pqshield.com, Jun. 05, 2025 –
Migration Is Happening – With or Without You
“There’s no cryptographically relevant quantum computer yet. But the standards are here. The implementations are real. The migration is happening.”
That’s the no-nonsense message from Dr Jeremy Bradley., Principal Technical Director at the UK’s National Cyber Security Centre (NCSC), on the latest episode of Shielded: The Last Line of Cyber Defense. And it’s a message organisations can’t afford to ignore. For years, conversations around post-quantum cryptography (PQC) have hinged on one question: When will a quantum computer capable of breaking today’s encryption actually arrive? But according to Jeremy, that framing misses the point. “The thing we do have certainty about is the existence of standards, the existence of implementations of those standards,” he said. “What we really want to do is pitch the migration to PQC as a large-scale technology change programme. That’s the thing most organisations know how to do and have some experience of.”
A Guidance-First Approach, Not a Mandate
Unlike other government bodies, the NCSC doesn’t create policy, it provides technical guidance. But that hasn’t stopped it from influencing change across the UK’s critical national infrastructure. Through sector-specific relationships and advisory frameworks, the NCSC supports regulators and policymakers by embedding technical knowledge in the systems that matter most. “We have teams responsible for each of the major critical national infrastructure sectors,” Jeremy explained. “We work closely with departments like finance, telecoms, energy, and transport to build forward-looking strategies that don’t rely on enforcement, but still create real movement.” That includes PQC migration. The NCSC’s recently published Timelines for Migration to Post-Quantum Cryptography lays out a practical roadmap stretching to 2035, with sector readiness, not quantum hype, driving the timeline.
The Real Threat Is Legacy Infrastructure
According to Jeremy, waiting for a CRQC is not only risky, it’s irrelevant. “In some numbers of years’ time, classical public key cryptography will effectively become a legacy technology,” he said. That’s where the real danger lies. The longer organisations wait, the more likely they are to be left with unsupported infrastructure and fragmented systems. “The risk isn’t a quantum computer will be here by year end,” Jeremy said. “It is that without action, they’ll run the risk of holding substantial legacy IT estates.” And legacy risk, as he points out, brings two major challenges: technology that becomes increasingly difficult to maintain, and complexity from running outdated systems in parallel with modern ones.
Discovery First, Then Migration
So, where should organisations begin? “Understanding what your critical systems are. Who the suppliers are for those systems. What’s your supply chain. Which ones are you responsible for managing and owning,” Jeremy advised. He emphasised that this isn’t just about cryptographic algorithms, it’s about systems thinking. Start with visibility, inventory, and architecture. Know how your data moves, how it’s protected, and where long-lived roots of trust exist. And if you rely on external vendors, now is the time to apply pressure. “Individual companies may not be able to directly affect how an individual supplier plans their migration, but groups of companies within the sector certainly can,” Jeremy noted.