Logo
Back

Approved, or Decommissioned: What the National Encryption Policy Means for Your VPN

10 July, 2026

Image

Under the UAE National Encryption Policy, critical and government entities are required to migrate their cryptography to post-quantum standards. VPNs are among the first systems organizations should assess because the security of a VPN tunnel relies on public-key cryptography, including the classical algorithms like RSA, Diffie-Hellman, and elliptic-curve cryptography (ECC), that the policy requires organizations to transition away from. A VPN that cannot be upgraded to support post-quantum cryptography will ultimately need to be replaced

For most security teams, this is a shift in how a VPN is treated. It has been infrastructure you renew and patch, not a system with a compliance deadline attached to it. Under the policy, every cryptographic system faces the same outcome over time: it either meets the post-quantum requirement and stays in service, or it is retired and replaced. For many organizations, that makes the VPN one of the first infrastructure components to evaluate.

What the National Encryption Policy asks of critical entities

The UAE Cybersecurity Council announced the policy and set out cryptographic requirements for critical and government entities. Four requirements have a direct impact on VPNs:

  • Transition Planning. Entities must submit an official roadmap for migrating from traditional algorithms (e.g., RSA and ECC) to post-quantum standards.
  • Asset Inventory. Entities must maintain a current inventory of cryptographic assets, with automated discovery recommended for accuracy and ongoing compliance.
  • Cryptographic Agility. New systems must be designed to support cryptographic agility, allowing algorithms and keys to be updated without service disruption.
  • Risk-Based Prioritization. Entities must prioritize data requiring ten-to-twenty-year confidentiality, such as national security information, health records, and long-term financial data.

Why your VPN is an early priority

A VPN is both a cryptographic asset and one of the most widely deployed cryptographic systems in an enterprise, which places it inside all four requirements at once.

Every employee working remotely, every administrator accessing infrastructure, every branch office connected through secure VPN tunnels, and every third-party contractor relies on a VPN. That makes it one of the most widely deployed cryptographic systems in an enterprise and one of the highest-impact systems to assess early.

It belongs in the transition plan because many existing VPN deployments rely on RSA and elliptic-curve cryptography that will need to transition to post-quantum alternatives. It must meet the crypto-agility requirement, since the underlying standards will continue to develop. And it carries the data the policy prioritizes, because the traffic inside a corporate or government tunnel is frequently financial, health, or government information that must remain confidential for years.

For those reasons, a VPN is not a system to address late in a migration program. It is among the first that a security team needs to assess.

Other countries are mandating quantum-safe migration too

The UAE is early, but it is not the only jurisdiction setting this expectation. Similar requirements are now appearing in national mandates worldwide.

The United States' NSA CNSA 2.0 guidance expects VPNs and routers in national security systems to support quantum-safe key exchange by 2026 and to use it exclusively by 2030. It also requires new equipment purchases to be quantum-safe from 2027 and states that networking gear that cannot be upgraded should be retired.

A separate White House executive order extends similar requirements beyond national security systems. It requires federal high-value assets and high-impact systems, along with relevant contractors, to migrate to post-quantum key establishment by 2030 and digital signatures by 2031. Together with CNSA 2.0, it puts most VPNs sold into the US public sector on a fixed migration timeline.

The European Union's coordinated roadmap requires critical infrastructure, including finance, energy, telecom, and government, to be secured with post-quantum cryptography by 2030, with the wider transition completed by 2035. The United Kingdom's national guidance sets staged dates toward the same goal: discovery and planning by 2028, migration of high-priority systems by 2031, and complete migration by 2035. France's security agency, ANSSI, has said it will stop certifying products that are not quantum-safe from 2027.

The deadlines vary by jurisdiction, but the requirement is consistent, and each framework begins with a cryptographic inventory.

What counts as a quantum-safe VPN

A quantum-safe VPN meets two requirements, and the second is where most legacy products fall short.

The first is post-quantum key establishment. The point in a VPN connection where two endpoints agree on a shared key currently relies on classical public-key cryptographic algorithms that a sufficiently capable quantum computer could break. A quantum-safe VPN replaces or augments that step with a post-quantum method, commonly a hybrid approach that runs a classical and a post-quantum algorithm together, so the session remains protected even if one of them is later weakened.

The second is crypto-agility. Because the standards will continue to evolve, a compliant VPN must be able to adopt new algorithms without a disruptive rebuild. A product built around a single cryptographic algorithm may support software updates, but without crypto-agility it cannot readily adopt new cryptographic standards as they evolve.

A VPN that supports post-quantum key establishment and can change algorithms over time stays in service. A VPN that cannot is decommissioned and replaced as part of the transition plan.

Questions to ask about your VPN

As organizations assess whether their existing VPN is ready for the post-quantum transition, these questions provide a useful starting point:

  • Does the VPN support hybrid post-quantum key establishment today?
  • Can cryptographic algorithms be updated without replacing the platform?
  • Can cryptographic algorithms be updated without replacing the platform?
  • Does the platform support crypto-agility?

The migration path, in four stages

Image

1. Inventory. Identify and document every cryptographic asset and every place encryption is used. Discovery is the step most programs underestimate, because cryptographic dependencies are embedded across applications, devices, and protocols that were never centrally recorded. QuantumGate's Crypto Discovery Tool automates this and maintains the record continuously.

2. Assess. Use the inventory to identify the systems that rely on traditional encryption, then sequence the work according to the sensitivity and retention period of the data each system handles.

3. Transition. Replace systems that cannot be upgraded to support post-quantum cryptography. For organizations replacing legacy VPNs, QSphere VPN combines hybrid post-quantum key establishment with crypto-agility in a single platform.

4. Monitor. Migration is not a one-time submission. Continuous scanning keeps the inventory accurate and identifies new or non-compliant cryptography as the environment changes.

Where to start

The first step is cryptographic discovery. A credible migration plan cannot be built without an accurate inventory of where cryptography is used, and which systems depend on the algorithms being retired. For most organizations, the VPN will appear early in that inventory as both a high-sensitivity and a widely exposed system. Beginning the assessment now, rather than closer to the deadlines, gives security teams time to plan and budget the transition deliberately instead of carrying them out under pressure.

The National Encryption Policy changes the question organizations should ask about every VPN. Instead of asking whether it still works, they now need to ask whether it can meet future cryptographic requirements. If the answer is no, upgrading or replacing it becomes part of the migration plan.

Have a question about our services or products?