PQC Roadmap

What is a PQC roadmap?

In the near future, quantum computers will be capable of breaking asymmetric cryptography, the foundation of digital trust that secures our data exchanges, our communications, and our infrastructures. There is only one viable answer: replacing this “classical” cryptography with post-quantum cryptography (PQC), which resists attacks from quantum computers.

To protect themselves against this systemic risk, organizations need to prepare a transition plan toward post-quantum cryptography, set out in a roadmap, or PQC roadmap. It establishes a strategic and operational framework for steering the transition to PQC. As the backbone of a cryptographic transformation program, it defines priorities, sequences actions, sets milestones, and allocates the resources needed to migrate to algorithms resistant to quantum attacks, without operational disruption.

Why is a PQC roadmap essential?

Migrating to PQC is unlike any conventional security update.

It reaches the most fundamental layer of digital infrastructure: TLS protocols, certificates, cryptographic keys, libraries, equipment, suppliers.

It mobilizes multidisciplinary teams well beyond the cybersecurity department, and It spans several years, and it has to be coordinated with external partners.

The history of past cryptographic transitions is instructive. The migration away from SHA-1, broken in 2005, took more than ten years. The transition from TLS 1.2 to TLS 1.3 is still not complete everywhere. These precedents point to a simple reality: without a structured roadmap, the transition to PQC will not happen within the required timeframes.

And the timeframes are constrained. NIST has announced that RSA and elliptic curve algorithms will no longer be permitted in FIPS-certified products after 2035. In Europe, the roadmaps published by ANSSI, ENISA, and BSI converge on similar deadlines, between 2030 and 2035. DORA and NIS2, already in force, require organizations operating in Europe to maintain a formal cryptographic policy and a documented crypto-agility capability.

The quantum threat is already present today, notably through the “harvest now, decrypt later” attack: malicious actors collect data encrypted with classical cryptographic algorithms, intending to decrypt it once a quantum computer of sufficient power becomes available. Any data whose confidentiality must be preserved over the long term is therefore already exposed. The PQC roadmap sets out the plan of action for organizing the response to this urgency.

The four stages of a PQC roadmap

A robust post-quantum roadmap is structured around four phases that can be addressed in parallel.

1. Assessment: measuring the real impact before acting

Before launching a large-scale migration program, organizations need to understand what post-quantum cryptography concretely involves for the systems in place. The post-quantum algorithms standardized by NIST, ML-KEM, ML-DSA, and SLH-DSA, have different characteristics from classical algorithms: larger public keys and signatures, with possible effects on network latency and memory footprint.

This assessment phase relies on targeted pilot projects. Organizations test the new algorithms on representative use cases: TLS flows, authentication, document signing, communication protocols. They measure the effects on performance, identify critical dependencies, and anticipate compatibility issues.

This stage is also where organizations gather the data needed to build a realistic roadmap: costing the effort, prioritizing the systems to migrate, sizing the teams, and securing leadership support. This phase is essential to build a roadmap aligned with the organization’s operational constraints.

2. Discovery: making the cryptographic surface visible

You cannot migrate what you do not know. The cryptographic inventory is the first concrete action recommended by every security agency, NIST, NSA, ENISA, ANSSI, as an unavoidable step in any post-quantum strategy.

A complete inventory identifies all the algorithms, protocols, libraries, certificates, and cryptographic keys deployed across an organization’s applications, networks, and infrastructures. It also catalogs hidden dependencies and third-party libraries, which are often invisible in existing maps.

In practice, this inventory addresses a cybersecurity blind spot for the vast majority of organizations. Cryptography was never genuinely mapped over the decades, because no one needed to keep a precise register of it. The need to migrate to PQC is what brought this gap to light: without complete visibility into the cryptographic surface, it is impossible to prioritize systems at risk, demonstrate compliance with DORA or NIS2, or steer the migration coherently.

ENISA strongly recommends that this inventory be initiated before the end of 2026 for organizations subject to European regulations.

3. Governance: sustaining crypto-agility over time

PQC migration is not a one-time project but a continuous transformation of cryptographic governance. Standards evolve, regulations become more precise, and new algorithms may be published or, conversely, weakened. An organization that simply replaces one algorithm with another, with no steering mechanism, creates new cryptographic debt instead of resolving it.

