The Quantum Threat
Your encryption has an expiration date. Quantum computers running Shor’s algorithm will be able to break RSA, ECC, and other widely-used public-key cryptographic systems by efficiently factoring large integers and computing discrete logarithms.
The threat is already active. Harvest Now, Decrypt Later (HNDT) attacks mean adversaries are capturing encrypted data today — financial transactions, health records, government communications, critical infrastructure controls — to decrypt once quantum computers are powerful enough. Data with long confidentiality requirements is at risk right now.
NIST finalised the first post-quantum cryptography standards in August 2024: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for digital signatures, and SLH-DSA (FIPS 205) for hash-based signatures. A fourth standard, FN-DSA (FIPS 206), is expected late 2026 or early 2027. The building blocks for quantum-safe migration exist. The question is whether organisations will act in time.
Quantum Australia is already telling their organizations 2026 is the year planning should start happening. Google just announced they are bringing forward their timeline to 2029 for PQC.
Quantum computers might not be there yet with the power needed to break today’s encryption, but there is no denying the momentum and the signals saying that now is the time to planning and getting ready.
Global Regulatory Landscape
Governments worldwide are setting PQC migration deadlines. Organisations that delay risk non-compliance, operational disruption, and exposure to quantum-enabled threats.
| Jurisdiction | Framework | Key Deadlines |
|---|---|---|
| United States | CNSA 2.0 | Software/firmware signing 2025-2030; browsers/servers/cloud 2025-2033; full migration by 2035 |
| United Kingdom | NCSC PQC Roadmap | Discovery by 2028; high-priority migration by 2031; complete by 2035 |
| European Union | NIS2 + PQC Roadmap | Strategies by 2026; high-risk migrations by 2030; full migration by 2035 |
| Australia | ASD Guidance | Refined plan by end 2026; commence migration 2028; complete by 2030 |
| Singapore | CSA Guidance | Guidance issued; sector-specific timelines developing |
| Japan | CRYPTREC | Monitoring PQC standards; guidance in development |
| New Zealand | NZISM Section 2.4 | Preparation mandated; no migration deadline set |
New Zealand’s NZISM Section 2.4 requires agencies to monitor PQC developments, inventory cryptographic systems, and develop migration plans. However, no PQC algorithms have been approved for NZISM use, and unlike every other Five Eyes nation, New Zealand has not set a migration deadline.