Securing Tomorrow, Today: EU issues post-quantum cryptography roadmap

The uncertainties surrounding post quantum computing threats continue to concern global governments.

The US and UK have previously issued guidance on PQC security requirements and now the EU has issued a roadmap and timeline to instruct its member states to start using post-quantum cryptography.

Last week, Henna Virkkunen, Executive Vice-President for Technological Sovereignty, Security and Democracy at the EU Commission said: "post-quantum cryptography is essential to ensure a high level of cybersecurity, fortifying our systems against future threats."

Launching the 'Coordinated Implementation Roadmap', the EU has advised that:

"All Member States should start transitioning to post-quantum cryptography by the end of 2026. At the same time, the protection of critical infrastructures should be transitioned to PQC as soon as possible, no later than by the end of 2030"

This accelerates the UK's proposed PQC timeline, published just three months ago in March 2025. In Britain, 2028 was the target date for creating a migration plan with the highest-priority migration activities completed by the end of 2031.

The EU announcement provides some context for this disparity stating, "the recommended deadline may in fact not always be sufficient," potentially reflective of gains being made in quantum computing globally as nation states shift their focus to the perceived benefits of harvest now, decrypt later attacks on data accumulated through well publicised breaches.

What is apparent from the new roadmap, is the need for any EU member state to create their own national implementation plan that prioritises protecting the most critical national assets using the quantum vulnerability diagnosis and risk assessment methodologies from the PQC Migration Handbook.

The EU states: "unexpected advances in quantum computing could warrant an acceleration of the transition process," where a safe window to address the PQC threat already appears to be shrinking.

Protecting CNI systems and assets remains a priority globally, what's not yet crystal clear is how quickly this work must begin and be successfully delivered.