For most of the past decade post-quantum cryptography lived in research papers, standards committees and conference talks. That phase is over. Within a two-year window the United States finalized its first post-quantum standards, the European Commission published a coordinated transition roadmap, France's national cybersecurity agency set out its expectations for hybrid deployments and crypto-agility and Washington turned federal PQC migration into a program with a deadline. The transition has moved from future concern to active migration.

The reason for the urgency is not a working cryptographically relevant quantum computer. It is the "harvest now, decrypt later" problem: adversaries can collect encrypted traffic and stolen ciphertext today and store it until quantum capabilities mature. For any data whose confidentiality must hold for five, ten or twenty-five years such as health records, defense communications, industrial designs, citizen data, the exposure window opened years ago. Governments have internalized this and their policy machinery is now moving.

France is treating PQC as a decade-long national transition

ANSSI, the French national agency for information systems security, describes post-quantum cryptography as one of the most promising ways to guard against the quantum threat while it is equally clear that this is not a quick swap. In ANSSI's assessment, the transition will take more than a decade. That framing matters: it turns PQC from a product decision into an infrastructure program, with all the sequencing, budgeting and governance that implies.

Two elements of the French position deserve particular attention from anyone planning a migration:

Hybrid mechanisms as the initial pathway

ANSSI recommends that entities initiate their transition toward hybridized post-quantum mechanisms. These are constructions that combine a well-studied classical algorithm with a post-quantum one, so that security holds as long as either survives. Hybridization is a pragmatic answer to a real tension. Post-quantum algorithms are standardized but comparatively young while RSA and elliptic-curve cryptography are mature but quantum-vulnerable. Hybrids let organizations start moving without betting everything on new mathematics.

Crypto-agility as a first-class requirement

ANSSI's recent work including its January 2026 views on crypto-agility and its contribution to the EU's coordinated PQC roadmap. Systems that hard-code a single algorithm will have to be re-engineered every time the landscape shifts. Systems designed to swap cryptographic primitives cleanly will not. Crypto-agility is what turns a decade-long transition from a series of emergencies into a managed program.

The European layer reinforces this. On 23 June 2025, the European Commission published A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, stating plainly that quantum computing threatens the cryptographic algorithms used for confidentiality and authenticity and that Member States need shared recommendations for a synchronized transition. France is not acting alone; it is acting inside an EU-wide coordination effort.

Post-quantum transition timeline, 2024 to 2035 and beyond Horizontal timeline: 2024 NIST FIPS 203 to 205; 2025 EU PQC roadmap; 2026 ANSSI crypto-agility, U.S. Executive Order 14412 and OMB M-26-15; 2030 U.S. federal risk mitigation objective; 2035 and beyond, long-tail migration and legacy systems. PQC TRANSITION // 2024 → 2035+ 2024 NIST FIPS 203–205 first PQC standards 2025 EU PQC roadmap coordinated transition 2026 ANSSI crypto-agility U.S. EO 14412 · OMB M-26-15 2030 U.S. federal risk mitigation objective 2035+ long-tail migration legacy systems NBQ ENGINEERING
fig. 02 — Key milestones in the post-quantum transition, from the first NIST standards to long-tail legacy migration.

The United States has turned PQC migration into a federal execution problem

The American trajectory is a study in how standards become mandates. In August 2024, NIST finalized the first three post-quantum cryptography standards:

FIPS 203 (ML-KEM) for key encapsulation, FIPS 204 (ML-DSA) for digital signatures and FIPS 205 (SLH-DSA) as a hash-based signature alternative. NIST did not present these as reference material for the future but it encouraged system administrators to begin transitioning to the new standards as soon as possible.

Two years later the policy layer caught up with the standards layer. On 22 June 2026 the United States issued Executive Order 14412 "in order to secure the Nation Against Advanced Cryptographic Attacks." The order states that large-scale quantum computers could threaten widely used cryptographic systems and names the harvest-now-decrypt-later risk directly. Adversaries may collect encrypted information today and decrypt it later.

Executive orders need implementation machinery and that arrived within days. OMB Memorandum M-26-15, dated 24 June 2026, operationalizes an accelerated federal PQC migration. Agencies must execute a prioritized migration of their cryptographic systems, with the objective of mitigating as much quantum risk as feasible by 31 December 2030 and each agency must develop a PQC migration plan.

Setting politics entirely aside, the technical signal is unambiguous. The world's largest single buyer of information technology now requires its agencies to prioritize and migrate cryptographic systems on a schedule. Federal procurement pressure of that scale propagates outward: into vendor roadmaps, into product certifications, into the default configurations of the software everyone else buys. What the U.S. federal government demands in 2026 tends to become the commercial baseline shortly after.

Why this matters for Europe and critical infrastructure

It would be a mistake to read the French and American programs as someone else's compliance exercise. The EU's coordinated roadmap exists precisely because Member States are expected to move together. A synchronized transition avoids a patchwork of incompatible timelines across a single market whose supply chains, payment systems and energy grids are deeply interconnected. Organizations across Europe will feel this through regulation and through the expectations of partners and customers who are already migrating.

The exposure is sharpest wherever data confidentiality must last for many years. A hospital's patient records, a utility's SCADA telemetry and network architecture, a ministry's citizen registries, a shipping operator's commercial contracts, a defense supplier's technical documentation. These will remain sensitive long past the point at which today's public-key cryptography is expected to remain safe. For critical infrastructure in particular the arithmetic is unforgiving. If your retention obligation is measured in decades and your migration takes a decade, the time to start is not when a quantum computer is announced. It is now.

There is also a quieter structural reason to begin early. Cryptography is rarely inventoried. It is embedded in protocols like TLS, VPN as well as firmware, smart meters, medical devices and third-party SaaS. Most services were configured years ago by people who have since moved on. The first phase of any PQC program is therefore not cryptography at all. It is discovery.

What organizations should do first

The good news: the first steps are well understood, sector-independent and do not require betting on any particular vendor or algorithm. They form a sequence and the sequence matters.

  1. Build a cryptographic inventory

    Discover where cryptography actually lives across your estate. This inventory is the foundation for every later decision and the single most common reason migrations stall is that it doesn't exist.

  2. Identify long-life sensitive data

    Classify data by how long its confidentiality must hold. Anything that must remain secret beyond the early 2030s is already exposed to harvest-now-decrypt-later collection and should be prioritized.

  3. Map RSA/ECC usage across your infrastructure

    Trace quantum-vulnerable public-key cryptography through TLS, SSH, VPNs, PKI, code signing, certificates, applications, embedded systems and cloud services. The dependencies you find will define your migration order.

  4. Ask vendors for PQC roadmaps

    Most of your cryptography is implemented by suppliers. Ask each one when they will support the NIST standards and hybrid modes, and make PQC readiness a procurement criterion starting now.

  5. Start with hybrid pilots and crypto-agility

    Pilot hybrid key establishment on a contained, well-instrumented system, and use what you learn to design for algorithm replaceability everywhere else. Agility is what protects the investment as standards evolve.

Crypto inventory first diagram A central crypto inventory node connected to nine surrounding systems: TLS, SSH, VPN, PKI, code signing, certificates, APIs, embedded systems, and cloud services. CRYPTO INVENTORY FIRST TLS SSH VPN PKI CODE SIGNING CERTIFICATES APIs EMBEDDED SYSTEMS CLOUD SERVICES CRYPTO INVENTORY // you cannot migrate what you have not mapped
fig. 03 — Everything connects back to the inventory. You cannot migrate what you have not mapped.

References & further reading