Global PQC Regulatory Migration Timeline
Every enacted rule, supervisory signal, and hard deadline shaping post-quantum migration — plotted chronologically across jurisdictions and mapped to the governance clauses you will be asked to cite.
For the full narrative of each reference, see the Regulatory Radar. For the phased NIST-aligned playbook, see the NIST PQC Migration Roadmap.
NSM-10 issued
White House directs federal agencies to begin multi-year PQC migration with a 2035 mitigation horizon.
OMB M-23-02 — Migrating to PQC
OMB mandates prioritized cryptographic inventories from federal agencies; the sequencing template the private sector will inherit.
Quantum Computing Cybersecurity Preparedness Act (PL 117-260)
US statute binds federal agencies to prepare for PQC migration and complete cryptographic inventories via OMB.
CISA/NSA/NIST Quantum-Readiness factsheet
Joint tri-agency guidance: build a roadmap, inventory cryptography, engage vendors — now.
MAS Advisory on quantum readiness
Monetary Authority of Singapore's Circular MAS/TCRS/2024/01 — among the first regulator-to-institution quantum letters worldwide.
NIST finalizes FIPS 203, 204, 205
ML-KEM, ML-DSA, and SLH-DSA published as final standards. Deploy-now algorithms; procurement can cite them.
G7 Cyber Expert Group statement on quantum
G7 supervisors urge financial institutions to inventory, plan, and start migration.
MiCA fully applicable in EU
Crypto-asset service providers now bound by Article 70 operational resilience and Article 73 custody — every wallet key is ECC-vulnerable.
DORA applies to EU financial entities
ICT risk management, third-party oversight, resilience testing — the perimeter cryptographic risk lands inside.
Europol Quantum Safe Financial Forum call to action
Europol convenes banks and policymakers on the quantum transition — law enforcement now in the room.
NIST selects HQC as fifth PQC algorithm
Backup KEM to ML-KEM; final standardization expected 2027. Reinforces the case for crypto agility.
UK NCSC PQC migration timelines
Discovery and planning by 2028; highest-priority migration by 2031; completion by 2035. Guidance, not law — the clearest national timeline published.
NSA CNSA 2.0 reissued
Binding suite for National Security Systems; new NSS acquisitions must support CNSA 2.0 from Jan 1, 2027.
EU NIS Cooperation Group PQC roadmap
Three-date ladder: begin transitioning by end of 2026, critical infrastructure migrated by end of 2030, full transition by 2035.
Federal Reserve FEDS 2025-093 on HNDL
Fed research documents the irreversibility of harvest-now-decrypt-later exposure on distributed-ledger data.
BIS Project Leap Phase 2 completed
Bank of Italy, Banque de France, Bundesbank, Nexi-Colt, and Swift run PQC signatures on live liquidity transfers.
NCUA 2026 supervisory priorities
Risk-based compliance, payment systems, cybersecurity, vendor oversight — the foundations quantum readiness depends on.
Citi Institute quantum threat analysis
$2.0–3.3T Fedwire GDP-at-risk from a one-day disruption; 60–82% probability of a CRQC by 2044.
G7 CEG coordinated PQC financial-sector roadmap
Non-binding operational roadmap aligned to mid-2030s horizon, critical systems earlier — signed across seven economies.
COM(2026) 13 — proposed NIS2 amendment
Would embed PQC migration planning into national cybersecurity strategies and bring EUDI Wallet providers into NIS2 scope.
NIST HQC final standard expected
Backup KEM diversification lands as a finalized FIPS.
NIST deprecates RSA-2048 and ECC-256
NIST IR 8547 (IPD): classical asymmetric algorithms move to deprecated status. Auditors begin flagging.
UK NCSC — highest-priority systems migrated
Second NCSC milestone: identity, high-value customer-facing, and machine-credential surfaces on PQC.
EU — full PQC transition
Roadmap horizon: full transition for as many systems as practically feasible.
UK NCSC — migration complete
Third and final NCSC milestone: PQC migration complete across UK organizations.
Where does your posture sit on this calendar?
Score your migration readiness against the deadlines above and generate a board-ready briefing aligned to QCI-QS1.
Turn Timeline Awareness Into Action
Regulatory Radar
Track live regulatory movement across 12+ frameworks
Critical Infrastructure Sector
CISA and sector-specific PQC obligations
Financial Services Sector
PCI DSS 4.0 and NYDFS quantum deadlines
Strategic Implementation Roadmap
Board-ready 24-month PQC migration plan
Quantum Readiness Checklist
40-item actionable readiness self-audit
Credit Union PQC Guide
NCUA-aligned migration playbook