Skip to content

Tech Forum

Quantum-safe Cybersecurity in Canada 2026: PQC Readiness

Cover Image for Quantum-safe Cybersecurity in Canada 2026: PQC Readiness
Derek Fung
Derek Fung
Share:

Canada is moving decisively toward quantum-safe cybersecurity in Canada 2026, a milestone year in which federal agencies, researchers, and industry players are aligning around post-quantum cryptography (PQC) standards and migration plans. The government has signaled a broad, government-wide push to harden critical systems against the coming quantum era, while Canada’s research ecosystem and private-sector players are accelerating productization and deployment of quantum-safe technologies. In practical terms, this means planning now for a multi-year transition—from inventorying cryptographic usage to embedding PQC in new procurement and, ultimately, updating legacy networks and devices. The initiative comes with concrete deadlines, sizable public investments, and a growing concerted effort across federal departments, Crown corporations, and Canadian technology firms to translate early quantum leadership into durable, sovereign cybersecurity capabilities. This nationwide effort is unfolding as a structured, three-phase migration timeline, with ongoing updates and governance designed to keep Canada on track for a broad, national PQC transition trajectory. The convergence of government policy, agency roadmaps, and industry activity defines quantum-safe cybersecurity in Canada 2026 as not just a technology upgrade but a strategic shift in how Canada protects sensitive data, maintains public trust, and sustains domestic capabilities in a globally critical field.

The magnitude of the shift is underscored by the first major government-led steps announced in late 2024 through 2025 and subsequently codified in 2025–2026 policy instruments. The government’s quantum programs, including the Quantum Safe Technologies Initiative at the National Research Council (NRC) and the broader Canadian quantum ecosystem investments, are designed to strengthen Canada’s security posture while fostering domestic quantum innovation. In December 2025, Ottawa announced the Phase 1 launch of the Canadian Quantum Champions Program (CQCP), a $92 million thrust to anchor leading Canadian quantum companies and talent at home, with additional commitments and a five-year horizon that aligns with broader quantum strategy goals. The CQCP is tied to Canada’s national quantum strategy and Budget 2025 commitments, signaling a strong link between sovereign security objectives and economic growth in this sector. (canada.ca)

Section 1: What Happened

NRC launches Quantum Safe Technologies Initiative to harden Canada’s cyber defenses

The National Research Council of Canada (NRC) announced the creation of a dedicated Quantum Safe Technologies Initiative, with program duration set for 2026–2028. The initiative is explicitly designed to address threats posed by quantum computing to conventional cryptography, focusing on developing quantum-safe applications, testing and evaluation frameworks, and quantum-safe communication concepts across critical sectors like defense, finance, telecommunications, health, and transportation. The program aims to build national capacity by training personnel and fostering partnerships across government, academia, and industry. It is described as a coordinated effort to strengthen Canada’s quantum-safe cybersecurity capabilities and to support a robust Canadian quantum innovation ecosystem. Launching in 2026, the NRC emphasizes a practical, implementable approach to quantum-resilient cryptography and secure communications, not just theoretical research. The initiative’s areas of focus include advancing quantum-resilient cryptographic research, testing and integration into critical systems, and building a national capacity for quantum-safe cybersecurity solutions. (nrc.canada.ca)

The initiative at a glance: scope, timeline, and collaboration

Key program details highlight a concrete, multi-year path: the initiative will run from 2026 through 2028, with emphasis on post-quantum cryptography (PQC) testing and the development of standards-compliant, quantum-safe protocols. The NRC notes that the effort will also help create testing and evaluation frameworks for PQC applications across both government and industry, and will support the design of quantum-safe communications that can operate in hybrid quantum-classical networks. Importantly, NRC frames the initiative as a national ecosystem play—emphasizing collaboration across government departments to coordinate national action on quantum security and to train a capable workforce that can sustain quantum-safe cybersecurity capabilities into the future. This aligns with Canada’s broader quantum strategy, which seeks to translate early leadership into sovereign, scalable impact. (nrc.canada.ca)

