Insider Brief
- Canada has launched a formal roadmap to migrate all federal non-classified IT systems to post-quantum cryptography by 2035 to defend against future quantum-enabled threats.
- Departments must submit initial migration plans by April 2026, prioritize critical systems for transition by 2031, and complete all remaining upgrades by 2035.
- The Canadian Centre for Cyber Security, working with TBS and SSC, will provide technical guidance, oversight, and compliance monitoring throughout the multi-phase process.
The Canadian government has launched a formal plan to protect its federal IT infrastructure from the looming risks posed by quantum computers, setting strict milestones through 2035 for a nationwide migration to post-quantum cryptography.
Detailed in a roadmap published by the Canadian Centre for Cyber Security, the initiative mandates all federal departments to adopt encryption standards that are resistant to attacks from quantum machines. These computers, once powerful enough, could render many current encryption methods obsolete, potentially exposing sensitive government data to future decryption.
The strategy, effective as of June 23, 2025, sets out clear deadlines. Federal departments must submit an initial post-quantum cryptography (PQC) migration plan by April 2026 and continue reporting annually. High-priority systems must complete migration by the end of 2031, with all remaining systems transitioned by 2035. The roadmap applies to non-classified systems and includes IT infrastructure managed both internally and through third-party services, such as cloud providers.
The Cyber Centre, Canada’s lead authority on IT security and part of the Communications Security Establishment, issued the plan in partnership with Shared Services Canada (SSC) and the Treasury Board Secretariat (TBS). The roadmap aligns with global standards being finalized by the U.S. National Institute of Standards and Technology (NIST) and supports Canada’s broader National Quantum Strategy.
According to the guidance, departments are expected to identify all systems currently relying on vulnerable public-key encryption—used for securing communications, authenticating users, and other functions. The risk isn’t just theoretical and not just a threat set in the vague future. The roadmap warns that hostile actors may already be collecting encrypted data with the intent to decrypt it later when quantum computing becomes viable, a strategy known as “harvest now, decrypt later.”
Departments must first carry out a comprehensive audit to locate all instances of cryptographic usage. This includes everything from server racks and laptops to smart cards, printers, and voice-over-IP phones. The aim is to build a full inventory of components using at-risk encryption, identifying those most critical and vulnerable.
To coordinate the transition, each department must appoint a PQC migration executive lead from senior management, supported by a technical lead and a cross-functional committee. These teams are responsible not only for planning and execution but also for educating staff on quantum risks, budgeting for system upgrades, and integrating PQC into procurement policies.
The Cyber Centre cautions that not all existing systems can be retrofitted. Some legacy systems may require full replacement, while others might be protected in the interim through secure tunneling or network isolation. The roadmap emphasizes that early planning is essential to avoid rushed procurement and higher costs.
The transition phase will rely heavily on identifying which products and services can be upgraded and which must be replaced. The guidance encourages departments to engage vendors early to confirm PQC roadmaps and product compatibility. Some cryptographic modules will need to be certified through recognized programs, and new purchases must allow for cryptographic flexibility to adapt to evolving standards.
The Cyber Centre will provide further technical assistance through its sensor programs and network monitoring tools. It also plans to update network protocol configuration guidance and maintain a shared resource repository via the TBS GCxchange platform.
Governance of the initiative will be coordinated by the IT Security Tripartite—a joint body comprising the Cyber Centre, SSC, and TBS—which will oversee progress, manage compliance, and issue additional guidance. Departments are also subject to oversight by the Government of Canada’s Enterprise Architecture Review Board, which ensures new systems meet cybersecurity and digital service standards.
Progress reports will be integrated into the federal digital services planning process. The government intends these reports to ensure transparency and help departments adjust timelines and resources as needed.
Read the entire document here.
0 Comments