Written by SONNY SEHGAL | CEO
Post-quantum security can sound like something you can push into the “later” pile. For many UK organisations, that would be a mistake.
You do not need to panic, and you do not need to rebuild everything this quarter. But you do need to start. The National Cyber Security Centre has made that clear. In March 2025, the NCSC published migration timelines that tell organisations to begin discovery and planning now, with key milestones by 2028, 2031 and 2035. By 2035, organisations should aim to complete migration to post-quantum cryptography across systems, services and products.
That matters because the risk is not only about the day a cryptographically relevant quantum computer appears. It is also about long-life data that could be collected now and decrypted later. The NCSC’s guidance on preparing for post-quantum cryptography is built around exactly that problem: some information encrypted today may still need to remain confidential years from now.
For UK organisations already using AWS, this is not just a theoretical research topic. AWS has been rolling out post-quantum capabilities and publishing a clearer migration path, including support for hybrid post-quantum TLS in services such as AWS KMS and guidance across its security documentation.
The real question is not whether post-quantum security is relevant. The real question is what you should start doing now without turning it into a bloated, expensive programme that goes nowhere.
Why UK organisations should act before the deadline pressure hits
A lot of cyber work becomes harder and more expensive when you leave it too late. Post-quantum migration is one of those areas.
Unlike a normal patching cycle, this is not just about updating one product. Public-key cryptography sits across identities, VPNs, certificates, software libraries, APIs, email security, device management, key infrastructure, third-party platforms and custom applications. The NCSC has been very direct that migration to PQC is a multi-year effort that will span more than one investment cycle.
That message lands in a UK cyber environment that is already under pressure. The government’s Cyber Security Breaches Survey 2025 found that 43% of UK businesses and 30% of charities reported experiencing a cyber security breach or attack in the previous 12 months.
So this is not a niche issue sitting outside your normal security priorities. It sits inside the same wider challenge: how you improve resilience now while preparing for threats that will become more serious over time.
If your business runs workloads in AWS, the good news is that you do not need to invent the roadmap on your own. You can align post-quantum preparation with wider improvements in cloud security, managed IT services, and cyber security services, rather than treating it as a separate science project.
What post-quantum security actually means in practice
In simple terms, post-quantum cryptography is about using cryptographic algorithms that are designed to resist attacks from both classical and future quantum computers. AWS describes its own approach as deploying NIST-standardised post-quantum algorithms that are intended to resist both types of attack.
For most organisations, this does not mean ripping out every encryption control today. It means understanding where you currently depend on public-key cryptography and where the biggest long-term risks sit.
That usually includes:
- TLS connections protecting data in transit
- PKI and certificate-based trust
- Key exchange mechanisms
- Digital signatures
- Identity systems and federation
- Secrets distribution
- Legacy applications using older cryptographic libraries
- Third-party tools you do not fully control
This is why discovery matters so much. If you cannot see where cryptography lives in your estate, you cannot plan a sensible migration.
What AWS is doing now
AWS has moved beyond broad statements and into practical rollout.
AWS says it is deploying NIST-standardised post-quantum algorithms, and in December 2024 it published a post-quantum cryptography migration plan explaining its path forward. AWS documentation also confirms that AWS KMS supports an optional hybrid post-quantum key exchange for TLS connections, and that supported algorithms now include ML-KEM variants for key agreement.
AWS has also published configuration guidance for hybrid post-quantum TLS with AWS KMS and Amazon S3, and Secrets Manager documentation states that the Secrets Manager Agent uses ML-KEM key exchange as the highest-priority option by default.
That does not mean every AWS service and every customer workload is automatically “quantum safe” already. It means AWS is creating the building blocks for staged migration, and you should be watching which services, endpoints and integrations matter most to your own environment.
For organisations with complex estates, this is exactly where AWS managed services and AWS Landing Zones become useful. A clean AWS foundation makes cryptographic inventory, policy enforcement and phased migration easier than trying to retrofit controls into a messy estate.
What UK organisations should start doing now
You do not need to complete migration this year. But you do need to build momentum. The most practical steps are usually the least glamorous ones.
1. Treat post-quantum migration as a board-level risk and planning issue
This is not just a technical decision for infrastructure teams. It touches confidentiality, compliance, supplier risk, long-term data protection, procurement and investment planning.
If your organisation stores data that needs to remain confidential for many years, you should be asking tougher questions now. That includes legal documents, financial records, intellectual property, healthcare data, identity data, security logs and sensitive customer information.
The NCSC’s roadmap is useful here because it gives you a planning rhythm rather than an abstract warning. By 2028, organisations should define migration goals, carry out discovery and build an initial plan.
2. Run a cryptography discovery exercise across your estate
This is the big one.
You need to know where public-key cryptography is used across your AWS and wider IT environment. That means cloud workloads, on-premises dependencies, SaaS, endpoint tools, identity systems, certificates, internal APIs, data pipelines and third-party platforms.
Focus on questions like these:
- Which systems rely on RSA or elliptic curve cryptography for key exchange or signatures?
- Which applications depend on certificates or internal PKI?
- Which workloads hold long-life sensitive data?
- Which third-party services may be slow to support PQC?
- Which custom applications are tied to old libraries or unsupported software?
Without this discovery work, the rest of the programme becomes guesswork.
This kind of visibility also overlaps with broader managed SOC services, vulnerability management, and ongoing AWS governance. A mature security function is usually better at finding cryptographic dependencies because it already understands the estate.
3. Identify the “harvest now, decrypt later” risk first
Not all data has the same time horizon.
If a piece of information only needs to stay sensitive for a few weeks, it is a different problem from data that needs protection for 10 or 20 years. The NCSC’s preparation guidance is clear that long-term confidentiality is central to the problem.
That means you should classify workloads based on how long the data needs to stay secure, not just how important the system feels today.
For many UK organisations, the early priority list will include:
- Sensitive regulated data
- Customer identity information
- Financial systems
- Intellectual property
- Legal and contractual archives
- Executive communications
- Authentication infrastructure
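Steps 2 and 3 can be combined in one pass, shown here as an added example that is not from the original article: scan configuration text for public-key algorithm identifiers, then rank the findings so that quantum-vulnerable key exchange protecting long-life data comes first. The rule set, asset names, config keys, retention figures and the 10-year horizon are constructed assumptions.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "asset line token use status")

# Constructed starting rules; hybrid names are claimed before the plain X25519 rule.
RULES = [
    (r"X25519MLKEM768|SecP256r1MLKEM768|ML-?KEM(?:-?\d+)?", "key-exchange", "pq-or-hybrid"),
    (r"ML-?DSA(?:-?\d+)?", "signature", "pq-or-hybrid"),
    (r"\bECDHE?\b|\bX25519\b|\bDHE\b", "key-exchange", "quantum-vulnerable"),
    (r"\bRSA\b|\b(?:RS|PS|ES)(?:256|384|512)\b|ssh-rsa|ECDSA", "signature", "quantum-vulnerable"),
]

def scan(asset, text):
    """Return a Finding for every algorithm identifier in a config fragment."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        work = line.split("#", 1)[0]              # ignore trailing comments
        for pattern, use, status in RULES:
            def claim(m, use=use, status=status):
                findings.append(Finding(asset, n, m.group(0), use, status))
                return " " * len(m.group(0))      # blank it out for later rules
            work = re.sub(pattern, claim, work, flags=re.I)
    return findings

def prioritise(findings, retention_years, horizon_years):
    """Sort so harvest-now, decrypt-later exposure (rank 0) comes first."""
    def rank(f):
        if f.status != "quantum-vulnerable":
            return 3                              # already PQ or hybrid
        if f.use != "key-exchange":
            return 2                              # signatures: no stored-traffic risk
        return 0 if retention_years.get(f.asset, 0) >= horizon_years else 1
    return sorted(findings, key=lambda f: (rank(f), f.asset, f.line))

# Constructed sample inventory: asset name -> config text, and retention in years.
SAMPLES = {
    "legal-archive-api": "ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256;\njwt_alg = RS256\n",
    "kms-client": "tls_groups = X25519MLKEM768  # pilot\n",
    "promo-site": "curves = X25519\n",
}
RETENTION = {"legal-archive-api": 20, "kms-client": 10, "promo-site": 0}

def run_demo(horizon_years=10):
    findings = [f for asset, text in SAMPLES.items() for f in scan(asset, text)]
    return prioritise(findings, RETENTION, horizon_years)

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

Text matching only finds identifiers that are written down; certificates, compiled binaries and vendor defaults need their own discovery sources feeding the same ranking.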
4. Build crypto agility into new AWS projects
One of the biggest mistakes is waiting for a full migration programme before improving new designs.
You should already be asking whether new systems are easier to update when cryptographic standards change. That is the idea behind crypto agility: designing systems so algorithms, certificates, libraries and trust chains can be updated without a full rebuild.
In practical AWS terms, that means:
- Avoiding hard-coded cryptographic choices in custom applications
- Keeping dependencies and SDKs current
- Using managed AWS services where feasible
- Standardising certificate and key management
- Reducing legacy exceptions
- Documenting external dependencies clearly
This is where strong cloud architecture pays off. If your estate is fragmented, migrations take longer and cost more. If it is built cleanly, the path becomes far more manageable. That aligns well with secure AWS environments, AWS cloud strategy, and AWS cost governance, because good structure helps both security and spend control.
5. Track AWS service support and vendor readiness
Post-quantum migration will not happen at the same pace everywhere.
AWS is moving, but your third-party vendors, internal tools and legacy platforms may not be. You need a live view of what is supported now, what is on the roadmap, and what remains a blocker.
That is particularly important for:
- Identity providers
- Network security tooling
- Endpoint agents
- PKI vendors
- Email and collaboration platforms
- Backup providers
- SaaS platforms with sensitive data flows
For hybrid and remote organisations, you should also connect this work with Microsoft Modern Workplace planning, because user access, device trust and collaboration data all sit inside the wider long-term risk picture.
6. Test hybrid post-quantum options in controlled workloads
For most organisations, the next sensible technical step is not a full migration. It is testing.
AWS documentation gives you practical routes to test hybrid post-quantum TLS in supported services such as AWS KMS and Amazon S3. That makes pilot exercises much more realistic than they were a couple of years ago.
A good pilot should answer questions such as:
- What changes are needed in your client applications?
- Is there any performance impact?
- Which development teams need to adapt code or dependencies?
- How will support and monitoring teams validate these connections?
- Which policies or standards need updating?
The point of a pilot is not to tick a box. It is to find friction early while the scope is still small.
7. Align post-quantum work with your wider cyber resilience programme
PQC should not sit in a silo.
If you already have projects around identity, secure remote access, certificate management, cloud governance, application modernisation or incident response, use those programmes to reduce future migration pain now.
That means linking the work to:
- Cyber incident response services
- 24/7 IT support services
- Managed IT service desk
- Remote IT support
- Device as a service
If your teams already have better visibility, cleaner assets, stronger patching and clearer ownership, post-quantum migration becomes less disruptive.
8. Budget for this as a phased programme, not a one-off spend
There is no single “post-quantum upgrade fee”. The cost comes from discovery, architecture work, vendor changes, testing, migration effort and occasional redesign.
For UK organisations, that means planning budgets over multiple years instead of trying to force everything into a single annual cycle. Some of the work will be operational. Some will be project-based. Some will arrive indirectly through supplier renewals and platform refreshes.
That phased approach matches the NCSC’s timeline and is usually more realistic financially. It also reduces the risk of rushed decisions and poor-quality migrations.
What not to do
There are a few traps worth avoiding.
- Do not assume AWS will solve the whole issue for you automatically.
- Do not wait until regulators or customers force the conversation.
- Do not treat this as a networking-only problem.
- Do not ignore long-life data just because your production systems seem stable today.
- Do not let unsupported legacy applications quietly become your future blocker.
- And do not confuse “we are watching the space” with “we have a migration plan”.
The next move should be practical, not theoretical
Post-quantum security on AWS is not something to ignore until the last minute. For UK organisations, the smarter move is to begin now with discovery, prioritisation, pilot testing and better architectural discipline.
You do not need to overhaul your estate overnight. You do need a credible plan.
That is especially true if your business relies on AWS for critical workloads, stores data that must remain confidential for years, or is already modernising cloud operations and cyber resilience. In those cases, post-quantum preparation is not a side topic. It is part of doing cloud security properly.
If you want help turning post-quantum planning into a realistic AWS roadmap, Transputec can support you through AWS managed services, cloud security, cyber security services, and a stronger secure foundation with AWS Landing Zones.
FAQs
1. What is post-quantum cryptography in simple terms?
Post-quantum cryptography is a set of cryptographic algorithms designed to remain secure even if powerful quantum computers become practical. It is mainly relevant because some of today’s widely used public-key methods could eventually be broken by quantum-capable attackers. For most organisations, it is less about immediate replacement and more about staged preparation, discovery and migration planning over several years. AWS and the NCSC are both treating this as a real transition challenge rather than a distant theory.
2. Does every UK organisation need to act now?
Not every organisation needs to migrate at the same pace, but every organisation should start preparing now. The NCSC’s guidance is aimed broadly at UK organisations and sets planning milestones that begin with discovery and goal setting well before full migration. If you handle long-life sensitive data, run critical services, or depend heavily on cloud and third-party platforms, early planning matters even more.
3. Is AWS already post-quantum secure by default?
No, not in the sense that every service and every customer workload has automatically completed migration. AWS is actively rolling out post-quantum capabilities and has published support in areas such as hybrid post-quantum TLS for AWS KMS, along with broader migration plans. You still need to understand which AWS services you use, what support exists today, and what changes your own applications and clients require.
4. What should be the first practical step for most organisations?
For most organisations, the first step should be a cryptography discovery exercise. That means identifying where public-key cryptography is used, which systems hold long-life sensitive data, which third parties are involved, and where legacy dependencies sit. Without that, it is very hard to prioritise risk or build a realistic roadmap. The NCSC’s 2025 timeline specifically highlights discovery and initial planning as early milestones.



