UK sets timeline for country’s transition to quantum-resistant encryption

U.K. cyber officials are urging local organizations to begin planning how to protect their systems from future threats posed by quantum computers.

Although the arrival date of quantum computers is still unknown, the U.K. National Cyber Security Centre (NCSC) issued new guidance on Thursday to help organizations transition to cryptographic algorithms and protocols that can protect data threatened by big advances in computing power.

Quantum computers are expected to be a groundbreaking development, capable of performing certain computations — including breaking encryption algorithms — far more efficiently than current technologies. 

In response, researchers are working to develop post-quantum cryptographic (PQC) algorithms designed to withstand the new technology. A handful have already been published.

“We know that PQC migration can feel like a daunting challenge for many organizations,” NCSC said. “It is a multi-year effort that will span more than one investment cycle and needs careful planning.”

NCSC’s new guidance breaks down the migration into three phases, spanning from 2028 to 2035. 

The first phase, ending in 2028, involves assessing systems and services using current cryptography and creating a migration plan focused on identifying needed upgrades. The second phase, ending in 2031, focuses on executing priority migrations and refining the plan as PQC technology evolves. The final phase, by 2035, will complete the migration to PQC. 

Smaller organizations may experience this as routine updates from providers, while larger, regulated entities will require more significant investment. “We hope that setting these dates helps with the planning and the investment cases,” NCSC said.

The U.K.’s regulated sectors, such as banking, finance and telecommunications, will likely lead the way in PQC adoption. These industries, which operate on a global scale, must coordinate with international partners to ensure the seamless integration of PQC technologies, officials said.

It is not clear what the likelihood is that organizations will follow NCSC’s recommendations. Regulators are expected to play a crucial role in driving awareness and facilitating the transition, the agency said.

Preparing in advance ensures that when robust post-quantum cryptography (PQC) solutions are ready, organizations can smoothly transition to them without causing major disruptions to their operations. This approach helps reduce security risks and lowers overall costs, NCSC added.