Full Report
The UK's National Cyber Security Centre (NCSC) has published specific timelines for migrating to post-quantum cryptography (PQC), stating that critical organizations should complete migration by 2035. [...]
Analysis Summary
# Regulation/Compliance: UK Quantum Cryptography Migration Guidance (PQC Transition)
## Overview
This summarizes guidance issued by the UK government urging critical organizations to begin, and complete, the migration from current public-key cryptographic standards to post-quantum cryptography (PQC, also called quantum-resistant cryptography) to protect data against future quantum computer threats.
## Key Details
- Issuing Authority: UK Government / National Cyber Security Centre (NCSC)
- Effective Date: Guidance is immediate, with a final compliance deadline set for 2035.
- Jurisdiction: United Kingdom (UK)
- Status: Guidance / Recommendation (Mandate implied for "critical orgs")
## Requirements
### Mandatory Requirements
*Note: While presented as "urging," the context strongly suggests these timelines are mandatory requirements for organizations deemed "critical" by the UK government.*
1. **By 2035:** Completion of migration to Post-Quantum Cryptography (PQC) across *all* systems, services, and products.
2. **By 2031:** Completion of highest-priority PQC migration activities and refitting infrastructure to be PQC-ready.
3. **During Migration:** Adoption of NIST-approved PQC algorithms (ML-KEM (FIPS 203), ML-DSA (FIPS 204), and SLH-DSA (FIPS 205)) as the foundation for security, supplemented by NIST's selected backup algorithm, HQC.
### Recommended Practices
1. **Asset Discovery and Assessment:** Identify all cryptographic dependencies and analyze current state preparedness.
2. **Migration Planning Refinement:** By 2031, finalize a clear roadmap for the final phase of implementation (2031–2035).
3. **Addressing Legacy Systems:** Develop specific strategies to handle legacy systems that cannot easily be moved to post-quantum standards.
4. **Expertise Development:** Address potential skill gaps concerning PQC migration within internal teams.
## Affected Organizations
- Industries: Critical organizations (implied sectors handling sensitive long-lived data).
- Organization Size: Not explicitly defined by size, but targets entities critical to national infrastructure/security.
- Geographic Scope: United Kingdom.
## Compliance Timeline
- **Immediate:** Begin assessment, planning, and initial migration activities.
- **By 2031:** Complete highest-priority PQC migration activities and prepare infrastructure; refine the full implementation roadmap.
- **Final deadline (By 2035):** Full migration to PQC required across all systems, services, and products.
## Implementation Guidance
### Assessment Phase
- Conduct comprehensive asset discovery to inventory all current cryptographic usage.
- Assess the cryptographic agility of existing systems, prioritizing items with the longest data retention periods ("crypto-agility" assessment).
### Implementation Phase
- Prioritize migration based on risk and the lifespan of the data being protected ("highest-priority PQC migration activities").
- Initiate the transition using the NIST-approved algorithms as the primary standard.
- Seek assistance via the forthcoming NCSC pilot scheme for asset discovery, assessment, and planning if in-house expertise is limited.
### Validation Phase
- (Not explicitly detailed in the article, but implied): Verify that newly migrated systems actually use the NIST-approved PQC standards in practice, rather than silently falling back to the quantum-vulnerable algorithms they replaced.
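As an added example (not NCSC or NIST code, and not from the article): a small Python triage of a cryptographic inventory that applies the prioritization rule above, sorting quantum-vulnerable assets by the lifespan of the data they protect against the 2031 and 2035 milestones. The asset list, the wave ordering, the purpose labels and the current-year constant are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# NIST-standardised PQC algorithms named in the guidance, plus the HQC backup KEM.
PQC_ALGORITHMS = {"ML-KEM", "ML-DSA", "SLH-DSA", "HQC"}
# Public-key algorithms a cryptographically relevant quantum computer would break.
QUANTUM_VULNERABLE = {"RSA", "ECDH", "ECDSA", "DH", "DSA", "Ed25519", "X25519"}

CURRENT_YEAR = 2025       # assumption for the worked run
PRIORITY_DEADLINE = 2031  # highest-priority migrations complete (per guidance)
FINAL_DEADLINE = 2035     # all systems, services and products migrated

@dataclass
class CryptoAsset:
    name: str
    algorithm: str        # e.g. "RSA", "ML-KEM" (constructed labels)
    purpose: str          # "confidentiality" or "authentication"
    retention_years: int  # how long the protected data must stay secret

def classify(asset: CryptoAsset) -> str:
    """Return the migration wave: "priority" (finish by 2031), "standard"
    (finish by 2035), "review" (not public-key; check sizes separately) or "done"."""
    if asset.algorithm in PQC_ALGORITHMS:
        return "done"
    if asset.algorithm not in QUANTUM_VULNERABLE:
        return "review"
    # Harvest-now-decrypt-later: ciphertext that must stay secret beyond the final
    # deadline is exposed to later decryption, so it goes in the priority wave.
    exposed_until = CURRENT_YEAR + asset.retention_years
    if asset.purpose == "confidentiality" and exposed_until > FINAL_DEADLINE:
        return "priority"
    return "standard"

def prioritise(assets):
    """Order the inventory: priority wave first, then longest retention first."""
    order = {"priority": 0, "standard": 1, "review": 2, "done": 3}
    return sorted(((classify(a), a) for a in assets),
                  key=lambda t: (order[t[0]], -t[1].retention_years))

# Constructed sample inventory for the worked run.
SAMPLE_INVENTORY = [
    CryptoAsset("vpn-gateway-ike", "ECDH", "confidentiality", 2),
    CryptoAsset("health-records-archive-tls", "RSA", "confidentiality", 25),
    CryptoAsset("code-signing-ca", "ECDSA", "authentication", 10),
    CryptoAsset("backup-encryption-kem", "ML-KEM", "confidentiality", 30),
    CryptoAsset("log-integrity-hmac", "HMAC-SHA256", "authentication", 7),
]

if __name__ == "__main__":
    for wave, a in prioritise(SAMPLE_INVENTORY):
        print(f"{wave:9} {a.name:28} {a.algorithm}")
```

The "review" wave is a reminder that symmetric and hash primitives are not replaced by the FIPS 203/204/205 algorithms, but still need their key and digest sizes checked during the assessment phase.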
## Technical Requirements
1. **Algorithm Adoption:** Must migrate to *NIST-approved PQC algorithms* (primarily ML-KEM, ML-DSA, SLH-DSA).
2. **Backup Algorithm:** HQC is selected as an officially supported backup algorithm for post-quantum encryption.
3. **Infrastructure Readiness:** Infrastructure must be modernized to support the new cryptographic standards by 2031.
## Penalties & Enforcement
- Fines: Not specified in the article, since this is guidance. For "critical organizations", however, non-compliance implies potential regulatory action, loss of required accreditation, or liability arising from breaches of inadequately protected data.
- Other Consequences: Increased risk of long-term data compromise due to cryptanalytic breakthroughs.
- Enforcement: Likely enforced through existing cybersecurity and critical national infrastructure (CNI) regulatory bodies, though mechanisms are not detailed here.
## Related Standards
- **NIST Standards:** The guidance explicitly anchors migration to the specific standardized PQC algorithms released by NIST (FIPS 203, 204, 205).
- **US Alignment:** The timeline mirrors the US transition strategy set by CISA’s National Security Memorandum 10 (NSM-10), which also targets 2035 for federal system transition.
## Resources
- Official Documentation: NIST-approved PQC algorithm announcements and NIST PQC transition strategy documents (via links provided to NIST resources).
- Guidance Documents: NCSC is expected to launch a pilot scheme to assist organizations with asset discovery and planning.
- Tools: Access to cryptography specialists via the upcoming NCSC pilot scheme.
## Practical Recommendations
1. **Immediate Inventory:** Start comprehensive cataloging of all cryptographic assets and their associated key lifespans.
2. **Consult NIST:** Organizations should immediately familiarize themselves with the FIPS 203, 204, and 205 algorithms.
3. **Engage NCSC:** Monitor for the launch of the NCSC pilot scheme to secure consultative support for the complex assessment and planning phases.
4. **Budget & Personnel:** Allocate resources for overcoming challenges related to legacy hardware limitations and developing necessary PQC expertise internally or through specialized vendors.