybrid.
- End of 2026: Refined PQC transition plan in place
- End of 2028: Migration begins for critical systems and long-lived sensitive data
- End of 2030: All classical asymmetric cryptography eliminated from government systems
Japan (CRYPTREC): Accelerating Ahead of Its Formal Roadmap
In April 2026, CRYPTREC completed its external evaluation of ML-KEM and cleared it for the CRYPTREC Ciphers List, removing the main procurement barrier for Japanese government deployments. A national migration roadmap is expected in 2027. The full migration target is approximately 2035, though this has not yet been officially confirmed.
India (DST / National Quantum Mission): Phased Deadlines Established
India’s Department of Science and Technology published its Task Force Report, “Implementation of Quantum Safe Ecosystem in India,” in February 2026 under the National Quantum Mission. The Telecommunications Engineering Center leads testing and certification, aligned with NIST PQC standards. India’s roadmap also uses migration as an opportunity to upgrade AES-128 deployments to AES-256.
- 2026: National PQC Testing and Certification Program established
- 2027: Critical Information Infrastructure (CII) sectors complete inventory, governance, and initial pilots
- 2028: Non-CII enterprises complete foundational steps; CII sectors begin full migration
- 2030: High-priority CII systems migrated
- 2033: PQC adopted as default across all communication systems
China (OSCCA): Parallel Track, Deliberate Incompatibility
China is not following the NIST process. OSCCA is developing its own PQC algorithms as part of a broader cryptographic sovereignty strategy. No public migration deadline has been published. Any system using Chinese-standard algorithms will be incompatible with FIPS 203/204/205, requiring translation layers at every cross-border interface.
South Korea (KPQC): Domestic Standards with NIST Cross-Compatibility
South Korea completed its KPQC standardization competition in 2025, selecting domestic algorithms (HAETAE and AIMer for signatures, SMAUG-T and NTRU+ for key encapsulation) designed to work alongside NIST standards. Mandated public sector rollout began in 2026.
UAE and Gulf States: Policy Issued, Enforcement Framework Forming
The UAE approved its National Encryption Policy in 2025, requiring government entities to develop formally approved transition plans with cryptographic discovery and inventory as prerequisites. Compliance-critical entities must formalize migration plans in 2026.
The country-by-country picture is useful, but reading them as isolated items misses the bigger risk. The next section explains why the gaps between these programs matter just as much as the programs themselves.
Quick Reference: Global PQC Migration Deadlines
| Country / Region | First Hard Deadline | Critical Systems | Full Migration | Hybrid Required | Enforcement Status |
|---|---|---|---|---|---|
| United States (CNSA 2.0 / EO 14412) | 2025 (new NSS) | 2030 (key estab.) 2031 (sigs) | 2035 | No (optional) | Binding: EO 14412 (June 22, 2026) mandates 2030/2031 for federal civilian agencies and contractors; NSS under CNSA 2.0; voluntary for private sector |
| United Kingdom (NCSC) | 2028 (plan due) | 2031 | 2035 | Encouraged (not mandatory) | Mandatory for CNI operators under NIS Regulations 2018; recommended for all others |
| European Union (NIS CG) | 2026 (strategy) | 2030 | 2035 | Recommended (hybrid PQ/T) | COM(2026) 13 proposes binding NIS2 obligation; expected late 2026/early 2027; currently member state-determined |
| Germany (BSI TR-02102-1 v2026-01) | 2026 | 2030 | 2031 (key agreement sunset) | Yes: dual-algorithm ML-KEM + FrodoKEM required | Binding for federal agencies and regulated sectors |
| France (ANSSI) | 2026 | 2030 | 2035 | Yes: ML-KEM + FrodoKEM for KEM; hybrid ML-DSA for signatures | Binding for regulated entities |
| Canada (CCCS ITSM.40.001) | Apr 2026 (plan due) | 2031 | 2035 | Encouraged | Binding for federal departments; annual progress reporting from April 2026 |
| Australia (ASD / ISM) | 2026 (plan due) | 2030 | 2030 | No (allowed but not recommended) | Binding for government systems; refined plan by end of 2026; full migration by end of 2030 |
| Japan (CRYPTREC) | 2026 (ML-KEM cleared) | TBD | ~2035 (estimated) | TBD | Advisory; national roadmap expected 2027 |
| India (DST / NQM) | 2027 (CII foundations) | 2030 (CII migration) | 2033 | Optional | Framework forming; TEC leads certification aligned with NIST standards |
| South Korea (KPQC) | 2026 (rollout) | TBD | TBD | TBD | Mandated for public sector; domestic KPQC algorithms cross-compatible with NIST |
| United Arab Emirates | 2026 (plans due) | TBD | TBD | No | Policy-level; enforcement framework forming; National Encryption Policy approved 2025 |
| China (OSCCA) | Not published | Not published | Not published | N/A | Sovereign standard; incompatible with FIPS 203/204/205; no external enforcement timeline published |
Why the Gaps Matter More Than the Dates
The table above shows that different countries have different deadlines, different algorithm requirements, and different enforcement mechanisms. For any organization operating across borders, the problem is not just keeping up with the strictest deadline. There are four structural issues that the individual deadlines do not address.
