Vendor PQC Timeline
When will your technology stack be quantum-safe? Track the post-quantum cryptography roadmaps of major vendors.
Last Updated: February 2026 | Next Update: May 2026
The hard truth: Even if you identify every vulnerable cryptographic implementation today, you cannot remediate most of them until your vendors ship PQC support. Microsoft won't be fully quantum-safe until 2033. Oracle is targeting 2027. Plan your migration around vendor reality.
Major Vendor PQC Roadmaps
Current status and projected timelines from key technology providers (as of February 2026).
| Vendor | Status | Key Milestone | Full PQC Target |
|---|---|---|---|
| .NET / C# | Active | .NET 10 GA with ML-KEM, ML-DSA, SLH-DSA via System.Security.Cryptography | Now available (.NET 10) |
| Akamai | Active | PQC production deployment with X25519MLKEM768 across all connections | 2026 full deployment (client + origin) |
| Apple | Active | CryptoKit PQC APIs (iOS 26, macOS Tahoe). Auto PQ-TLS (X25519MLKEM768) in all OS. iMessage PQ3 | Now available (iOS 26+) |
| AWS | Active | PQ-TLS across S3, KMS, ACM, Secrets Manager, CloudFront, ALB/NLB, Private CA (ML-DSA), Payments Cryptography | 2026 full service deployment |
| Cloudflare | Active | 52%+ of human traffic PQ-protected. 6M+ domains upgraded. WARP client PQ tunneling | Mid-2026 PQC-only mode |
| Dell | Planned | CNSA 2.0 compliant hardware, crypto agility in BIOS/firmware | 2027-2030 hardware phase-out |
| Google Cloud | Active | PQC for all internal comms. Cloud KMS KEMs and digital signatures (ML-DSA, SLH-DSA). Chrome, Tink library | 2029 error-corrected quantum hardware |
| IBM | Active | Guardium Cryptography Manager for crypto posture management and PQC remediation | Now available |
| Java (OpenJDK) | Active | Bouncy Castle and OpenJDK 21+ support ML-KEM via JCA/JCE | Now available |
| Microsoft | Planned | Windows Server 2025 / Windows 11 with SymCrypt (ML-KEM / ML-DSA) | 2029 early adoption, 2033 full transition |
| Node.js | Active | Linked to OpenSSL 3.5+, hybrid key exchange in crypto module | Now available |
| OpenSSL | Active | OpenSSL 3.5 native ML-KEM support (512, 768, 1024) in default and FIPS providers | Now available |
| Oracle | Active | Java 24 ML-KEM. Database 26ai hybrid PQC TLS (ECDHE + ML-KEM). JDK 26 ML-DSA signing (Mar 2026) | 2026 cloud, 2027+ full database |
| PHP | Pending | Reliant on system-level OpenSSL 3.5+ updates | TBD no native PQC yet |
| Red Hat | Active | RHEL 10.1 DEFAULT crypto policy now enables and prefers PQC for TLS and SSH | Now PQC by default (RHEL 10.1) |
| Salesforce | Planned | RSA key exchanges phased out for TLS, pushing TLS 1.3 as PQC prerequisite | TBD TLS 1.3 migration underway |
| SAP | Active | Cryptographic Library v8.6 with quantum-safe TLS 1.3 (X25519MLKEM768). BTP Cloud Foundry PQC root CAs | Now available |
| Ubuntu | Planned | Integrating OpenSSL 3.5+ and hybrid SSH/TLS | 2025/2026 LTS releases |
| VMware / Broadcom | Active | vDefend and Avi Load Balancer with NIST-approved PQC + HSM integration | Now available |
Network & Security Vendors
VPN, firewall, and network infrastructure PQC support status.
