The US National Institute of Standards and Technology (NIST) has published the final versions of its post-quantum cryptography (PQC) standards — FIPS 203, FIPS 204, and FIPS 205 — marking the formal beginning of the global migration away from RSA and elliptic-curve cryptography toward quantum-resistant alternatives.

The standards define three algorithms: ML-KEM (Module-Lattice Key Encapsulation Mechanism, formerly CRYSTALS-Kyber) for key exchange and encryption; ML-DSA (Module-Lattice Digital Signature Algorithm, formerly CRYSTALS-Dilithium) for digital signatures; and SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+) as a hash-based backup signature scheme.

Why the Migration Is Urgent

The urgency of the PQC migration stems from the "harvest now, decrypt later" (HNDL) threat. Adversaries — particularly nation-state actors — are believed to be collecting encrypted data today with the intention of decrypting it once cryptographically relevant quantum computers become available, potentially within the next decade.

Data with long-term sensitivity — classified government communications, medical records, financial transactions, intellectual property — is therefore already at risk, even though quantum computers capable of breaking RSA do not yet exist. The window between the publication of standards and the completion of enterprise migration is measured in years, making immediate action critical.

"The question is not whether to migrate to post-quantum cryptography. The question is whether you will complete the migration before a cryptographically relevant quantum computer arrives. The clock is running."
— Dustin Moody, NIST Post-Quantum Cryptography Project

The Three-Step Migration Framework

NIST and CISA have jointly published a migration framework for enterprises. The three-step process begins with a cryptographic inventory — cataloguing all systems, protocols, and data that rely on public-key cryptography. This is typically the most time-consuming phase, as cryptographic dependencies are often deeply embedded in legacy software and hardware.

The second step is prioritisation: identifying which systems handle the most sensitive long-lived data and therefore face the highest HNDL risk. These systems should be migrated first. The third step is implementation: deploying ML-KEM and ML-DSA in place of existing key exchange and signature schemes, ideally using a hybrid approach that combines classical and post-quantum algorithms during the transition period.
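The following sketch of steps one and two is an added example, not code from NIST, CISA or this article. It ranks inventory records so that classical-only key establishment protecting long-lived data comes first; the algorithm labels, tier numbers and sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Classical public-key algorithms, grouped by what they protect.
CLASSICAL_KEX = {"RSA-KEX", "DH", "ECDH", "X25519"}   # key establishment
CLASSICAL_SIG = {"RSA", "DSA", "ECDSA", "ED25519"}    # signatures
PQC_KEX = {"ML-KEM"}                                  # FIPS 203
PQC_SIG = {"ML-DSA", "SLH-DSA"}                       # FIPS 204, FIPS 205


@dataclass
class Asset:
    name: str
    algorithms: set            # identifiers recorded during the inventory
    data_lifetime_years: int   # how long the data must stay confidential


def assess(asset):
    """Return (tier, reason). Tier 1 = migrate first, 3 = nothing outstanding."""
    algs = {a.upper() for a in asset.algorithms}
    unknown = algs - CLASSICAL_KEX - CLASSICAL_SIG - PQC_KEX - PQC_SIG
    if unknown:  # an unclassified entry is an inventory gap: review by hand
        return 1, "unrecognised, review manually: " + ", ".join(sorted(unknown))
    # Recorded traffic can be decrypted later only if key establishment is
    # purely classical; a hybrid (classical + ML-KEM) exchange is not exposed.
    if algs & CLASSICAL_KEX and not algs & PQC_KEX:
        return 1, "HNDL-exposed key establishment"
    # Signatures are not subject to harvest-now-decrypt-later, so rank lower.
    if algs & CLASSICAL_SIG and not algs & PQC_SIG:
        return 2, "classical signatures only"
    return 3, "post-quantum or hybrid"


def prioritise(assets):
    """Order assets by tier, then by longest data lifetime first."""
    rows = [(assess(a), a) for a in assets]
    rows.sort(key=lambda r: (r[0][0], -r[1].data_lifetime_years, r[1].name))
    return [(a.name, tier, reason) for (tier, reason), a in rows]


# Constructed sample inventory (hypothetical systems, not real data).
INVENTORY = [
    Asset("code-signing", {"ECDSA"}, 1),
    Asset("vpn-gateway", {"ECDH", "RSA"}, 25),
    Asset("web-frontend", {"X25519", "ML-KEM", "ECDSA"}, 2),
    Asset("records-archive-api", {"RSA-KEX", "RSA"}, 50),
    Asset("internal-chat", {"X25519", "ML-KEM", "ML-DSA"}, 5),
]

if __name__ == "__main__":
    for name, tier, reason in prioritise(INVENTORY):
        print(f"tier {tier}  {name:<20} {reason}")
```
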

Industry Response

Major technology vendors have moved quickly to support the new standards. Apple has announced PQC support in iMessage and iCloud Keychain. Signal added ML-KEM to its key exchange protocol. Google has deployed ML-KEM in Chrome's TLS implementation. Microsoft has published a PQC migration guide for Azure customers.

However, the enterprise migration picture is more complex. A survey by the Cloud Security Alliance found that only 23% of enterprises have completed a cryptographic inventory, and fewer than 10% have begun active PQC migration. The gap between vendor readiness and enterprise adoption represents a significant vulnerability window.

Regulatory Timeline

US federal agencies are required to complete PQC migration for high-priority systems by 2030, per the National Security Memorandum on Quantum Computing. The European Union's NIS2 Directive and the UK's NCSC have issued similar guidance. Financial regulators in the US, EU, and UK are expected to issue sector-specific PQC requirements in 2026.