up:: 00 Field Guide Map
The Mandates
The mandates are the laws, executive orders, and national standards that now force organizations to migrate to post-quantum cryptography on fixed calendar deadlines, led by the United States goal of 2035 with binding gates in 2027 and 2030, the European Union’s product-security law paired with a 2030-and-2035 roadmap, and the United Kingdom’s 2028, 2031, and 2035 milestones. This is the section that turns the transition from “someday” into “by this date,” which is usually the thing that actually gets a program funded, and it covers which mandate reaches you, the dates that carry the weight, and how a rule written for a government agency ends up landing on a vendor three tiers down the supply chain.
Map of content
A short overview of the post-quantum mandates, and the index that routes you to every note in this section. Skim it to get oriented, then follow the links to go deep.
The short version:
- A dated mandate is what converts post-quantum migration from a research topic into a funded program with an owner and a due date, and that funding trigger is the whole reason this section matters.
- In the United States the headline is 2035, but the gates that bite first are earlier, the CNSA 2.0 acquisition gate on January 1, 2027, the 2030 exclusive-use dates for signing and networking gear, Executive Order 14306’s TLS 1.3 date of January 2, 2030, and the annual OMB M-23-02 cryptographic inventory that has been due every year since May 2023.
- In the European Union the Cyber Resilience Act makes product security a condition of market access from December 11, 2027 and reaches any vendor worldwide that sells into the EU, while the concrete post-quantum dates (start by end of 2026, high-risk by end of 2030, complete by end of 2035) live in a separate EU roadmap.
- National authorities set their own clocks and their own strategy, the UK’s NCSC with 2028, 2031, and 2035, Germany’s BSI and France’s ANSSI both leaning on hybrid deployment, with ANSSI’s certification gate landing from 2027.
- Mandates propagate outward from government, through sector regulators, and through procurement and vendor contracts, so the deadline reaches you through the people you sell to and buy from as much as through any law that names you directly.
Think of the mandate landscape like a set of building codes for cryptography, written by different jurisdictions that mostly agree on the destination and differ on the route. One code says finish by a certain year, another says the product simply cannot be sold without a current safety rating, a third says the trusted old lock stays on the door while the new one goes in beside it. None of them tells you which brand of concrete to pour, and all of them eventually decide whether your building passes inspection.
What forces an organization to migrate to post-quantum cryptography?
The forcing function is a written deadline attached to an accountable owner, and every mandate in this section is a variation on that same mechanism. For years the honest answer to “when do we have to do this” was “before a quantum computer exists, and nobody knows when that is,” which is exactly the kind of answer that never earns a budget line. The mandates replace that open question with dates on a page, and a date is what a program manager can plan against, fund, and be measured on.
Two engineering realities are what make the deadlines start now rather than at the moment a quantum computer arrives:
- Harvest now, decrypt later. Encrypted traffic recorded today can be stored and decrypted once a CRQC exists, so any data with a long secrecy lifetime is already exposed. This is harvest-now-decrypt-later, and it is the reason nearly every mandate says “begin immediately” rather than “wait and see.”
- Migration takes years. Inventorying an estate’s cryptography, coordinating vendors, testing interoperability, and rolling out replacements is a multi-year program even for a well-run organization. The way to reason about a specific system’s urgency is Mosca’s inequality, how long your data must stay secret plus how long migration takes, measured against how long until a quantum computer arrives.
So the mandates are not arbitrary calendar pressure. They encode the judgment that if you start when the machine is announced, harvested data is already lost and the migration finishes too late.
Which mandate binds you?
The single most useful thing to know is which document actually reaches your organization, because that answer depends on where you operate, who you sell to, and what sector you’re in. The table below maps the common cases to the mandate that governs them and the dates that carry the weight.