| Vendor | Status | PQC Capability |
|---|---|---|
| Check Point | Active | R82 release supports ML-KEM (Kyber) for IPsec VPNs and IKEv2 |
| Cisco | Active | IOS XE 26 full-stack PQC (ML-KEM + ML-DSA in TLS, IKEv2, SSH). First vendor with complete enterprise PQC stack |
| Fortinet | Active | FortiOS 7.6+ PQC for IPsec key exchange. ML-KEM plus BIKE, HQC, Frodo across FortiGate NGFW and SD-WAN |
| HP / HPE | Active | Silicon Root of Trust and PQC-ready firmware for ProLiant servers |
| Palo Alto | Active | Quantum-Safe Security GA (Jan 2026). PAN-OS cipher translation for instant PQC upgrade of apps and IoT/OT |
PQC Services from Major Providers (2026)
Specific quantum-safe services and protocols available today.
| Provider | PQC Service | Algorithm | Use Case |
|---|---|---|---|
| Apple | iMessage (PQ3), Secure Enclave | ML-KEM-1024, ML-DSA | Secure messaging with self-healing re-keying, firmware verification |
| AWS | KMS, Secrets Manager, ACM, CloudFront, S3, ALB/NLB, Private CA, Payments Cryptography | Hybrid ML-KEM (PQ-TLS), ML-DSA (signing) | API calls, storage, load balancing, certificates, payment processing |
| Cloudflare | CDN edge, WARP client, origin connections, 6M+ domains | X25519MLKEM768 | 52%+ of human traffic PQ-protected. Automatic PQ for all customers |
| Cloud KMS (KEMs + signatures), Chrome, Tink Library, all internal comms | ML-KEM-768/1024, ML-DSA, SLH-DSA, X-Wing | Hybrid key exchange, TLS handshakes, digital signatures, developer APIs | |
| Meta | Internal Infrastructure, WhatsApp | Hybrid ML-KEM/ML-DSA, PQ-X3DH | Data center traffic protection, E2E encryption |
| Microsoft | Azure Key Vault, Entra ID, Windows | SymCrypt (ML-KEM / ML-DSA) | Key storage, identity verification, OS-level support |
| SAP | SAP Cryptographic Library v8.6, BTP Cloud Foundry | Hybrid ECDHE-MLKEM (X25519MLKEM768) | Quantum-safe TLS 1.3 handshakes for SAP applications |
| Signal | Signal Protocol (PQXDH + SPQR Triple Ratchet) | ML-KEM-768, X25519 | Quantum-safe end-to-end encrypted messaging with forward secrecy |
Key Industry Standards & Deadlines
NIST Standards
Global Baseline
FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA) are the baseline. HQC selected as 5th algorithm (standard expected 2027). NIST IR 8547: deprecate quantum-vulnerable by 2030, disallow by 2035.
CNSA 2.0 (NSA)
US National Security
Hard deadline: Systems handling national security information must be PQC-compliant by 2030 (software) and 2035 (hardware).
EU Coordinated PQC Roadmap
European Union
The European Commission recommends all Member States begin PQC transition by end of 2026; critical infrastructure by 2030. Under NIS2 and EuroQCI, essential entities must implement "state-of-the-art" cryptographic measures with hybrid schemes.
UK NCSC
United Kingdom
Three-phase migration: discovery by 2028, high-priority migration by 2031, complete migration by 2035 for government and critical national infrastructure.
Canada CCCS
Canada
Federal PQC migration plans due by April 2026. High-priority systems by 2031, all systems by 2035. HNDL-susceptible systems designated highest priority.
Australia ASD
Australia
Most aggressive Western timeline: transition plans by 2026, implement on critical systems by 2028, cease traditional asymmetric crypto by 2030.
Global PQC Strategies
Different regions are taking different approaches to quantum security.
US / EU / UK / Canada
Software-First (PQC)
Focus on NIST-standardised PQC algorithms. The internet is too large to rewire with QKD hardware. Software patches can protect millions of devices overnight. Canada mandates federal PQC plans by April 2026 (ITSM.40.001).
China
Independent Standards + QKD
China launched its own independent PQC algorithm call in 2025, diverging from NIST. Stage A (2025 Q4 - 2026 Q4) focuses on national GB/T PQC standards. Also operates the 2,000km Beijing-Shanghai QKD Trunk Line.
