Quantum Readiness Phases and Timelines
Date: March 2026
Introduction
Advances in cryptographically relevant quantum computers (CRQCs) pose a credible threat to the encryption that protects financial records, customer data, and critical assets. Because cryptography is deeply embedded across the digital infrastructure, applications, and third-party services, CRQCs create system-wide risk for the financial sector.
Over the past year, rapid progress towards error-corrected quantum processors and intensified competition among leading superconducting developers have amplified the risk. In response, experts continue to stress that early preparedness is essential to be post quantum cryptography (PQC) ready.
In 2024, we raised awareness of quantum related risks among institutions through a bulletin. To assist institutions with preparedness, this bulletin provides further best practices on PQC migration phases and expected PQC migration timelines.
PQC migration phases
Our 2024 bulletin set out best practices covering cryptographic inventory, risk and control assessment, vendor engagement, and cryptographic agility. This bulletin builds on that foundation by organizing these practices into logical migration phases that can help inform institutions' planning.
Build competency and awareness
Quantum computing and cryptography are specialized and rapidly evolving fields. To support effective decision making, institutions can consider a few measures, for example:
- update policies, standards, and procedures to reflect emerging quantum related risks
- define governance roles and accountabilities relevant to PQC migration
- educate and train executives and technical teams on quantum threats and quantum-safe solutions
Inventory cryptographic assets
A comprehensive and current crypto inventory can help support risk assessment and prioritization. To achieve a complete crypto inventory, institutions might:
- maintain a centralized inventory of cryptographic assets, including algorithms, protocols, keys, certificates, secrets, and relevant third-party dependencies
- map sensitive data flow and communications across systems
Assess risk and create PQC migration plan
Adaptable, risk-based plans can be useful in managing the uncertainty around CRQC capability timelines. Institutions can consider the following actions:
- assess potential impacts across technology and cybersecurity functions, including exposure to "harvest-now, decrypt-later" risk
- evaluate dependencies on key vendors and third parties that provide cryptographic functionality or services
- establish an enterprise roadmap with measurable milestones that prioritize critical systems, data, and third parties
Transition execution
As migration initiatives progress, institutions can apply a phased execution reflecting risk and criticality. In practice, they may choose to:
- roll out quantum-safe solutions, prioritizing critical systems and sensitive data that needs to stay protected for years
- embed cryptographic agility to enable rapid upgrades, maintain interoperability, and respond quickly to future vulnerabilities
Test, validate, and anticipate
PQC migration may introduce unintended operational effects. As systems transition, institutions may decide to:
- test and validate whether migrated functions perform as intended
- plan and rehearse responses if CRQC arrives sooner than expected, including disaster recovery and incident response
PQC migration timelines
In the financial sector, complex platforms and extensive reliance on third parties heighten exposure to cryptographic risk. Delaying action increases the likelihood of higher costs, operational disruption, and loss of trust.
For these reasons, experts across jurisdictions, standard-setting bodies, and industry consortia consistently emphasize early preparation and phased execution. They have issued PQC migration roadmaps and timelines and tactical guidance. These guidelines generally recommend achieving quantum readiness across all systems by 2035.
Conclusion
CRQCs are not yet operational, but preparation takes years as institutions navigate through interconnected systems, uncertain CRQC timelines, and evolving standards.
A phased, risk-based migration strategy that aligns with guidance from recognized authorities, such as the Canadian Centre for Cyber Security, the National Institute of Standards and Technology, and the G7 Cyber Expert Group, can help build preparedness.
Related links
- Quantum Briefing Note: Update on Recent Developments in Quantum Research and Commercialization
- Status of quantum computer developmen
- Planning for post-quantum cryptography
- Quantum-readiness for the financial system: a roadmap
- Roadmap for the migration to post-quantum cryptography for the Government of Canada
- A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography
- Timelines for migration to post-quantum cryptography
- Preparing for Post-Quantum Cryptography: Infographic
- Advancing a Coordinated Roadmap for the Transition to Post-Quantum Cryptography in the Financial Sector (PDF)
- Transition to Post-Quantum Cryptography Standards
- FS-ISAC Urges Global Coordination for Migration to Post-Quantum Cryptography in Financial Services
- Technology and Cyber Risk Management