Canada’s Harvest Now Decrypt Later & Post-Quantum Migration
Canada Sets 2035 Quantum Cyber Defence Initiative Deadline
Canada accelerates its transition to post-quantum encryption standards in crucial sectors to combat Harvest Now Decrypt Later (HNDL).
Canada has announced a multi-year initiative to protect its government IT systems from quantum computers. All government IT systems that aren't classified as post-quantum cryptography (PQC) must be transformed by 2035, according to the initiative, which started on June 23, 2025. The government's dedication to safeguarding personal information from quantum technologies is demonstrated by this ambitious timeframe.
The Canadian Centre for Cyber Security's roadmap sets strict requirements for government agencies. Initial PQC migration plans and annual progress reports are expected April 2026. High-priority systems should be transferred by 2031, while all other systems should be upgraded by 2035. Cloud providers and in-house IT infrastructure are included.
Quantum Threat: “Harvest Now Decrypt Later”
Quantum computers could replace encryption, making this project vital. The plan opposes “harvest now, decrypt later”. Malicious actors may be amassing encrypted material now to decipher it when quantum computing is practical. Since they are vulnerable to HNDL, systems that protect data privacy over public networks are prioritised for migration.
PQC replaces vulnerable public-key cryptography for user authentication, communication security, and other essential functions to reduce this cryptographic risk. Standardised PQC algorithms are recommended by the Cyber Centre based on worldwide standards finalised by NIST.
A Comprehensive Government Approach with Clear Duties This complex, multi-year effort requires GC devotion and teamwork. Important parties include:
The Communications Security Establishment's Canadian Centre for Cyber Security (Cyber Centre), Canada's IT security authority, provides technical guidance, oversight, and compliance monitoring throughout the multi-phase process. They will also update network protocol setup instructions and a shared resource repository.
Treasury Board Secretariat (TBS) provides strategic direction, policy leadership, and government-wide security management. TBS will release policy tools to compel progress reporting and departmental PQC migration strategies.
Shared Services Canada (SSC) develops its PQC migration strategy and advises TBS and the Cyber Centre on its viability while administering IT services and infrastructure for many departments.
Federal departments and agencies: Each agency handles cybersecurity issues within its program area. They must establish and implement tailored PQC migration plans for their systems, including contractual cloud services.
Phased Execution for Smooth Transition
The roadmap's three PQC migration phases should overlap:
Prepare: Departments must prepare a PQC migration plan. This requires a cross-functional committee, a PQC Migration Technical Lead for coordination, and a PQC Migration Executive Lead (typically the Designated Official for Cyber Security or a delegated executive official) for oversight and accountability.
This phase includes financial planning to decrease costs using IT equipment lifecycles and modernisation strategies. This is because delays can lead to rushed purchases and higher costs. An education plan is needed to inform employees about the quantum threat and migration status. Procurement legislation must be amended to ensure new systems meet PQC, cryptographic agility, and Cyber Centre-recommended contract conditions and certification criteria.
Identification: This key process involves a thorough audit to find all cryptography usage across IT systems. The scope includes network services, operating systems, applications, and physical assets including server racks, laptops, printers, and smart cards. We want to create a complete inventory of system components, vendors, security measures, configurations, dependencies, and accountable contacts.
Departments must prioritise “harvest now, decrypt later” systems. Discovery will employ existing ITSM procedures and software tools, such as network monitoring, EDR, and SIEM solutions. The Cyber Center's sensors program should aid this identification. To understand vendor PQC roadmaps and product compatibility, engage vendors early.
Implement system replacements, updates, secure tunnelling, or network isolation based on inventories. Impact assessments, rollback playbooks, testing staging environments, and post-transition monitoring should be part of IT transition plans. Though the initial range of PQC-capable devices is minimal, providers are increasingly adopting new standards. The change may require backward compatibility and a second phase to disable outdated, vulnerable encryption. Legacy systems that cannot be retrofitted may need complete replacement or network isolation or secure tunnelling.
Governance and Support
The Cyber Centre, SSC, and TBS form the IT Security Tripartite, which governs the effort. It oversees compliance and advises. The Canadian Government's Enterprise Architecture Review Board (GC EARB) will ensure new systems meet cybersecurity and digital service standards. Progress reports will be included in government digital services planning to ensure transparency and help agencies adjust timetables and resources.
Interdepartmental Quantum Science and Technology (S&T) Coordination Committees oversee this pathway, which supports Canada's National Quantum Strategy. The Cyber Centre will advise and steer using the TBS GCxchange platform for resource exchange and the Learning Hub for quantum threat education.
Interdepartmental Quantum Science and Technology (S&T) Coordination Committees oversee this pathway, which supports Canada's National Quantum Strategy. The Cyber Centre will advise and steer using the TBS GCxchange platform for resource exchange and the Learning Hub for quantum threat education.











