The NCSC has released new guidance to help key industries prepare for the threat posed by quantum computing to current encryption standards.

The guidance outlines a phased approach for organisations to transition to post-quantum cryptography (PQC) over the next decade, ensuring sensitive data remains secure against future cyber threats.

Three Phases

In this guidance, the NCSC is urging industries to consider adopting quantum-resistant encryption. Specifically, this guidance consists of three phases. The first phase, to be completed in three years, focuses on identifying cryptographic dependencies and creating a migration strategy.

The second phase (2028–2031) involves replacing vulnerable systems with PQC-compatible alternatives. The final phase aims for full migration by 2035.

Therefore the NCSC guidance:

• Sets out the necessary steps towards PQC migration

• Describes how the preparatory work might vary across different sectors

• Advises on timescales for key activities on the long journey to PQC

The NCSC said this guidance is primarily aimed at technical decision-makers and risk owners of large organisations, operators of critical national infrastructure systems including industrial control systems, and companies that have bespoke IT (such as proprietary communications systems).

“In this guidance, we have set detailed expectations for the early parts of PQC migration, as well as target completion dates for migration,” the NCSC said.

“Carrying out preparatory activities ensures that, once robust implementations of PQC in products become available, you will be able to carry out a principled, staged migration, in a way that limits any disruption to your organisation's business, reduces the risk of insecurity and ultimately reduces total cost.

Not Trivial

Daniel Shiu, chief cryptographer at Arqit, praised the launch of the timelines, calling the advice “concise, specific, and achievable.”

He said: “The capability to act on the advice will vary from organisation to organisation. It's not trivial even to complete the first step of understanding your current usage of cryptography. The challenges of then understanding which systems will need changing, which have an easy fix, which are less urgent, and which will require significant effort starting as soon as possible require specialised skills that may be outside of the expertise of highly-qualified security experts.”

Avishai Sharlin, division president at Amdocs Technology, said: “Preparing for a post-quantum era will be a massive undertaking for organisations, and the NCSC’s deadline for migration couldn’t come at a better time. However, what the industry urgently needs are clear post-quantum standards.

“Organisations must begin preparing for the post-quantum shift as early as this year. Securing computing environments will require a massive effort, starting with mapping all applications, dependencies, and processes to identify vulnerabilities.

“Next, companies must focus on building relevant skills. Quantum computing is still an emerging field, and the expertise needed today will differ vastly from what will be required in the next decade. Businesses should encourage teams to experiment with quantum technologies and develop strategies for a quantum-safe environment—potentially guided by a centre of excellence."

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.