The UAE Just Issued One of the World’s First Binding National PQC Migration Requirements

1 December 2025 — The United Arab Emirates announced the approval of a National Encryption Policy and its accompanying executive regulation on November 27, 2025. The policy, issued by the UAE Cybersecurity Council, requires all government entities to develop “clear, well-defined, and officially approved transition plans from traditional encryption methods to post-quantum cryptography.”

This is not advisory guidance. The executive regulation creates a formal public-law anchor for PQC migration, making the UAE one of the first countries in the world, alongside the United States’ NSM-10 and Canada’s Treasury Board SPIN, to issue binding national-level requirements for post-quantum transition.

The policy introduces several specific requirements for government entities:

Mandatory transition plans. Every government entity must prepare a formal migration roadmap showing how it will move from RSA, ECC, and other classical asymmetric algorithms to post-quantum standards. The plans must be officially approved, not merely drafted.

Automated cryptographic inventory. Entities are required to deploy automated tools for cryptographic discovery and maintain a real-time record of cryptographic assets. This goes beyond the manual inventory approach that most organizations are still contemplating.

Crypto-agility by design. New systems must be architected to support algorithm transitions without re-architecture, a requirement that embeds crypto-agility as a design constraint rather than a retrofit aspiration.

HNDL-driven prioritization. The policy explicitly cites the Harvest Now, Decrypt Later threat model and prioritizes protection of data with 10–20 year confidentiality lifetimes.

The UAE Cybersecurity Council will oversee national migration efforts, coordinating with federal and local government bodies. A specific submission deadline for the migration plans has not been publicly announced, though secondary reporting indicates 2026 as the expected timeframe. The language from the authorities indicates the transition is meant to begin immediately.

My Analysis

Most PQC migration announcements from governments are either strategy documents that set a distant target without enforcement, or technical standards that specify algorithms without addressing organizational readiness. The UAE’s National Encryption Policy does something more useful. It mandates the process (the planning, the inventory, the architectural requirements) rather than just the endpoint.

I’ve spent years writing about why PQC migration is the largest cryptographic overhaul in IT history, and the consistent finding is that the organizations furthest behind are not those that lack awareness of PQC algorithms. They’re the ones that haven’t done a cryptographic inventory, don’t know where their classical cryptography lives, and haven’t assigned anyone to own the migration. The UAE’s policy addresses this directly: you must have automated discovery, you must produce a formal plan, and the plan must be approved.

The automated inventory requirement is particularly notable. My experience working with organizations on PQC readiness, documented in the PQC Migration Framework, consistently shows that manual cryptographic inventories fail at enterprise scale. CISA has been pushing toward automated crypto inventory for US federal agencies. The UAE is codifying this as a binding requirement from day one, skipping the intermediate step where agencies attempt manual approaches and discover two years later that they missed half their cryptographic dependencies.

The crypto-agility mandate is equally forward-looking. I’ve argued before that crypto-agility is an architecture problem, not a library swap. The UAE is making this architectural capability a design requirement for new systems. For vendors selling into the UAE government market, this is a capability that needs to be demonstrable, not aspirational.

How does the UAE compare with its peers? The CNSA 2.0 acquisition gate at January 2027 is the sharpest near-term deadline in the US. Canada’s CCCS roadmap requires planning by April 2026. Australia’s ASD guidance targets planning by end of 2026. The EU’s coordinated roadmap targets Phase 1 (national strategies, inventories, pilot projects) by end of 2026. The UAE is operating in the same band as these leading programs, placing it ahead of most countries globally and ahead of all of its regional neighbors.

For organizations operating in the UAE or selling into UAE government markets: PQC migration planning is now a compliance item, not a strategic option. Expect procurement requirements to reflect this within months.