On March 20, 2025, the National Cyber Security Centre (NCSC) released guidance for organizations to update their cryptography. Due to the growing threat the field of quantum computing poses to traditional cryptography, organizations will need to migrate to new Post-Quantum Cryptography (PQC), which will remain immune to attacks by quantum computers.
In a previous white paper on PQC, the NCSC has recommended using the NIST standardized PQC algorithms. The focus of this new document Timelines for migration to post-quantum cryptography was on the complexities that a PQC migration entails, including migrations of Public Key Infrastructures (PKI) and Industrial Control Systems (ICS), and the resulting multi-year migration timeline.
The NCSC states the need of doing both a top-down and bottom-up approach. Our cryptographic experts at InfoSec Global can help with a top-down analysis, which focuses on “your core services and architectural interdependencies.” We can also provide a bottom-up approach, “a more low-level exploration of the use of cryptography on your networks to identify components that will need updating,” with our cryptographic inventory tool AgileSec Analytics.
The NCSC states that, “except for the very simplest systems … you will likely find that you need traditional (Public Key Cryptography) PKC and PQC to co-exist for a while within your environment … You should therefore seek solutions that offer cryptographic agility; that is, the ability to readily support alternative suites of cryptographic algorithms.” This can be achieved by using a crypto agile API, which acts as an interface between the cryptographic algorithms and the applications that use them, as is done with InfoSec Global’s AgileSec SDK.
Another reason for crypto agility is that although PQC algorithms have been standardized by NIST, the protocol that utilize them are still undergoing standardization. Moreover, the NCSC states, “it will take time for assurance in implementations of these algorithms within protocols and systems to be developed.” With the time until a quantum computer is capable of breaking traditional cryptography closing in, it is important to be able to deploy PQC seamlessly as soon as PQC products become available.
Due to the large scale of a PQC migration, the NCSC states:
NCSC Timelines for PQC migration
Carrying out preparatory activities, including building a cryptographic inventory, creating a migration plan and deploying crypto agile products “ensures that, once robust implementations of PQC in products become available, you will be able to carry out a principled, staged migration, in a way that limits any disruption to your organisation's business, reduces the risk of insecurity and ultimately reduces total cost.”
This is a great example, that although the procedures could slightly differ, different countries have roughly same timelines and similar strategies and of course show the inevitable need to transition to quantum-safe cryptography.
