Japan Sets 2035 as Its PQC Migration Target, Aligning With Allies While Running a QKD Parallel Track

2 December 2025 — Japan’s National Cyber Command Office (NCO, formerly NISC) has published an interim report concluding that all government agencies must complete their transition to post-quantum cryptography by 2035. The report, coordinated with the Cabinet Secretariat, aligns Japan with the timeline now shared by the United States, the European Union, the United Kingdom, and Canada.

The interim report sets out the role of Japan’s Cryptography Research and Evaluation Committees (CRYPTREC) in defining the technical basis for government cryptographic standards, including the timeline for decommissioning classical ciphers. CRYPTREC has been evaluating NIST’s PQC algorithms and is expected to incorporate them into Japan’s recommended algorithm lists, consistent with how CRYPTREC has historically tracked international cryptographic standards.

The report recommends both cryptographic agility and hybrid post-quantum/traditional (PQ/T) schemes as transitional strategies. It highlights the Harvest Now, Decrypt Later (HNDL) threat as a reason for prioritizing key exchange migration, with systems protecting long-lived sensitive data expected to transition first.

Japan’s approach is coordinated across multiple agencies. METI (Ministry of Economy, Trade and Industry) leads industrial engagement, including a March 2025 cybersecurity industry policy package. NICT (National Institute of Information and Communications Technology) handles quantum technology R&D, with active programs in both quantum key distribution and PQC implementation testing. The Financial Services Agency (FSA) convened a study group in 2024 on deposit-taking institutions’ PQC migration and called on financial institutions to begin the transition immediately. An Inter-Ministerial Committee convened in June 2025 began formulating a national PQC migration strategy across government.

Japan is the third country in Asia to set a formal PQC timeline target, following India’s 2027–2029 CII migration window and Singapore’s CSA quantum-safe readiness program.

My Analysis

Japan’s 2035 alignment is the expected outcome. The more interesting question is how Japan gets there, because one element of its approach is distinct from every Western ally: the dual-track strategy combining PQC migration with a parallel, substantial investment in quantum key distribution.

NICT has built one of the world’s most developed QKD testbed networks. The Tokyo QKD testbed has been running for years, and Japan’s contributions to QKD research are substantial. The NCO report treats PQC and QKD as complementary rather than competing. That differs from the skepticism toward QKD expressed by the UK’s NCSC, the NSA, and multiple European agencies that published a joint position paper dismissing QKD’s maturity for production use. Where the US and most of Europe treat PQC as the answer and QKD as a niche technology, Japan is hedging both directions.

For the PQC-specific timeline, the 2035 target raises the same question I’ve raised about every 2035 target: are the intermediate milestones specific enough to drive action? The US has CNSA 2.0’s granular sub-deadlines (2025 for firmware signing, 2027 for new acquisitions, 2030 for networking equipment). The UK has three phases at 2028, 2031, and 2035. Canada has dated planning requirements starting April 2026. Japan’s NCO report, at least as publicly described, sets the endpoint without specifying intermediate checkpoints.

The enterprise PQC migration study estimates 12–15+ years for large enterprises. Japanese financial institutions, industrial conglomerates, and government agencies are among the world’s largest and most complex organizations. A 2035 target without a 2027 or 2028 intermediate gate risks the outcome of any deadline set a decade in the future: broad agreement on importance, minimal urgency to start.

The FSA’s engagement with the banking sector is a positive signal. When a financial regulator convenes a study group and tells banks to “begin the transition immediately,” that language cascades into compliance planning and board-level risk committees far more effectively than a headline target. The Inter-Ministerial Committee’s work through 2025 should produce the intermediate milestones Japan needs.

For CISOs in organizations with Japanese operations or government contracts: the 2035 target is now official. But the practical urgency is driven by the convergence of deadlines across Japan’s allies. CNSA 2.0’s January 2027 acquisition gate affects any product also sold into US national security markets. The EU’s 2030 critical infrastructure target affects any system operated across European and Japanese jurisdictions. As I’ve written before, the earliest deadline in any jurisdiction you operate in is your effective deadline. For most Japanese multinationals, that’s 2027 or 2030, not 2035.