On March 20, 2025, the UK National Cyber Security Centre (NCSC) published “Timelines for migration to post-quantum cryptography,” setting a three-phase roadmap for organizations to transition to quantum-resistant encryption by 2035. The guidance established three key milestone dates for migration activities, according to the NCSC guidance page.
By 2028, organizations should complete a full discovery phase identifying systems reliant on cryptography and draft a migration plan. By 2031, the highest-priority migration activities should be completed and plans refined for full transition. By 2035, migration should be complete across all systems, services, and products. The NCSC stated that 10 years is sufficient for PQC standards to mature, for an ecosystem of compliant products to develop, and for widespread adoption.
NCSC Chief Technical Officer Ollie Whitehouse stated that upgrading collective security “is not just important, it’s essential.” The guidance recommends ML-KEM-768 and ML-DSA-65 as providing appropriate levels of security and efficiency for most use cases, along with SLH-DSA and LMS/XMSS for specific applications. The NCSC also announced plans to launch a pilot scheme assuring consultancy companies that support PQC migration.