Post-Quantum Cryptography Hits Government Deadlines: The 2026 Migration Mandate

The Clock Is Ticking

The theoretical threat of quantum computers breaking current encryption has been discussed in cybersecurity circles for over two decades. In 2026, that theoretical threat is translating into concrete government mandates with hard deadlines, and the gap between regulatory expectations and organizational readiness is becoming alarmingly visible.

By April 2026, every US federal agency must submit a comprehensive post-quantum cryptography (PQC) transition plan. Under Canada’s parallel roadmap, departments must also have initial PQC migration plans in place by April 2026 and ensure all new contracts with a digital component include PQC procurement clauses. The plans must inventory all cryptographic systems, prioritize assets by sensitivity and risk, identify migration pathways for each system, and establish timelines for completing the transition to quantum-resistant algorithms.

This is not a planning exercise that agencies can file and forget. The mandate, rooted in National Security Memorandum 10 (NSM-10) signed on May 4, 2022, and reinforced by OMB Memorandum M-23-02 issued in November 2022, includes annual progress reviews and ties funding decisions to demonstrated migration progress. Agencies that fail to show adequate progress face budget consequences — a lever that has historically proven effective in driving federal IT modernization.

The United States is not acting alone. The European Union’s coordinated PQC implementation roadmap, published by the NIS Cooperation Group, recommends that member states initiate national PQC transition strategies by the end of 2026, with critical infrastructure migrated by 2030 and full transition by 2035. Canada’s Centre for Cyber Security published its own PQC migration roadmap, requiring PQC-aligned procurement clauses in all new contracts from April 2026 and targeting high-priority system migration by 2031. The United Kingdom’s National Cyber Security Centre (NCSC) published a three-phase migration roadmap in March 2025 with milestones in 2028, 2031, and 2035. France’s ANSSI has issued sector-specific PQC requirements emphasizing hybrid cryptographic approaches for critical infrastructure operators.

The convergence of these mandates across multiple major economies signals that the post-quantum migration is no longer an abstract future concern — it is a present regulatory obligation with immediate compliance implications.

What the US Federal Mandate Requires

The US PQC migration mandate has evolved through a series of directives, each adding specificity and urgency to the requirement.

NSM-10, signed on May 4, 2022, established the policy framework and directed agencies to begin inventorying their cryptographic systems, setting a target year of 2035 for completing the transition to quantum-resistant cryptography. OMB Memorandum M-23-02, issued on November 18, 2022, set the initial requirements for cryptographic inventory completion and migration planning, directing agencies to designate a cryptographic inventory and migration lead within 30 days. CISA’s subsequent guidance documents have provided technical specifics on implementation.

The April 2026 deadline requires agencies to submit transition plans that include four core elements.

First, a complete cryptographic inventory. Agencies must document every system, application, and communication channel that uses public-key cryptography, including the specific algorithms in use (RSA, ECC, Diffie-Hellman, etc.), key sizes, certificate authorities, and protocol versions. This inventory must extend to systems operated by contractors and cloud service providers on the agency’s behalf.

Second, a risk-prioritized migration roadmap. Not all systems need to migrate simultaneously. Agencies must categorize their cryptographic assets based on the sensitivity of the data they protect, the expected operational lifetime of the system, and the feasibility of migration. Systems protecting data with long-term sensitivity — classified information, health records, financial data, intellectual property — are prioritized because they are vulnerable to “harvest now, decrypt later” attacks, where adversaries collect encrypted data today with the intention of decrypting it once quantum computers become capable.

Third, a technology selection plan. Agencies must identify which NIST-approved post-quantum algorithms they intend to adopt for each system category. NIST finalized its first set of post-quantum cryptographic standards on August 13, 2024, publishing three Federal Information Processing Standards: FIPS 203 for ML-KEM (formerly CRYSTALS-Kyber) for key encapsulation, FIPS 204 for ML-DSA (formerly CRYSTALS-Dilithium) for digital signatures, and FIPS 205 for SLH-DSA (formerly SPHINCS+) as a backup signature scheme. A fourth algorithm, FN-DSA (formerly FALCON), is under development as draft FIPS 206 and expected to be finalized in late 2026 or early 2027.