| Who you are | The mandate that reaches you | What it requires | Load-bearing dates |
|---|---|---|---|
| U.S. federal civilian agency | OMB M-23-02 plus NIST IR 8547 and Executive Order 14306 | Annual algorithm-level cryptographic inventory, then retire classical public-key on the NIST schedule and support TLS 1.3 | Inventory due every year since May 4, 2023; 112-bit RSA/ECC deprecated after 2030 and all classical disallowed after 2035; TLS 1.3 by January 2, 2030 |
| U.S. national-security system, DoD, or defense contractor | NSA CNSA 2.0 | The strongest post-quantum parameter set per function (ML-KEM-1024, ML-DSA-87) | New acquisitions by January 1, 2027; signing and networking gear exclusive by 2030; web, cloud, and OS by 2033; full transition by 2035 |
| Any vendor selling a connected product into the EU (any HQ) | EU Cyber Resilience Act (CRA) | State-of-the-art confidentiality plus multi-year security updates, which is crypto-agility in all but name | Reporting obligations from September 11, 2026; full obligations from December 11, 2027; EU roadmap targets high-risk migration by end of 2030 and completion by end of 2035 |
| UK large organization or Critical National Infrastructure operator | UK NCSC Quantum-safe Cryptography | Discovery and an initial plan, then priority migration, then full migration (ML-KEM-768, ML-DSA-65) | Discovery and plan by 2028; highest-priority migrations by 2031; complete by 2035 |
| German federal system, KRITIS operator, or NIS2 entity | BSI TR-02102 | Hybrid key agreement for long-term protection and conservative classical sizing (3000-bit RSA) | Annual tables; classical (EC)DHE in TLS 1.3 recommended only through end of 2031 |
| French public-sector system, Operator of Vital Importance, or ANSSI-qualified vendor | ANSSI Cryptographic Mechanisms | Hybrid-first with no security regression, applied to signatures as well as key establishment | Certification cutoff from 2027 for long-term-security products; a post-quantum objective for any mechanism used beyond January 1, 2030 |
| Mobile network operator and its telecom supply chain | GSMA PQ.1 | A five-phase migration beginning with a cryptographic inventory and risk assessment | Non-binding on its own; borrows its deadlines from NIST and national mandates |
Source: NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” September 2022, CNSA 2.0 advisory; OMB, “Migrating to Post-Quantum Cryptography,” M-23-02, November 18, 2022, M-23-02 PDF; NIST IR 8547 ipd, csrc.nist.gov; EUR-Lex, Regulation (EU) 2024/2847, EUR-Lex 2024/2847; NCSC, “Timelines for migration to post-quantum cryptography,” March 20, 2025, ncsc.gov.uk; BSI TR-02102-1, Version 2026-01, BSI PDF; ANSSI, “ANSSI views on the Post-Quantum Cryptography transition,” cyber.gouv.fr; GSMA, “Post Quantum Telco Network Impact Assessment Whitepaper,” PQ.01 v1.0, February 17, 2023, GSMA PDF.
The one that surprises people most is the CRA. It binds any manufacturer that places a connected product on the EU market, so a company headquartered in the United States or Asia with EU customers is in scope exactly as an EU manufacturer is, which is why it functions as a de facto global product-security floor.
What are the load-bearing United States deadlines?
The U.S. federal stack sits under one presidential directive, NSM-10 (May 4, 2022), which set the 2035 risk-mitigation goal and handed the implementing work to three lanes: OMB M-23-02 for civilian agencies, CNSA 2.0 for national-security systems, and NIST IR 8547 for the algorithm schedule. The statute underneath it is the Quantum Computing Cybersecurity Preparedness Act (PL 117-260) (signed December 21, 2022), which directs OMB to prioritize migration. Reading 2035 as the deadline misses the gates that land years earlier and actually drive procurement and engineering decisions today.
| Date | Instrument | What lands |
|---|---|---|
| Since May 4, 2023 (annual) | OMB M-23-02 | Prioritized algorithm-level cryptographic inventory, submitted every year through 2035 |
| December 1, 2025 | Executive Order 14306 | CISA publishes the PQC product-categories list, and NSA and OMB issue the agency TLS 1.3 requirements |
| January 1, 2027 | NSA CNSA 2.0 | CNSA 2.0 required in all new national-security-system acquisitions |
| By 2030 | NSA CNSA 2.0 | Exclusive CNSA 2.0 for software and firmware signing and for traditional networking equipment |
| January 2, 2030 | Executive Order 14306 | Federal agencies support TLS 1.3 or a successor |
| After 2030 | NIST IR 8547 | 112-bit RSA, ECDSA, and Diffie-Hellman deprecated |
| By 2033 | NSA CNSA 2.0 | Exclusive CNSA 2.0 for web browsers, servers, cloud, and operating systems |
| After 2035 | NIST IR 8547 | All classical RSA, ECC, and Diffie-Hellman signature and key-establishment schemes disallowed at any key size |
| Goal year 2035 | NSM-10 | Whole-of-government goal of mitigating as much quantum risk as is feasible |
Source: NSM-10, May 4, 2022, bidenwhitehouse.archives.gov; NSA CNSA 2.0 FAQ, December 2024 update, media.defense.gov; Executive Order 14306, June 6, 2025, whitehouse.gov; NIST IR 8547 ipd, §4 and Tables 2 and 4, csrc.nist.gov.