1. The Weakest-Link Problem in Cross-Border Data Flows
A data flow is only as secure as its least-protected node. A European bank with a strong PQC infrastructure that transmits data to a supply chain partner in a jurisdiction with no mandate has extended its exposure to that partner’s cryptographic posture. Adversaries do not attack the strongest point. They find the weakest one.
2. Algorithm and Hybrid Divergence Creates Implementation Paralysis
Germany requires ML-KEM + FrodoKEM dual-algorithm hybrid. Australia allows but does not recommend a hybrid. CNSA 2.0 makes hybrid optional. France requires ML-KEM + FrodoKEM for key exchange and hybrid ML-DSA for signatures. South Korea requires its own domestic KPQC algorithms. China’s OSCCA algorithms are incompatible with all of the above. There is no single design that satisfies every jurisdiction at once. A hardware security module or TLS library deployed globally must support a superset of all mandated algorithm combinations, which increases the chances of misconfiguration.
3. HNDL Asymmetry Between Advanced and Developing Nations
Nation-states with quantum programs collect traffic from the entire global network, not just from their own citizens. A jurisdiction with no PQC mandate and no migration plan is generating years of harvestable encrypted data with no path to closing that exposure window. For large enterprises that cannot finish migration before a CRQC arrives, the question is not whether their historical data will eventually be exposed. It is how many years of data will be.
4. The Financial Sector Mandate Gap
As of June 24, 2026, no sector-specific PQC mandate has been issued by HIPAA/HHS, PCI DSS, the Basel Committee, the FCA, or APRA. The December 2025 CEPS Task Force report identified quantum computers as a systemic risk to financial systems but stopped short of issuing binding requirements. US financial institutions that are federal contractors now fall under EO 14412’s 2030 deadline, but sector-wide financial regulation does not exist yet. Financial data is one of the highest-value HNDL targets globally.
Knowing where the gaps are is only useful if it leads to action. The next section sets out the four things organizations need to do now.
What This Means for Your Organization
Whether your organization is subject to EO 14412, BSI requirements, ASD guidance, or none of the above, the same four steps apply.
1. Start with Cryptographic Discovery
You cannot plan a migration without knowing what you have. Cryptographic inventory completeness is one of the six main drivers of how long migration takes. Standard tools have blind spots: certificate management platforms only see registered certificates, vulnerability scanners miss east-west microservice traffic, and CMDBs miss shadow IT and acquired infrastructure. A proper inventory needs purpose-built discovery across network traffic, source code, binaries, configuration files, and hardware.
2. Determine Which Deadlines Actually Bind You
Not all deadlines carry the same legal weight, and the specific parameter sets matter. CNSA 2.0 requires ML-KEM-1024 and ML-DSA-87 specifically for National Security Systems, not the lower parameter sets that are sufficient for general enterprise use. EO 14412 creates binding 2030 and 2031 deadlines for all US federal civilian agencies and covered contractors. Germany’s BSI Technical Guidelines bind German federal agencies and regulated sectors. For most private-sector organizations outside those frameworks, the binding constraints arrive through procurement: if your customer is subject to a mandate, that mandate effectively extends to you.
3. Build for Crypto-Agility
Cryptographic agility means your systems can swap algorithms without a full re-architecture. NIST CSWP 39 (“Considerations for Achieving Crypto Agility: Strategies and Practices,” finalized December 19, 2025) makes this an explicit recommendation. The need for agility is not theoretical. In March 2025, NIST selected HQC as a fifth algorithm, a code-based backup to ML-KEM using different mathematics. NIST expects to finalize it in 2027. Meanwhile, FIPS 206 (FN-DSA) is still in draft. In a migration that takes 12 to 15 years for large enterprises, the algorithm landscape will keep changing. An agile architecture handles those changes through configuration, not code rewrites.
