Cyber Agency Urges Critical Infrastructure Operators to Meet Post-Quantum Encryption Deadline

The UK’s National Cyber Security Centre (NCSC) is urging critical infrastructure operators to transition to post-quantum cryptography by 2035. This call to action comes as government agencies prepare for the impending arrival of quantum computers, which have the potential to compromise existing encryption algorithms.
The recently published guidance outlines a three-step migration plan aimed primarily at technical decision-makers and those responsible for risk management in organizations that operate critical national infrastructure, including industrial control systems. Following the NCSC’s recommendations, organizations should assess their IT systems and outline migration strategies by 2028, implement post-quantum encryption for high-priority systems by 2031, and complete their full transition by 2035.
According to the NCSC, this migration should not merely be a compliance exercise; it represents an opportunity for organizations to enhance their overall cyber resilience. The guidance stresses the importance of using this transition to reinforce security measures across systems.
While quantum computing remains primarily a research endeavor, experts predict that a functional “cryptanalytically relevant quantum computer” could emerge within the next few years. Such an advance could allow any nation that controls this technology to unlock sensitive information secured by traditional encryption methods.
In light of these developments, the U.S. National Institute of Standards and Technology (NIST) finalized three post-quantum encryption algorithms in August 2024, which serve as a global benchmark for cryptographic standards. Major tech companies like Google and Microsoft are actively planning to integrate post-quantum capabilities into their products.
Organizations are advised to upgrade their infrastructures to support post-quantum cryptography, with special emphasis on replacing outdated public key cryptography components and discontinuing vulnerable IT services during the migration process. However, the shift will face challenges, particularly in updating existing web public key infrastructure and industrial control system protocols, which are incompatible with new cryptographic schemes.
Tim Callan, Chief Compliance Officer at Sectigo, cautions that systems relying on RSA and ECC algorithms may face significant difficulties in adopting new post-quantum algorithms. He emphasizes the need for organizations to act swiftly, planning meticulous transitions to maintain data security and compliance in an increasingly complex quantum landscape.