open_in_newOriginal article
NCSC Sets 2035 Deadline for Post-Quantum Cryptography Migration

NCSC Sets 2035 Deadline for Post-Quantum Cryptography Migration

  • 20.03.2025 16:47
  • infosecurity-magazine.com
  • Keywords: Quantum Computing, Cybersecurity Threats

The UK's NCSC has set a 2035 deadline for organizations to migrate to post-quantum cryptography (PQC), outlining a three-phase approach to protect against quantum computing threats. The guidance aims to ensure secure and timely transitions, particularly for critical systems and large organizations.

Microsoft ProductsMSFTsentiment_satisfiedNETsentiment_satisfied

Estimated market influence

NCSC

Positivesentiment_satisfied
Analyst rating: N/A

The NCSC is urging organizations to migrate to PQC by 2035 and has provided a three-phase plan. They are also collaborating with vendors and updating their guidance.

Microsoft

Microsoft

Positivesentiment_satisfied
Analyst rating: Strong buy

Announced Majorana 1, a breakthrough in quantum computing that could lead to scalable quantum computers within years.

NIST

Positivesentiment_satisfied
Analyst rating: N/A

Finalized PQC standards in 2024 and supported developments in quantum-secure solutions.

vendors

Positivesentiment_satisfied
Analyst rating: N/A

Achieved validated testing of PQC algorithms through NIST’s program, contributing to ecosystem development.

Cloudflare

Cloudflare

Positivesentiment_satisfied
Analyst rating: Buy

Announced support for quantum-safe digital signatures in their zero trust platform.

Google

Positivesentiment_satisfied
Analyst rating: N/A

Incorporated PQC into communications stacks, enhancing security against future quantum threats.

Context

Analysis of NCSC's Post-Quantum Cryptography Migration Guidelines

Overview

The UK’s National Cyber Security Centre (NCSC) has issued a directive mandating the migration to post-quantum cryptography (PQC) by 2035. This transition is critical as quantum computing poses significant risks to current encryption methods, potentially exposing sensitive data.

Phased Migration Strategy

1. Discovery and Assessment (2028)

  • Organizations must create initial migration plans within the next two to three years.
  • Key activities include:
    • Identifying high-priority migration tasks.
    • Assessing dependencies on suppliers and infrastructure.
    • Determining required investments.
    • Planning for long-lived hardware root of trust migration.

2. Execute High Priority Upgrades (2031)

  • Organizations should complete critical upgrades to protect vital assets over the next two to three years.
  • Refine initial plans to align with ecosystem developments and ensure full migration by 2035.

3. Complete PQC Migration (2035)

  • Implement final cryptographic changes, incorporating new technologies into systems.
  • Enhance overall cyber resilience during this phase.

Why PQC Adoption is Critical

  • Quantum Computing Threats: Commercially available quantum computers could break current encryption, exposing data and communications.
  • Cybercriminal Activity: Attackers are storing encrypted data for future decryption.
  • Technological Breakthroughs: Microsoft's Majorana 1 promises scalable quantum computing within years.

Market Trends and Developments

  • NIST PQC Standards: Finalized in 2024, driving vendor adoption of validated PQC implementations.
  • Vendor Readiness: Cryptographic hardware roots of trust (e.g., HSMs) are expected by late 2025.
  • Browser Support: Leading browsers are integrating PQC into their communications stacks.

Strategic Considerations

  • Early Adoption Benefits: Organizations that act sooner gain a competitive edge, avoiding potential security gaps.
  • Supplier Collaboration: Effective migration requires close coordination with suppliers and infrastructure providers.
  • Investment in Innovation: Businesses must allocate resources to develop and implement PQC solutions.

Long-Term Effects and Industry Implications

  • Shift to Quantum-Resistant Systems: The cybersecurity landscape will transition to quantum-resistant technologies, altering industry dynamics.
  • Regulatory Compliance: Governments may enforce stricter compliance standards as deadlines approach.

Conclusion

The NCSC's 2035 deadline underscores the urgency for organizations to adopt PQC. Early planning and strategic investments in cryptographic solutions are essential to mitigate future risks posed by quantum computing. Businesses must prioritize migration to maintain data security and stay ahead of emerging threats.