Japan / Singapore / Australia
Tiered Approach
Japan's NCO mandates full PQC by 2035. Singapore's NQSN+ provides nationwide quantum-safe networking. Australia's ASD requires classical crypto phase-out by 2030 — the most aggressive Western timeline.
South Korea / India
Sovereign Development
South Korea's KpqC competition selected national algorithms (HAETAE, AIMer, SMAUG-T, NTRU+). India's roadmap targets critical infrastructure PQC by 2027, full adoption by 2033.
UAE / Gulf States
Policy-Led Transition
UAE approved a National Encryption Policy requiring government entities to develop PQC transition plans. Abu Dhabi's Technology Innovation Institute operates full-stack PQC research. Saudi Arabia added PQC to national standards in 2025.
Israel
Financial Sector First
Bank of Israel directive (January 2025) requires banks to build cryptographic inventories and develop PQC roadmaps. INCD national cybersecurity strategy 2025-2028 includes quantum-resistant encryption mandates.
Global PQC Migration Deadlines
| Region | Deadline | Requirement | Authority |
|---|---|---|---|
| Canada | Apr 2026 | Federal departments must submit initial PQC migration plans | CCCS (ITSM.40.001) |
| EU | End 2026 | All Member States must begin PQC transition | European Commission |
| Australia | End 2026 | Organisations must have detailed PQC transition plans | ASD/ACSC |
| India | 2027 | Critical infrastructure sectors begin formal PQC implementation | C-DOT Task Force |
| UK | 2028 | Phase 1 complete: discovery and migration planning | NCSC |
| Australia | 2030 | Cease using traditional asymmetric cryptography entirely | ASD/ACSC |
| EU | 2030 | Critical infrastructure PQC migration complete | European Commission |
| US (NSS) | 2030 | Quantum-vulnerable algorithms deprecated (software) | NIST IR 8547 / NSA CNSA 2.0 |
| Canada | 2031 | High-priority federal systems PQC migration complete | CCCS |
| India | 2033 | Full nationwide PQC adoption | C-DOT Task Force |
| Global | 2035 | All quantum-vulnerable algorithms disallowed | NIST / NCSC / Japan NCO / Canada CCCS |
What This Means for Your Assessment
Know When, Not Just What
Your assessment should map findings to vendor timelines — showing when each issue becomes actionable, not just that it exists.
Prioritise by HNDL Risk
Data with long shelf-life is at risk today. Prioritise by data sensitivity, not just cryptographic algorithm weakness.
Group by Vendor Dependency
"Blocked by Microsoft" vs "Blocked by Oracle" vs "Fixable now" — actionable categorisation for your roadmap.
Satisfy Compliance Once
NIS2 requires demonstrable cryptographic risk management, not full implementation. A single assessment with migration plan demonstrates compliance.
What You Can Fix Now
You don't need to wait for vendors to take action. Here are 5 things you can do today.
Inventory Your Crypto Estate
You can't migrate what you don't know you have. Generate a CBOM to understand your current cryptographic usage across source code and infrastructure.
Retire Deprecated Algorithms
Remove MD5, SHA-1, DES, and 3DES from your codebase now. These are already broken — no need to wait for quantum computers.
Enable TLS 1.3 Everywhere
TLS 1.3 is faster, more secure, and easier to upgrade to hybrid PQC when the time comes. Disable TLS 1.0 and 1.1 today.
Audit Key Lengths
Ensure RSA keys are at least 3072-bit and ECC keys are at least 256-bit. Short keys are the lowest-hanging fruit for quantum attackers.
Start Your PQC Roadmap
A documented migration plan satisfies most current regulatory requirements. You don't need to implement PQC today — but you need a plan for when you will.
Get a Vendor-Aware PQC Assessment
We don't just tell you what's vulnerable — we tell you what's blocked by vendors, what's at HNDL risk, and what you can actually fix today.
Request Assessment