
NCSC Post-Quantum Guidance: What UK Businesses Need to Do

The National Cyber Security Centre has published guidance on preparing for quantum threats. Here's what UK organisations need to know.

The NCSC (National Cyber Security Centre), part of GCHQ, is the UK's technical authority on cybersecurity. Their guidance on post-quantum cryptography (PQC) sets the direction for UK businesses, government departments, and critical national infrastructure. The key message: start planning now.

Who Needs to Act?

The NCSC guidance applies broadly, but priority organisations include:

  • Critical National Infrastructure: energy, transport, health, water, telecommunications, financial services
  • Government departments and agencies: all public sector bodies handling sensitive data
  • Defence and national security: already subject to stricter timelines
  • Financial services: FCA-regulated firms with data protection obligations
  • Healthcare: NHS trusts and private providers handling patient data

However, any organisation handling data that needs to remain confidential for 10+ years should be planning their PQC transition.

Note

Unlike the EU's NIS2 directive, UK guidance is not yet legally mandated for most organisations. However, it represents best practice and will likely become a regulatory requirement. Early adopters will have a competitive advantage.

What Does the NCSC Recommend?

The NCSC's guidance aligns with international standards while providing UK-specific context:

1. Understand Your Cryptographic Estate

Map where cryptography is used across your organisation:

  • TLS certificates and configurations
  • VPNs and remote access
  • Digital signatures and code signing
  • Data-at-rest encryption
  • Key management systems
  • Third-party integrations and APIs

2. Assess Risk by Data Sensitivity

Not all data needs the same protection timeline. Prioritise based on:

  • How long the data must remain confidential
  • Regulatory requirements (GDPR, FCA, etc.)
  • Business impact if the data were exposed
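The confidentiality-lifetime question above is usually answered with Mosca's inequality: if the years the data must stay secret plus the years needed to migrate its protection exceed the years left in the threat window, traffic recorded today can be decrypted while it still matters. The following Python is an added example, not NCSC material; it uses the 2035 completion date from the timeline below as the end of the threat window, and every asset figure in it is constructed.

```python
# Added example (not NCSC material): rank data assets for PQC migration using
# the "shelf life + migration time vs. threat window" test (Mosca's inequality).
# All asset figures below are constructed for illustration.
from dataclasses import dataclass

PLANNING_YEAR = 2025       # assumption: the year the assessment is made
MIGRATION_DEADLINE = 2035  # NCSC target for completing migration, used here as
                           # the year by which classical confidentiality is assumed lost


@dataclass(frozen=True)
class DataAsset:
    name: str
    confidentiality_years: int  # how long the data must remain confidential
    migration_years: int        # estimated time to move its protection to PQC
    regulated: bool             # subject to UK GDPR / FCA / NHS DSPT obligations
    impact: int                 # business impact if exposed, 1 (low) .. 5 (severe)


def threat_window(now=PLANNING_YEAR, deadline=MIGRATION_DEADLINE):
    """Years left before classical confidentiality is assumed to fail."""
    return deadline - now


def hndl_exposed(asset, now=PLANNING_YEAR, deadline=MIGRATION_DEADLINE):
    """Mosca's inequality: if shelf life + migration time exceeds the threat
    window, ciphertext recorded today can be decrypted while still sensitive."""
    return asset.confidentiality_years + asset.migration_years > threat_window(now, deadline)


def tier(asset, now=PLANNING_YEAR, deadline=MIGRATION_DEADLINE):
    """1 = migrate first, 2 = migrate within the plan, 3 = monitor only."""
    if not hndl_exposed(asset, now, deadline):
        return 3
    if asset.regulated or asset.impact >= 4:
        return 1
    return 2


def prioritise(assets, now=PLANNING_YEAR, deadline=MIGRATION_DEADLINE):
    """Return (tier, name) pairs, most urgent first; ties broken by impact."""
    ranked = sorted(assets, key=lambda a: (tier(a, now, deadline), -a.impact, a.name))
    return [(tier(a, now, deadline), a.name) for a in ranked]


# Constructed inventory entries, not real data
SAMPLE_ASSETS = [
    DataAsset("patient records", 25, 4, True, 5),
    DataAsset("customer contracts", 12, 3, False, 3),
    DataAsset("internal chat archive", 8, 2, False, 2),   # 8 + 2 = 10, not > 10
    DataAsset("marketing analytics", 1, 1, False, 1),
]

if __name__ == "__main__":
    for t, name in prioritise(SAMPLE_ASSETS):
        print(f"tier {t}: {name}")
```

The chat archive sits exactly on the boundary (8 + 2 = 10 years against a 10-year window) and lands in tier 3; move the planning year one year later without shortening the migration estimate and it crosses into tier 2, which is why the assessment should be re-run annually rather than treated as a one-off.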

3. Plan for Hybrid Cryptography

The NCSC recommends hybrid approaches that combine classical algorithms with post-quantum algorithms. This provides protection even if one algorithm is later found to have weaknesses.

4. Engage with Suppliers

Many organisations depend on third-party software, cloud services, and hardware. Understand their PQC roadmaps and ensure they align with yours.

NCSC Timeline Guidance

  • Now: Begin cryptographic inventory and risk assessment
  • 2026-2028: Pilot hybrid PQC implementations
  • 2028-2030: Production deployment for high-priority systems
  • 2035: Complete migration from vulnerable algorithms

How This Relates to Other UK Regulations

Cyber Essentials

The Cyber Essentials scheme doesn't yet include PQC requirements, but expect updates as the technology matures. Organisations pursuing Cyber Essentials Plus should consider PQC readiness as part of their security posture.

UK GDPR

GDPR requires "appropriate technical and organisational measures" for data protection. As quantum threats become more immediate, regulators may interpret this to include PQC for long-lived sensitive data.

FCA Requirements

Financial services firms should note that the FCA expects firms to manage technology risk appropriately. PQC planning should be part of technology risk management frameworks.

NHS DSPT

Healthcare organisations completing the Data Security and Protection Toolkit should consider how quantum threats affect their data security assessments.

Practical Steps to Start Now

1. TLS Baseline

Ensure all your services use TLS 1.3. Hybrid post-quantum key exchange is being standardised for TLS 1.3 only, so this is a prerequisite for PQC and should be standard practice already.

2. Cryptographic Inventory

Document every system using cryptography. Many organisations are surprised by how extensive this is.

3. Supplier Assessment

Ask your key suppliers about their PQC roadmaps. This is especially important for security products, cloud services, and certificate authorities.

4. Skills Development

Ensure your security team understands PQC concepts. The NCSC provides free resources and training materials.
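Steps 1 and 2 above (and the "Understand Your Cryptographic Estate" section) come down to recording, per endpoint, the protocol version, the key-exchange group, and the certificate signature algorithm, then flagging what the hybrid recommendation actually requires. The Python below is an added example, not the NCSC's or any vendor's tooling: the inventory records are constructed, the hybrid group names are an assumption taken from current IETF drafts, and `probe()` shows how far the standard library alone gets you (version and cipher suite, but not the key-exchange group or certificate signature, which a dedicated scanner must supply).

```python
# Added example (not the NCSC's or any vendor's tooling): classify TLS endpoints
# from a cryptographic inventory for PQC readiness. The endpoint records below
# are constructed; probe() shows how to collect version/cipher live with the
# standard library.
import socket
import ssl

# Hybrid (classical + ML-KEM) TLS groups. Assumption: names as used in current
# IETF drafts and browser/CDN deployments; adjust to what your scanner reports.
HYBRID_GROUPS = {"X25519MLKEM768", "SecP256r1MLKEM768", "SecP384r1MLKEM1024"}


def probe(host, port=443, timeout=5.0):
    """Live probe: negotiated protocol version and cipher suite. The ssl module
    does not expose the key-exchange group or the certificate's signature
    algorithm, so those fields are left for a dedicated scanner to fill in."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {
                "host": host,
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "kex_group": None,
                "cert_sig": None,
            }


def assess(record):
    """Return a list of findings for one inventory record, most urgent first."""
    findings = []
    if record["tls_version"] != "TLSv1.3":
        findings.append("not TLS 1.3: hybrid key exchange is specified for TLS 1.3 only")
    if record["kex_group"] not in HYBRID_GROUPS:
        findings.append("classical-only key exchange: recorded sessions are exposed "
                        "to harvest-now-decrypt-later")
    sig = (record.get("cert_sig") or "").lower()
    if sig and not sig.startswith("ml-dsa"):
        # Authentication is not subject to HNDL, so this is lower urgency than the
        # key exchange, but it belongs in the inventory and the CA roadmap discussion.
        findings.append("classical certificate signature: track CA/PKI PQC roadmap")
    return findings


def summarise(records):
    """Map each host to its findings and count hosts needing key-exchange work."""
    report = {r["host"]: assess(r) for r in records}
    urgent = sum(1 for f in report.values() if any("harvest-now" in x for x in f))
    return report, urgent


# Constructed inventory (what a scanner might have recorded); .invalid hosts are not real
INVENTORY = [
    {"host": "api.example.invalid", "tls_version": "TLSv1.3",
     "cipher": "TLS_AES_256_GCM_SHA384", "kex_group": "X25519MLKEM768",
     "cert_sig": "ecdsa-with-SHA256"},
    {"host": "vpn.example.invalid", "tls_version": "TLSv1.3",
     "cipher": "TLS_AES_128_GCM_SHA256", "kex_group": "X25519",
     "cert_sig": "sha256WithRSAEncryption"},
    {"host": "legacy.example.invalid", "tls_version": "TLSv1.2",
     "cipher": "ECDHE-RSA-AES256-GCM-SHA384", "kex_group": "secp256r1",
     "cert_sig": "sha256WithRSAEncryption"},
]

if __name__ == "__main__":
    report, urgent = summarise(INVENTORY)
    for host, findings in report.items():
        print(host, "->", "; ".join(findings) or "ready")
    print(f"{urgent} of {len(INVENTORY)} endpoints need key-exchange migration")
```

The split between key exchange and signature findings is deliberate: a classical certificate on an endpoint that already negotiates a hybrid group is a roadmap item for step 3 (ask your CA), whereas a classical key exchange on a long-lived data flow is the item that feeds straight into the risk assessment above.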

How FIRA Quantum Safe Can Help

We offer services specifically designed for UK organisations following NCSC guidance:

  • Free quantum readiness scan for your website
  • Comprehensive cryptographic assessment of your infrastructure
  • TLS 1.3 implementation with hybrid PQC support
  • Documentation for audits and compliance
  • Staff training on PQC concepts and implementation


Conclusion

The NCSC's guidance is clear: the time to prepare for post-quantum cryptography is now. While 2035 may seem distant, cryptographic migrations are complex, multi-year projects.

Organisations that start now will have orderly transitions. Those that wait risk rushed, expensive migrations — or worse, data exposure from the Harvest Now, Decrypt Later threat.

The UK has a strong track record of cybersecurity leadership. Following NCSC guidance on PQC will help maintain that position.