Recognizing the imminent threat posed by the advent of powerful quantum computers, Canada has unveiled a comprehensive and ambitious timeline to safeguard its critical government systems through a nationwide transition to post-quantum cryptography (PQC). This proactive strategy, detailed in a roadmap released by the Canadian Centre for Cyber Security (Cyber Centre), sets clear milestones through 2035, aiming to fortify federal IT infrastructure against decryption by future quantum machines.
The move comes as experts warn that malicious actors may already be engaged in a “harvest now, decrypt later” strategy, collecting currently encrypted sensitive data with the intent to decrypt it once quantum computing capabilities mature. The Communications Security Establishment Canada (CSE) assesses that a quantum computer capable of breaking many current cryptographic standards could emerge as early as the 2030s.
Effective June 23, 2025, the new directive mandates all federal departments to develop initial PQC migration plans by April 2026, with annual progress reports thereafter. High-priority systems are slated for full PQC migration by the end of 2031, and all remaining systems must complete their transition by 2035.
The undertaking is colossal, requiring a meticulous audit of all systems utilizing vulnerable public-key encryption. This includes a vast array of IT assets, from server racks and laptops to smart cards, printers, and voice-over-IP phones. Each department is tasked with identifying and prioritizing these components, determining their criticality and vulnerability to quantum attacks.
To facilitate this complex transition, departments are required to appoint a senior-level PQC migration executive lead, supported by a technical lead and a cross-functional committee. These teams will be responsible for not only the planning and execution of the migration but also for educating staff on quantum risks, managing budgets for system upgrades, and integrating PQC into future procurement policies.
The Cyber Centre cautions that a complete overhaul may be necessary for some legacy systems that lack the flexibility for PQC retrofitting. For others, interim protective measures like secure tunneling or network isolation might be employed. The roadmap underscores the critical importance of early planning to avoid rushed procurements and inflated costs.
This initiative is a cornerstone of Canada’s broader National Quantum Strategy, which allocates $360 million over seven years to bolster Canada’s quantum research, talent, and commercialization efforts, while simultaneously ensuring the nation’s cybersecurity in a quantum-enabled world. The Cyber Centre, in collaboration with Shared Services Canada (SSC) and the Treasury Board of Canada Secretariat (TBS), will provide ongoing technical guidance, oversight, and compliance monitoring, ensuring a unified and secure transition for all government systems.