Two cautions on these dates keep a program honest. The IR 8547 years live in an Initial Public Draft, so they are NIST’s stated intent rather than settled law, and the specific years could shift in the final. And EO 14306’s January 2, 2030 TLS date is a transport-readiness milestone, the on-ramp that lets agency traffic carry ML-KEM, rather than a completed migration, since it leaves PKI, code signing, and data-at-rest untouched.
How do the international mandates differ from the U.S. approach?
The rest of the world is converging on the same 2030-to-2035 horizon and diverging sharply on how to get there, and the differences are the kind of detail that decides an architecture. The U.S. drives migration through named algorithms and named years; the EU drives it through outcome-based product law; France and Germany add a standing preference for hybrid that the U.S. does not share.
- The European Union runs on two instruments at once. The CRA (Regulation (EU) 2024/2847, in force December 10, 2024) names no algorithm and sets no PQC date. It requires state-of-the-art confidentiality and multi-year security updates, and those two obligations together make crypto-agility and post-quantum readiness a market-access question. The concrete dates live in the separate EU Coordinated Implementation Roadmap (June 2025), which asks member states to start transitioning by the end of 2026, migrate high-risk use cases by the end of 2030, and complete by the end of 2035.
- The United Kingdom leads with discovery. The NCSC guidance (March 20, 2025) is advisory, and the milestone that actually constrains a UK organization is 2028, the date a full cryptographic discovery exercise and an initial plan should be complete, because a migration cannot be sequenced until the estate is inventoried. It treats hybrid as an interim measure on the way to PQC-only.
- France and Germany want the old lock kept on the door. ANSSI is hybrid-first as a standing rule, combining a proven classical scheme with a post-quantum one so the pair is never weaker than the classical scheme alone, and it applies that rule to signatures as well as key establishment, with a certification gate from 2027. BSI recommends hybrid for long-term confidentiality and is the most conservative of the three on classical sizing, recommending 3000-bit RSA rather than 2048. France and Germany co-led the EU roadmap, so their positions largely agree, and both diverge from the U.S. willingness to deploy standalone ML-KEM on a schedule.
The practical consequence is that a single global cryptographic pattern does not satisfy every jurisdiction at once. A U.S. federal system can run standalone ML-KEM on the CNSA 2.0 schedule, while a French qualified product needs the same protection delivered as a no-regression hybrid ahead of the 2027 gate. An organization operating on both sides of the Atlantic holds both positions, and crypto-agility is what lets one codebase serve both.
Source: EUR-Lex, Regulation (EU) 2024/2847, EUR-Lex 2024/2847; European Commission, “A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography,” ec.europa.eu; NCSC, “Timelines for migration to post-quantum cryptography,” March 20, 2025, ncsc.gov.uk; ANSSI, “ANSSI views on the Post-Quantum Cryptography transition,” cyber.gouv.fr; BSI TR-02102-1, Version 2026-01, BSI PDF.
The EU Quantum Act is a different kind of instrument again. It is a proposed EU industrial-policy measure to build Europe’s quantum sector, so it belongs in the international picture as context, and it is not a post-quantum migration mandate.
How do mandates reach you if you’re not a government agency?
