July 24, 2025
For CISOs and CIOs wondering when they really need to start preparing for post-quantum security, the answer, according to a growing number of national governments, is now. It’s also increasingly clear that IT and security teams shouldn’t be tackling this alone or in isolation: post-quantum security is more than just a technology issue. It’s a business risk with implications for every part of the enterprise.
On June 23, Canada and the EU became the latest jurisdictions to set timelines for government agencies and critical infrastructure operators to develop quantum-safe roadmaps outlining the key workstreams, activities and milestones necessary to reach a quantum-safe state and put remediations in place. This comes fast on the heels of similar orders in the U.S. and UK.
What stands out is how soon those roadmaps are expected. The EU is calling for member states to have plans by the end of 2026; Canada’s timeline is even more aggressive, with departmental migration plans to be developed by April 2026. Both have also indicated high-risk use cases or systems should be mitigated by 2030–2031, and medium-risk systems by 2035–2036.
What’s the rush then? History shows that cryptographic migrations take time — anywhere from four years to a decade or more. We’ve seen NIST provide guidance to deprecate RSA/ECC by 2030 and disallow these quantum-vulnerable algorithms by 2035. Plus, companies developing quantum computers aren’t slowing down: major players like IBM have outlined plans to scale quantum computers, with projections for significant capabilities by 2029. In May, Google published a paper showing a substantial reduction in the resources needed to break current cryptographic algorithms. While multiple factors are at play, there’s never been a clearer signal on the dates to work towards.
While these hard deadlines for post-quantum security planning and mitigations are imposed on government organizations, they will quickly trickle down as ‘state-of-the-art’ and ‘best practices’ to all other critical infrastructure providers, from power utilities to financial institutions, healthcare providers, telcos and more.
Enterprises in other sectors with sensitive data to protect, systems to safeguard and regulations to comply with — in other words, everyone else — will have to adopt similar post-quantum security measures if they want to keep up with leading risk management. Corporate legal teams will be asking about it; risk-minded boards of directors will be expecting to see plans for it.
Starting immediately will give organizations as much runway as possible to work out the details and keep post-quantum security migration costs under control.
Some businesses seem to be hoping for “trickle-up” post-quantum cybersecurity from their supply chains — expecting that their partners will put in place what is needed.
Even if this does occur to some extent, there’s no guarantee that what happens in the supply chain will dovetail perfectly with an organization’s own risk appetite or regulatory requirements. And, as has been seen with AI, trickling-up doesn’t always happen as hoped.
Organizations need to understand their specific risks and work with vendors and supply chain partners to understand migration plans and timelines to close any gaps. It’s not about becoming a deep subject-matter expert in post-quantum security – but you do need to be confident that you and your partners and vendors are addressing the risks adequately and in time.
A solid quantum-safe roadmap can help you manage risk for your organization and through your supply chains. While the high-level frameworks put forward by Canada, the EU and others are good starting points, your roadmap needs to be specific to your sector, industry and business – with buy-in from your key stakeholders.
Post-quantum security, and ensuring compliance with best practices, is a corporate concern rooted in business risk. CISOs and CIOs must rally their colleagues behind it, engaging functions including procurement and legal, product and profit-and-loss owners, and risk and governance management — the entire executive team.
The task for CISOs and CIOs is to put the issue into business language, frame roadmap development as a first step toward “buying down” risk, and align C-level colleagues on the view that this truly is an all-hands-on-deck affair.
While this may seem daunting, organizations shouldn’t be overwhelmed by the prospect of getting started. A key step is to ensure someone in the organization owns and is accountable for developing the quantum-safe roadmap and implementing mitigation measures. If you’re looking for expert advisors to help kickstart or accelerate this process, cut through the noise, and develop a quantum-safe roadmap, connect with us today.