Government PQC migration roadmap: a public, enforceable deadline set in 2025

Canada’s approach to moving government IT systems to PQC rests on a formal, three-phase roadmap issued by the Canadian Centre for Cyber Security (Cyber Centre) in June 2025. The Roadmap for the migration to post-quantum cryptography for the Government of Canada (ITSM.40.001) lays out milestones, deliverables, governance, and the phased plan departments should follow as they transition away from vulnerability to quantum-enabled cryptographic techniques. The roadmap emphasizes the need for standardized PQC algorithms, compliance with cryptographic guidance, and a structured program of department-level migration activities. Crucially, the roadmap specifies a hard deadline: an initial departmental PQC migration plan by April 2026, followed by annual progress reporting, with a broader target to complete high-priority migrations by the end of 2031 and full migration by 2035. The guidance also calls for procurement clauses, cryptographic agility, and CMVP-certified cryptographic modules to ensure interoperable, future-proof security infrastructure. (cyber.gc.ca)

Government PQC migration roadmap: a public, enforc...

Photo by Hermes Rivera on Unsplash

Effective dates and procedural milestones for the GC

The official guidance emphasizes several near-term actions that have real implications for procurement, project planning, and budget cycles. The timeline specifies that by April 2026, departments must develop high-level departmental PQC migration plans and begin reporting migration progress on an annual basis. By 2027, departments should update their migration plans to reflect Phase 2 activities, including asset inventories and prioritization of high-risk systems. By 2028, Phase 3 calls for concrete transitions toward quantum-safe cryptography across the government’s IT landscape, with additional expectations for procurement practices and vendor negotiations to reflect PQC requirements. The plan also outlines governance roles across the Treasury Board of Canada Secretariat (TBS), Shared Services Canada (SSC), and Cyber Centre to ensure alignment with enterprise architecture and overall cyber security risk management. The Roadmap affirms a longer horizon—targeting full migration by 2035, with high-priority systems completed by 2031—recognizing the scale and complexity of moving millions of endpoints, services, and networks. (cyber.gc.ca)

A parallel policy instrument: migration guidance in policy form

In October 2025, the Government of Canada released a Security Policy Implementation Notice (SPIN) reinforcing requirements to migrate to PQC across GC information systems. The SPIN, effective October 9, 2025, underscores the cryptographic threat from quantum computing, formalizes the migration as a matter of policy, and highlights SSC’s critical role in implementing PQC across networks and infrastructure. It provides phased timelines—Phase 1 (Preparation) due by April 1, 2026; Phase 2 (Identification) due by April 1, 2027; Phase 3 (Transition) by April 1, 2028, with then-schedules for 2031 and 2035 milestones. The SPIN also calls for procurement clauses and vendor management practices that support PQC, cryptographic agility, and CMVP-certified cryptographic modules, signaling a binding, cross-departmental approach to quantum-safe procurement and deployment. The SPIN is a decisive policy instrument that complements the technical Roadmap ITSM.40.001 and the GC’s Enterprise Cyber Security Strategy, providing enforceable expectations for departments and SSC. (canada.ca)

Industry movements: Canada’s quantum ecosystem accelerates practical PQC deployments

Canada’s private sector and research institutions have been mapping the path to quantum-safe security for several years, and 2026 marks an inflection point where pilots, product roadmaps, and standards activity begin to translate into real-world deployments. A notable example is the collaboration among ISARA, Carillon Information Security, and Crypto4A Technologies, announced in 2021, which showcased a world-first Canadian fully integrated Quantum-Safe Now PKI solution. This early demonstration highlighted practical crypto-agility and hybrid cryptographic approaches designed to ease migrations and protect digital trust as quantum threats mature. The ISARA Radiate Quantum-safe Toolkit and related crypto-agility tooling exemplify the kind of software and hardware integration that Canada’s PQC migration roadmaps aim to scale across public and private sectors. Although the press release is older, it remains emblematic of Canada’s ongoing industry momentum and the country’s emphasis on crypto agility as a core capability for quantum-safe security. (isara.com)

