The G7 PQC Roadmap: A Wake-Up Call for Financial Services Security Leaders

Most people read the G7’s post-quantum roadmap and fixate on the algorithms.

Tom Millar reads something far more uncomfortable between the lines: a quiet admission that many institutions still don’t know what they need to protect.

In his article, Tom argues that PQC migration won’t fail because of cryptography — NIST-approved algorithms already exist — it will fail because of visibility, ownership, and assurance. If you can’t discover and inventory your cryptographic assets, you can’t migrate them. If accountability isn’t embedded at board level, it won’t move. And if you can’t prove progress, “quantum-ready” becomes little more than quantum washing.

He also lays out the reality few leaders want to say out loud: this isn’t a quick fix. It’s a multi-year transformation programme — with a timeline the industry can no longer ignore: 2026 discovery and planning, 2027 execution, 2030–2032 critical systems migrated, 2035 completion.

The message is clear: don’t panic — plan — but plan now.

What strikes me most about the G7 roadmap isn’t the technical requirements — it’s the implicit admission that most institutions don’t actually know what they need to protect.

The Visibility Challenge No One Wants to Talk About

The new G7 roadmap places Discovery and Inventory at the very start of the journey for good reason. In my experience working with global financial institutions, cryptographic visibility remains the single greatest weakness in overall security posture. You cannot migrate what you cannot see. You cannot prioritise what you cannot measure.

This is the uncomfortable truth at the heart of post-quantum cryptography (PQC) readiness: before organisations can talk about algorithms, they must first confront a fundamental lack of cryptographic asset discovery.

The six phases outlined in the G7 roadmap – from Awareness and Preparation through to Validation and Monitoring – acknowledge what security leaders have known for years. Post-quantum cryptography migration is not a software patch or a point upgrade. It is a multi-year transformation programme that touches governance, risk, operations, and accountability.

Three Continuous Responsibilities That Define PQC Migration Success

The G7 identifies three activities that must run continuously throughout the PQC migration roadmap. These are not optional add-ons — they are the pillars that determine success or failure.

1. Governance and Risk Management

Quantum-resilient cryptography must be embedded into governance structures, oversight frameworks, and executive accountability models. The roadmap is explicit: this is a fiduciary responsibility, not a purely technical exercise.

Boards will be held accountable for cryptographic risk. Without clear ownership, defined escalation paths, and measurable assurance, post-quantum initiatives stall. Effective cryptographic risk governance ensures that PQC migration remains visible at the highest levels of the organisation.

2. Managing External Dependencies

No institution operates in isolation. PQC readiness for financial services is shaped as much by third parties as by internal systems.

Vendor maturity, cloud provider roadmaps, protocol dependencies, and supply-chain constraints will dictate the pace of your post-quantum cryptography migration. Understanding where cryptography lives across external services — and how quickly those providers can adapt — is non-negotiable.

This is where cryptographic visibility extends beyond internal environments into the wider ecosystem.

3. Stakeholder Dialogue

Fragmentation is the enemy of resilience. The G7 roadmap highlights the importance of structured dialogue across regulators, central banks, critical infrastructure operators, and technology vendors.

Coordinated migration reduces systemic risk. Without alignment, organisations risk duplicated effort, incompatible controls, and uneven progress — all of which undermine quantum readiness at an industry level.

The Timeline Is Now Fixed — Are You Ready?

The G7 has provided the clarity the industry has been waiting for. The PQC migration roadmap is no longer theoretical:

  • 2026: Cryptographic discovery, inventory, risk assessment, and planning
  • 2027 onwards: Begin migration execution
  • 2030–2032: Critical systems migrated
  • 2035: All systems migrated

These milestones align with guidance from NIST, ISO, BIS, FS-ISAC, NCSC, the EU-QSFF, and the Global Risk Institute. The global consensus around post-quantum cryptography readiness is undeniable.

While the roadmap itself is not regulation, it represents pre-regulatory alignment. It sets expectations before mandates arrive. Institutions that wait for formal enforcement will find themselves reacting under pressure rather than executing with confidence.

Venari Security’s Perspective

At Venari Security, we have long maintained that cryptographic resilience is fundamentally a governance and visibility problem before it becomes a cryptographic one.

The G7 roadmap validates this position entirely.

The real bottlenecks in post-quantum cryptography migration are not algorithmic. NIST-approved PQC algorithms already exist. The true constraints are:

  • Visibility: Do you know where all your cryptographic assets reside?
  • Ownership: Is accountability for cryptographic risk clearly defined?
  • Assurance: Can you demonstrate compliance and track migration progress over time?

Modernising infrastructure without modernising cryptographic visibility and control models simply accelerates drift. Institutions that succeed will treat PQC migration as strategic transformation, not a technical refresh.

And quantum washing — superficial claims of quantum readiness without genuine capability — will not survive regulatory scrutiny or board-level due diligence.

The Path Forward

The G7 roadmap delivers an unambiguous message to financial services:

Don’t panic. Plan. But plan now.

Institutions that begin cryptographic asset discovery and inventory today will be the ones that meet 2030 milestones with confidence. Those that delay will face compressed timelines, higher costs, and increasing regulatory pressure.

The quantum era is no longer a distant concern — it is an active planning horizon. As this roadmap makes clear, the governance frameworks and visibility models we build today will determine our resilience tomorrow.

Tom Millar is CEO of Venari Security, a leader in cryptographic visibility and post-quantum readiness solutions for critical infrastructure and financial services.
