Post-Quantum Cryptography: Why New Zealand Can’t Afford to Be Left Behind

At this week’s member meetup, one topic sparked real concern: Post-Quantum Cryptography (PQC). Around the world, governments and critical industries are already making moves to prepare for a post-quantum world, while here in Aotearoa New Zealand, we risk falling dangerously behind.

What is Post-Quantum Cryptography? and why do we need it?

PQC refers to next-generation cryptographic algorithms designed to withstand decryption by quantum computers—machines powerful enough to break today’s encryption in seconds. Put simply: what’s secure now will be instantly compromised once quantum computing matures.

  • The “harvest now, exploit later” threat is real—malicious actors can steal encrypted data today and decrypt in future when the computing is here.

  • What kind of data is being stolen? health records, financial systems, government data, and more.

  • Migration to PQC isn’t trivial—it will take 3–4 years, requiring discovery, planning, testing, and rollout across hardware, software, and services.

  • That means start now, not when a breakthrough quantum machine is in the wild.

I learnt heaps about migration in our member chat so will write a seperate blog post on what needs to be migrated soon.

What the World Is Doing—and NZ’s Response So Far

  • US, Europe, Australia mandate that critical infrastructure (banks, healthcare, energy, public sector) must transition to PQC by 2030. This article has a great table describing each country mandate and timeframe.

  • Australia’s Signals Directorate is phasing out vulnerable algorithms by 2030, ahead of NIST’s 2035 roadmap.

  • The Strategist in Australia calls for mandating PQC across confidential communication channels, data tunnels, and supply chains.

  • In Australia, there's also a NZ$20M AUD investment in quantum-resilient cybersecurity solutions through QuintessenceLabs.

In Aotearoa, NZ’s Information Security Manual (NZISM v3.9) has taken a small step: agencies must now audit encryption use across systems. But I can’t find a plan for migration or capability development.

What Requires Capability-Building in NZ

From our meetup notes, here’s what the discussion identified as needs to be done—all very very soon:

  • Discovery programs: Agencies, businesses, not-for-profits must know where encryption is used—and where it’s vulnerable.

  • Agile migration capability: Even simple systems must have migration plans, tested and repeatable.

  • Organisational change readiness: PQC isn’t a plug-and-play swap—it requires training, simulation, process redesign.

  • Pilot and testing environments: Safe sandboxes to test algorithms and interoperability without risk to live systems.

  • Workforce development: We need cybersecurity practitioners who understand crypto agility and PQC standards.

  • Policy frameworks: Clear guidelines and roadmaps—so public and private sectors adopt PQC in sync.

What Should NZ Do—Now

  1. Launch a national PQC readiness program across sectors—health, finance, government, utilities.

  2. Set a migration deadline like 2030, aligned with global benchmarks.

  3. Support SMEs and community organisations so they can upgrade too—not just large agencies.

  4. Invest in capability-building: fund cryptography education, tools, cross-sector knowledge-sharing.

  5. Demystify PQC for decision-makers—make it not just a technical problem, but a national security, equity, and digital trust imperative.

Conclusion

At this point, PQC isn’t a distant concern—it’s a looming reality. Our community conversations remind us: the first organisation to deliver a working quantum computer ‘wins’ the race—but not necessarily in a good way. If we don’t start building capability across systems, organisations, and people today, we'll be left with massive vulnerabilities baked into our digital future.

NZ needs a visible, resourced, stimulating cross-sector PQC capability initiatives—because if not us, then who? This is important. We can’t be kicking the tyres on PQC.

Footnote: Next steps will be migration, here is a post with a migration approach sourced from ITP members. https://itp.nz/techblog/migration-pqc

Vic MacLennan

CEO of IT Professionals, Te Pou Haungarau Ngaio, Vic believes everyone in Aotearoa New Zealand deserves an opportunity to reach their potential so as a technologist by trade she is dedicated to changing the face of the digital tech industry - to become more inclusive, where everyone has a place to belong. Vic is also on a quest to close the digital divide. Find out more about her mahi on LinkedIN.

Previous
Previous

Getting Started: Data Protection

Next
Next

AI is peeling back the layers of ‘low-value’ work – NZ may be well placed to adapt