New NCSC guidance sets out a three-phase migration to post-quantum cryptography, designed to ensure all systems are protected from quantum attacks by 2035
# Regulation/Compliance: Post-Quantum Cryptography Migration Mandate (NCSC)
## Overview
This guidance from the UK's National Cyber Security Centre (NCSC) mandates that organizations migrate their critical systems, services, and products to Post-Quantum Cryptography (PQC) to safeguard sensitive information against future threats posed by quantum computers.
## Key Details
- Issuing Authority: National Cyber Security Centre (NCSC), part of GCHQ (UK Government).
- Effective Date: The guidance is already published (March 2025 is the reference date used here); the compliance deadline is 2035.
- Jurisdiction: Primarily focuses on organizations within the UK context, particularly those handling sensitive data or operating critical national infrastructure.
- Status: Finalized Guidance/Mandate.
## Requirements
### Mandatory Requirements
1. **Complete Migration to PQC:** All relevant systems, services, and products must fully transition to PQC standards by the year 2035.
2. **Follow Phased Approach:** Organizations must adhere to the three phases of migration set out in the NCSC guidance to ensure a controlled transition and minimize security gaps caused by rushing implementation.
3. **Risk Owners Engagement:** Technical decision-makers and risk owners must actively engage with the NCSC guidance.
### Recommended Practices
1. **Proactive Planning:** Organizations should not wait until the deadline, especially given the complexity of cryptographic agility and lifecycle management.
2. **Service Provider Integration:** Smaller and medium-sized organizations (SMEs) should anticipate that PQC migration will often be delivered passively as part of routine upgrades provided by their existing service and technology vendors.
## Affected Organizations
- **Industries:** Operators of **Critical National Infrastructure (CNI)** systems, including Industrial Control Systems (ICS).
- **Organization Size:** Primarily targets **large organizations** and those with **bespoke IT**. However, all organizations handling long-term sensitive data are implicitly affected.
- **Geographic Scope:** United Kingdom (UK).
## Compliance Timeline
- **Immediate/Ongoing (Starting 2025):** Organizations must begin using the NCSC's phased guidance roadmap.
- **Interim Milestones:** Organizations must meet the milestones set within the three defined migration phases (this summary does not give the milestone details; following the published roadmap is mandatory).
- **Final Deadline (2035):** Full migration of all systems, services, and products to Post-Quantum Cryptography (PQC) is required.
## Implementation Guidance
### Assessment Phase
- **Identify Sensitive Data:** Determine which data requires protection against future quantum attack capabilities (i.e., data with a long secrecy requirement).
- **Inventory Cryptographic Assets:** Catalog all current cryptographic protocols, algorithms, and hardware dependencies across the organization.
### Implementation Phase
- **Develop PQC Roadmap:** Create a project plan aligning with the NCSC's three-phase migration strategy.
- **Prioritize CNI/Bespoke Systems:** Focus initial migration efforts on the most critical or complex bespoke IT systems.
- **Ensure Cryptographic Agility:** Implement systems capable of supporting multiple cryptographic standards during the transition period.
### Validation Phase
- **Testing:** Thoroughly test PQC implementations in pre-production environments to ensure functionality and performance meet operational needs.
- **Verification:** Confirm that legacy systems scheduled for decommissioning are either retired or successfully migrated before 2035.
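As an added example (not part of the NCSC guidance or this report), the following Python script applies the assessment and prioritization steps above to a constructed cryptographic inventory: it flags quantum-vulnerable public-key algorithms, compares each data set's secrecy lifetime against the 2035 deadline, and ranks CNI and bespoke systems first. The asset names, algorithm sets and lifetimes are invented, and the tier scheme is an assumption of this example, not an NCSC definition.

```python
from dataclasses import dataclass

PQC_DEADLINE = 2035     # NCSC migration deadline
REFERENCE_YEAR = 2025   # year the inventory is taken (assumed)

# Public-key primitives that a cryptographically relevant quantum computer breaks.
# Symmetric ciphers and hashes (AES-256, SHA-256) are not on this list.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "Ed25519"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithms: tuple       # cryptographic primitives the system relies on
    secrecy_years: int      # how long its data must stay confidential
    bespoke: bool           # in-house/bespoke IT rather than vendor-supplied
    cni: bool               # part of critical national infrastructure


def vulnerable_algorithms(asset):
    """Public-key algorithms in the asset that the PQC migration must replace."""
    return sorted(a for a in asset.algorithms if a in QUANTUM_VULNERABLE)


def triage(asset, now=REFERENCE_YEAR):
    """Return (tier, reason). Tiers are this example's assumption: 0 = no action,
    1 = migrate first, 2 = data outlives the deadline, 3 = expect vendor upgrades."""
    vuln = vulnerable_algorithms(asset)
    if not vuln:
        return 0, "no quantum-vulnerable public-key algorithms"
    secret_until = now + asset.secrecy_years
    if asset.cni or asset.bespoke:
        return 1, f"CNI/bespoke system using {', '.join(vuln)}"
    if secret_until > PQC_DEADLINE:
        return 2, f"data must stay secret until {secret_until}, beyond {PQC_DEADLINE}"
    return 3, f"vendor-supplied; track supplier roadmap for {', '.join(vuln)}"


# Constructed inventory (invented systems, not real ones).
INVENTORY = [
    Asset("scada-gateway", ("RSA", "AES-256"), 5, True, True),
    Asset("hr-archive", ("ECDH", "AES-256", "SHA-256"), 30, False, False),
    Asset("saas-mail", ("X25519", "Ed25519"), 2, False, False),
    Asset("pqc-vpn", ("ML-KEM", "ML-DSA", "AES-256"), 10, False, False),
]


def migration_plan(inventory=INVENTORY):
    """Rows of (name, tier, reason) ordered for the roadmap; tier 0 goes last."""
    rows = [(a.name, *triage(a)) for a in inventory]
    return sorted(rows, key=lambda r: (r[1] == 0, r[1]))
```

Feeding a real inventory into `Asset` records is the discovery step; the ordered output is the starting point for the project plan.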
## Technical Requirements
The core technical requirement is the **migration to Post-Quantum Cryptography (PQC)**, which involves adopting new, quantum-resistant algorithms for encryption and key exchange processes. Technical decision-makers must utilize NCSC-specified PQC standards once they are finalized.
## Penalties & Enforcement
- **Fines:** The article does not specify direct financial penalties for non-compliance with NCSC guidance.
- **Other Consequences:** Failure to comply by the 2035 deadline will leave an organization's long-term sensitive data vulnerable to future compromise by advanced quantum computers. Given the focus on CNI, non-compliance could lead to severe operational disruption and regulatory scrutiny under existing critical infrastructure protection regimes.
- **Enforcement:** Driven by the NCSC, which typically operates through technical advice, formal direction, and oversight for CNI operators.
## Related Standards
- **NIST PQC Standardization Process:** While not explicitly mentioned, PQC migration universally relies on the algorithms selected through the US NIST standardization process (which the NCSC would align with).
- **Risk Management Frameworks:** Organizations should integrate the PQC transition into existing risk management activities (e.g., ISO 27001/27002 practices).
## Resources
- **Official Documentation:** NCSC Guidance on Post-Quantum Cryptography Migration (Organizations must consult the current, official NCSC publications for the detailed three phases).
- **Guidance Documents:** NCSC technical handbooks related to cryptographic standards.
- **Tools:** Tools supporting cryptographic agility assessment and crypto discovery.
## Practical Recommendations
1. **Executive Buy-in:** Secure immediate commitment from leadership and risk owners, emphasizing the 12-year implementation window.
2. **Inventory & Assess:** Begin immediately inventorying all systems that use public-key cryptography.
3. **Vendor Engagement:** Engage technology vendors to understand their PQC migration roadmaps to plan for integration or replacement cycles.
4. **Develop Agility:** Design system updates to be "crypto-agile," allowing for rapid swapping of algorithms as standards mature over the next decade.