EU Defines Clear Roadmap for Post Quantum Cryptography Transition by 2035
The European Commission has recently published “A Coordinated Implementation Roadmap for the Transition to Post Quantum Cryptography,” outlining a unified strategy to prepare Europe’s digital infrastructure for the challenges posed by quantum computing.
This roadmap sets out clear expectations and timelines for Member States to begin and progress their migration away from vulnerable classical cryptographic algorithms toward quantum-resistant solutions.
Three Milestones Define the Transition Timeline
The document organizes the PQC migration into three key milestones, providing a clear framework for coordinated action across Europe:
By 2026: Complete Initial Steps and Begin Pilots for High and Medium Risk Use Cases
Member States are expected to initiate or update national PQC transition plans, incorporating several foundational activities:
- Engaging relevant stakeholders including government CTOs, CISOs, cybersecurity authorities, and research institutions.
- Developing detailed inventories of cryptographic assets using standardized formats.
- Mapping dependencies across applications, platforms, and supply chains.
- Conducting quantum risk assessments to prioritize systems based on vulnerability and impact.
- Involving supply chain partners to align product and service roadmaps.
- Launching awareness and communication programs tailored to different stakeholder groups.
- Sharing knowledge and coordinating via EU cybersecurity groups.
- Creating implementation plans with timelines reflecting national priorities.
By this milestone, pilots for high and medium-risk use cases should be underway, enabling practical testing of PQC solutions.
By 2030: Implement Next Steps and Finalize Transition for High-Risk Use Cases
The roadmap anticipates that by 2030, Member States will have completed the PQC migration for all high-risk systems. Key actions include:
- Ensuring cryptographic agility in all new products, with upgrade paths supporting post-quantum algorithms.
- Allocating adequate resources, both budgetary and human, to sustain the transition.
- Updating certification and regulatory frameworks to incorporate PQC standards.
- Revising national laws and procurement policies to enforce quantum-safe cryptography.
- Engaging with private sector stakeholders, training programs, and funding initiatives to strengthen the PQC ecosystem.
- Participating in EU-supported testing centers and pilot projects to validate interoperability.
High-risk systems are those protecting data requiring confidentiality for at least 10 years or systems with significant potential impact if compromised.
By 2035: Complete Transition for Medium- and Low-Risk Use Cases
The final milestone aims for the completion of the PQC transition for medium-risk use cases and as many low-risk systems as feasible. This aligns with international goals set by authorities such as NIST and the UK NCSC, which envision retiring vulnerable cryptography by this date.
Understanding Quantum Risk and Prioritization
The roadmap introduces a risk classification framework to guide prioritization:
- High risk: Use cases with long-term confidentiality needs and critical impact.
- Medium risk: Important use cases with moderate urgency.
- Low risk: Systems with less impact or shorter confidentiality requirements.
Organizations are encouraged to integrate quantum risk analysis into existing cybersecurity risk management processes.
Key Themes for a Successful PQC Transition
- Cryptographic agility: Products and systems should support seamless upgrades to quantum-resistant algorithms.
- Stakeholder collaboration: Cross-border and cross-sector cooperation is vital.
- Regulatory alignment: Laws, certifications, and procurement must evolve to support PQC adoption.
- Awareness and training: Tailored education initiatives should involve all organizational levels.
- Resource planning: Budget and personnel must be dedicated to transition efforts.
- Testing and validation: Coordinated pilot programs and interoperability testing are essential.
How Encryption Consulting Can Support Your Post Quantum Cryptography Journey
Encryption Consulting offers specialized Post-Quantum Cryptography Advisory Services designed to help organizations assess their quantum risk, develop tailored transition strategies, and implement cryptographic agility aligned with global and EU standards.
Our expert team assists with risk assessments, roadmap development, vendor evaluations, and proof-of-concept testing to facilitate a smooth and compliant migration to quantum-safe cryptography.
