Cookie Preferences

    We use cookies to ensure our website functions properly and to improve your experience. Essential cookies are always active. You can choose to enable other categories below. Learn more

    Global PQC calendar · Reviewed quarterly

    Global PQC Regulatory Migration Timeline

    Every enacted rule, supervisory signal, and hard deadline shaping post-quantum migration — plotted chronologically across jurisdictions and mapped to the governance clauses you will be asked to cite.

    For the full narrative of each reference, see the Regulatory Radar. For the phased NIST-aligned playbook, see the NIST PQC Migration Roadmap.

    Showing 29 of 29
    Region
    Framework
    Status
    2022
    May 2022
    Enacted
    US
    NIST

    NSM-10 issued

    White House directs federal agencies to begin multi-year PQC migration with a 2035 mitigation horizon.

    QCI-QS1 · Clause 4Q-Risk · Governance
    Nov 2022
    Effective
    US
    OMB

    OMB M-23-02 — Migrating to PQC

    OMB mandates prioritized cryptographic inventories from federal agencies; the sequencing template the private sector will inherit.

    QCI-QS1 · Clause 4.5 (QASI)Q-Risk · Inventory
    Dec 2022
    Enacted
    US
    OMB

    Quantum Computing Cybersecurity Preparedness Act (PL 117-260)

    US statute binds federal agencies to prepare for PQC migration and complete cryptographic inventories via OMB.

    QCI-QS1 · Clause 4Q-Risk · Governance
    2023
    Aug 2023
    Milestone
    US
    NIST

    CISA/NSA/NIST Quantum-Readiness factsheet

    Joint tri-agency guidance: build a roadmap, inventory cryptography, engage vendors — now.

    QCI-QS1 · Clause 4.5, 7Q-Risk · Inventory, Vendor
    2024
    Feb 2024
    Milestone
    International
    MAS

    MAS Advisory on quantum readiness

    Monetary Authority of Singapore's Circular MAS/TCRS/2024/01 — among the first regulator-to-institution quantum letters worldwide.

    QCI-QS1 · Clause 4, 6Q-Risk · Governance
    Aug 13, 2024
    Enacted
    US
    NIST

    NIST finalizes FIPS 203, 204, 205

    ML-KEM, ML-DSA, and SLH-DSA published as final standards. Deploy-now algorithms; procurement can cite them.

    QCI-QS1 · Clause 6Q-Risk · Algorithm posture
    Sept 2024
    Milestone
    International
    G7 / BIS

    G7 Cyber Expert Group statement on quantum

    G7 supervisors urge financial institutions to inventory, plan, and start migration.

    QCI-QS1 · Clause 4Q-Risk · Governance
    Dec 30, 2024
    Effective
    EU
    MiCA

    MiCA fully applicable in EU

    Crypto-asset service providers now bound by Article 70 operational resilience and Article 73 custody — every wallet key is ECC-vulnerable.

    QCI-QS1 · Clause 6, 7Q-Risk · Algorithm posture
    2025
    Jan 2025
    Effective
    EU
    DORA

    DORA applies to EU financial entities

    ICT risk management, third-party oversight, resilience testing — the perimeter cryptographic risk lands inside.

    QCI-QS1 · Clause 7, 8Q-Risk · Vendor, Governance
    Feb 2025
    Milestone
    EU
    NIS2

    Europol Quantum Safe Financial Forum call to action

    Europol convenes banks and policymakers on the quantum transition — law enforcement now in the room.

    Q-Risk · Governance
    Mar 2025
    Milestone
    US
    NIST

    NIST selects HQC as fifth PQC algorithm

    Backup KEM to ML-KEM; final standardization expected 2027. Reinforces the case for crypto agility.

    QCI-QS1 · Clause 6Q-Risk · Algorithm posture
    Mar 2025
    Milestone
    UK
    UK NCSC

    UK NCSC PQC migration timelines

    Discovery and planning by 2028; highest-priority migration by 2031; completion by 2035. Guidance, not law — the clearest national timeline published.

    QCI-QS1 · Clause 6, 8Q-Risk · Roadmap
    May 30, 2025
    Effective
    US
    NSA/CNSA

    NSA CNSA 2.0 reissued

    Binding suite for National Security Systems; new NSS acquisitions must support CNSA 2.0 from Jan 1, 2027.

