NCSC Guidance on Post-Quantum Cryptography (PQC) What UK and EU Organisations Need to Know Now

Key Takeaways

• Timeline: NCSC three-phase roadmap (2028, 2031, 2035 deadlines) for UK/EU PQC standards migration
• For: CISOs, IT Directors, Risk Officers, Compliance Teams across UK/EU sectors
• Key Standards: ML-KEM-768 (Kyber), ML-DSA-65 (Dilithium), SLH-DSA (SPHINCS+)
• Regulatory Context: NCSC guidance aligns with DORA, GDPR, NIS2 compliance requirements

Reading Time: 8 minutes

Why the UK/EU is Paying Attention to Quantum Threats

Quantum computing promises transformational capabilities – from drug discovery to logistics optimisation. Quantum chips are rapidly becoming more scalable, stable, and usable, accelerating solutions beyond traditional computing capabilities.

But this power also threatens our cryptographic foundations. If quantum computers can decrypt sensitive data, trust in everything from online banking to digital healthcare records could erode overnight. For UK/EU organisations, this represents an existential threat to data sovereignty, regulatory compliance and customer confidence.

That’s why the UK’s National Cyber Security Centre (NCSC) has taken a proactive position, issuing clear NCSC post-quantum guidance to help organisations prepare for post-quantum cryptography UK/EU standards.

This isn’t just a technical update, it’s a foundational shift in how we need to protect our sensitive data in the decades ahead. 

• For comprehensive quantum threat context: Why Post-Quantum Cryptography Matters

The Quantum Algorithms That Changed Everything

How real is this threat? Two quantum algorithms in particular have raised red flags for security professionals. 

As quantum computing matures, the risk of a “harvest now, decrypt later” strategy grows: adversaries may already be storing encrypted communications with the intent to decrypt them in the future once quantum capabilities catch up. 

This is why cybersecurity communities in the UK, Europe and the world over are aligning around post-quantum readiness.  The “harvest now, decrypt later” threat is active: adversaries collect encrypted communications today to decrypt once quantum computers mature (estimated 2030-2035). The NCSC has warned UK organisations that sensitive encrypted data should be assumed already collected.

We explore the harvest now, decrypt later threat in detail here.

“Migration to PQC is a national technology change programme. It comes with significant potential cyber risk, and we have a strong responsibility to manage that. But it also promises major opportunities.”

NCSC Annual Review

NCSC Post-Quantum Cryptography Guidance: Roadmap and Timelines 

In March 2025, the NCSC released its Timelines for Migration to Post-Quantum Cryptography – a comprehensive roadmap for UK organisations across sectors, reflecting consensus among UK and EU security leaders on urgency and strategic approach – perspectives we explore in depth in our expert analysis of the future of post-quantum cryptography in the UK/EU (coming soon).

The NCSC emphasised that the severity of quantum risk facing the UK is being widely underestimated, particularly for critical infrastructure, supply chains, and the public sector. The gap between the evolving quantum threat and the cyber resilience of UK organisations needs to close as a matter of urgency, according to the NCSC’s 2024 Annual Review.

Key PQC Implications for UK/EU Organisations

Across industries, post-quantum cryptography (PQC) represents not just a technical shift, but a strategic imperative for quantum-safe cybersecurity in the UK and EU. 

Financial Services: Quantum-Safe Security and Regulatory Readiness

The financial sector is both a high-value target and a critical dependency in the UK economy.  

Institutions using TLS, digital signatures, and secure messaging must prioritise PQC to protect customer data, financial transactions and blockchain integrations.  Adopting quantum-safe encryption early will also align financial institutions with UK/EU PQC standards and regulatory expectations. 

Quantum Threats to UK/EU Financial Services Why Banks and Insurers Must Act Now

Key Takeaways Timeline: Quantum threat window 2027-2030, data being harvested now for future decryption For: Bank CFOs, CISOs, Risk Officers, Insurance CROs, Compliance Directors Key Threats:…

Continue reading

Healthcare and Government: Managing Long-Term Data Risks

Long data retention cycles make these sectors particularly vulnerable to “harvest now, decrypt later” attacks – a key quantum threat identified in NCSC PQC guidance. Secure storage of medical records, census data, and citizen identifiers must transition to quantum-safe protocols. 

Healthcare: Patient medical records (lifetime retention under GDPR), genetic data, NHS systems, and medical device communications require quantum-resistant cryptography.

Government: Census data, classified communications, tax records, social services data, and digital identity systems face decades-long sensitivity periods.

The NCSC has warned that organisations should assume sensitive encrypted data is already being collected by adversaries for future decryption (estimated 2030-2035).

Supply Chains and Critical National Infrastructure (CNI): Quantum-Resilient Upgrades

Transport, energy, and logistics providers face integration challenges with distributed systems and embedded devices. PQC deployment may require over-the-air firmware updates for IoT devices, hardware upgrades for industrial control systems (ICS/SCADA), protocol-level changes in telecommunications infrastructure, and supplier PQC readiness verification.

Critical sectors affected: Energy (smart grids, SCADA), transport (railway signalling, air traffic control), telecommunications (5G/6G infrastructure), and water treatment systems.

Each sector faces distinct migration challenges. For financial services organisations, we examine the regulatory and operational considerations in our guide to quantum-safe finance for UK and EU banks and insurers.

For organisations leveraging distributed ledger technology, blockchain systems present unique PQC challenges due to cryptographic immutability and permanent transaction records.

Securing Blockchain in a Quantum World

Key Takeaways Timeline: NCSC roadmap (2028, 2031, 2035) applies to blockchain post-quantum UK/EU migration For: Blockchain architects, fintech CTOs, digital asset managers, DLT innovators, crypto custody…

Continue reading

3 Steps to PQC Readiness

The NCSC has explicitly warned that organisations must assume sensitive encrypted data is already being collected and will eventually be decrypted.

Venari’s Perspective

Turning Guidance into Practice

As organisations across the UK and Europe prepare for the transition to post-quantum cryptography, many are finding the process more complex than expected – especially balancing compliance, vendor dependencies, and sector-specific risks.

The NCSC PQC guidance provides an excellent strategic framework, but requires complete visibility into cryptographic assets, understanding of dependencies, vendor PQC readiness assessment, regulatory gap analysis, and phased implementation maintaining operational continuity.

At Venari, we help enterprises across the UK and EU:

• Conduct cryptographic inventories(CBOM) and risk assessments
• Integrate NCSC-aligned timelines into digital transformation strategies
• Implement hybrid PQC/traditional models while maintaining interoperability
• Build long-term cryptographic agility 

Our deep experience working across finance, government, telecoms, and critical infrastructure means we understand the practical constraints UK/EU organisations face – and we’re ready to help. 

Talk to Us

Book a 30-minute strategy session with our PQC advisors to assess your current posture and define next practical steps toward crypto-agility and compliance with NCSC PQC guidance.

→ Book a PQC Consultation