We’re a few weeks into 2026 and the G7 Cyber Expert Group has released their roadmap for post-quantum cryptography transition in the financial sector. While it’s framed as non-binding guidance this document signals regulatory timelines are tight.

Six Phases

The roadmap uses phases to describe the migration pattern: Awareness & Preparation, Discovery & Inventory, Risk Assessment & Planning, Migration Execution, Migration Testing, and Validation & Monitoring.

The visual timeline on page 5 puts “non-critical” system Discovery & Inventory squarely in 2025-2027.

Since we already are in January 2026, your cryptographic inventory for non-critical systems now should be looking at its final year, which means critical ahead of that. And algorithms should be migrating before 2030. Note that their diagram begs the question of a cycle, rather than a linear approach, perhaps as a blog post topic for another day.

More pointedly, the G7 suggests prioritizing critical systems for migration by 2030. A later date is for a comprehensive migration, which means the nearest deadline is for data that actually matters, most likely 2027.

Three Requirements

1. Comprehensive cryptographic inventory. The document calls for mapping “cryptographic assets, communication protocols, and relevant third-party dependencies.” Not just your certificates. Not just your endpoints. Everything that touches cryptography across your infrastructure.
2. Quantifiable metrics to track progress. The roadmap emphasizes “mechanisms for ongoing monitoring and recalibration” and metrics that “demonstrate accountability.” Point-in-time assessments won’t cut it. You need to know whether you’re getting better or worse over time.
3. Third-party visibility. Financial institutions are “highly dependent upon and interconnected with information technology products, vendors and other third-party providers.” Your migration plan is only as good as your visibility into your supply chain’s cryptographic posture.

Beyond Finance

The roadmap is for financial institutions, and these principles apply universally. If you handle sensitive data with long retention requirements the “harvest now, decrypt later” threat cited in the document applies to you today. Anything that is useful five years from today is vulnerable right now. Data encrypted with targeted algorithms and intercepted now can be stored and then broken by quantum computers.

The G7’s complete migration target date of 2035 is when they expect no more classical algorithms in use. The threat window opens much, much earlier. Technically it started years ago.

What To Do

Hello discovery. You can’t plan a migration without knowing what you’re migrating. I speak with a lot of organizations and they are surprised by what they find and where—legacy protocols in production systems, certificates with longer validity periods than their algorithms will remain secure, third-party integrations using deprecated cryptography.

The G7 roadmap explicitly calls for tools for “quantifiable metrics to track progress.” That means every discovery process needs to be repeatable, far beyond manual and one-time audits.

Everyone needs right now to measure their quantum migration velocity, not just document current state risks. The G7 gave us another roadmap, saying what we already should know: the quantum clock has been running.