Explainer · 6 min read

What the NCSC 2028 migration target actually requires

2028 is not the finish line. It's the first checkpoint — and the work required to reach it is already behind schedule for most UK financial institutions.

The framework

Three milestones, not one

The NCSC's PQC migration guidance sets out a three-phase timeline. Most compliance coverage leads with 2028 and stops — leaving readers with the impression that 2028 is when the migration is done. It isn't. 2028 is when the planning is done.

| Milestone | What it requires | Status |
| --- | --- | --- |
| 2028 | Discovery complete. Migration plan built. Suppliers engaged. | Planning phase |
| 2031 | Highest-risk and internet-facing systems migrated to PQC. | Migration phase |
| 2035 | Full estate migrated. Legacy cryptography decommissioned. | Completion phase |

“The urgency argument isn't that quantum computers are coming. It's that the clock on your planning phase has already started — and most firms haven't begun.”

The 2028 checkpoint

What 2028 actually requires

The NCSC's Migration Timelines document is specific about what the 2028 deliverable must contain. It isn't a strategy deck or a high-level intention statement. By 2028, an organisation is expected to have completed all five of the following gates:

1. Discovery

A complete cryptographic asset inventory — every algorithm, certificate, key, and library in use across your estate. Every system that handles encryption, every supplier dependency that touches your PKI.

2. Risk prioritisation

A documented assessment of which assets carry the highest exposure — internet-facing systems, long-lived data, asymmetric key exchange under HNDL threat. Highest-risk assets identified and ranked.

3. Migration plan

A costed, time-bound roadmap covering prioritised activities, milestones, forecasted budget, and hardware roots of trust. Not a wish list — a plan with financial sign-off.

4. Supplier engagement

Formal communication issued to key suppliers requesting their PQC readiness timeline. Your migration cannot proceed faster than your supply chain allows.

5. Internal ownership

A designated internal owner with board-level visibility. PQC migration cannot be owned by a single team — it requires cross-functional accountability and executive sponsorship.

The timing problem

Why most firms are already behind

The NCSC states explicitly that large enterprises need two to three years to complete the discovery, assessment, and planning exercises required for 2028. The guidance was published in March 2025. A large financial institution that began the day the guidance dropped would be finishing their discovery work in early 2028 — with no time left for the plan, supplier engagement, or governance.

Most haven't started. The NCSC's own math makes the urgency case — Q-Edge doesn't need to manufacture it.


The stakes

What happens if you miss the gate

Missing 2028 isn't a fine. There's no immediate regulatory enforcement attached to the milestone. But the consequences are structural, not theoretical.

An organisation that reaches 2031 without a completed migration plan is not ready to begin migrating its highest-risk systems. The three-phase timeline is sequential — each gate is a prerequisite for the next. Miss 2028 and you don't just slip a year. You compress the 2031 and 2035 work into a shorter window, at higher cost, under greater regulatory scrutiny.

The NCSC also expects financial services to lead — not just comply. FS infrastructure runs on TLS, PKI, and X.509: internet-standard protocols for which PQC tooling is already maturing. Banks will have the migration capability before most other sectors have finished their inventories. Missing the vanguard expectation is visible, at exactly the moment FCA and PRA are beginning to audit operational resilience against NCSC timelines.

Where to start

The practical first step

Gate 1 — Discovery — is the prerequisite for everything else. You cannot build a migration plan without knowing what you're migrating. You cannot engage suppliers without knowing which systems depend on them. You cannot prioritise risk without a map of your cryptographic estate.

A cryptographic asset inventory covers:

Every encryption algorithm in use across your estate (RSA, ECC, AES, SHA variants)

Every TLS certificate — issuing authority, expiry date, key size

Every system that exchanges keys over a public network

Every supplier or third party that touches your PKI

Hardware security modules and their firmware upgrade paths

For most large financial institutions, this exercise alone takes 12 to 18 months. Starting in 2026 leaves enough runway — just. Starting in 2027 does not.
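
The sketch below is an added example, not part of the original article or of NCSC guidance. It shows how inventory rows of the kind listed above can feed the Gate 2 ranking (internet-facing systems, long-lived data, asymmetric key exchange under HNDL threat). The column names, score weights, five-year threshold and sample rows are all assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample inventory (not real assets). Column names are assumptions.
SAMPLE_INVENTORY = """\
asset,use,algorithm,key_bits,internet_facing,data_life_years
payments-gw,key_exchange,ECDH,256,yes,10
customer-portal,signature,RSA,2048,yes,0
internal-ldap,key_exchange,RSA,2048,no,7
archive-store,bulk_encryption,AES,256,no,25
code-signing,signature,ECDSA,384,no,0
"""

# Public-key algorithms broken by Shor's algorithm on a large quantum computer.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "ECC", "EDDSA"}
# Uses where traffic captured today could be decrypted later (HNDL).
CONFIDENTIALITY_USES = {"key_exchange", "encryption"}
HNDL_YEARS = 5  # assumed threshold for "long-lived" data


def assess(row, hndl_years=HNDL_YEARS):
    """Return (score, reasons) for one inventory row; weights are illustrative."""
    if row["algorithm"].upper() not in SHOR_VULNERABLE:
        return 0, ["not a Shor-vulnerable public-key algorithm"]
    score, reasons = 1, ["quantum-vulnerable public-key algorithm"]
    if row["internet_facing"] == "yes":
        score += 2
        reasons.append("internet-facing")
    if row["use"] in CONFIDENTIALITY_USES and int(row["data_life_years"]) >= hndl_years:
        score += 2
        reasons.append("HNDL: long-lived data behind asymmetric key exchange")
    return score, reasons


def rank(inventory_csv):
    """Parse the inventory and return rows ordered highest exposure first."""
    ranked = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        score, reasons = assess(row)
        ranked.append({"asset": row["asset"],
                       "algorithm": f'{row["algorithm"]}-{row["key_bits"]}',
                       "score": score, "reasons": reasons})
    # Ties are broken by asset name so the ordering is deterministic.
    return sorted(ranked, key=lambda r: (-r["score"], r["asset"]))


if __name__ == "__main__":
    for r in rank(SAMPLE_INVENTORY):
        print(f'{r["score"]}  {r["asset"]:<16} {r["algorithm"]:<10} {"; ".join(r["reasons"])}')
```

On the constructed rows, the AES-256 archive scores zero despite holding the longest-lived data, while the internet-facing ECDH key exchange ranks first: the inventory has to record how each algorithm is used, not only that it is present.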

Next step

Want to know where your organisation stands?

Book a free 30-minute call. We'll map your current position against the five NCSC gates, identify your biggest gaps, and tell you exactly what a formal Quantum Readiness Assessment would cover.