up:: The Mandates MOC

UK NCSC Quantum-safe Cryptography

The UK NCSC’s quantum-safe cryptography guidance is the National Cyber Security Centre’s national advice for migrating off quantum-vulnerable cryptography, and it sets a three-phase timeline of completing a discovery exercise and initial plan by 2028, the highest-priority migrations by 2031, and full migration by 2035. The NCSC is the UK’s national technical authority for cyber security and is part of GCHQ, so its guidance is the reference UK government departments, Critical National Infrastructure operators, and regulated industry map their post-quantum roadmaps to.

It comes in two paired documents: the March 2025 guidance “Timelines for migration to post-quantum cryptography,” which carries the dates, and the whitepaper “Next steps in preparing for post-quantum cryptography,” which carries the algorithm recommendations (ML-KEM-768 for key establishment, ML-DSA preferred for general signing). It’s advisory rather than statute, so treat the milestone years as strong national expectation rather than legally binding deadlines.

The short version:

  • The NCSC is the UK’s national cyber authority and part of GCHQ, and its quantum-safe cryptography guidance is advisory, but UK public sector, CNI, and regulated industry treat it as the authoritative national reference.
  • The timeline runs in three phases: define goals and complete a discovery exercise plus an initial plan by 2028, carry out the highest-priority migrations by 2031, and complete migration of all systems, services, and products by 2035.
  • On algorithms it aligns with the NIST standards and names its defaults: ML-KEM-768 for key establishment, ML-DSA-65 for general-purpose signatures, and SLH-DSA reserved for narrow uses like firmware signing.
  • It treats a post-quantum/traditional hybrid scheme as an interim measure on the way to PQC-only, which diverges from national authorities that lean on hybrid as a durable default.
  • The near-term milestone that actually bites is the 2028 discovery date, not the 2035 endpoint, because a migration can’t be planned until the estate’s cryptography is inventoried.

Think of the NCSC timeline like a phased building-renovation permit with staged inspections. By the first date you have to survey the whole property and draw up the plans, by the second the critical structural work has to be finished, and by the final date the entire building has to be brought up to code. The dates look comfortable from a distance, right up until you realize the survey alone takes longer than anyone budgeted for.

What is the UK NCSC’s quantum-safe cryptography guidance?

The UK NCSC’s quantum-safe cryptography guidance is a pair of advisory publications from the National Cyber Security Centre that tell UK organizations how and when to migrate to post-quantum cryptography. The NCSC is the UK’s national technical authority for cyber security and forms part of GCHQ, which is what gives its guidance national weight even though it carries no statutory force of its own.

The two documents do different jobs, and citing them accurately means keeping them apart:

  1. “Timelines for migration to post-quantum cryptography” is the guidance published on March 20, 2025 that sets the three-phase 2028 / 2031 / 2035 roadmap. This is the load-bearing document for the dates.
  2. “Next steps in preparing for post-quantum cryptography” is the whitepaper, last updated August 14, 2024, that carries the specific algorithm and parameter recommendations (ML-KEM-768, ML-DSA-65, the hash-based signature and hybrid positions). The timelines guidance references it for the technical picks.

Source: NCSC, “Timelines for migration to post-quantum cryptography,” 20 March 2025, ncsc.gov.uk/guidance/pqc-migration-timelines.

Source: NCSC, “Next steps in preparing for post-quantum cryptography,” updated 14 August 2024, ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography.

A few points about its standing are worth being precise on, because they change how you cite it:

  1. It’s guidance rather than law. The milestones are recommendations. There’s no statutory penalty attached, and the NCSC issues advice rather than binding rules. Its force is expectational and regulator-driven.
  2. It’s the national reference anyway. UK government departments and Critical National Infrastructure operators are strongly expected to follow NCSC guidance, and UK-regulated industries in finance, telecom, energy, and defense calibrate their internal roadmaps to NCSC milestones rather than to U.S. federal mandates.
  3. There’s no separate UK algorithm suite. The NCSC adopts the NIST-standardized post-quantum algorithms wholesale and layers its own parameter recommendations and national timeline on top.

Who does the NCSC guidance apply to?

The guidance is aimed at the organizations that have to plan a migration themselves, and it explicitly lifts the burden off small firms running commodity software. It’s advisory across the whole UK economy, with a clear expectation that government and CNI lead.

