Malaysia Publishes Southeast Asia’s First National PQC Readiness Roadmap

31 October 2025 — Malaysia’s Ministry of Digital and the National Cyber Security Agency (NACSA) unveiled the National Post-Quantum Cryptography Readiness Roadmap on October 29, 2025, during the PKI Consortium’s Post-Quantum Cryptography Conference in Kuala Lumpur. The conference drew over 600 participants from more than 30 countries and was described as one of the largest dedicated PQC events held globally.

The roadmap positions Malaysia as the first Southeast Asian country to publish a structured national framework for post-quantum transition. It outlines three pillars:

Pillar 1: Technical readiness. A migration plan spanning 2025–2030, including proof-of-concept PQC deployments and a sandbox initiative for testing quantum-safe implementations in government systems.

Pillar 2: Strategic alignment. Policy-to-practice coordination across government, with alignment to international standards and frameworks from NIST and the EU. NACSA presented details on public-sector pilot programs, early adoption of hybrid cryptography, and new frameworks for cryptographic agility.

Pillar 3: Human readiness. Investment in capability-building programs linking national workforce development with global PQC expertise, in collaboration with UN agencies, ASEAN counterparts, and academic institutions.

The roadmap does not include binding deadlines or mandatory compliance dates. NACSA Chief Executive Ir. Dr. Megat Zuhairy emphasized the roadmap as a strategic framework, not a regulatory mandate. No specific PQC algorithm requirements were announced; the roadmap aligns with NIST’s standardized algorithms.

The conference also saw the PKI Consortium unveil its Post-Quantum Cryptography Maturity Model (PQCMM), a practical framework for organizations to assess their PQC readiness posture.

My Analysis

Malaysia’s roadmap is early-stage: a framework for thinking about the problem rather than a set of enforceable deadlines. Compared to the UK’s three-phase timeline (2028, 2031, 2035), Canada’s dated planning requirements (April 2026 onward), or Australia’s ASD guidance targeting classical crypto elimination by 2030, Malaysia’s roadmap carries less immediate force.

Three aspects are worth watching, though.

The ASEAN framing is the first. Malaysia explicitly positioned this as a step toward “building a quantum-secure ASEAN,” not just a national exercise. ASEAN’s 10 member states have highly varying levels of cybersecurity maturity, and a coordinated regional approach to PQC migration would be unprecedented for the bloc. Whether Malaysia can translate this aspiration into coordinated ASEAN-level action is an open question. But a Southeast Asian country publicly leading on PQC readiness, and hosting one of the world’s largest PQC conferences, shifts perceptions about where quantum security leadership is emerging.

The 2025–2030 migration plan timeline is the second. Malaysia isn’t waiting for a distant 2035 target. The sandbox initiative and proof-of-concept deployments planned within this five-year window suggest NACSA intends to build practical experience with PQC systems before any mandate arrives. The organizations that learn the most from early pilots (where the integration breaks, which PQC performance impacts are tolerable, which vendor products actually work) will be far better positioned when hard deadlines eventually appear.

The human readiness pillar is the third, and the most underappreciated. Most PQC migration roadmaps focus on technology and policy. Malaysia’s explicit inclusion of workforce development addresses a constraint that every country faces but few acknowledge in their official strategies. You cannot migrate to post-quantum cryptography if you don’t have people who understand what they’re migrating from and to. The enterprise PQC migration study published in late 2024 identifies personnel availability as one of the binding constraints on migration timelines, particularly outside the US and Western Europe. Malaysia’s investment in this area could become a model for other developing economies.

For multinationals operating in ASEAN: Malaysia’s roadmap is non-binding, but it signals the direction. Organizations that build PQC capability for their Malaysian operations now will find that capability reusable across the region as other ASEAN states develop their own programs. Deadlines will come. Getting ahead of them is cheaper than catching up.