The mechanism that makes this section matter to a bank, a hospital, a software vendor, or a device maker with no federal contract is propagation. A mandate starts inside government and moves outward through the market until it lands on organizations the original text never named, and it arrives through procurement and contracts as much as through law.
| Stage | The mechanism | Who it reaches |
|---|---|---|
| 1. Government sets the rule | Presidential directive, agency memo, or national standard | Federal agencies and national-security systems directly |
| 2. Regulators translate it | Sector supervisors in finance, telecom, energy, and health adopt the federal template | Regulated industries in each sector |
| 3. Procurement carries it | Contract terms, RFP language, CE marking, and BSI or ANSSI certification become purchase conditions | Any vendor selling to government or to regulated buyers |
| 4. Vendors pass it down | Suppliers get asked for a CBOM or SBOM and for crypto-agility commitments | The whole supply chain, several tiers deep |
| 5. Insurers and auditors price it | The published guidance becomes the reasonable-prudent-organization baseline | Everyone else, through underwriting and audit |
Source: NSA CNSA 2.0 FAQ (the January 1, 2027 acquisition gate that reaches vendors through procurement), media.defense.gov; OMB M-23-02 (the inventory reaches vendor-operated and cloud-hosted systems), M-23-02 PDF; CISA NSA NIST, “Quantum-Readiness: Migration to Post-Quantum Cryptography,” August 21, 2023 (vendor engagement as a core step), cisa.gov.
Three of these paths are worth watching because they move fastest. The CNSA 2.0 acquisition gate on January 1, 2027 means any company that wants to keep selling into the national-security market ships post-quantum support well before then. The CRA’s extraterritorial reach pulls in every vendor with EU customers from December 11, 2027. And the non-binding NIST joint guidance sets the “reasonable” bar that insurers and regulators reach for, so an organization that took none of its recommended first steps after August 2023 answers a harder question when something goes wrong.
What do all the mandates agree on?
Underneath the differences in strategy and date, the mandates converge on one instruction so consistently that it is the safest first move regardless of which one binds you: build a cryptographic inventory before anything else. You cannot plan, price, or prioritize a migration for systems whose cryptography you have not mapped, and most existing asset inventories do not capture cryptography at the algorithm level.
- OMB M-23-02 makes an annual algorithm-level inventory the center of gravity of the entire U.S. civilian program.
- The Quantum-Readiness Joint Guidance puts the project team and cryptographic discovery first and treats the inventory as the thing that unlocks everything downstream.
- The NCSC anchors its whole timeline on completing a discovery exercise by 2028.
- GSMA PQ.1 names a cryptographic inventory and a risk assessment as the first two concrete deliverables of its five-phase plan.
That shared starting point is why the inventory work, captured as a CBOM, is the one move that pays off no matter how the specific deadlines shift, and it connects the mandates directly to the practical work in migration architecture.
Common misconceptions
- “2035 is the deadline, so we have a decade.” The gates that actually bite land years earlier, the CNSA 2.0 acquisition gate on January 1, 2027, the 2030 exclusive-use dates, EO 14306’s January 2, 2030 TLS date, and the OMB inventory that has been due every year since 2023. Any system holding long-lived secrets is on a faster clock still, because of harvest-now-decrypt-later.
- “Mandates only apply to the government.” They reach private organizations through sector regulators, through procurement and CE marking, and through insurers who treat the published guidance as the reasonable-prudent baseline.
- “We’re not a U.S. company, so U.S. rules don’t touch us.” Selling a connected product into the EU triggers the CRA regardless of where you are headquartered, and selling to the U.S. government inherits CNSA 2.0 timelines through procurement.
- “The EU has one quantum law.” The CRA is product-security law that names no algorithm and sets no PQC date, the concrete PQC dates live in the separate Coordinated Implementation Roadmap, and the EU Quantum Act is industrial policy rather than a migration mandate.
- “One global plan satisfies everyone.” The U.S. accepts standalone ML-KEM on a schedule, while France and Germany want hybrid, and the parameter picks differ (CNSA 2.0 requires Level V, the NCSC recommends ML-KEM-768). A single pattern does not clear every jurisdiction.
- “Guidance isn’t binding, so we can ignore it.” A non-binding factsheet like the Joint Guidance still defines what a reasonable organization was expected to be doing, and that is the reference a regulator, auditor, or insurer reaches for.
Questions people ask
Which mandate actually applies to my organization? It depends on where you operate and who you sell to. A U.S. civilian agency answers to OMB M-23-02 and NIST IR 8547; a national-security system or defense contractor answers to CNSA 2.0; any vendor selling into the EU answers to the CRA; and UK, German, and French organizations map to the NCSC, BSI, and ANSSI respectively. Many organizations sit under more than one at once.
