SSH Blog | Defensive Cybersecurity

Key Drivers Behind the Push for PQC by Regulatory Bodies | SSH

Written by Jani Virkkula | Jun 10, 2025 9:39:31 AM

The urgency to prepare for post-quantum cryptography (PQC) is no longer theoretical — it's real, and it’s now. While quantum computers capable of breaking classical encryption, called cryptographically relevant quantum computers (CRQM), aren't mainstream yet, the threat landscape has changed.  

There are several important industry, governmental, and international bodies that are now recommending or even requiring organizations to begin planning or actively migrating to (PQC). Here's a quick rundown of the key drivers behind this push: 

 

1. NIST (U.S. National Institute of Standards and Technology) 

NIST has been leading the global standardization effort for post-quantum algorithms. In 2022, they announced the first group of PQC algorithms selected for standardization, and some of them have been officially published as standards. 

NIST encourages organizations to begin testing and integrating PQC algorithms now, so they’re ready once final standards are published. 

 2. U.S. Government Executive Orders & Memos  

While the following are U.S. mandates, it affects **all vendors and partners working with the U.S. government — including tech providers worldwide. 

Executive Order 14028** ("Improving the Nation’s Cybersecurity") and National Security Memorandum NSM-10 direct U.S. federal agencies to: 

  • Inventory their cryptographic systems, 
  • Identify where quantum-vulnerable algorithms are used, 
  • And prepare migration plans to PQC. 

The NSA and CISA (Cybersecurity and Infrastructure Security Agency) have published roadmaps for when and how federal systems should start adopting PQC. 

3. ENISA (European Union Agency for Cybersecurity) 

ENISA has issued guidance on post-quantum risk management, recommending that: 

  • Organizations inventory cryptographic assets, 
  • Perform risk assessments, 
  • And ensure algorithm agility to prepare for PQC. 

 

The EU is actively monitoring quantum threats, particularly for critical infrastructure and financial services. 

4. Great Britain  

In Great Britain, the National Cyber Security Centre (NCSC) highlights the importance of post-quantum cryptography (PQC) in their latest guidance. 

The three-phase roadmap encourages organizations to start preparing for the PQC transition now to avoid rushed migration and pave the way for a smooth and managed transition.   

 

  1. To 2028 – identify cryptographic services needing upgrades and build a migration plan.  
  2. From 2028 to 2031 – execute high-priority upgrades and refine plans as PQC evolves.  
  3. From 2031 to 2035 – complete migration to PQC for all systems, services and products.
     

5. Financial Sector Pressure

Banks and insurance companies have been forerunners in improving their cybersecurity posture for years, and now they’ve been accompanied by fintechs. This is because they have: 

  • Long data-retention requirements (i.e., needing encryption that will hold for decades), 
  • an increased risk of the “harvest now, decrypt later” risk — where attackers steal encrypted data today to decrypt it later when quantum computers are ready. 

Financial regulators in some jurisdictions are beginning to mention PQC readiness in cyber risk expectations.

6. Private Sector and Standards Organizations 

Groups like ISO, ETSI, and the Cloud Security Alliance have issued whitepapers and draft standards encouraging early preparation for PQC.  

Large tech vendors, many of whom also develop quantum computers (e.g., Google, IBM, Microsoft, Amazon), are already testing or piloting PQC integration in their services — e.g., hybrid TLS in Chrome and Cloud services. 

 

7.  The Monetary Authority of Singapore (MAS)

The Monetary Authority of Singapore (MAS) has issued an advisory urging financial institutions to prepare for the transition to post-quantum cryptography (PQC). The key recommendations from MAS include: 

  1. Stay Informed: Financial institutions should keep updated on the latest developments in quantum computing and their cybersecurity risks. 
  2. Assess Risks: Evaluate the potential impact of quantum computing on current cryptographic systems and identify vulnerabilities that may arise. 
  3. Develop Transition Plans: Create comprehensive strategies for migrating to quantum-resistant cryptographic algorithms.

 

8. Japan

The Cryptography Research and Evaluation Committees (CRYPTREC) set up by the Japanese Government have published the "CRYPTREC Cryptographic Technology Guideline - Post-Quantum Cryptography - 2024 Edition," offering comprehensive recommendations for transitioning to quantum-resistant algorithms.   

Summary: Why Migration Is Being Recommended Now 

  1. Standards are nearly finalized – time to prepare for implementation.
  2. Security risk is real – especially for long-lived or high-value data.
  3. Government mandates are rolling out – particularly in the U.S. and EU.
  4. Enterprises need time – especially large or complex environments.
  5. Tooling and vendor support is maturing – making migration more feasible.

The good news is that migration post quantum cryptography is feasible today.

 

Learn more in our blog post about the topic >>>

 

 
View full post