G7 Cyber Expert Group Sets 2035 Target for Post-Quantum Cryptography Transition in Financial Services
The G7 Cyber Expert Group (CEG) has released a coordinated roadmap for the financial sector's transition to post-quantum cryptography, marking a significant milestone in international efforts to address the quantum threat. Published in January 2026, this statement provides the clearest indication yet of the timeline and approach that financial institutions should adopt.
The Core Message
The roadmap establishes 2035 as the target date for completing the migration to quantum-resistant cryptography across governmental and private sector systems. For the most critical systems, the CEG recommends addressing migration between 2030 and 2032 to limit downside risk.
This timeline reflects the reality of the "harvest now, decrypt later" threat. Data encrypted today using current algorithms could be intercepted and stored by adversaries, then decrypted once cryptographically relevant quantum computers (CRQCs) become available. For financial institutions handling sensitive customer data and transaction records, this creates an immediate strategic concern, not a future one.
A Six-Phase Approach
The G7 outlines six key migration activities for financial entities:
Awareness and Preparation involves establishing executive-level risk awareness, defining key roles, and mapping critical systems, functions, and sensitive data alongside current communication protocols.
Discovery and Inventory requires a comprehensive inventory of cryptographic assets, communication protocols, and third-party dependencies, whilst identifying gaps in people, processes, organisation, and technology capabilities.
Risk Assessment and Planning calls for tailored migration plans covering critical and less critical functions, including tools, standards, and interoperability requirements, with adapted internal processes for capability building and risk management.
Migration Execution focuses on progressive deployment of quantum-resistant solutions, starting with priority functions and adapting the transition pace to the evolving quantum threat landscape.
Migration Testing encompasses testing of migrated functions alongside ecosystem-oriented quantum-resilience exercises.
Validation and Monitoring ensures continuous validation, ongoing improvement, and incorporation of new cryptographic standards as they emerge.
Key Principles
The roadmap emphasises flexibility, recognising that not all entities face the same level of exposure or systemic importance. Organisations may apply more aggressive timelines to critical areas whilst building experience through pilot projects in lower-risk systems.
Collaboration across jurisdictions and with third-party providers is essential. Financial institutions depend heavily on technology vendors and service providers, making active management of these dependencies critical for meeting proposed timelines.
What This Means for Your Organisation
The G7 statement reinforces what many security leaders already understand: preparing for post-quantum cryptography is not optional, and the window for orderly transition is finite.
Organisations that have not yet begun a cryptographic inventory should treat this as a priority. Understanding where vulnerable algorithms exist across systems, hardware, firmware, and applications is the foundation for any migration programme. Those already engaged in PQC readiness work should review their timelines against the G7's 2030-2035 framework.
The roadmap also highlights the importance of cryptographic agility, building the capability to adapt quickly as new standards and threats emerge. This requires not just technical changes but governance structures that can support ongoing recalibration.
Read the Full Report
The complete G7 Cyber Expert Group statement, including detailed activity tables and timeline illustrations, is available on GOV.UK:
