Post-Quantum Cryptography: Why New Zealand Can’t Afford to Be Left Behind
At this week’s member meetup, one topic sparked real concern: Post-Quantum Cryptography (PQC). Around the world, governments and critical industries are already making moves to prepare for a post-quantum world, while here in Aotearoa New Zealand, we risk falling dangerously behind.
What is Post-Quantum Cryptography? and why do we need it?
PQC refers to next-generation cryptographic algorithms designed to withstand decryption by quantum computers—machines powerful enough to break today’s encryption in seconds. Put simply: what’s secure now will be instantly compromised once quantum computing matures.
The “harvest now, exploit later” threat is real—malicious actors can steal encrypted data today and decrypt in future when the computing is here.
What kind of data is being stolen? health records, financial systems, government data, and more.
Migration to PQC isn’t trivial—it will take 3–4 years, requiring discovery, planning, testing, and rollout across hardware, software, and services.
That means start now, not when a breakthrough quantum machine is in the wild.
I learnt heaps about migration in our member chat so will write a seperate blog post on what needs to be migrated soon.
What the World Is Doing—and NZ’s Response So Far
US, Europe, Australia mandate that critical infrastructure (banks, healthcare, energy, public sector) must transition to PQC by 2030. This article has a great table describing each country mandate and timeframe.
Australia’s Signals Directorate is phasing out vulnerable algorithms by 2030, ahead of NIST’s 2035 roadmap.
The Strategist in Australia calls for mandating PQC across confidential communication channels, data tunnels, and supply chains.
In Australia, there's also a NZ$20M AUD investment in quantum-resilient cybersecurity solutions through QuintessenceLabs.
In Aotearoa, NZ’s Information Security Manual (NZISM v3.9) has taken a small step: agencies must now audit encryption use across systems. But I can’t find a plan for migration or capability development.
What Requires Capability-Building in NZ
From our meetup notes, here’s what the discussion identified as needs to be done—all very very soon:
Discovery programs: Agencies, businesses, not-for-profits must know where encryption is used—and where it’s vulnerable.
Agile migration capability: Even simple systems must have migration plans, tested and repeatable.
Organisational change readiness: PQC isn’t a plug-and-play swap—it requires training, simulation, process redesign.
Pilot and testing environments: Safe sandboxes to test algorithms and interoperability without risk to live systems.
Workforce development: We need cybersecurity practitioners who understand crypto agility and PQC standards.
Policy frameworks: Clear guidelines and roadmaps—so public and private sectors adopt PQC in sync.
What Should NZ Do—Now
Launch a national PQC readiness program across sectors—health, finance, government, utilities.
Set a migration deadline like 2030, aligned with global benchmarks.
Support SMEs and community organisations so they can upgrade too—not just large agencies.
Invest in capability-building: fund cryptography education, tools, cross-sector knowledge-sharing.
Demystify PQC for decision-makers—make it not just a technical problem, but a national security, equity, and digital trust imperative.
Conclusion
At this point, PQC isn’t a distant concern—it’s a looming reality. Our community conversations remind us: the first organisation to deliver a working quantum computer ‘wins’ the race—but not necessarily in a good way. If we don’t start building capability across systems, organisations, and people today, we'll be left with massive vulnerabilities baked into our digital future.
NZ needs a visible, resourced, stimulating cross-sector PQC capability initiatives—because if not us, then who? This is important. We can’t be kicking the tyres on PQC.
Footnote: Next steps will be migration, here is a post with a migration approach sourced from ITP members. https://itp.nz/techblog/migration-pqc
