The NCSC has approved eight consultancies to support government and critical industry with cryptographic discovery and migration planning, ahead of its 2035 deadline to move to post-quantum cryptography (PQC).

Arqit, Avella, Cambridge Consultants, Capgemini, CGI, Frazer-Nash, IBM, and PQShield are all now assured to support those modernising their cryptographic estates, as pressure mounts to begin work on migration.

Governments and security leaders fear that adversaries equipped with quantum computing capabilities could, in the near future, break widely used existing cryptographic algorithms and may already be working on "harvest now, decrypt later" data mining exercises.

US agency NIST in August 2024 published its first tranche of standardised post-quantum algorithms; FIPS 203, FIPS 204, and FIPS 205. Many organisations are now planning to adopt one of these options.

“Actively engage with us”

The NCSC selected the eight firms under its Assured Cyber Security Consultancy pilot – which verifies them as meeting its PQC standards. The cyber agency said that it “expects all assured consultancy companies to actively engage with us and with each other on a regular basis…” 

Frazer Nash commented this morning that “the threat of a working quantum computer being able to undermine today’s cryptography is being taken seriously by the cyber security world and UK Government.”

Arqit CEO Andy Leaver added this week that “PQC is one of the few moments in cyber history where we can act before the crisis hits…”

“Ripple through infrastructure”

As Orange Cyberdefense’s Group CTO Vivien Mura put it in The Stack last week: “Transitioning to PQC is far from simple. 

“New algorithms often involve significantly larger key sizes, increased bandwidth consumption, and greater processing demands. This can ripple through infrastructure, requiring hardware upgrades, network adjustments, and vendor software changes before deployment can begin. 

Migrating to PQC, he added, “requires a multi‑year, enterprise‑wide effort that touches cryptography embedded across applications, networks, storage systems, and digital identities…This extends beyond a simple list of assets, requiring teams to trace data flows, identify dependencies, and pinpoint potential exposure points…”

The selected consultancies will get potentially improved access to the public sector by being listed on the Crown Commercial Services’ Dynamic Purchasing System (DPS). This gives buyers access to “pre-qualified suppliers” with preset contract terms for specific sectors, making it significantly easier to sign public sector contracts.

The PQC roadmap

The NCSC has been ramping up its work on PQC, publishing a ten-year migration roadmap in March 2025 pushing companies to complete discovery exercises by 2028, migrate high-priority activities by 2031, and mark a full PQC migration by 2035.

To encourage the industry’s compliance, the NCSC said its PQC pilot will run until March 2027, after which it will review its “criteria and learning.”

However, while many in the industry await standardised PQC algorithms to implement in their encryption, the NCSC has mostly deferred to the US' NIST organisation on the topic.

It described the four algorithms chosen by the standardisation body as a "vital first step in securely migrating systems", encouraging companies to ensure their PQC systems comply with the finalised standards.

PQShield CSO Ben Packman said the new pilot recognised “the urgency of migrating critical national infrastructure”, warning “the window for CNI projects to quantum-proof themselves is closing.”

Another application window for the pilot will open in late spring 2026, with new consultancies required to complete a commercial questionnaire, NCSC assessment, and onboarding process.

In the US, the Office of Management and Budget (OMB) estimated last year that securing priority federal systems with PQC by 2035 would cost $7.1 billion – mostly to replace IT systems where "cryptographic algorithms were hardwired into the hardware or firmware.”

Planning your PQC migration and want to share views? Get in touch.

The link has been copied!