  1. Large organizations and risk owners. The primary audience is the technical decision-makers and risk owners of large organizations, especially those with bespoke IT and long-life systems that vendors won’t quietly upgrade for them.
  2. Critical National Infrastructure. CNI operators, including industrial control systems (ICS) environments, are squarely in scope. These estates carry long-lived hardware and roots of trust that need the most lead time.
  3. Small and medium enterprises on commodity IT. The NCSC states that for SMEs using commodity IT, the migration “should happen seamlessly, as services are updated by their vendors.” The responsibility sits with the vendors, not the SME.
  4. Non-UK organizations. This is UK guidance. It doesn’t bind organizations outside the UK and carries no statutory penalty. A UK organization selling connected products into the EU still picks up separate EU market obligations under the EU Cyber Resilience Act, which is a distinct instrument.

Source: NCSC, “Timelines for migration to post-quantum cryptography,” 20 March 2025, ncsc.gov.uk/guidance/pqc-migration-timelines.

What does the NCSC guidance require?

The guidance is built around a discovery-first migration path. It doesn’t “require” anything in the legal sense; it sets out what a well-run migration looks like and when each stage should be done. The sequence matters more than the individual dates, because each phase depends on the one before it.

  1. Discovery first. The foundational activity is a full discovery exercise: assessing the estate to understand which services and infrastructure depend on cryptography and need upgrading to PQC. This is the same cryptographic-inventory work the U.S. mandates front-load, and a CBOM is the natural artifact for capturing it.
  2. Plan, then prioritize. After discovery, build an initial migration plan that identifies the highest-priority and earliest activities, dependencies on suppliers and physical infrastructure, the investment needed, and any requirement to migrate long-lived hardware roots of trust.
  3. Migrate the highest-priority assets first. Carry out the early, highest-priority migration activities to protect the most critical assets, and ready the infrastructure to support a post-quantum future.
  4. Complete migration. Finish migrating all systems, services, and products, using the effort as an opportunity to build broader cyber resilience along the way.

The NCSC’s rationale for a ten-year runway is that the decade “is a sufficient period for a rich set of PQC standards to appear, for an ecosystem of products that uses them to be developed, and for uptake to become widespread,” which is what makes the eventual deprecation of most quantum-vulnerable traditional public-key cryptography realistic. That reasoning is a direct expression of Mosca’s theorem: the migration time plus the remaining shelf life of the data you’re protecting has to fit inside the window before a cryptographically relevant quantum computer arrives.

Source: NCSC, “Timelines for migration to post-quantum cryptography,” 20 March 2025, ncsc.gov.uk/guidance/pqc-migration-timelines.

What is the NCSC’s post-quantum migration timeline?

The timeline is three phases anchored to three years. Discovery and an initial plan by 2028, the hardest and most critical work by 2031, and everything by 2035. This is the table a UK migration program anchors its phases to:

MilestoneWhat the NCSC recommends be complete
By 2028Define your migration goals. Carry out a full discovery exercise, assessing the estate to understand which services and infrastructure that depend on cryptography need upgrading to PQC. Build an initial plan for migration.
By 2031Carry out your early, highest-priority PQC migration activities. Refine the plan into a thorough roadmap for completing migration.
By 2035Complete migration to PQC of all your systems, services, and products.

Source: NCSC, “Timelines for migration to post-quantum cryptography,” 20 March 2025, ncsc.gov.uk/guidance/pqc-migration-timelines.

Two details about these dates trip people up, so they’re worth stating plainly:

  1. They’re recommended milestones, not statutory deadlines. There’s no penalty for missing them. The pressure is expectational, reinforced by UK sector regulators translating NCSC expectations into their own supervisory language.
  2. The 2028 date is the one that constrains you, not 2035. A discovery exercise and an initial plan have to be finished years before migration can complete, so an organization that anchors on the 2035 endpoint will start far too late. By its own national authority’s standard, a UK organization that hasn’t inventoried its cryptography within roughly the next couple of years is already behind.

The 2035 endpoint lines up with the broad international consensus, and specifically with the U.S. National Security Memorandum 10 (NSM-10) risk-mitigation goal of 2035 and the deprecation horizon in NIST IR 8547, so the national timelines converge at the end even though the governance instruments differ.

Which algorithms does the NCSC recommend?