Beyond individual partnerships, Canada’s broader quantum ecosystem features a cluster of academic-industry collaborations, provincial initiatives, and international engagements that collectively push PQC readiness forward. The Canadian government’s Phase 1 CQCP investments, including agreements with Canadian-headquartered quantum firms for up to $23 million each (Total CQCP Phase 1 funding of up to $92 million), illustrate a national strategy to anchor quantum innovation at home while funding the development of near-term industrial applications. The Phase 1 announcements highlight the involvement of firms such as Anyon Systems, Nord Quantique, Photonic, Xanadu Quantum Technologies, and the NRC’s Benchmarking Quantum Platform to assess technology readiness. These investments signal a coherent national strategy in which quantum hardware, software, and cryptographic solutions are being co-located with security policy developments to accelerate practical PQC adoption. (canada.ca)

Section 2: Why It Matters

Strategic implications for government, industry, and critical infrastructure

The quantum threat to cryptography is not hypothetical for long. Canada’s leaders frame PQC as a national security and economic priority, tying quantum-ready cryptography to both resilience and sovereignty in cyberspace. The GC’s Enterprise Cyber Security Strategy and the Cyber Centre’s PQC migration guidance explicitly position the migration as an essential protective measure for government communications, VPNs, and PKI-based authentication—areas critical to public services, defense, finance, and critical infrastructure. The alignment of policy, procurement, and technical standards is aimed at preventing a “harvest now, decrypt later” scenario, in which adversaries collect encrypted data today and decrypt it once quantum computers are capable. As the Canada.ca public communications emphasize, PQC migration is not optional but a policy-based requirement that touches every device, software, and service that handles cryptographic material. The combined policy instruments—Roadmap ITSM.40.001, SPIN, and Enterprise Cyber Security Strategy—create a governance envelope that makes quantum-safe cybersecurity in Canada 2026 a cross-cutting national mandate. (cyber.gc.ca)

Strategic implications for government, industry, a...

Photo by engin akyurt on Unsplash

Economic and industrial impact: a growth corridor for Canadian PQC providers and talent

Canada’s quantum investments are designed to support domestic capability, job creation, and industrial leadership in a high-growth sector. The December 2025 CQCP launch signals a multi-year commitment to fund and recruit Canadian quantum firms and researchers to build a sovereign advantage. With initial Phase 1 funding of up to $92 million spread across multiple companies, Canada is channeling capital into a cluster of Canadian firms focused on fault-tolerant quantum computing, quantum-safe security, and related quantum technologies. This has implications for local ecosystems, attracting talent to Kingston, Waterloo, Montreal, and other hubs, and for supply chain development around cryptographic modules, testing platforms, and secure cloud offerings that can comply with PQC standards. The policy framework ensures that public procurement will require validated PQC and cryptographic agility, creating demand for standards-aligned products and services, including cryptographic modules, secure key management, and crypto-aware cloud platforms. In this sense, quantum-safe cybersecurity in Canada 2026 is also a market signal for a new wave of Canadian cybertech growth. (canada.ca)

Security posture and user trust: what goes into protecting long-lived data

Quantum-safe migration isn’t just about technology—it’s about protecting data with long lifespans and ensuring public trust in digital services. The GC’s emphasis on migrating to standardized PQC for non-classified IT systems targets the cryptographic foundations that support everyday digital services—VPNs, TLS, PKI, and secure software updates. The Canada.ca “Quantum Computing and Cyber Security” explainer highlights the risk to VPNs and authentication mechanisms and stresses the need to plan for a future where quantum-safe cryptography underpins public sector security and citizen data protection. As systems scale, the emphasis on cryptographic agility—designing certificates that can switch algorithms without disrupting end users—becomes a practical norm rather than an academic ideal. Canada’s approach—combining policy mandates, vendor guidance, and practical deployment roadmaps—aims to sustain user confidence in digital government services and in the private sector’s ability to protect sensitive information. (canada.ca)

Security posture and user trust: what goes into pr...

