Post-quantum cryptography
the standards and the deadlines
Key facts
- 3FIPS 203/204/205
- NIST standards
- Jul 2026Classic McEliece
- ISO milestone
- 2030encryption, EO 14412
- Federal deadline
- Jan 2027NSA milestone
- CNSA 2.0
- 100s KBpublic key
- McEliece key
The standards and the deadlines. NIST finalised FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA).
What it is
Post-quantum cryptography is the effort to replace the encryption that protects the internet with schemes a quantum computer cannot break. Today’s public-key systems rest on hard sums, factoring large numbers and computing discrete logarithms, that a sufficiently large quantum machine would solve quickly. Post-quantum cryptography swaps those foundations for problems believed to resist both classical and quantum attack, and after a decade of open competition the first standards now exist. The task ahead is less about invention than migration: moving banks, governments and every connected device onto the new algorithms before a capable machine arrives.
The standards
The anchor is a set of standards from the US National Institute of Standards and Technology. NIST finalised FIPS 203, a key-encapsulation mechanism named ML-KEM; FIPS 204, a digital signature scheme called ML-DSA; and FIPS 205, a second signature scheme, SLH-DSA. The division of labour is deliberate: a key-encapsulation mechanism such as ML-KEM protects the confidentiality of a connection, while the signature schemes prove that data and software genuinely come from who they claim to, so both functions had to be re-based on quantum-resistant mathematics. Two of the three rest on the mathematics of lattices, which is efficient and well studied but concentrates the world’s trust in a single family of hard problems. That concentration risk is the main argument for standardising a structurally different backup, so that a future break in lattice methods would not leave post-quantum cryptography without a fallback.
That backup arrived through a different route. Classic McEliece, a code-based scheme, achieved ISO standardisation under ISO/IEC 18033-2 on 15 July 2026, the first post-quantum algorithm to earn an ISO standard. Its appeal is pedigree: it has resisted attack for nearly five decades, which buys unusual confidence. The price is size. Its public keys run to hundreds of kilobytes, far too large to drop into a routine web handshake, so its natural home is long-lived static keys where the key can be distributed once and reused, rather than negotiated afresh on every connection.
The deadlines
Standards are only the starting gun; the deadlines are what force action. In the United States, EO 14412 requires federal agencies to move sensitive systems to post-quantum encryption by 31 December 2030 and to post-quantum authentication by 31 December 2031, with contractors expected to comply by the end of 2030. The National Security Agency’s CNSA 2.0 timetable sets an earlier milestone in January 2027. In Britain, the National Cyber Security Centre urges financial services firms to complete external TLS hybrids before 2028, and the broader UK, EU and Australian roadmaps run out to somewhere between 2030 and 2035. The direction of travel is unambiguous even where the exact dates differ.
Hybrids and inventory
Two practical themes run through all of this. The first is hybrids: rather than switching outright, organisations are expected to run a classical and a post-quantum algorithm together, so that security holds even if one of them later fails. The second is inventory. Most institutions do not have a reliable map of where their cryptography actually lives, and post-quantum cryptography cannot be deployed against systems no one has catalogued. Much of the early work is therefore discovery rather than mathematics, a theme the migration frameworks return to repeatedly.
What to watch
For readers tracking the field, the questions to watch are whether a second, non-lattice standard gains real deployment, how quickly the hybrid handshakes become default in browsers and financial networks, and whether the 2027 to 2031 deadlines slip. Post-quantum cryptography is now a delivery programme with legal force behind it, and its progress will be measured in migrated systems rather than published papers. For the encryption it is designed to protect, see our crypto explainers, and for the machine that makes it necessary, our quantum explainers.