The post-quantum countdown

Every dated deadline that is going to land on your desk, and what each one actually asks you to produce. Most of them ask for the same thing first: an inventory of the cryptography you are running. Almost nobody has one.

The quantum computer is not the deadline. The regulator is.

In effect now

PQC standards published — ML-KEM, ML-DSA, SLH-DSA

NIST · FIPS 203 / 204 / 205

The final post-quantum standards: ML-KEM (key encapsulation), ML-DSA and SLH-DSA (signatures).

Why it matters: The 'we're waiting for the standards' excuse expired here. Every deadline after this one assumes these algorithms are available, and they are.

Applies to: Everyone; the basis of every migration below

Read the source →

In effect now

Cryptographic inventory required (req. 12.3.3)

PCI SSC · PCI DSS v4.0.1

Maintain a documented inventory of the cipher suites and protocols in use, reviewed at least every 12 months, including a plan to respond to changes in cryptographic vulnerabilities.

Why it matters: This is not a quantum requirement and it is not in the future — it is a live, assessable control. A QSA can ask for the inventory today, and 'we don't have one' is a finding.

Applies to: Any entity storing, processing or transmitting cardholder data

Read the source →

171 days

Member States to have started PQC migration

European Commission · EU PQC coordinated implementation roadmap

Begin the transition to post-quantum cryptography, with high-risk use cases targeted for completion by end-2030.

Why it matters: The nearest cliff on this map. 'Started' means a plan and an inventory — which is exactly the artifact nobody has.

Applies to: EU Member States and, in practice, their critical-infrastructure supply chains

Read the source →

2.5 years

Discovery and migration plan complete

UK NCSC · NCSC PQC migration timeline

By 2028: define migration goals, carry out a full discovery exercise, and build an initial migration plan.

Why it matters: NCSC put discovery first and gave it its own deadline — an admission that nobody knows what crypto they are running.

Applies to: UK organisations, explicitly including critical national infrastructure

Read the source →

3.5 years

Software and firmware signing: exclusively PQC

NSA · CNSA 2.0

CNSA 2.0 requires PQC signatures (ML-DSA / LMS / XMSS) for software and firmware signing, the earliest of its category deadlines.

Why it matters: Signing keys are the first thing anyone has to migrate, and the hardest — you cannot re-sign the past, and firmware in the field outlives the key that signed it.

Applies to: National Security Systems and their vendors — in practice, anyone selling software to US defence

Read the source →

4.5 years

RSA, ECDSA, EdDSA, DH and ECDH deprecated

NIST · NIST IR 8547

112-bit classical security (RSA-2048, P-256 and friends) becomes deprecated after 2030 and disallowed after 2035.

Why it matters: This is the date your current TLS certificates, SSH keys and JWT signing keys stop being acceptable. Almost all of them are on this list.

Applies to: US federal systems, and every standard that follows NIST

Read the source →

4.5 years

High-risk use cases migrated

European Commission · EU PQC coordinated implementation roadmap

Complete PQC migration for high-risk use cases.

Why it matters: Four years to migrate the systems that are hardest to change. That is not a long time in an environment with hardware in it.

Applies to: EU Member States; critical infrastructure first

Read the source →

6.5 years

Web servers, browsers and cloud services: exclusively PQC

NSA · CNSA 2.0

Networking and cloud categories complete their transition to CNSA 2.0 algorithms.

Why it matters: Your TLS termination, your CDN and your managed KMS all land here.

Applies to: National Security Systems and their vendors

Read the source →

9.5 years

Classical public-key crypto disallowed; US migration target

NIST / NSM-10 · NIST IR 8547; US National Security Memorandum 10

RSA/ECC disallowed. NSM-10 sets 2035 as the target for mitigating quantum risk across US systems.

Why it matters: This is the end of the runway, and it is the number every other regulator anchored to. Data you encrypt today that must stay secret past 2035 is already exposed — harvest now, decrypt later.

Applies to: US federal systems; the de-facto global backstop date

Read the source →

Find out where you stand — in an afternoon

PQLens builds the inventory these deadlines ask for: across your code, dependencies, configs, certificates, keystores, TLS and SSH endpoints, JWKS, and cloud KMS. Free to run, 100% local — nothing about your code leaves the machine.

Regulatory dates move, and the wording matters more than the date. Every entry above links to its primary source — read it before you put a number in a board pack. Last verified 2026-07-13. We never claim any algorithm is “quantum-proof”; the honest words are quantum-vulnerable, quantum-weakened, PQC-ready, and hybrid.

PQLens by CybXSan · The evidence engine is open source: cybxsan-evidence.