Reference
Post-quantum regulatory timeline
The dated obligations driving the transition, in order. Entries marked proposed are directed but not yet issued; entries marked draft are published for comment and not final. Every entry links to a primary source.
- 13 Aug 2024
NIST publishes the first post-quantum standards
FIPS 203 (ML-KEM), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA) are finalized.
NIST - 11 Mar 2025
NIST selects HQC as an additional algorithm
A backup key-encapsulation mechanism is chosen to complement ML-KEM (NIST IR 8545).
NIST - 6 Jun 2025
Executive Order 14306 signed
Directs DHS, through CISA, to publish a list of product categories that support post-quantum cryptography.
CISA - 23 Jan 2026
CISA publishes the Product Categories list
An initial list of technology categories that support or are transitioning to post-quantum standards.
CISA - 22 Jun 2026
Executive Order 14412 signed
Securing the Nation Against Advanced Cryptographic Attacks. Sets federal deadlines and directs a procurement rule for contractors.
White House - 24 Jun 2026
OMB Memorandum M-26-15
Directs agencies to execute the migration and names an automated cryptographic inventory, populated into a CBOM, as its foundation.
White House - 22 Oct 2026proposed
Agency migration plans due to OMB
Within 120 days of M-26-15, agencies submit post-quantum migration plans.
White House - 1–3 Dec 2026
PKI Consortium PQCMM certification program
The Post-Quantum Cryptography Maturity Model certification program is announced at the PQC Conference in Amsterdam.
PKI Consortium - ~Dec 2026proposed
FAR proposed rule for contractors
Within 180 days of EO 14412, the FAR Council proposes a rule requiring covered contractors to meet post-quantum FIPS by the end of 2030.
Federal Register - ~Mar 2027proposed
CISA defines the minimum elements of a CBOM
Within 270 days of EO 14412, CISA publishes guidance on the minimum elements for a Cryptographic Bill of Materials.
Federal Register - 31 Dec 2030
Federal key-establishment deadline
High Value Assets and high-impact systems must move to post-quantum key establishment. Covered contractors must meet post-quantum FIPS.
White House - 31 Dec 2031
- After 2035draft
NIST disallows classical public-key algorithms
Draft NIST guidance (IR 8547) proposes deprecating RSA and elliptic-curve algorithms after 2030 and disallowing them after 2035.
NIST
This timeline covers the United States, where the obligations are furthest along. See standards alignment for the technical standards behind these dates.