The National Cyber Security Centre has issued a ‘three-phase’ timetable for organisations to become secure against future quantum computing threats.

The NCSC – which guards the UK against nation state and criminal cyber gangs – are encouraging organisations to move to quantum-resistant encryption standards by 2035.

In new guidance, the NCSC, which is part of the nation’s signals intelligence agency GCHQ, emphasises the importance of ‘post-quantum cryptography’ (PQC), which is a new type of encryption designed to safeguard sensitive information from the future risks posed by quantum computers. 

“While today’s encryption methods – used to protect everything from banking to secure communications – rely on mathematical problems that current-generation computers struggle to solve, quantum computers have the potential to solve them much faster, making current encryption methods insecure,” the agency says.

“Migrating to PQC will help organisations stay ahead of this threat by deploying quantum-resistant algorithms before would-be attackers have the chance to exploit vulnerabilities.”

Cybersecurity experts have been warning for some time that the world is rapidly approach a so-called ‘Q-Day’ – a point at which quantum computers – which can perform calculations exponentially faster than classical computers.

Most modern encryption, such as RSA, ECC (Elliptic Curve Cryptography), and Diffie-Hellman, relies on the difficulty of factoring large numbers or solving discrete logarithms.

However, quantum computers can run Shor’s algorithm, which can factor large numbers in polynomial time, making RSA and ECC encryption obsolete.

Once sufficiently powerful quantum computers exist, they could break RSA encryption in minutes instead of thousands of years.

The new guidance encourages organisations to begin preparing for the transition now to allow for a smoother, more controlled migration that will reduce the risk of rushed implementations and related security gaps. It outlines three phases for migration: 

  • To 2028 – identify cryptographic services needing upgrades and build a migration plan. 
  • From 2028 to 2031 – execute high-priority upgrades and refine plans as PQC evolves. 
  • From 2031 to 2035 – complete migration to PQC for all systems, services and products. 

NCSC Chief Technical Officer Ollie Whitehouse said: “Quantum computing is set to revolutionise technology, but it also poses significant risks to current encryption methods.

“Our new guidance on post-quantum cryptography provides a clear roadmap for organisations to safeguard their data against these future threats, helping to ensure that today’s confidential information remains secure in years to come.

“As quantum technology advances, upgrading our collective security is not just important – it’s essential.”

The agency said that for many small and medium-sized businesses, the transition will be relatively straightforward, as third party tech suppliers will provide the upgrades as normal, but larger companies will need to plan and make ‘significant investment’.