Thinking about tomorrow today has always been a guiding principle in cybersecurity. But few developments make this mindset as tangible as Post-Quantum Cryptography (PQC). Within the coming decades, current encryption mechanisms will become vulnerable to quantum computers. For decision-makers, this shifts PQC from a future concern to a present-day topic – along with relevant standards, regulatory requirements, and migration strategies.
The quantum era: why the risk starts now
Even if “Q-Day” – the moment when quantum computers can break classical encryption – may still be 10 to 20 years away, the risk is already present. Encrypted data can be intercepted now and decrypted later as quantum technology matures. This “harvest now, decrypt later” threat turns time into a weapon. And for organizations, this means: data that must remain confidential for years – personal data, intellectual property, or business-critical documents – is already exposed to future risk.
Quantum security: who needs to act
The next generation of encryption leaves little room for delay. PQC will eventually affect nearly every organization, but the pressure is highest for:
- Regulated organizations (e.g. in finance, healthcare, or legal sectors) that process sensitive data and depend on compliant IT partners and cloud providers.
- Software and hardware vendors embedding encryption and signatures into their products.
- Providers of cryptographic infrastructure whose services are used across global supply chains and must evolve accordingly.
For most systems, the path forward won't be a sudden switch. Instead, it will involve a gradual transition period with hybrid approaches that combine classical and post-quantum algorithms. While effective, transitioning to PQC is technically demanding and requires careful integration into existing systems.
Standards at a glance: who defines what?
Around the world, new standards are emerging that define which algorithms and migration strategies will be accepted in the future. PQC standards generally fall into two core categories:
- Key Encapsulation Mechanisms (KEMs) for secure key exchange (relevant for TLS, VPNs, and cloud or service communication)
- Digital Signature Algorithms (DSAs) for identity, authenticity, and software signing (relevant for certificates, firmware updates, code signing, and trust chains)
This distinction matters, as key exchange and digital signatures follow different migration paths, risk profiles, and operational dependencies – and they need to be planned accordingly.
USA #1: NIST – the technical foundation of PQC
In the United States, the National Institute of Standards and Technology (NIST) laid the technical groundwork by publishing the first finalized PQC standards in 2024. These standards define which algorithms are considered secure and for which cryptographic tasks they are intended:
- ML-KEM: Quantum-safe key exchange for confidential communication, such as TLS, VPNs, and cloud services. It is expected to replace today’s widely used key exchange mechanisms and forms the basis for secure connections.
- ML-DSA: Post-quantum, lattice-based digital signatures for identity, authentication, and software signing. Designed to replace widely used RSA and ECDSA in certificates and trust infrastructures.
- SLH-DSA: Highly robust, hash-based signatures for particularly critical or long-term security use cases, not for large-scale deployment.
Besides these three standards, NIST is advancing HQC as a backup KEM and FALCON as an alternative DSA, while the selection of additional DSAs – aimed at risk diversification and long-term resilience – remains in progress.
USA #2: NSA & CNSA 2.0 – from algorithms to binding timelines
While NIST defines which post-quantum algorithms should be used, the Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) defines when organizations should adopt them.
PQC is already recommended for operators of security-critical systems, as well as for software and firmware signing and web and cloud services. By 2035 at the latest, implementation will become mandatory for U.S. national security systems. Although CNSA 2.0 formally applies only to U.S. government systems, its impact is global. Major cloud and security providers adopt these requirements across their platforms.
Canada: PQC roadmap with clear milestones
Canada combines internationally recommended PQC algorithms with a binding roadmap. Organizations are required to plan early and migrate critical systems well ahead of 2035:
- by April 2026: submission of a PQC migration plan
- by the end of 2031: migration of critical systems
- by 2035: migration of all remaining systems
EU: ENISA and ETSI – coordinated migration instead of isolated measures
PQC is also gaining momentum in the European Union. The EU Agency for Cybersecurity (ENISA) is driving the development of a common European framework. Rather than focusing on the rapid introduction of individual algorithms, the emphasis is on a coordinated migration that closely links interoperability, risk analysis, and compliance.
In parallel, ETSI (European Telecommunications Standards Institute) is developing concrete technical specifications and migration guidelines. The goal is to harmonize the adoption of quantum-resistant cryptography across EU member states – particularly in the context of NIS2 and the EU Cybersecurity Act.
Strategic roadmap: what organizations should do
A successful transition to PQC does not begin with code, but with the right questions:
- Which data must remain confidential for decades?
- Where does cryptography quietly underpin critical systems?
- How can migration happen without disrupting security or compliance?
Answering these questions early turns uncertainty into a structured plan – one that can be implemented through five practical steps:
1. Establish governance
Anchor post-quantum cryptography as a management responsibility.
2. Create cryptographic transparency
Identify where cryptographic mechanisms are used across systems and processes.
3. Define priorities
Focus on data that must remain confidential in the long run.
4. Plan the migration
Prepare a phased transition to quantum-secure cryptography.
5. Steer implementation
Regularly review progress and adapt the strategy as standards and risks evolve.
PQC in practice: forward-looking solutions
When evaluating solutions for secure file sharing and collaboration, organizations are starting to ask a new question: not just how secure is this today, but how well is it prepared for what’s coming next? Forward-looking security platforms already support hybrid approaches and are aligning their architectures with upcoming compliance requirements.
At Tresorit, we’re integrating PQC step by step, starting where long-term risk is highest: key exchange. For this, Tresorit uses ML-KEM-1024, a NIST-standardized post-quantum algorithm, to be deployed in a hybrid setup alongside mature, extensively scrutinized cryptographic primitives. This approach preserves security during the transition while strengthening Tresorit’s zero-knowledge, end-to-end encryption. It gives organizations a clear migration path long before Q-Day arrives.
The takeaway for decision-makers
For most organizations, PQC won’t arrive as a single deadline circled in red. It will surface gradually through new requirements, partner expectations, and audits. And while PQC sounds technical, its impact goes beyond IT, affecting how long sensitive data remains protected and whether compliance can be maintained. That’s why PQC deserves attention at the decision-making level now – so emerging requirements can be turned into manageable action and lasting trust with customers and partners.
Get ahead of upcoming PQC requirements with Tresorit's forward-looking security architecture designed to keep your data protected today and resilient tomorrow.
Brigitta Finta



