Post-Quantum Cryptography (PQC) Compliance

International (US CNSA 2.0, EU ENISA, Canada CCCS, national agencies)NIST standards finalized (FIPS 203, 204, 205). Migration mandates active for US federal/NSS systems.

Post-Quantum Cryptography (PQC) compliance ensures organizations are prepared for the transition from quantum-vulnerable cryptographic algorithms (RSA, ECC, DH) to quantum-resistant alternatives standardized by NIST (ML-KEM, ML-DSA, SLH-DSA). With harvest-now-decrypt-later attacks an active threat today, PQC migration is critical for any organization handling long-lived sensitive data.

Who It Applies To

All organizations using public-key cryptography — especially those handling long-lived sensitive data (10+ year retention), operating in regulated industries (finance, healthcare, defense, government), or participating in federal supply chains. US National Security Systems operators face mandatory CNSA 2.0 timelines.

Key Dates & Deadlines

August 13, 2024NIST publishes FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA)

2025CNSA 2.0 requires PQC for key establishment in national security systems

2030CNSA 2.0 requires PQC for digital signatures in national security systems

2033CNSA 2.0 full PQC adoption deadline for all national security systems

2035Expected commercial PQC adoption milestone per NIST guidance

Key Requirements

Complete cryptographic inventory (Cryptographic Bill of Materials) of all algorithms, protocols, and dependencies
Assess harvest-now-decrypt-later (HNDL) exposure for all long-lived sensitive data
Select NIST-approved PQC algorithms: ML-KEM (FIPS 203) for key encapsulation, ML-DSA (FIPS 204) for signatures, SLH-DSA (FIPS 205) as hash-based backup
Develop PQC migration roadmap with phased timeline and milestones
Implement hybrid cryptography (classical + PQC) during transition period
Test PQC algorithm performance, interoperability, and HSM/hardware compatibility
Align with applicable mandates (CNSA 2.0, NIST SP 800-208, OMB M-23-02, EU ENISA)

Penalties & Enforcement

No direct penalties for commercial organizations (compliance is currently voluntary outside NSS). However, failure to migrate exposes organizations to catastrophic data breaches when CRQCs arrive. Federal contractors and NSS operators face contractual and regulatory consequences under CNSA 2.0 and OMB M-23-02.

Quick Compliance Checklist

Get started with these essential steps. For a full automated assessment, start your free trial.

1Inventory all quantum-vulnerable cryptographic algorithms and dependencies
2Conduct harvest-now-decrypt-later risk assessment
3Map data shelf life against quantum computing threat timeline
4Select PQC algorithms for key exchange, signatures, and backup
5Test ML-KEM, ML-DSA, and SLH-DSA in staging environments
6Benchmark PQC performance impact on critical systems
7Develop and approve PQC migration roadmap with executive sponsorship
8Begin hybrid deployment for highest-priority systems
9Verify HSM and hardware PQC readiness
10Document compliance evidence for audit readiness

Recent PQC Changes

View all

No changes tracked yet for PQC. Our monitoring engine scans sources every 6-24 hours.

Check Your PQC Compliance

Start Free Trial