The NCSC adopts the NIST-standardized post-quantum algorithms and names specific parameter sets as its sensible defaults. This is the section a UK organization uses to choose algorithms, and the picks are precise enough to cite directly.

PurposeNCSC recommendationNIST standard
Key establishmentML-KEM-768 as an appropriate balance of security and efficiency for most use casesFIPS 203
General-purpose signaturesML-DSA-65 for most use cases; ML-DSA is the preferred general signature schemeFIPS 204
Firmware and software signingSLH-DSA and the stateful hash-based schemes LMS/XMSS, for narrow uses onlyFIPS 205, SP 800-208

Source: NCSC, “Next steps in preparing for post-quantum cryptography,” updated 14 August 2024, ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography.

The reason SLH-DSA is kept to firmware and similar cases rather than made a general default is a practical one: the NCSC notes hash-based signatures “are not suitable for general purpose use as the signatures are large and the algorithms are much slower than ML-DSA.” So they’re the conservative choice for a small number of long-lived, high-assurance signing roots, and ML-DSA carries the everyday signing load.

On what’s being migrated away from, the guidance keeps its language general. It refers to “asymmetric public key cryptography,” “traditional PKC,” and “quantum-vulnerable traditional PKC” rather than naming RSA, ECDH, or ECDSA one by one. Those are the quantum-vulnerable schemes in practice, but the NCSC text stays generic. [OPERATOR VERIFY: the whitepaper’s exact wording on named legacy algorithms; the timelines guidance itself does not enumerate RSA/ECC by name.]

Why does the NCSC treat hybrid as an interim measure?

A hybrid scheme combines a classical algorithm and a post-quantum one in a single session, so the connection stays secure as long as either component holds. The NCSC’s stated position is that if a post-quantum/traditional hybrid scheme is chosen, “it is used as an interim measure, and it should be used within a flexible framework that enables a straightforward migration to PQC-only in the future.”

Source: NCSC, “Next steps in preparing for post-quantum cryptography,” updated 14 August 2024, ncsc.gov.uk/whitepaper/next-steps-preparing-for-post-quantum-cryptography.

This is a genuine point of national divergence worth understanding. The NCSC treats PQC-only as the destination and hybrid as a transitional bridge, so an organization architecting hybrid as a permanent end-state is building in future rework by UK standards. Some other national authorities, notably several in the EU, lean toward hybrid as a durable default because it hedges against a flaw being found in a young post-quantum algorithm. An organization operating on both sides of the Channel has to hold both positions at once, and the divergence is exactly the kind of detail that decides an architecture. This is where crypto-agility earns its keep: a flexible framework lets you run hybrid now and drop the classical half cleanly later without re-architecting.

How does the NCSC guidance relate to the NIST standards and other mandates?

The NCSC guidance is UK-national but sits on top of the NIST standards and runs parallel to the U.S. and EU frameworks. It inherits the algorithms and adds a national timeline and parameter picks.

  1. NIST FIPS standards. The NCSC adopts FIPS 203, FIPS 204, FIPS 205, and the stateful hash-based schemes wholesale. There’s no separate UK algorithm suite.
  2. NIST IR 8547 (U.S.). NIST IR 8547 sets the deprecation and disallowance schedule for quantum-vulnerable algorithms. The NCSC timeline is compatible with it but expressed as organizational migration milestones rather than algorithm-disallowance dates.
  3. NSM-10 (U.S.). The UK’s 2035 endpoint aligns with the U.S. NSM-10 risk-mitigation goal of 2035, so the two national timelines converge at the end even though the instruments differ: advisory NCSC guidance on one side, a binding U.S. national security memorandum on the other.
  4. NSA CNSA 2.0 (U.S.). CNSA 2.0 is the U.S. national-security-systems mandate with its own earlier, harder deadlines. The NCSC guidance is broader and softer: economy-wide advice rather than a mandate for a specific class of systems.
  5. EU Cyber Resilience Act. A UK organization selling connected products into the EU also picks up the CRA’s product-security obligations. The NCSC timeline is the UK’s migration guidance; the CRA is a separate EU market-access instrument.
  6. UK sector regulators. Financial (PRA/FCA), telecom (Ofcom), and energy regulators are expected to translate NCSC expectations into sector-specific supervisory pressure, which is how advisory guidance acquires practical force for UK-regulated organizations.

What does the 2028 milestone actually force?

