Financial businesses and public entities should have fully transitioned to post-quantum cryptography (PQC) by 2034 at the latest, according to the G7.
In a new document published on January 13, the G7 Cyber Expert Group (CEG) set a recommended roadmap for financial entities to test, migrate and fully transition to quantum-resistant cryptographic systems in order to anticipate the risk of potential quantum-enabled cyber-attacks in the future that would break current cryptographic systems.
The CEG is a group of cybersecurity experts that advises finance ministers of G7 member states and central bank governors on cybersecurity matters of importance for the security and resilience of the financial system.
The roadmap, developed by a dedicated CEG task force of experts from financial authorities and industry across G7 jurisdictions, is designed to inform senior leaders on the types of activities that may help organizations transition to PQC.
It is not intended to be prescriptive and does not set guidance or regulatory expectations.
It sets out six recommended phases for the transition to PQC, each with a recommended timeline:
- Awareness and preparation (2025-2027): during this first phase, the G7 CEG recommended raising awareness of the risks of quantum threats across organizations and mapping critical systems and sensitive data
- Discovery and inventory (2025-2028): this second phase, which can occur in parallel to the first phase, is dedicated to building a comprehensive inventory of systems within the organizations and third-party dependencies and identifying potential gaps
- Risk assessment and planning (2026-2029): the G7 CEG recommended starting to plan the migration for all systems, including less critical ones
- Migration execution (2027-2034): this is the core phase, during which organizations progressively migrate the cryptographic systems they use to quantum-resistant solutions, starting with priority functions
- Migration testing (2032-2035): the G7 CEG advised spending enough time testing that the migrated systems are working as they should and conducting ecosystem-oriented quantum-resilience exercises
- Validation and monitoring (2033-2035): the G7 CEG recommended continuing to validate and improve systems once the test phase is officially over, including by incorporating new cryptographic standards as they become available
Additionally, the G7 advised organizations transitioning to PQC systems to build their plan on a risk and standards-based approach – preferably by integrating it into existing governance and risk management frameworks and technology strategies – and to remain flexible in their migration plans and allow for recalibration over time.
“Organizations may also benefit from incorporating a goal of cryptographic agility in their transition plans to adapt new cryptographic solutions for emerging threats and vulnerabilities,” the G7 experts wrote.
Crypto agility is the ability to quickly swap out cryptographic algorithms without disrupting systems, for example, by creating an abstraction layer between the applications and the cryptography libraries that isolates security functions from the rest of the codebase.
This way, organizations can update or replace encryption methods (like switching from RSA to a post-quantum algorithm) with minimal downtime, simply by modifying the underlying library rather than rewriting entire applications.
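A minimal sketch of such an abstraction layer, added here as an illustration and not taken from the G7 document: applications call only `protect` and `verify`, every output carries a suite identifier, and retired suites are refused so an old identifier cannot be used to force a downgrade. The `CryptoProvider` class, suite names and keys are hypothetical, and HMAC-SHA-256 and HMAC-SHA3-256 are stand-ins for the legacy and replacement algorithms, because the Python standard library ships neither RSA nor a post-quantum scheme.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Callable

@dataclass(frozen=True)
class Suite:
    tag: Callable[[bytes, bytes], bytes]  # (key, message) -> authentication tag
    key: bytes                            # each suite has its own key
    retired: bool = False                 # retired suites are refused on verify

class CryptoProvider:
    """The only module that names concrete algorithms; callers see protect/verify."""
    def __init__(self, suites: dict, current: str):
        self.suites, self.current = dict(suites), current

    def protect(self, message: bytes) -> str:
        suite = self.suites[self.current]
        return f"{self.current}${suite.tag(suite.key, message).hex()}"

    def verify(self, message: bytes, envelope: str) -> bool:
        suite_id, _, tag_hex = envelope.partition("$")
        suite = self.suites.get(suite_id)
        # The suite id is attacker-controlled: accept only known, non-retired ids.
        if suite is None or suite.retired:
            return False
        try:
            supplied = bytes.fromhex(tag_hex)
        except ValueError:
            return False
        return hmac.compare_digest(suite.tag(suite.key, message), supplied)

    def retire(self, suite_id: str) -> None:
        self.suites[suite_id] = replace(self.suites[suite_id], retired=True)

# Constructed suites and keys: stand-ins, not RSA or a post-quantum algorithm.
SUITES = {
    "legacy-v1": Suite(lambda k, m: hmac.new(k, m, hashlib.sha256).digest(), b"k1" * 16),
    "next-v2": Suite(lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest(), b"k2" * 16),
}

def migrate_example():
    provider = CryptoProvider(SUITES, current="legacy-v1")
    old = provider.protect(b"payment:42")
    provider.current = "next-v2"                  # the swap: one policy change
    new = provider.protect(b"payment:42")
    during = provider.verify(b"payment:42", old)  # old data still verifies
    provider.retire("legacy-v1")
    after = provider.verify(b"payment:42", old)   # legacy suite now refused
    return old, new, during, after, provider.verify(b"payment:42", new)
```

The application code in `migrate_example` never changes across the swap; only the provider's `current` setting and the retirement of the legacy suite do.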
Finally, the G7 also encouraged collaboration across jurisdictions and all sizes and types of financial entities as well as with third parties. Such cooperation “may enable entities to learn from one another and mitigate the risk of fragmented approaches, thereby enhancing interoperability,” the document reads.