Fourth, a timeline and resource plan. Agencies must provide realistic timelines for completing migration, identify resource requirements (budget, personnel, technical support), and document dependencies on vendor product updates, standards finalization, and interoperability testing.

The DoD’s Quantum-Resistant Posture

The Department of Defense has taken the most aggressive approach to PQC migration within the federal government, reflecting both the sensitivity of military communications and the department’s early awareness of the quantum threat.

The DoD issued a PQC migration memorandum directing all components to rapidly transition to post-quantum cryptography, citing advances in quantum information science and the need to protect information systems, communications, and personnel. The directive went beyond the OMB requirements in two significant respects. First, it explicitly banned the use of quantum key distribution (QKD) in DoD systems. The ban reflects the NSA’s longstanding assessment that QKD has fundamental limitations, including its dependence on dedicated fiber-optic infrastructure, its vulnerability to implementation attacks, and its inability to provide authentication without relying on conventional cryptography. The NSA has stated it does not anticipate certifying or approving any QKD products for national security use.

Second, the DoD directive established that outdated cryptographic solutions must be replaced with NIST-approved PQC algorithms by December 31, 2030. All PQC-related technologies must be approved by the DoD CIO PQC Directorate before testing, evaluation, or deployment. The NSA’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) further specifies that starting January 1, 2027, all new acquisitions of national security systems equipment must be CNSA 2.0-compliant.

For defense contractors, the implications are immediate. A June 2025 Executive Order requires contractors to achieve PQC readiness by January 4, 2027. Vendors that are slow to adopt PQC may be excluded from federal contracts entirely. Contractors that cannot demonstrate a credible PQC migration path risk losing contract eligibility.

CISA’s Procurement Guidance

CISA’s role in the PQC transition extends beyond federal agencies to the broader critical infrastructure ecosystem. On January 23, 2026, CISA released “Product Categories for Technologies That Use Post-Quantum Cryptography Standards” — a list required by Executive Order 14306 (issued June 6, 2025) identifying product categories where PQC-capable products are widely available.

The guidance bifurcates the information technology marketplace into two classifications.

“Widely Available” applies to product categories where PQC-capable products are commercially mature. This notably includes cloud services (PaaS/IaaS), web browsers, and endpoint security. For these categories, CISA has effectively signaled that federal agencies should cease procurement of non-compliant legacy products.

“Transitioning” applies to product categories where PQC adoption is underway but not yet universal. Vendors in these categories must provide documented upgrade paths and timelines for PQC capability delivery.

The procurement guidance has significant ripple effects beyond the federal market. Many technology vendors maintain a single product line for both government and commercial customers, meaning that PQC capabilities developed for federal compliance will likely flow into commercial products. This dynamic could accelerate PQC adoption in the private sector even in the absence of private-sector mandates.

CISA has also published migration resources emphasizing the importance of crypto-agility — designing systems so that cryptographic algorithms can be replaced without fundamental architectural changes. The US General Services Administration (GSA) has released a PQC Buyer’s Guide offering practical steps for agencies and contractors to assess cryptographic systems, plan migrations, and procure quantum-safe solutions. Organizations that have invested in crypto-agile architectures will find the PQC transition significantly easier than those with hardcoded cryptographic dependencies.

The European and Allied Landscape

The PQC migration is a genuinely global undertaking, with coordinated mandates emerging across major economies.

The European Union’s approach is structured through the NIS Cooperation Group’s coordinated PQC implementation roadmap, published in early 2025. The roadmap recommends that member states initiate national PQC transition strategies by the end of 2026, transition critical infrastructure by the end of 2030, and complete transition for as many systems as practically feasible by the end of 2035. In January 2026, the European Commission published a proposed directive amending NIS2 with targeted changes that include, for the first time, an explicit post-quantum cryptography requirement written directly into the directive text. ENISA has published guidance recommending hybrid PQ/T schemes — combining conventional algorithms like X25519 with PQC schemes like ML-KEM — to smooth interoperability during the transition.

The EU approach differs from the US in its emphasis on algorithmic diversity. While the US has focused on the NIST-approved algorithms, ENISA has recommended that European implementations support multiple post-quantum algorithm families to reduce the risk of a single-point-of-failure if one algorithm family is found to have vulnerabilities. This recommendation adds complexity to implementation but provides a hedge against the mathematical uncertainties that still surround some post-quantum constructions.

