The UK’s National Cyber Security Centre (NCSC) has warned that future quantum computers could break today’s encryption, urging businesses and government agencies to start preparing for a post-quantum era before it’s too late.
In a newly released guide, the agency has advised organizations to identify vulnerable systems by 2028 and prioritize critical upgrades by 2031, with a full transition to post-quantum cryptography (PQC) expected by 2035.
The NCSC cautioned that adversaries may already be harvesting encrypted data for future decryption, making early action critical.
Industries handling long-term sensitive data, including financial services and national infrastructure, face heightened risks and must begin planning their transition now to avoid exposure as quantum technology advances.
“Migration to PQC is a global-scale change to IT and operational technology (OT) systems and will typically involve activity that spans multiple leadership cycles in most large organizations,” NCSC said in its guide. “Like any major IT or OT upgrade, the total financial cost of PQC migration could be significant, so it’s essential that organizations budget accordingly, including for preparatory activities as well as the actual migration.”
The threat from quantum computing
The emergence of quantum computing is set to reshape the cybersecurity landscape, raising concerns about its potential use in cyber warfare and espionage.
Security experts warn that while the technology is still in its early stages, its implications for cybersecurity cannot be ignored.
“I believe this has the potential to create cross-border cyber threats, including proxy cyber wars or enemy nation-sponsored cyber terrorism,” said Faisal Kawoosa, founder and lead analyst at Techarc. “It’s complex and costly to use quantum computing even for cybercrimes. So, at this stage, it could only be government-supported and used against unfavorable nations. Given the current state of international relations, the risk appears high.”
This growing risk underscores the urgency of transitioning to PQC before adversaries develop the means to exploit vulnerabilities at scale. Organizations that delay migration could find themselves exposed to quantum-enabled attacks sooner than anticipated.
Challenges for enterprises
The NCSC’s roadmap underscores the urgency of transitioning to PQC, but businesses may face significant challenges in meeting the proposed timelines.
The migration process could be complex, costly, and disruptive, requiring organizations to overhaul encryption protocols embedded in critical infrastructure, financial systems, and cloud services.
Kawoosa pointed out that while enterprises typically have basic cybersecurity measures in place, only certain industries – such as banking and financial services – have invested in more advanced protections.
“In general, cybersecurity is only given serious attention when something happens,” Kawoosa added.
This reactive approach could pose risks as quantum threats grow more imminent. Waiting too long to begin migration could leave critical systems vulnerable to emerging threats.
However, on the plus side, both quantum computing and PQC are still in the early stages of development.
“I think we are still in the infancy stage when it comes to quantum computing in action,” Kawoosa said. “The same applies to post-quantum cryptography. We have to bear in mind that NIST only established standards for it in 2024, so the actual work on developing solutions is just beginning.”