
G7 Cyber Expert Group issues roadmap to guide financial sector transition to post‑quantum cryptography


Key takeaways

  • The G7 Cyber Expert Group (CEG), chaired by the U.S. Department of the Treasury and the Bank of England, released a public roadmap on January 12, 2026.
  • The roadmap advises financial entities, authorities and suppliers on considerations and potential activities to transition to quantum‑resilient cryptographic technology.
  • It warns that sufficiently advanced quantum computers could break widely used cryptographic protocols that protect systems and data.
  • The guidance and timeline in the roadmap are non‑prescriptive, allowing organizations flexibility to implement changes based on their specific situations.
  • The G7 CEG includes representatives from financial authorities across all G7 countries and the European Union and was founded in 2015 to coordinate cybersecurity policy, information sharing, cooperation and incident response.

Follow Up Questions

What is post‑quantum cryptography and how does it differ from current cryptographic methods?

Post‑quantum cryptography (PQC) is a new family of encryption and digital‑signature algorithms designed so that even a powerful future quantum computer cannot crack them within a practical time. Unlike today’s most common public‑key methods such as RSA and elliptic‑curve cryptography (ECC), which rely on math problems (integer factoring, discrete logarithms) that Shor’s quantum algorithm can solve efficiently, PQC uses different hard problems (for example lattice‑based, code‑based, and hash‑based constructions) believed to remain hard even for quantum computers. PQC algorithms are meant to run on ordinary (non‑quantum) hardware and be used in the same kinds of protocols we use today (TLS, VPNs, code‑signing), but with quantum‑resistant math under the hood.

How soon do experts expect quantum computers to be powerful enough to break widely used encryption?

No exact date is known, but credible expert assessments suggest that quantum computers capable of breaking today’s widely used public‑key encryption (such as RSA‑2048) could plausibly emerge within roughly 10–15 years, and possibly sooner, so planning needs to start now:

  • The G7 Cyber Expert Group’s 2024 statement (via HM Treasury) warns there is “a real possibility” that quantum computers able to defeat current cryptography could emerge “within a decade,” and urges financial entities to begin planning immediately.
  • The Global Risk Institute’s 2024 Quantum Threat Timeline finds a significant probability that a “cryptographically relevant quantum computer” able to break RSA‑2048 could exist by the mid‑2030s, while stressing the uncertainty and the need for early preparation.

Because large‑scale deployment and system upgrades take many years, authorities emphasize that organizations should not wait for a precise date but should begin inventory, risk assessment, and migration planning now.

What is the G7 Cyber Expert Group (CEG) and which authorities or countries participate?

The G7 Cyber Expert Group (CEG) is a permanent working group set up in 2015 to coordinate cybersecurity policy, strategy, information‑sharing and cyber‑incident response across the G7 financial system. It focuses on cyber risks in the financial sector and develops non‑binding guidance (“Fundamental Elements,” statements, and roadmaps) for authorities and firms.

Members are financial authorities (central banks, finance ministries, and regulators) from all G7 countries plus EU institutions. According to the U.S. Treasury, membership includes, among others:

  • Canada: Bank of Canada; Department of Finance Canada; Office of the Superintendent of Financial Institutions.
  • France: Banque de France; Directorate General of the Treasury; Prudential Supervision and Resolution Authority.
  • Germany: Deutsche Bundesbank; Federal Financial Supervisory Authority (BaFin); Federal Ministry of Finance.
  • Italy: Bank of Italy (Banca d’Italia); CONSOB; Ministry of Economy and Finance.
  • Japan: Bank of Japan; Financial Services Agency; Ministry of Finance.
  • United Kingdom: Bank of England; Financial Conduct Authority; HM Treasury.
  • United States: Department of the Treasury; Federal Reserve Board of Governors; Securities and Exchange Commission.
  • European Union: European Banking Authority; European Central Bank; European Commission.

What specific actions or timelines does the roadmap suggest financial firms should consider first?

The full text of the January 2026 G7 CEG roadmap has not yet been widely published beyond the high‑level description in the U.S. Treasury press release, but it is described as outlining “key considerations and potential activities” and a non‑prescriptive timeline for transitioning to quantum‑resilient cryptography.

Based on the G7 CEG’s earlier quantum‑computing statement (2024), the initial actions it expects financial firms to consider are:

  1. Develop a better understanding of quantum‑computing risks and mitigation strategies.
  2. Assess quantum‑computing risks in their areas of responsibility (e.g., where vulnerable cryptography is used, and what data could be at long‑term risk).
  3. Develop a plan for mitigating those risks, including a strategy to adopt quantum‑resilient cryptography as standards and vendor solutions become available.

Related guidance from the UK National Cyber Security Centre’s PQC migration roadmap (a separate but aligned document) suggests that, in the near term, organizations should first:

  • Discover and inventory where cryptography is used across systems and suppliers.
  • Prioritize high‑value and long‑lived data and connections for early migration.
  • Begin planning and testing for a phased transition aiming for completion by around 2035.

These steps are consistent with the G7 roadmap’s intent but the exact wording and phase dates in the 2026 roadmap are not yet publicly accessible.

What does it mean that the roadmap is "not prescriptive" for regulated financial institutions and compliance obligations?

Saying the roadmap is “not prescriptive” means it is guidance, not a binding rulebook or regulation. It does not itself create new legal or supervisory requirements for regulated firms, nor does it mandate specific technologies or fixed deadlines. Instead, it:

  • Sets out principles, considerations and an example timeline that firms and authorities can adapt to their own size, risk profile, and regulatory context.
  • Leaves supervisors and firms free to decide how to incorporate post‑quantum planning into existing risk‑management and cybersecurity frameworks and compliance obligations.

The U.S. Treasury press release states that “the roadmap and its associated timeline are not prescriptive, providing organizations with the flexibility to implement as appropriate for their unique situation,” which is in line with how prior G7 CEG “Fundamental Elements” documents are described as non‑binding, high‑level guidance.

Where can I read the full G7 CEG roadmap and supporting materials?

The roadmap and related materials can be accessed from official government sites:

As of now, those are the primary official sources where the full roadmap PDF and supporting statements/FAQs are expected to be published or linked.

Who are Cory Wilson and Duncan Mackinnon and what roles do they play in the roadmap's development or implementation?

Cory Wilson and Duncan Mackinnon are the co‑chairs of the G7 Cyber Expert Group and are leading figures behind this roadmap:

  • Cory Wilson is the U.S. Treasury’s Deputy Assistant Secretary for Cybersecurity and Critical Infrastructure Protection. In this role he is responsible for Treasury’s cybersecurity policy for the financial sector and co‑chairs the G7 CEG on behalf of the United States. The January 2026 press release cites him as one of the G7 CEG co‑chairs issuing the roadmap.

  • Duncan Mackinnon is the Bank of England’s Executive Director for Supervisory Risk Specialists. He oversees specialist supervisory teams (including cyber and operational resilience) at the UK Prudential Regulation Authority and co‑chairs the G7 CEG on behalf of the UK. The press release likewise names him as a G7 CEG co‑chair speaking on the roadmap’s importance for making financial systems “quantum resilient.”