Canada’s Centre for Cyber Security published a comprehensive PQC migration roadmap with concrete milestones: April 2026 for initial departmental migration plans and procurement clauses, end of 2031 for completion of high-priority system migration, and end of 2035 for remaining systems. By the end of 2026, cryptographic modules implementing digital signature schemes must support appropriate PQC algorithms. The Cyber Centre has also developed recommended contract clauses for systems containing cryptographic modules.

The United Kingdom’s NCSC published its three-phase migration roadmap in March 2025. By 2028, organizations should complete discovery of cryptographic dependencies. By 2031, highest-priority migrations should be complete. By 2035, migration should be finished across all systems. The NCSC was the first major regulatory body to endorse NIST’s standardized PQC algorithms after their August 2024 release, recommending ML-KEM, ML-DSA, and SLH-DSA.

France’s ANSSI has been the most technically prescriptive of the European national agencies. ANSSI’s three-phase PQC roadmap emphasizes hybrid approaches during the transition: Phase 1 (now) focuses on hybridization for additional defense-in-depth; Phase 2 (not before 2025) targets hybrid schemes providing full post-quantum security assurance; Phase 3 (not before 2030) enables optional standalone PQC. Notably, from 2027, ANSSI will not accept products for its security visa (Visa de securite) that do not incorporate post-quantum cryptography.

Industry Readiness: The Gap

Despite years of advance warning, the technology industry’s readiness for the PQC migration remains uneven.

Major cloud providers have made the most progress. AWS has deployed ML-KEM for hybrid post-quantum key exchange across its public service endpoints, with AWS KMS, Certificate Manager, and Secrets Manager now supporting PQC. Application and network load balancers support post-quantum TLS at no additional cost. Microsoft has made ML-KEM and ML-DSA available through its Cryptography API: Next Generation (CNG), with Windows Server 2025 and Windows 11 receiving PQC algorithm support through November 2025 updates. Google’s Chrome browser switched to ML-KEM for hybrid post-quantum key exchange in Chrome 131 (November 2024), and Cloudflare reported that roughly 38% of HTTPS traffic on its network was using hybrid PQC handshakes by March 2025. Apple deployed PQ3, its post-quantum encryption protocol for iMessage, beginning with iOS 17.4 in early 2024.

Enterprise software vendors present a more mixed picture. Database vendors, enterprise resource planning providers, and collaboration platform companies are at various stages of PQC integration, with many still in testing phases. The challenge for these vendors is not just algorithm implementation but interoperability — ensuring that PQC-protected communications work correctly across complex multi-vendor environments.

Hardware presents the greatest challenge. Cryptographic hardware — including hardware security modules (HSMs), trusted platform modules (TPMs), and smartcards — often has hardcoded cryptographic capabilities that cannot be updated through software patches. Organizations relying on cryptographic hardware may face replacement cycles measured in years.

A 2025 survey by GDIT of 200 federal IT decision-makers found that only 8% had fully integrated PQC standards, while 50% were actively developing strategies and 35% were still defining plans and budgets. 46% had identified key risks but had not yet begun formal assessments. The results suggest that the PQC transition will be a multi-year, possibly multi-decade effort, with the 2026 deadlines serving as catalysts for planning rather than completion milestones.

The fundamental challenge is scale. The modern digital economy runs on public-key cryptography. Every TLS connection, every digital signature, every encrypted email, every VPN tunnel, every certificate authority interaction depends on algorithms that quantum computers could eventually break. Replacing this infrastructure is not a single project — it is a generational transformation of the digital foundation.

Sources & Further Reading

• National Security Memorandum on Promoting United States Leadership in Quantum Computing (NSM-10) — The White House
• NIST Releases First 3 Finalized Post-Quantum Encryption Standards — NIST
• Product Categories for Technologies That Use Post-Quantum Cryptography Standards — CISA
• Timelines for Migration to Post-Quantum Cryptography — UK NCSC
• A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography — European Commission
• Roadmap for the Migration to Post-Quantum Cryptography for the Government of Canada — Canadian Centre for Cyber Security
• ANSSI Views on the Post-Quantum Cryptography Transition — ANSSI
• OMB Memorandum M-23-02: Migrating to Post-Quantum Cryptography — The White House