NIST’s Post-Quantum Standards: What You Need to Know Before Transitioning — and PQC Sector Transition Insights

The Standards That Change Everything

July 25, 2025

In August 2024, a milestone was reached: finalized encryption standards designed to withstand attacks from quantum computers were published. These post-quantum standards are built to secure everything from confidential communications to global e-commerce transactions. They are not just theoretical—they are ready for immediate use.

The standards include three core algorithms:

  • FIPS 203 (ML-KEM) for general encryption.

  • FIPS 204 (ML-DSA) for digital signatures.

  • FIPS 205 (SLH-DSA) as a backup digital signature scheme.

Together, they provide a foundation for organizations to begin their migration journey today, rather than waiting for the threat to fully materialize. As NIST notes, integration will take time—so early adoption is essential.

Lessons from IoT Security

The transition to post-quantum cryptography (PQC) can borrow lessons from the way IoT security has been approached. Key principles include:

  • Risk-based understanding: Different systems face different levels of exposure, so priorities should reflect real-world risks.

  • Ecosystem thinking: No system exists in isolation—supply chains, partners, and devices must all be considered.

  • Outcome-based approach: Focus on results, not rigid prescriptions, allowing flexibility in how organizations implement PQC.

  • Stakeholder engagement: Migration requires collaboration across industries, regulators, and technology providers.

  • No one-size-fits-all: Each sector must define its own roadmap within a shared global direction.

This framework applies directly to PQC: migration will be systemic, requiring shared responsibility across ecosystems.

The Global PQC Transition Landscape

Government guidance on PQC migration is accelerating. In the past year, updates have been released across multiple jurisdictions, all pointing toward urgent timelines for action.

Here is a consolidated view of government and sectoral PQC initiatives worldwide:

Entity Date / Published Sector Action
AustraliaDec 2024GovernmentInformation Security Manual (ISM-1990 to ISM-1995)
CanadaJul 2025GovernmentGuidelines for cryptography
CanadaFeb 2025GovernmentPreparing your organization for the quantum threat to cryptography (ITSAP.00.017)
ChinaFeb 2025GovernmentNext-generation Commercial Cryptographic Algorithms Program (ICCS)
GermanyJan 2025GovernmentCryptographic Mechanisms: Recommendations and Key Lengths (BSI TR 02102-1)
EUJun 2025GovernmentCoordinated Implementation Roadmap for PQC
FranceMar 2025GovernmentÉtude sur la transition post-quantique
G7Jun 2025GovernmentLeaders' Summit communique
IsraelJan 2025GovernmentBanking system preparedness for quantum risk
NetherlandsDec 2024GovernmentThe PQC Migration Handbook (2nd edition)
New ZealandApr 2025GovernmentInformation Security Manual (section 2.4)
UKMar 2025GovernmentTimelines for migration to PQC
USAJun 2025GovernmentExecutive Order 14144 on strengthening cybersecurity
USAAug 2025GovernmentH.R.4942 PQC Subcommittee Act
3GPPJun 2025TelecomPlanning for PQC in future 5G and 6G standards
5GAAMar 2025AutomotiveQuantum Threat and Mitigation Strategies for Automotive
5G AmericasFeb 2025TelecomPost Quantum Computing Security
ATISMar 2025TelecomStrategic overview of PQC and cryptographic timelines
BISJul 2025BankingQuantum-readiness for the financial system
CFDIRFeb 2025BankingPQC organizational preparedness guidance
CMORGApr 2025BankingPost-Quantum Cyber Coordination Group Guidance
CRYPTRECMar 2025BankingCryptographic Technology Guidelines (Quantum-Resistant Cryptography)
EuropolFeb 2025BankingPQC call to action for financial systems
GSMAFeb 2025TelecomPost-Quantum Cryptography in IoT ecosystem
ECJun 2025Cross-sectorCoordinated Implementation Roadmap for PQC
ENISAApr 2025Cross-sectorCryptographic Mechanisms (v2.0)
NESOMay 2025EnergyPQC risk open-source tools
NISTJul 2025Cross-sectorConsiderations for Achieving Crypto Agility
MITRE PQCCMay 2025Cross-sectorPQC Migration Roadmap
Santander2025BankingOpen source PQC management tools
Telecom Eng. CentreJan 2025TelecomTechnical Report: Migration to PQC
WEFJul 2025FinancePQC Key Strategies and Opportunities

What the Trends Show

Across governments, a consensus is emerging:

  • Planning must start now.

  • High-priority systems should transition by 2030–2031.

  • All systems should transition by 2035.

NIST’s algorithms are positioned as the global anchor. However, national variations are evident:

  • Some countries promote hybrid approaches (classical + PQC).

  • Others encourage non-NIST algorithms (such as FrodoKEM in Germany).

  • Some nations are setting explicit deprecation dates for RSA-2048, with 2030 as a key cut-off.

Industry adoption is uneven. Telecom and financial services are progressing rapidly, with standards bodies, regulators, and large institutions publishing roadmaps and open-sourcing tools. But other critical sectors—such as aviation, energy, healthcare, logistics, manufacturing, pharmaceuticals, space, real estate, retail, transportation, and water—remain far behind.

One bright spot is the UK’s energy sector, where regulators and industry players are advancing pilot programs. This kind of sectoral leadership is what’s needed more broadly.

The post-quantum transition will not be solved by governments or standards bodies alone. Every sector must step up, define roadmaps, and start implementing PQC. With only five years until 2030, time is short.

For organizations, the immediate steps are clear:

  • Inventory cryptographic assets.

  • Assess exposure and prioritize high-risk systems.

  • Adopt NIST PQC algorithms where appropriate.

  • Engage with sector-specific guidance and initiatives.

The standards exist. The roadmaps are emerging. What’s missing is decisive action from industries beyond finance and telecom.

2030 is just around the corner. PQC migration must begin now.

Call to Action