A cryptographically-relevant quantum computer doesn't exist yet — but the deadline to defend against one is already running, because attackers can steal encrypted data today and decrypt it later. In March 2025 the UK's NCSC published a migration roadmap with a hard 2035 endpoint and interim milestones in 2028 and 2031. For most UK organisations this is not a research problem to ignore; it's a multi-year programme that starts with an inventory. Here is what's real, what NCSC actually asks, and the pragmatic first steps.
Why now, when quantum computers can't break encryption yet
The threat is 'harvest now, decrypt later'. An adversary can capture your encrypted traffic or exfiltrate encrypted archives today and simply store them until a future quantum computer can break the public-key cryptography (RSA, elliptic-curve) that protects them. Any data with a long confidentiality lifetime — health records, legal files, state secrets, long-term IP — is therefore already exposed in principle. That is why standards bodies and governments are pushing migration now rather than waiting for the machine to arrive.
The defence is post-quantum cryptography (PQC): new algorithms believed to resist quantum attack. NIST standardised the first set in 2024 — ML-KEM (Kyber) for key exchange and ML-DSA (Dilithium) and SLH-DSA (SPHINCS+) for signatures — and the NCSC aligns with these. Vendors have been getting validated implementations through NIST's programme since.
What the NCSC roadmap actually asks
The NCSC's 'Timelines for migration to post-quantum cryptography' (March 2025) sets a three-phase programme to be complete by 2035:
- •By 2028 — discover and plan: identify every cryptographic service, system and dependency that will need upgrading, and build a migration plan.
- •2028-2031 — high-priority upgrades: execute the earliest and most critical migrations (the systems and long-lived data most at risk), refining the plan as PQC tooling matures.
- •2031-2035 — complete migration: finish moving systems, services and products to PQC.
The first step is an inventory, not an algorithm
The single most useful thing you can do in 2026 is build a cryptographic inventory: where is encryption used across your estate, by what systems, protecting what data, with what algorithms and key lifetimes, and which of it is supplier-controlled? Most organisations genuinely don't know — cryptography is buried in TLS termination, VPNs, code-signing, databases, backups, IoT and dozens of third-party products. You cannot plan a migration you can't see, and the 2028 milestone is fundamentally about achieving that visibility and prioritising by data lifetime and exposure.
Prioritise by 'how long must this stay secret' and 'how exposed is it in transit/at rest to harvesting'. Long-lived secrets crossing untrusted networks are the front of the queue.
What to do in 2026
Treat 2026-2028 as the discovery-and-planning phase NCSC describes: inventory your crypto, classify data by confidentiality lifetime, ask your strategic suppliers for their PQC roadmaps (much of your exposure is in their products), and pilot PQC-ready TLS and VPN where it's available. Avoid bespoke crypto — wait for vendor-validated implementations rather than rolling your own. The goal this year is a credible plan and a prioritised list, not a finished migration.
Servnet can help map the infrastructure side of that inventory — what your servers, network and security stack use, and which vendors have validated PQC support — and feed it into a plan that hits the NCSC milestones.