Photo by Michael Descharles on Unsplash

Global alignment and Canada’s unique positioning

Canada’s PQC migration strategy sits within a broader global trend toward quantum readiness, as standardization efforts, government roadmaps, and industry partnerships converge worldwide. The June 2025 ITSM.40.001 roadmap aligns with international standards processes (and with NIST PQC standardization progress) while embedding Canadian governance mechanisms and procurement practices. The national quantum strategy and the CQCP emphasize Canada’s desire to maintain sovereignty and security independence in a field characterized by rapid technological evolution and geopolitical importance. Canada’s approach—leveraging NRC’s Quantum Safe Technologies Initiative alongside the Cyber Centre’s guidance and SSC’s implementation capabilities—creates a coordinated model that other nations watch closely. The emphasis on domestic capability, secure cloud-ready PKI, and a national testing platform parallels similar efforts in other advanced economies, though Canada’s explicit multi-year deadlines and policy instruments offer a relatively concrete governance framework that few other countries can claim with the same level of detail. (nrc.canada.ca)

Expert perspectives and balanced viewpoints

Analysts note that the PQC transition is as much an organizational transformation as a technical one. The policy instruments require departments to inventory cryptographic usage, standardize algorithm choices, and establish procurement clauses that encourage vendor flexibility while ensuring cryptographic agility. Some observers caution that the cost of timely migration—especially for large, legacy-embedded systems—will be nontrivial, and that tight governance must be paired with robust risk management to prevent project delays or budget overruns. Others emphasize that Canada’s integrated approach—combining government policy, industry collaboration, and a strong research ecosystem—reduces risk by providing clear milestones and accountable governance bodies. In the Canadian context, the synergy among NRC’s Quantum Safe Technologies Initiative, the CQCP, and the Cyber Centre’s PQC Roadmap offers a rare combination of funding, practical deployment pathways, and standards alignment. This balance helps ensure that quantum-safe cybersecurity in Canada 2026 remains both technically credible and economically viable for government and industry alike. (nrc.canada.ca)

Section 3: What’s Next

Immediate steps: April 2026 and beyond

The Roadmap ITSM.40.001 and SPIN define the near-term milestones that organizations should monitor closely. By April 1, 2026, departments and SSC are expected to have developed high-level departmental PQC migration plans and to begin reporting progress on an annual basis. This starts a cadence of centralized reporting and cross-department coordination, enabling the GC to track readiness, dependencies, and resource needs. The initial planning phase sets the foundation for a more granular identification phase, where cryptographic inventories are expanded, high-priority systems are identified, and procurement strategies align with PQC requirements. The emphasis on procurement clauses and cryptographic agility in Phase 3 (Transition) signals that new contracts entering after 2026 should be designed to accommodate quantum-safe algorithms and modular migration as part of standard procurement cycles. (canada.ca)

2027–2031: identification, transition, and priority migrations

The roadmap’s Phase 2 (Identification) and Phase 3 (Transition) are designed to unfold across 2027 and 2028 onward, expanding the departmental inventories, refactoring system architectures, and beginning targeted migrations of high-priority systems. The end-of-2031 milestone—completing the PQC migration of high-priority systems—will be a major inflection point in Canada’s cyber resilience. Agencies must demonstrate progress on risk-reducing deployments, ensure cryptographic standardization across protocols, and refine procurement practices to support ongoing PQC adoption. SSC’s ongoing collaboration with the Cyber Centre and its own lifecycle management frameworks will be critical to managing the multi-year timeline and ensuring that network infrastructure, cloud services, and endpoint devices align with PQC standards. By 2035, the government targets full migration of remaining systems, bringing Canada’s public sector cryptography into a post-quantum security posture. (cyber.gc.ca)

