There’s only so much preparation you can do without knowing exactly what you’re preparing for.
So far, this has been a big hurdle to PQC readiness.
Most organizations are happy to do a bit of scoping and preparation. But they can’t reasonably invest resources into something before they have clear guidance from regulators and public bodies.
Finally, the ambiguity and uncertainty around PQC are coming to an end.
So, now that the International Year of Quantum Science and Technology (2025) has come to an end… What should organizations expect the PQC compliance landscape to look like?
Michael Murphy, Deputy CTO at Arqit, has a shortlist of PQC expectations for 2026.
First and foremost, he argues that public bodies need to:
“Regulation is what drives improvements in cyber hygiene,” he explains. “Many organizations need that push and guidance to move from awareness to action. And that’s very reasonable when you consider the potential commercial consequences of moving before you have clear guidance. You could end up investing in technologies that don’t get backing, and lose a lot of time and money.”
Murphy believes that public bodies around the world will step up this year and deliver firm timelines and guidance that organizations need to start taking real action on PQC migration.
For over a year, we’ve had FIPS-validated PQC standards: FIPS 203, 204, and 205.
Now, another major milestone is approaching: the arrival of the first fully FIPS-validated cryptographic modules for post-quantum algorithms.
That may sound like a mouthful, but it’s an important step forward. A cryptographic module is a component of an IT system that securely implements cryptographic algorithms.
The Cryptographic Module Validation Program, operated by NIST and the Canadian Centre for Cyber Security, aims to “promote the use of validated cryptographic modules and provide Federal agencies with a security metric to use in procuring equipment containing validated cryptographic modules”.
Put simply, the program aims to make it easier for federal agencies (and ultimately, everyone) to purchase IT systems that contain secure cryptographic modules. There are already over 1,000 validated modules, but none currently use validated PQC encryption standards.
Murphy expects these validations to start appearing toward the end of the year.
Why does this matter? FIPS validation is often the gatekeeper for adoption in government, defence, finance, and other regulated environments. Once validated modules exist, PQC can move beyond pilots and proofs of concept into:
At that point, PQC stops being a “tomorrow problem” and starts becoming an operational reality.
Digital and data sovereignty are rising sharply on the agenda, especially in the EU and UK. This is driven by regulations such as DORA and NIS2, as well as a sense that old assumptions about global alliances and shared infrastructure no longer hold in quite the same way.
Murphy outlines three broad options for global organizations dealing with varied regional rules:
The good news is that full data sovereignty in the public cloud is now possible.
For example, Arqit and Intel have developed a solution using Trust Domains and quantum-safe -key encryption that ensures data is securequantum-safe at rest, in transit, and in use. This allows organizations to retain the scale and economic benefits of public cloud while helping them manage current and likely future compliance needs.
Standards and regulations are essential and will drive PQC adoption. But Roberta Faux, US Head of Cryptography and Field CTO at Arqit, argues that meaningful progress depends on deeper collaboration between government and industry:
“We can tell organizations to meet certain standards, but that’s extremely difficult if the commercial reality doesn’t match the regulatory landscape,” she explains. “Procurement is a powerful lever for adoption, so we need practical collaborations and real integrations between the public and private sectors as soon as possible.”
“Organizations need to make purchasing decisions with confidence without running into compliance problems a year or two down the line,” she continues. “That means we need shared testbeds and procurement profiles, so that ‘quantum safe’ in a brochure actually aligns with what works at scale in real environments.”
Naturally, we’re doing everything we can to push PQC readiness forward. In the last year, Arqit has joined several relevant bodies and programs, including:
Through these and our own continued research, development, and real-world implementation of PQC solutions, we continue to help organizations prepare for the post-quantum world.
To find out how Arqit can help your organization prepare for PQC migration and remain compliant in the post-quantum world, get in touch.
18 February 2026