    QCI-QS1 · Clause 6, 7Q-Risk · Vendor
    Jun 23, 2025
    Milestone
    EU
    EU PQC Roadmap

    EU NIS Cooperation Group PQC roadmap

    Three-date ladder: begin transitioning by end of 2026, critical infrastructure migrated by end of 2030, full transition by 2035.

    QCI-QS1 · Clause 6, 8Q-Risk · Roadmap
    Sept 2025
    Milestone
    US
    NIST

    Federal Reserve FEDS 2025-093 on HNDL

    Fed research documents the irreversibility of harvest-now-decrypt-later exposure on distributed-ledger data.

    Q-Risk · Data lifetime
    Dec 11, 2025
    Milestone
    International
    G7 / BIS

    BIS Project Leap Phase 2 completed

    Bank of Italy, Banque de France, Bundesbank, Nexi-Colt, and Swift run PQC signatures on live liquidity transfers.

    Q-Risk · Algorithm posture
    2026
    2026
    Effective
    US
    HIPAA

    NCUA 2026 supervisory priorities

    Risk-based compliance, payment systems, cybersecurity, vendor oversight — the foundations quantum readiness depends on.

    Q-Risk · Vendor
    Jan 2026
    Milestone
    US
    NIST

    Citi Institute quantum threat analysis

    $2.0–3.3T Fedwire GDP-at-risk from a one-day disruption; 60–82% probability of a CRQC by 2044.

    Q-Risk · Board reporting
    Jan 2026
    Milestone
    International
    G7 / BIS

    G7 CEG coordinated PQC financial-sector roadmap

    Non-binding operational roadmap aligned to mid-2030s horizon, critical systems earlier — signed across seven economies.

    Q-Risk · Roadmap
    Jan 20, 2026
    Proposal
    EU
    NIS2

    COM(2026) 13 — proposed NIS2 amendment

    Would embed PQC migration planning into national cybersecurity strategies and bring EUDI Wallet providers into NIS2 scope.

    QCI-QS1 · Clause 4, 8Q-Risk · Governance
    2027
    Jan 1, 2027
    Deadline
    US
    NSA/CNSA

    CNSA 2.0 required for new NSS acquisitions

    All new National Security System acquisitions must support CNSA 2.0. Defense-adjacent supply chain moves first.

    QCI-QS1 · Clause 7Q-Risk · Vendor
    2027
    Milestone
    US
    NIST

    NIST HQC final standard expected

    Backup KEM diversification lands as a finalized FIPS.

    Q-Risk · Algorithm posture
    2028
    By 2028
    Deadline
    UK
    UK NCSC

    UK NCSC — discovery and planning complete

    First NCSC milestone: cryptographic discovery finished, migration plan documented.

    QCI-QS1 · Clause 4.5Q-Risk · Inventory
    2030
    After 2030
    Deadline
    US
    NIST

    NIST deprecates RSA-2048 and ECC-256

    NIST IR 8547 (IPD): classical asymmetric algorithms move to deprecated status. Auditors begin flagging.

    QCI-QS1 · Clause 6Q-Risk · Algorithm posture
    End of 2030
    Deadline
    EU
    EU PQC Roadmap

    EU critical infrastructure migrated

    NIS Cooperation Group milestone: critical infrastructures across member states migrated to PQC.

    QCI-QS1 · Clause 6, 8Q-Risk · Roadmap
    2031
    By 2031
    Deadline
    UK
    UK NCSC

    UK NCSC — highest-priority systems migrated

    Second NCSC milestone: identity, high-value customer-facing, and machine-credential surfaces on PQC.

    Q-Risk · Roadmap
    2035
    After 2035
    Deadline
    US
    NIST

    NIST disallows RSA-2048 and ECC-256

    Federal systems must complete migration. Regulated industries follow inside the same window.

    QCI-QS1 · Clause 8Q-Risk · Attestation
    By 2035
    Deadline
    EU
    EU PQC Roadmap

    EU — full PQC transition

    Roadmap horizon: full transition for as many systems as practically feasible.

    Q-Risk · Attestation
    By 2035
    Deadline
    UK
    UK NCSC

    UK NCSC — migration complete

    Third and final NCSC milestone: PQC migration complete across UK organizations.

    Q-Risk · Attestation

    Where does your posture sit on this calendar?

    Score your migration readiness against the deadlines above and generate a board-ready briefing aligned to QCI-QS1.