PQC Timelines Provide Direction, but Not Action
April 2026, Daryl Flack, Partner
Published on: EE Times
Regulation lags as quantum threats loom.
Current post-quantum cryptography (PQC) adoption timelines in the U.K. and the European Union provide direction, but they do not compel action. That distinction is becoming one of the most important and underappreciated risks in cybersecurity today.
In the U.K., the National Cyber Security Centre (NCSC) has set out a clear roadmap: discovery and planning by 2028, priority system migration by 2031, and full adoption by 2035. Across the European Union, guidance from the European Commission and the NIS Cooperation Group moves slightly faster, with expectations that critical infrastructure will begin adopting PQC by 2030.
These timelines are helpful. They provide structure and signal intent. But they are not regulatory mandates. There are no widespread enforceable requirements compelling organizations to act today, and as a result, many are not.
The widening gap between awareness and preparedness
For years, cryptography has been one of the most stable components of digital infrastructure. The algorithms securing communications, financial transactions, and sensitive data have remained largely unchanged, creating a sense that encryption is a solved problem.
That stability has bred complacency.
Recent research from ISACA highlights the scale of the challenge across Europe: 67% of IT professionals are concerned that quantum computing will increase or shift cybersecurity risks, yet only 4% say their organization has a defined strategy. Just 5% report a strong understanding of emerging PQC standards.
This disparity is striking. Organizations are aware of the risk, but very few are taking meaningful steps to address it. In the absence of regulatory pressure, PQC in the U.K. continues to be treated as a future issue despite clear evidence that preparation must begin now.
The prevailing risk: long-lived and confidential data
When we talk about the quantum threat, it is easy to picture a futuristic risk: an ultra-powerful computer suddenly rendering all encryption obsolete overnight. The reality is more nuanced and more immediate. The most immediate danger lies in long-lived, confidential data: information that must remain confidential and verifiable for the life of the data, so the cryptography used to protect it needs a similar lifespan. Quantum computing, and the risk it poses to classical cryptography, is cutting into the useful life of many of the cryptographic algorithms used today.
Legal records, genomic data, state secrets, medical research, and sensitive corporate archives all fall into the confidential data category. These are not transient data sets. They underpin justice systems, scientific progress, and national security. If they are decrypted or compromised before the useful life of that data has passed, the damage may be severe or even irreparable.
Adversaries know this. Many are already pursuing “harvest now, decrypt later” strategies, stealing encrypted information today with the expectation that it can be decrypted once quantum capabilities mature.
Without regulatory urgency, many organizations will continue to rely on cryptographic algorithms that are known to be vulnerable in a quantum future. This creates a growing backlog of exposed data: information that is secure today but may not remain so tomorrow.
The absence of mandated timelines risks extending this exposure window unnecessarily.
Regulation lagging behind risk
The lack of enforceable PQC requirements in the U.K. has created a systemic delay. Many vendors are waiting for customer demand before prioritizing quantum-safe solutions, while organizations are waiting for regulation before committing to investment.
This creates a cycle of inaction at precisely the moment when early preparation is most critical.
Over time, this dynamic is likely to shift. As quantum risks become more tangible, failing to plan for PQC migration may increasingly be seen as a failure to manage cybersecurity risk appropriately. Organizations could find themselves exposed not only technically, but also from a compliance and governance perspective.
However, by the time regulatory expectations catch up, many may already be behind. The first deadline for migration planning is just over 18 months away, yet many organizations have not even begun, or budgeted to begin, this work.
Compounding this issue is uncertainty around the quantum timeline itself. Advances in quantum computing, error correction, and cryptographic research suggest that the arrival of a cryptographically relevant quantum computer may come sooner than previously anticipated. If that timeline accelerates, the window for safe and orderly migration may narrow significantly.
Diverging timelines, global complexity
While the U.K. and EU timelines differ slightly, most multinational organizations will adapt by aligning to the most demanding schedule. In that sense, divergence between regions is manageable.
The greater challenge lies in global fragmentation. PQC adoption timelines are evolving not just in Europe, but across jurisdictions, including Singapore, Australia, Canada, and the U.S. Each is moving at a different pace, with varying levels of guidance and regulatory intent.
This creates complexity for organizations operating across borders.
Without global coordination, organizations may be forced to manage multiple parallel cryptographic strategies, an approach that increases cost, complexity, and risk.
Supply chains under strain
Encryption sits at the heart of modern supply chains, securing everything from operational technology and industrial systems to digital identities and financial transactions.
Fragmented PQC adoption driven by inconsistent timelines and a lack of regulatory alignment introduces several risks:
Operational complexity, as organizations support multiple cryptographic environments.
Interoperability challenges, where systems operating under different standards struggle to communicate securely.
Compliance burdens, as organizations navigate inconsistent regulatory expectations.
Extended vulnerability, where lagging systems remain exposed to future quantum attacks.
Supply chains depend on trust and consistency. If partners move at different speeds, trust can be undermined. A single weak link, an organization in the supply chain that delays PQC adoption, can introduce risk across the entire ecosystem.
Industry moving ahead of regulation
While regulatory frameworks remain in development, parts of the private sector are already accelerating their timelines. Google, for example, does not treat waiting for regulation as a viable strategy and has set a 2029 target for transitioning key systems to PQC.
The company has cited advances in quantum computing and the growing threat of “store now, decrypt later” attacks as reasons for accelerating its plans. Its focus on securing authentication and digital signatures reflects the critical role these systems play in maintaining trust across digital ecosystems.
As major technology providers move ahead, they will influence the broader ecosystem. Organizations that fail to keep pace may find themselves out of alignment with their suppliers, partners, or customers.
Taking ownership of PQC readiness
Responsibility for PQC readiness ultimately sits with individual organizations, most critically in how they manage and secure their supply chain ecosystems. Vendors may provide tools and standards bodies may define algorithms, but implementation and risk management cannot be outsourced.
Cryptography is deeply embedded across systems, applications, networks, IoT devices, and operational technology. Many organizations lack visibility into where and how it is used, particularly across legacy environments and supply chains.
To move forward, cyber leaders should begin with key questions:
What cryptographic assets do we rely on, and where are the gaps in visibility?
Which systems and data sets require immediate protection?
Are our suppliers and partners aligned with our PQC adoption strategy?
Do we have crypto-agility built into our systems and transformation programs?
Is there clear executive ownership of PQC readiness?
Taking action with a structured approach
Organizations that act now will be better positioned to manage both risk and complexity. A structured approach should include:
Mapping cryptographic usage across systems and identifying long-lived, sensitive data
Prioritizing migration to quantum-resistant algorithms where risk is highest
Building crypto-agility to enable future transitions without major disruption
Embedding PQC adoption requirements into supply chain and procurement strategies
Aligning PQC with enterprise risk management, governance, investment planning, and existing or planned technology upgrade and refresh programs
Delaying these steps will increase both cost and disruption. Retrofitting systems under time pressure is far more complex than planning proactively.
Global coordination vs. global fragmentation
The divergence between the U.K. and EU timelines is a symptom of a broader lack of global alignment.
To avoid fragmentation, regulators and industry bodies must work toward coordinated timelines, consistent standards, and clear expectations. Without this, organizations will face a patchwork of requirements that complicates compliance and weakens security outcomes.
Global coordination will serve as a mandate for efficient and effective PQC readiness, enabling long-lived, confidential data to be protected consistently across borders and remain secure for decades.




