The Global PQC Migration Map (2026-2035)
Framing post-quantum cryptography as a problem for the distant future is an outdated view. Regulatory timelines are tightening across many jurisdictions as we enter 2026.
While the US and Japan have targeted 2035 for full migration, Australia has adopted a more aggressive stance. The Australian Cyber Security Centre (ACSC) now recommends that organisations cease using traditional asymmetric cryptography by 2030.
The diverging timelines
| Region | Approach | Key Deadline |
|---|---|---|
| Australia | Aggressive | Plan by 2026. Stop using RSA/DH by 2030. |
| European Union | Coordinated | Critical infrastructure by 2030. Full migration by 2035. |
| United States | NIST Standards | National security systems by 2035. |
| Japan | Global Alignment | Government migration by 2035. |
The engineering signal is clear: we are entering the inventory phase. You cannot migrate what you cannot see. Consequently, the priority for 2026 is discovery rather than immediate replacement. Establishing an automated inventory of where cryptographic primitives run across the stack is the necessary first step.
Adversaries are already collecting encrypted traffic today to decrypt it later. This is the "harvest now, decrypt later" threat. It remains the primary driver for these timelines. The risk persists regardless of the specific deadline a jurisdiction chooses to follow.
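An added example (not from the original article) of the discovery step described above: it triages TLS scan records so that endpoints whose key exchange is still classical, and therefore exposed to harvest-now-decrypt-later collection, sort ahead of endpoints where only the certificate signature is classical. The record layout, hostnames and status labels are assumptions made for illustration, the sample data is constructed, and PSK-only suites are assumed out of scope.

```python
# Added example: triage of a TLS crypto inventory. All records below are constructed.
PQC_MARKERS = ("MLKEM", "MLDSA")  # ML-KEM (FIPS 203) and ML-DSA (FIPS 204) name fragments

def quantum_safe(name):
    """True if an algorithm or named-group label has a post-quantum part (pure or hybrid)."""
    label = name.upper().replace("-", "").replace("_", "")
    return any(marker in label for marker in PQC_MARKERS)

def key_exchange(suite, group=None):
    """Return the key-establishment mechanism of a negotiated session."""
    if "_WITH_" not in suite:
        # TLS 1.3 suite names carry no key exchange; it is the negotiated named group.
        return group or "UNKNOWN"
    # TLS 1.2: TLS_<kex>[_<auth>]_WITH_<cipher>; plain TLS_RSA_WITH_* is RSA key transport.
    return suite.split("_WITH_")[0].split("_")[1]

def triage(record):
    """Classify one scan record by what a future quantum adversary could do with it."""
    asset, suite, group, cert_key = record
    kex = key_exchange(suite, group)
    if kex == "UNKNOWN":
        status = "rescan"          # scanner did not capture the group: cannot judge
    elif not quantum_safe(kex):
        status = "hndl-exposed"    # traffic recorded today is decryptable later
    elif not quantum_safe(cert_key):
        status = "auth-only"       # confidentiality holds; signatures still classical
    else:
        status = "migrated"
    return {"asset": asset, "kex": kex, "cert_key": cert_key, "status": status}

PRIORITY = {"hndl-exposed": 0, "rescan": 1, "auth-only": 2, "migrated": 3}

def inventory(records):
    """Triage every record and sort so harvest-now-decrypt-later exposure comes first."""
    return sorted((triage(r) for r in records), key=lambda row: PRIORITY[row["status"]])

# Constructed sample: (asset, negotiated suite, named group, certificate key type)
SCAN = [
    ("vpn.corp.example:443", "TLS_RSA_WITH_AES_256_GCM_SHA384", None, "RSA"),
    ("api.corp.example:443", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "secp256r1", "RSA"),
    ("web.corp.example:443", "TLS_AES_128_GCM_SHA256", "X25519MLKEM768", "ECDSA"),
    ("old.corp.example:8443", "TLS_AES_256_GCM_SHA384", None, "RSA"),
]

if __name__ == "__main__":
    for row in inventory(SCAN):
        print(f'{row["status"]:13} {row["asset"]:24} kex={row["kex"]} cert={row["cert_key"]}')
```

The `auth-only` bucket is ranked last among unmigrated assets because a classical signature cannot be attacked retroactively on recorded traffic, whereas a classical key exchange can.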