What to watch for: productization, standards, and international collaboration

Several themes will shape what happens next. First, productization and vendor readiness will determine how quickly PQC can be adopted in real environments. Companies like ISARA, with radiate-based toolkits and crypto-agility capabilities, exemplify the private-sector readiness to bridge the gap between standardization and deployment. Second, international standards activities and cross-border cooperation will influence algorithm selection and interoperability. As PQC standardization matures, Canada’s alignment with NIST standards and international cryptographic practices will be essential to avoid vendor lock-in and to ensure that PQC deployments are portable across systems and networks. Finally, Canada’s investment in the CQCP and NRC programs signals a continued commitment to building domestic capabilities—potentially attracting more talent, research partnerships, and venture activity that could position Canada as a regional hub for quantum-safe cyber technologies. The Ottawa-anchored ETSI/IQC Quantum Safe Cryptography Conference 2026, slated to bring together policymakers, researchers, and industry leaders in Ottawa, highlights Canada’s central role in the global PQC dialogue and the practical steps needed to translate standardization into secure, scalable deployments. (etsi.org)

Timeline snapshot: concrete dates you can rely on

  • June 2025: Cyber Centre releases Roadmap for migration to PQC for the Government of Canada (ITSM.40.001), outlining milestones and phased execution. (cyber.gc.ca)
  • October 9, 2025: Security Policy Implementation Notice (SPIN) becomes effective, detailing Phase 1 (Preparation) by April 1, 2026, Phase 2 by 2027, Phase 3 by 2028, and long-term milestones through 2035. (canada.ca)
  • April 1, 2026: Departments and SSC must develop initial PQC migration plans and begin annual progress reporting (Phase 1 readiness). (cyber.gc.ca)
  • End of 2031: Completion of PQC migration for high-priority GC systems. (cyber.gc.ca)
  • End of 2035: Completion of PQC migration for remaining GC systems. (cyber.gc.ca)
  • December 15, 2025: Government announces Phase 1 of the Canadian Quantum Champions Program (CQCP), a $92 million investment to anchor Canadian quantum companies and talent at home, with broader Budget 2025 quantum investments totaling $334.3 million over five years. (canada.ca)
  • 2026–2028: NRC’s Quantum Safe Technologies Initiative (program duration 2026–2028) to develop, test, and validate quantum-safe cryptographic solutions for Canada’s critical sectors. (nrc.canada.ca)

Closing

As Canada charts quantum-safe cybersecurity in Canada 2026, the convergence of government policy, formal roadmaps, and a growing quantum industry signals a deliberate, multi-year effort to put Canada on a secure, sovereign footing in the quantum era. The near-term milestones—initial migration plans due by April 2026, annual progress reporting, and the move to protect high-priority systems by 2031—provide a tangible path forward for agencies, vendors, and researchers alike. The NRC’s Quantum Safe Technologies Initiative adds an important R&D and testing backbone to this national transition, while the CQCP and the broader national quantum strategy anchor Canada’s ambitions to retain leadership and drive economic resilience. For citizens and businesses, the practical implication is clear: by 2035, Canada envisions a public and private sector landscape where data remains protected against quantum-enabled threats, where cryptographic agility is a standard capability, and where domestic capabilities in quantum-safe security are embedded in everyday digital infrastructures. Stay tuned to official channels from the Canadian Centre for Cyber Security, Shared Services Canada, and the NRC for updates on deployment milestones, procurement guidelines, and the evolving standards that will shape quantum-safe cybersecurity in Canada for years to come.

At Tech Forum, we will continue to monitor the milestones, analyze deployments, and translate complex policy and technical developments into practical guidance for organizations preparing for quantum-safe cybersecurity in Canada 2026 and beyond. For ongoing updates, watch government portals such as the Cyber Centre and Canada.ca, which are coordinating Canadian PQC migration plans, and keep an eye on industry announcements from ISARA and other Canadian PQC developers as they scale from pilots to production-ready solutions. The journey toward quantum-safe cybersecurity in Canada 2026 is underway, and the path ahead is defined not by a single breakthrough but by coordinated policy, open collaboration, and steady, standards-aligned progress across government, industry, and academia.