4. Engage Your Cryptographic Supply Chain Now
Your migration can only move as fast as your slowest critical vendor. Every unmitigated third-party component extends your HNDL exposure regardless of what you have done internally. Ask every hardware vendor, software vendor, cloud provider, and certificate authority for their PQC migration plan. Treat readiness as a procurement requirement before compliance pressure makes those conversations reactive.
Encryption Consulting helps organizations work through all four of these steps, from discovery through to implementation.
How Encryption Consulting Can Help
Migrating to Post-Quantum Cryptography is not just a security upgrade, it’s a foundational transformation in how organizations protect sensitive data. Navigating a multi-jurisdiction PQC environment requires more than periodic scanning. It requires continuous discovery, a governed inventory, and an architecture that can absorb algorithm changes as standards evolve.
If you are wondering where and how to begin your post-quantum journey, Encryption Consulting is here to support you through our PQC Advisory Services. We act as your trusted partner, guiding you through every step with clarity, confidence, and real-world expertise.
We start with a Cryptographic Discovery and Inventory, scanning your entire environment to locate certificates, keys, algorithms, and protocols across endpoints, applications, APIs, and infrastructure. This gives you the baseline visibility that any migration depends on.
From there, we run a PQC Assessment to measure your exposure to quantum threats, pinpoint RSA- and ECC-dependent systems, and produce a prioritized report of vulnerable assets ranked by risk severity.
With that picture in hand, we build a PQC Strategy and Roadmap: a phased migration plan shaped around your risk appetite, regulatory requirements, and long-term security goals, with cryptographic agility built in so your systems can adapt as standards continue to develop.
We then support Vendor Evaluation and Pilot Testing, helping you choose the right tools, run proof-of-concept tests, and confirm interoperability before any full-scale rollout begins.
Finally, we oversee Full Implementation, deploying hybrid classical and quantum-safe models, rolling out PQC across your PKI and infrastructure, and putting monitoring in place for long-term cryptographic health.
CertSecure Manager
On the execution side, CertSecure Manager delivers the certificate lifecycle automation that makes large-scale PQC migration operationally feasible. The platform continuously discovers RSA and ECDSA certificates across cloud services, servers, applications, and load balancers, consolidating them into a centralized inventory with a single view of status, ownership, and expiration risk. Automated renewal workflows reduce manual effort and the risk of outage-causing lapses, while proactive expiration alerts ensure teams are acting before certificates become service-impacting incidents.
Conclusion
Twelve major jurisdictions have now published PQC migration requirements. They disagree on algorithms, hybrid mandates, scope, and deadlines. The global financial sector, which holds some of the highest-value HNDL targets on the planet, still has no binding mandate.
What makes 2026 the critical year is the combination of three things arriving at once: realistic migration timelines that run longer than most organizations plan for, quantum hardware research that is compressing the Q-Day window, and a binding law in the world’s largest economy. A large enterprise starting today faces a completion date around 2039 if a CRQC arrives by 2030, as Google, Cloudflare, and the White House now treat as a credible planning assumption, that the organization runs on broken cryptography for nearly a decade after Q-Day.
The path forward is the same for every organization: inventory first, prioritize by exposure, build for agility, and move now. The deadlines are set. The migration durations are well understood. What remains is execution.
For US federal contractors, the 2030 key establishment deadline is now law. For every other organization, 2026 is the last point at which a timely migration is still achievable.
- The Problem Underneath the Deadlines
- How Long PQC Migration Actually Takes
- The Compressed Window: When Migration Duration Meets Q-Day
- Where Every Major Country Stands
- United States: Standards Published; Binding Federal Mandate Now Law
- United Kingdom: Phased Three-Stage Migration
- European Union: Coordinated Roadmap, Binding Obligation Proposed
- Germany (BSI): Strictest Hybrid Requirements Globally
- France (ANSSI): Mandatory Hybrid, Closely Aligned with BSI
- Canada: Formal Roadmap with Binding Annual Reporting
- Australia (ASD): Most Aggressive Deadline for Classical Crypto Elimination
- Japan (CRYPTREC): Accelerating Ahead of Its Formal Roadmap
- India (DST / National Quantum Mission): Phased Deadlines Established
- China (OSCCA): Parallel Track, Deliberate Incompatibility
- South Korea (KPQC): Domestic Standards with NIST Cross-Compatibility
- UAE and Gulf States: Policy Issued, Enforcement Framework Forming
