01 · Compliance
The Global Regulatory Landscape
Regulators are no longer asking whether to mandate PQC migration. The questions are timing, scope, and reporting requirements. Several jurisdictions already have binding deadlines.
United States · Federal
NSA CNSA 2.0
Migration deadline: 2035
National Security Algorithm suite mandating ML-KEM, ML-DSA, LMS, XMSS, and AES-256 for national security systems. Software and firmware signing transition required earlier. Defines the de facto floor for any US-facing security product.
United States · Federal
OMB M-23-02 + NSM-10
Inventories: ongoing
White House National Security Memorandum 10 (2022) directs federal agencies to inventory cryptographic systems and plan migration. OMB M-23-02 mandates annual reporting. The Quantum Computing Cybersecurity Preparedness Act (December 2022) makes this law.
United Kingdom
NCSC PQC Guidance
Discovery by 2028, migration by 2035
The UK National Cyber Security Centre published phased migration guidance: cryptographic discovery and risk assessment by 2028, early migration of high-priority systems by 2031, and completion by 2035. Aligned with the US timeline.
European Union
NIS2 & Cyber Resilience Act
Compliance: 2024 onward
The NIS2 Directive requires essential and important entities to adopt state-of-the-art cryptography. The Cyber Resilience Act mandates security-by-design for digital products. ENISA is publishing PQC migration recommendations as the de facto EU standard.
Germany
BSI Recommendations
Hybrid deployment: now
The German federal information security office (BSI) recommends hybrid classical+PQC deployment immediately for high-value data, with full PQC migration aligned to EU timelines. BSI has approved specific PQC algorithms for federal use.
France
ANSSI Position
Hybrid required
ANSSI requires hybrid (classical + PQC) deployment rather than pure PQC during the transition period, citing the relative immaturity of lattice cryptanalysis. This is the most cautious major government position.
International Standards
ISO/IEC, ETSI, IETF
Standards in progress
ISO/IEC SC 27 is integrating PQC into ISO/IEC 18033 and related standards. The ETSI Quantum-Safe Cryptography group publishes industry profiles. IETF working groups have produced hybrid TLS, SSH, and IPsec drafts aligned with NIST algorithms.
Financial Sector
PCI, SWIFT, Basel
Sectoral guidance forming
The PCI Security Standards Council is consulting on PQC requirements. SWIFT and major payment networks are conducting PQC pilots. Expect mandatory PQC requirements in PCI DSS within 3–5 years; payment systems with the longest replacement cycles must start now.
02 · Sector Analysis
Industry Exposure by Data Lifetime & Regulatory Pressure
Migration urgency varies dramatically by sector. Industries with the longest-lived sensitive data and the strictest regulators should already be in pilot phase.
Defence & Government
Classified data lifetimes of 25–75 years. Existing NSA CNSA 2.0 mandate with 2035 deadline. Active HNDL (harvest now, decrypt later) targeting confirmed.
Financial Services
Payment systems, SWIFT, settlement records, KYC data. 10–30 year secrecy requirements. PCI, FFIEC, Basel guidance forming. Heavy HSM and PKI dependencies.
Healthcare & Life Sciences
Patient records protected for life of patient plus 25+ years. Genomic data effectively permanent. HIPAA, GDPR exposure. Pharma IP among the most targeted data classes.
Critical Infrastructure
Energy, water, transport, telecoms. Long device lifecycles (15–30 years for SCADA, grid equipment). Nation-state threat profile. NIS2 and CIRCIA compliance.
Digital Assets & Blockchain
$2T+ market capitalisation secured by ECDSA. Governance constraints prevent rapid migration. Exposed wallet addresses are permanent targets.
Technology & Cloud
Hyperscalers already deploying. Long-tail SaaS and enterprise software supply chains lag. Code signing and software update mechanisms are critical paths.
Legal & Professional Services
Client privilege, litigation files, M&A records held for decades. Low cryptographic maturity in many firms. High HNDL exposure with limited internal expertise.
Telecommunications
5G/6G core security, subscriber identity, network signalling. ETSI active in PQC profiles. Long equipment refresh cycles.
Automotive & Aerospace
Vehicle-to-everything (V2X) security, avionics signing, 15+ year operational lifetimes for vehicles and aircraft. Safety certification adds complexity.
Retail & Consumer
Short data lifetimes for most transactions. PCI exposure for payment systems. Customer identity data remains a longer-term concern.
03 · Concentrated Exposure
Blockchain & Cryptocurrency: A Special Case
Every major public blockchain — Bitcoin, Ethereum, Solana, and the rest — uses elliptic-curve signatures that quantum computers will break. Migrating a decentralised network is fundamentally harder than migrating a company.
Bitcoin and Ethereum both depend on ECDSA over the secp256k1 curve for transaction signing. Wallet addresses are derived from public keys; once a public key is revealed on-chain through a transaction, the address becomes a permanent target. Roughly 25% of all Bitcoin sits in addresses with already-exposed public keys, including the estimated one million BTC attributed to Satoshi Nakamoto, which has never moved and will not move to a quantum-safe address.
Migration requires either a coordinated network upgrade adding PQC signatures, or a user-driven re-keying of every active wallet. Both face severe governance challenges. The Ethereum Foundation has begun research; Bitcoin's roadmap is essentially undefined. Quantum-resistant chains exist (QRL, Mochimo) but capture negligible value.
$2T+
Total Crypto Market Cap Exposed
~25%
Bitcoin in Vulnerable Addresses
0
Major Chains With PQC Roadmap
For institutions with significant digital asset exposure, this is a strategic risk independent of any single corporate migration plan. Custody providers, exchanges, and treasury teams should be modelling scenarios in which a CRQC (cryptographically relevant quantum computer) arrives before major chains have completed migration. The worst-case outcome is the largest single-day asset destruction event in financial history.
Diarka Quantum · Advisory