NCSC proposes its PQC transition timeline to UK policymakers: guiding the UK to a quantum-safe future
Content provided by Cath Firmin.
Post-quantum cryptography is no longer an abstract problem. It's a technology transformation that touches every layer of critical infrastructure, from policy to procurement, systems to supply chains. In this episode, Dr. Jeremy Bradley, Principal Technical Director at the UK’s NCSC and lead author of the government’s official PQC timeline guidance, breaks down how the UK is approaching this monumental shift.
Jeremy explains why the NCSC focused on organisational readiness and available technology rather than waiting for a cryptographically relevant quantum computer (CRQC). He unpacks how government and industry can work together without formal policy mandates, the importance of sector-wide movement, and what it takes to make your supply chain quantum-safe.
What You'll Learn:
- Why PQC migration is best treated as a technology change programme, not a cryptographic fix
- The UK's phased migration roadmap and why 2035 is a realistic end-date
- How advisory bodies like NCSC shape national direction without enforcing policy
- What legacy infrastructure, vendor roadmaps, and sector alignment have in common
- How to drive internal buy-in using the language of risk, not quantum timelines
- Why collaboration, transparency, and shared learning are critical in high-stakes sectors
Dr. Jeremy Bradley is Principal Technical Director for Cryptography and High Threat Technologies at the UK’s National Cyber Security Centre (NCSC). He leads the team behind the newly released Timelines for Migration to Post-Quantum Cryptography guidance. At NCSC, Jeremy oversees cryptographic assurance for the UK’s sensitive systems, advises across government and regulated sectors, and drives strategy for secure implementations. His work spans technical standards, inter-agency cooperation, and future-focused guidance to help the UK become quantum-safe.
Your Roadmap to Post-Quantum Readiness:
[03:10] Step 1: Understand the NCSC’s Role in the Cybersecurity Ecosystem
The NCSC isn’t a policymaker: it doesn’t mandate, legislate, or enforce. Instead, its strength lies in providing deeply technical, context-aware guidance to government departments, regulators, and sectors that run the UK’s critical infrastructure. Jeremy explains how this advisory role enables the NCSC to influence national cyber posture through trust, collaboration, and technical credibility. By staying connected to sector-specific realities, like what’s feasible in telecoms vs. energy, they help shape decisions that matter without issuing formal rules.
[05:00] Step 2: The Timing Behind the UK’s Guidance
The UK’s new PQC guidance wasn’t dropped in a vacuum; it’s the result of years of groundwork. Jeremy highlights how the foundational pieces have finally aligned: algorithm standards are in place, certified implementations are available, and protocols are maturing. Meanwhile, government departments and regulators are actively asking for support as they prepare sector-specific plans. It’s not about waiting for a quantum computer to arrive; it’s about moving because we finally can.
[07:00] Step 3: Migration as a Technology Change, Not a Quantum Reaction
Instead of reacting to an unknown future event, the arrival of a CRQC, the NCSC frames PQC migration like any other major tech transformation. Jeremy explains how organisations should approach it with a project management mindset: define end states, audit systems, plan upgrades, and refine over time. This engineering-first, risk-managed approach feels familiar to CISOs and CTOs and helps cut through the noise of hypothetical quantum fears. It’s not about guessing when; it’s about preparing how.
[10:15] Step 4: Driving Adoption Without Policy Enforcement
If the NCSC can’t enforce action, how does it drive real adoption? Through deep partnerships across government and industry. Jeremy describes how they work sector by sector (finance, telecoms, energy, etc.) through advisory frameworks, guidance, and technical toolkits that regulators and agencies can lean on. They also influence key tools like the UK’s Cyber Assessment Framework, ensuring PQC is embedded in broader risk conversations. This has resulted in movement, even without mandates.
[13:04] Step 5: The Real Migration Risk is in Its Legacy
Boards may not lose sleep over quantum decryption, but they should over legacy systems. Jeremy shifts the narrative from quantum as an abstract threat to legacy as a very real, growing one. The risk isn't that a CRQC appears overnight, but that your infrastructure becomes unsupported, rigid, and expensive to maintain. Treating PQC migration as a chance to modernise legacy environments makes it easier to justify and more urgent to act on.
[16:49] Step 6: Launching a PQC-Qualified Consultancy Scheme
To scale migration across the UK, Jeremy reveals that the NCSC is launching a scheme to vet and recognise consultancies with true PQC expertise. It’s about ensuring organisations can find partners who understand cryptography, can assess systems, and offer repeatable, strategic guidance, not just sell buzzwords. The programme starts with a pilot cohort and aims to grow a national pool of trusted advisors. For both large enterprises and small firms, this initiative creates a clear path to credible help.
[19:55] Step 7: How to Communicate Risk and Get Buy-In
Talking about quantum doesn’t always land with leadership. Jeremy suggests a better angle: frame the conversation around business risk, legacy management, and operational complexity. Rather than “a quantum computer is coming,” try “your systems may be stuck with outdated security tech that vendors stop supporting.” When risk is tied to budget, compliance, and resilience, not just cryptographic theory, the board listens. And that unlocks funding, alignment, and momentum.
[23:33] Step 8: What to Prioritise in the First 24 Months
Jeremy lays out a practical near-term action plan: start with system discovery. Identify your most critical systems, map your data flows, and get clear on who manages your cryptographic tools: you or your vendors. These early steps shape your strategy and timelines. For most, PQC migration will rely heavily on understanding systems, not mastering algorithms. The more visibility you gain now, the fewer roadblocks you’ll face later.
[25:50] Step 9: Use Supply Chain Pressure to Drive Change
Even if you don’t directly control your cryptography, you still influence it. Jeremy points out that most sectors rely on a shared set of suppliers, so when industries move together, vendors listen. By using early discovery work to ask tough questions such as “What’s your PQC roadmap?”, organisations can pressure vendors to evolve faster. The goal isn’t just awareness; it’s collective influence that lifts the entire ecosystem.
[27:26] Step 10: The UK’s Role in Global PQC Standards
The UK isn’t just following global standards; it’s helping shape them. Jeremy highlights the NCSC’s role in bodies like IETF and ETSI, and how they’ve contributed clarity through work like hybrid cryptography definitions. These technical contributions matter because they reduce ambiguity and align industry efforts across borders. It’s a quiet but powerful form of leadership that is currently building the foundations for smoother global collaboration in the post-quantum world.
Episode Resources:
- NCSC website
- Download: NCSC Timelines for PQC Migration
- Johannes Lintzen on LinkedIn
- PQShield Website
Want exclusive insights on post-quantum security? Stay ahead of the curve—subscribe to Shielded: The Last Line of Cyber Defense on Apple Podcasts, Spotify, and YouTube Podcasts.
✔ Get insider knowledge from leading cybersecurity experts.
✔ Learn practical steps to future-proof your organization.
✔ Stay updated on regulatory changes and industry trends.
Need help subscribing? Click here for step-by-step instructions.