A dated recommendation from the national authority is what turns “someday” into a funded program. For years the honest answer to “when do we have to do this” was “before a quantum computer exists, and nobody knows when,” which is exactly the kind of answer that never gets a budget line. The NCSC timeline replaces that open question with three years on a page, and the first one is close.

The forcing function is the 2028 discovery milestone, not the 2035 endpoint. Because discovery and an initial plan have to be complete before any migration can be sequenced, the real work starts now: inventory the cryptography across the estate, including embedded systems, ICS, and long-lived hardware roots of trust that have lead times measured in hardware refresh cycles. Long-retention and harvest-now-decrypt-later-exposed data should move ahead of the general 2035 endpoint, because an adversary can record encrypted traffic today and decrypt it once a quantum computer exists, which means the clock on that data is already running.

Common misconceptions

  1. “NCSC guidance is law.” It’s advisory. The milestones are recommendations with no statutory penalty. Their force comes from national expectation and from UK sector regulators layering their own supervisory pressure on top.
  2. “2035 is the deadline.” The date that constrains you is 2028, the discovery-and-plan milestone. Anchoring on 2035 means starting years too late, because you can’t plan a migration of cryptography you haven’t inventoried.
  3. “Our vendors will handle it.” True for SMEs on commodity IT, which the NCSC explicitly says are covered by vendor updates. It’s false for large organizations with bespoke systems, CNI, or ICS, which own the migration themselves.
  4. “Hybrid is the end state.” The NCSC treats hybrid as an interim measure and PQC-only as the destination. Architecting hybrid as permanent diverges from UK guidance and builds in future rework.
  5. “There’s a UK-specific algorithm set.” There isn’t. The UK adopts the NIST-standardized algorithms and adds its own parameter picks (ML-KEM-768, ML-DSA-65) and timeline.
  6. “Discovery can wait until we’ve picked algorithms.” The NCSC path is discovery-first for a reason. Jumping to algorithm selection before inventorying the estate is the most common way UK organizations fall behind their own timeline.

Questions people ask

Does the NCSC guidance apply to my organization? If you’re a UK large organization, a CNI operator, or a business running bespoke or long-life systems, yes, you’re in the intended audience and should map to the 2028/2031/2035 milestones. If you’re a small firm on commodity, vendor-maintained software, the NCSC expects your vendors to carry the migration for you.

Is it law or guidance? Guidance. It’s advisory and carries no statutory penalty. In practice UK government, CNI, and regulated industry treat it as the authoritative national reference, and sector regulators reinforce it, so it functions as a strong expectation rather than an optional suggestion.

What’s the actual deadline? The endpoint is 2035 for completing migration of all systems, services, and products, but the milestone that should drive your planning is 2028: define migration goals, complete a full cryptographic discovery exercise, and build an initial plan by then.

Which algorithms does the NCSC recommend? ML-KEM-768 for key establishment and ML-DSA-65 for general-purpose signatures are the named defaults. SLH-DSA and the stateful hash-based schemes are reserved for narrow uses like firmware signing, because their signatures are large and slow for everyday use.

Should I deploy hybrid or PQC-only? The NCSC’s position is that hybrid is an interim measure and PQC-only is the destination, and that any hybrid deployment should sit in a flexible framework that allows a clean move to PQC-only later. That’s a deliberate divergence from national authorities that favor hybrid as a durable default, so if you operate in the EU as well, hold both positions.

How does this line up with the U.S. mandates? The UK’s 2035 endpoint aligns with the U.S. NSM-10 2035 goal and is compatible with NIST IR 8547’s deprecation schedule. The difference is instrument and posture: the NCSC issues economy-wide advisory guidance, while the U.S. side runs binding mandates like NSM-10 and CNSA 2.0 for defined classes of systems.

What do I do first? Start the cryptographic discovery exercise now. Nothing downstream can be planned accurately until the estate’s cryptography is inventoried, and discovery of embedded systems, ICS, and long-lived roots of trust takes longer than most teams expect.

Has the NCSC issued newer timeline guidance? This note reflects the March 20, 2025 “Timelines for migration to post-quantum cryptography” as the current version. Re-verify against ncsc.gov.uk at review, since national milestones and parameter recommendations can be revised.


Everything here is the map, given freely. When your team needs the NCSC’s 2028/2031/2035 timeline translated into a phased migration sequenced against your own estate, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.