The G7 PQC Roadmap: Why Financial Services Must Act Now on Quantum Risk

by Ben de la Salle

The G7’s coordinated roadmap for post-quantum cryptography (PQC) migration is a defining moment for financial services.

This isn’t a technical bulletin for IT teams. It’s a strategic directive aimed at finance ministries, central banks, regulators, and systemically important institutions. The message is straightforward: migration will take years, and the work must start now.

From technical debate to board-level obligation

What distinguishes this roadmap from earlier guidance is clarity—both in audience and accountability. The G7 has elevated quantum risk from a cryptographic concern to a governance imperative.

For too long, PQC has been treated as “tomorrow’s problem”. The roadmap dismantles that assumption: timelines are explicit, expectations are clear, and responsibility sits firmly at executive and board level.

At ICA Consultancy, we’ve been advising financial services clients on emerging technology risk for over two decades. The G7 roadmap reflects what we’ve consistently seen in practice: quantum readiness isn’t a technology project—it’s an enterprise transformation.

Three continuous responsibilities

The roadmap highlights three activities that must run throughout every phase of migration:

1. Governance & risk management Quantum-resilient cryptography must be embedded into governance frameworks, oversight mechanisms, and executive accountability. This is positioned as a fiduciary responsibility—not a software upgrade. Boards cannot delegate this away.

2. Managing external dependencies No institution operates in isolation. Vendor maturity, cloud provider roadmaps, protocol dependencies, and supply-chain constraints will shape your timeline. In reality, your migration pace is often dictated by your slowest critical dependency.

3. Stakeholder dialogue Structured engagement across regulators, central banks, critical infrastructure operators, and technology vendors is essential. Fragmented approaches create systemic vulnerabilities. Coordination is not optional.

Six phases of transformation

The G7 outlines six overlapping phases for PQC transition:

• Awareness & preparation

• Discovery & inventory

• Risk assessment & planning

• Migration execution

• Migration testing

• Validation & monitoring

This is one of the clearest lifecycle frameworks we’ve seen for PQC transition—and it gives institutions a practical structure for what can otherwise feel like an overwhelming challenge.

The timeline is set, and global consensus is here

The roadmap establishes globally aligned milestones:

• 2026: discovery, inventory, risk assessment, planning

• 2027 onwards: begin migration execution

• 2030–2032: critical systems migrated

• 2035: all systems migrated

These dates align closely with the direction of travel across major standards and supervisory bodies (including NIST and others). While the roadmap isn’t regulation, it represents pre-regulatory alignment—expectations being set before formal mandates arrive.

Institutions that treat this as optional guidance do so at increasing risk.

Quantum Risk: The hard part isn’t the maths

NIST-approved post-quantum algorithms exist and are being standardised. The hardest challenges are organisational:

• Executive accountability: who owns cryptographic risk at board level?

• Assurance: can you evidence progress, compliance, and residual risk to regulators and stakeholders?

• Important business services: do you know what truly matters, and the impact tolerances?

• Discovery: do you have visibility of your cryptographic estate?

• Dependency mapping: do you understand interconnections across vendors, partners, and infrastructure?

Institutions that approach PQC migration as a narrow IT initiative will struggle. Those that treat it as strategic transformation, proper governance, resourcing, and executive sponsorship, will navigate it successfully.

Superficial claims of “quantum readiness” won’t withstand scrutiny. Regulators, auditors, and counterparties will increasingly demand evidence.

Cryptgility: ICA Consultancy’s Quantum PQC services

To support this, ICA Consultancy has developed Cryptgility—our PQC services aligned to the phases of the G7 roadmap:

• Governance & assurance frameworks (embedding quantum risk into enterprise risk management)

• Migration strategy & planning (pragmatic, board-ready roadmaps)

• Dependency & risk assessment (vendor, protocol, and supply-chain mapping)

• Validation & ongoing monitoring (sustained compliance and resilience)

Through our partner network, we can also support cryptographic discovery/inventory and migration execution support.

Our recommendation

The G7 roadmap delivers a consistent message: don’t panic. Plan. But plan now.

Institutions that begin business impact assessments, discovery, inventory, and subsequent risk assessments today will be positioned to meet 2030 milestones with confidence. Those that delay will face compressed timelines, escalating costs, and intensifying regulatory pressure.

The quantum threat is no longer speculative, it’s a planning reality. The governance frameworks, visibility capabilities, and transformation programmes we establish today will determine our collective resilience tomorrow.

At ICA Consultancy, through our Cryptgility services, we stand ready to support financial institutions through every phase of this journey, from initial discovery through to validated migration and ongoing assurance.

The time to act is now.

Ben de la Salle is the CEO of ICA Consultancy (www.icaconsultancy.co.uk), providing strategic advisory services on technology risk, regulatory compliance, and enterprise transformation for financial services organisations. Cryptgility is ICA Consultancy’s range of Quantum PQC services.