The transition to PQC is an opportunity to change paradigms and deploy cryptographic agility, or crypto-agility. The goal is to build an infrastructure capable of changing algorithms quickly and in a controlled way, without rewriting applications, without service disruption, without depending on a single supplier.

DORA and NIS2 do not stop at requiring migration to post-quantum algorithms. They explicitly mandate a cryptographic agility capability: the ability to replace a compromised algorithm quickly and in a controlled way. This regulatory requirement converges with sound technical practice: designing cryptography as a governed layer, not as a fixed component of the infrastructure.

Cryptographic governance over time covers defining and enforcing a formal cryptographic policy, continuously monitoring compliance, managing the lifecycle of certificates and keys, and adapting the cryptographic posture quickly as standards or threats evolve.

4. Remediation: integrating PQC with a hybrid approach

The first inventory and prioritization deliverables make it possible to begin remediation actions. Remediation consists of replacing vulnerable classical algorithms with standardized post-quantum algorithms, starting with the systems and data identified as the most exposed to quantum risk, and preferably implementing crypto-agility along the way.

The approach recommended by security agencies, including ANSSI, is hybridization: combining a classical algorithm and a post-quantum algorithm within the same protection mechanism. This hybrid approach offers two complementary advantages. It maintains compatibility with existing systems that do not yet support PQC algorithms. And it ensures that channel security cannot be compromised if one of the two algorithms fails, whether through a cryptographic flaw or a quantum technological breakthrough.

For certificates and TLS protocols, hybridization is already an industrial reality. Cloudflare passed the threshold of 50% of traffic using hybrid post-quantum key exchanges in November 2025. The major web browsers now support this capability natively.

Remediation follows a risk-based prioritization logic. It starts with long-lived, highly sensitive data, the data already targeted by “harvest now, decrypt later” attacks. It then moves to public key infrastructures (PKI), authentication protocols, and finally less critical systems. This gradual approach spreads costs over time, builds on accumulated experience, and avoids destabilizing ongoing operations.

The actors that publish PQC roadmaps

A PQC roadmap is not built in a regulatory vacuum. It fits within an ecosystem of standards, recommendations, and obligations that converge on the same milestones.

NIST published the first post-quantum cryptography standards in August 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). These standards form the foundation on which any organization can build its migration strategy. NIST has also set 2035 as the end-of-life deadline for RSA and classical DSA algorithms in FIPS-certified products.

ANSSI (the French national cybersecurity agency) has published detailed recommendations on PQC migration, favoring a hybrid approach and stressing the need to begin the inventory now. ANSSI’s position on hybrid algorithms is a reference for French and European organizations subject to national qualification requirements.

ENISA (the European Union Agency for Cybersecurity) structures the European roadmap around precise milestones. In June 2025 it published a NIS2 implementation guide that explicitly recommends securing systems with algorithms resistant to quantum computers, particularly for sensitive data exposed to “harvest now, decrypt later” attacks. Its milestone for the cryptographic inventory is set for the end of 2026.

The NSA has published the CNSA 2.0 roadmap (Commercial National Security Algorithm Suite), with precise deadlines for migrating government and defense systems. It mandates the exclusive use of post-quantum algorithms for national security products by 2033.

These regulatory milestones are constraints, not mere recommendations. A realistic PQC roadmap has to incorporate them as fixed dates and work backward to sequence its actions.

The supplier and supply chain challenge

No organization migrates alone. Its post-quantum security posture also depends on that of its suppliers, its partners, and the solutions it deploys. A secure TLS endpoint protects nothing if the certificate authenticating it is issued by a PKI that has not migrated. An information system protected by hybrid algorithms remains exposed if the hardware components (HSMs, smart cards, network equipment) do not support the new algorithms.

A systematic supplier assessment therefore has to be part of the PQC roadmap: which suppliers are already committed to a post-quantum trajectory? Which offer products compatible with NIST-standardized algorithms? Which publish their own roadmap and allow verification?

This dimension is often underestimated in the first versions of PQC roadmaps. Yet it determines the success of large-scale migration.

The PQC roadmap as a competitive advantage

The post-quantum transition is often presented as a regulatory constraint. It can also be an advantage. Organizations that migrate ahead of the regulatory schedule, or ahead of their competitors, strengthen the trust of their clients and partners. They demonstrate maturity in risk management. They position themselves as “quantum-safe” players at a time when that qualification is becoming a selection criterion in tenders and strategic partnerships.

FAQ: Frequently asked questions about the PQC roadmap