What’s the real first deadline? For most organizations it is not a migration date, it is the discovery date. The U.S. inventory has been due annually since May 2023, the UK expects discovery complete by 2028, and the CNSA 2.0 acquisition gate for vendors is January 1, 2027. The endpoint years of 2030 and 2035 come later.
Is 2035 a hard cutoff? In the U.S. it is a qualified policy goal, “mitigating as much of the quantum risk as is feasible by 2035,” rather than an absolute switch-off. The dated cutoffs for specific algorithms live in NIST IR 8547, where 112-bit public-key is deprecated after 2030 and all classical public-key is disallowed after 2035, and even those years sit in a draft.
Do these apply if I’m a private company with no government contracts? Directly, most do not. In practice they reach you through your regulated customers, through procurement requirements and CE marking, and through insurers and auditors who use the federal guidance as the baseline for reasonable quantum-risk management.
Does the EU require post-quantum cryptography? Not by name. The CRA requires state-of-the-art confidentiality and multi-year security updates, which is a crypto-agility and PQC-readiness obligation in all but name for any product whose supported life reaches into the 2030s. Europe’s explicit PQC dates come from the separate Coordinated Implementation Roadmap, targeting a start by end of 2026 and completion by end of 2035.
What’s the difference between a binding mandate and guidance here? A binding mandate (CNSA 2.0, OMB M-23-02, the CRA) carries a compliance obligation and a consequence for missing it. Guidance (the Joint Guidance, the NCSC advice, GSMA PQ.1, SP 1800-38) sets the reasonable baseline and the how-to. You cite guidance for the roadmap and the mandates for the dates.
Why do the U.S. and EU disagree on hybrid? The U.S. CNSA 2.0 accepts the standardized post-quantum algorithms on their own on a fixed schedule. France’s ANSSI and Germany’s BSI treat those algorithms as young and want a proven classical scheme kept in place as insurance, so they recommend running both together with no security regression through the transition.
What do I do first, no matter which mandate binds me? Build a cryptographic inventory. Every mandate and every piece of guidance in this section starts there, because prioritizing and planning both depend on seeing your own cryptography clearly, and a CBOM is the artifact that captures it.
Go deeper
United States, binding: NSM-10 · Executive Order 14144 · Executive Order 14306 · Executive Order 14412 · OMB M-23-02 · OMB M-26-15 · NSA CNSA 2.0 · NIST IR 8547 · NIST SP 800-131A (Transitioning Cryptographic Algorithms and Key Lengths) (the settled NIST instrument carrying classical-algorithm deprecation, Revision 2 setting today’s 112-bit floor and the draft Revision 3 proposing the end-of-2030 phase-out that aligns with IR 8547) · Quantum Computing Cybersecurity Preparedness Act (PL 117-260)
United States, guidance: NIST SP 1800-38 (Migration to Post-Quantum Cryptography) · CISA Post-Quantum Cryptography Initiative · CISA NSA NIST Quantum-Readiness Joint Guidance · NIST Cybersecurity Framework (CSF) · FedRAMP and PQC (how the PQC mandate reaches cloud providers)
International: EU Cyber Resilience Act (CRA) · EU Quantum Act (EU industrial policy, not a PQC migration mandate) · ENISA (the EU cybersecurity agency behind the certification schemes the CRA leans on, whose 2021 and 2022 PQC reports set the European hybrid-and-integration framing) · UK NCSC Quantum-safe Cryptography · BSI (Germany) · ANSSI (France) · CCCS (Canada) (Canada) · ACSC (Australia) (Australia) · CRYPTREC (Japan) (Japan)
Standards bodies: ETSI (European telecom and hybrid-key-exchange specifications) · IETF PQUIP WG (internet-protocol PQC coordination) · IEC 18033 (the international encryption-algorithm standard and its multi-KEM post-quantum amendment)
Sector: GSMA PQ.1 (Post-Quantum Telco Network Impact Assessment) (telecom)
The algorithms these deadlines make mandatory are in the new standards; the threat the deadlines respond to is in the threat; and the discovery-then-migration work every mandate points to is in migration architecture.
Everything here is the map, given freely. When your team needs this landscape of mandates turned into a single migration plan sequenced against your own systems, your own vendors, and the specific deadlines that bind you, that’s the work I do, and there’s an alignment briefing for it.
Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.