English
Français
Español
Português
简体中文
10/17/2025“High-risk systems must be migrated before 2030, and by 2035 most should be transitioned.” This dual timeline has been set out by governments and organizations across the world. Behind these dates lies a careful balance: the urgency of quantum threats, the maturity of post-quantum cryptography (PQC) standards, the readiness of industrial supply chains, and the pace of regulatory enforcement. Two years appear most frequently in these discussions: 2030 and 2035. What do they signify, and how should organizations interpret them? To answer, we look at the PQC roadmaps from the UK and the EU.
In March 2025, the UK’s National Cyber Security Centre (NCSC) published Timelines for migration to post-quantum cryptography, establishing three key milestones: 2028 → 2031 → 2035.
Features of the UK timelines:
‧ Gradual progression with buffer time: The UK roadmap does not treat 2030 as a hard deadline, but instead allows organizations a longer transition period.
‧ Emphasis on planning and preparation: From the early stages, organizations are expected to carry out comprehensive discovery, dependency map, and supply-chain analysis as foundational preparation.
‧ Cryptographic agility as a core requirement: Since PQC algorithms and protocol standards are still evolving, the UK stresses that system design must retain the ability to substitute cryptographic algorithms.
‧ Ecosystem support: The NCSC plans to launch a pilot scheme to assure consultancy service providers, helping organizations implement their migration.
Overall, the UK roadmap represents a more conservative but pragmatic path: the target year is further out (2035), but the phases are clearly defined, with room for risk assessment and adjustment.
In April 2024, the European Commission issued Recommendation on a Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, followed by the formal release of A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography in June 2025. Its milestones are 2026→2030→2035.
Features of the EU roadmap:
Risk-first principle: Resources and timelines are concentrated on the migration of high-risk systems as a priority, ensuring that the most critical assets are secured first.
Policy binding and regulatory support: The EU roadmap is not merely advisory; it will be enforced through cybersecurity legislation, Member State coordination, and supervisory mechanisms.
International/standards alignment: The EU roadmap aligns its milestones (notably 2035) with the US and UK, while also emphasizing hybrid approaches and cryptographic agility.
“No-regret moves”: From the outset, organizations are encouraged to implement cryptographic asset management, risk assessment, and supply-chain coordination—fundamental actions that are best practices in cybersecurity regardless of future uncertainty.
It is clear that the EU roadmap assigns significant urgency and pressure to the 2030 milestone: if high-risk systems are migrated only after 2030, they will face heightened exposure to quantum threats.
1. Why 2035 as the full migration goal?
Quantum technology maturity expectations: The prevailing view is that building a Cryptographically Relevant Quantum Computer (CRQC) capable of breaking today’s public-key cryptography still faces significant technical challenges in the near term. It is generally expected that such capability will not emerge before 2030.
Time needed for standards, protocols, and implementation maturity: Even though NIST and other standards bodies have published PQC algorithms, validating, optimizing, and adapting them across diverse systems, protocols, and hardware platforms will take several more years.
Complexity of industrial supply chains and system upgrades: Operating systems, middleware, communication protocols, smart devices, control systems, and industrial platforms all require synchronized adaptation, testing, compatibility validation, and upgrade path design.
Transition buffer design: A buffer window is necessary to give organizations, device manufacturers, software vendors, and system maintainers time to adapt, reducing the risks and costs of premature mandatory migration.
In other words, the 2035 target provides a cushion—flexibility and fault tolerance—allowing the global supply chain to progress at a sustainable pace.
2. Why 2030 as the high-risk deadline?
Long exposure period of high-risk systems: Systems that require long-term confidentiality (e.g., government, defense, healthcare, finance, research archives) are particularly vulnerable. If sensitive data is intercepted today and stored for future decryption (harvest-now, decrypt-later), the impact could be severe even before quantum capabilities fully mature.
Pressure of the risk window: For these systems, the cost of tolerating the quantum threat window is too high, hence the need for an earlier milestone to accelerate migration.
Policy and regulatory drivers: For critical infrastructure, public services, and high-impact industries, governments tend to enforce mandatory or quasi-mandatory requirements, making the 2030 milestone politically and legally significant.
Alignment with international timelines: The EU, UK, and US are converging on standards, compliance, and international frameworks. If high-risk systems are not migrated early, cross-border cooperation and trust frameworks will face significant challenges.
“2030 or 2035” is not simply a matter of choosing a deadline. It reflects a broader balance of factors: security urgency, the maturity of post-quantum technologies, the rhythm of industry adoption, and the force of policy and regulation.
For Watchdata, as a company dedicated to the deployment of cryptographic and security technologies, the essential question is not which date is right—but how to use this critical window to prepare. That means building comprehensive visibility into cryptographic assets, enabling true cryptographic agility, ensuring compatibility and upgrade paths, and aligning with international roadmaps.
The years ahead will be pivotal, as PQC transitions from standards to implementation, from research to engineered solutions. By planning early and executing steadily, enterprises can position themselves to lead rather than follow in the global migration wave between 2030 and 2035. At Watchdata, we are committed to supporting our partners and clients throughout this transition, helping them build the resilience required for a quantum-secure future.