It’s still the first month of 2026, and momentum around post-quantum planning is already building. Governments and financial authorities are publishing roadmaps, aligning expectations, and signaling what comes next.
On 13 January 2026, the G7 Cyber Expert Group (CEG) published its most detailed statement yet on how the financial sector should prepare for the quantum era. The policy paper, Advancing a Coordinated Roadmap for the Transition to Post-Quantum Cryptography in the Financial Sector, is not regulation, but it carries more weight than a typical guidance note.
It reflects a shared view among finance ministries, central banks, and regulators, like the G7 Cyber Expert Group, that cryptographic transition is now a systemic risk management issue, which means delay is no longer a neutral option for banks and financial institutions.
The G7 Cyber Expert Group and Its Role in Financial Security
The G7 Cyber Expert Group was created in 2015 to coordinate cybersecurity policy across G7 jurisdictions. It advises Finance Ministers and Central Bank Governors on threats that could undermine the stability and resilience of the global financial system.
The group is co-chaired by the Bank of England and the US Department of the Treasury, and includes authorities and financial institutions from Canada, France, Germany, Italy, Japan, the UK, and the US. Its role is to align expectations across regulators, institutions, and markets.
When Post-Quantum Planning Became a Shared Effort
The G7 Cyber Expert Group formally addressed quantum risk in 2024, warning that sufficiently powerful quantum computers could break widely used public-key cryptography. That statement focused on awareness and early risk recognition, rather than execution.
The 2026 roadmap does something different. It assumes awareness already exists and moves directly to the harder question: how does the financial sector transition without disrupting the systems it depends on?
The G7 is explicitly trying to avoid a fragmented transition where:
- Institutions move at different speeds
- Vendors implement incompatible solutions
- Cross-border systems lose interoperability
- Critical infrastructure becomes unevenly protected
In a highly interconnected financial ecosystem, uncoordinated security upgrades can introduce as much risk as no upgrade at all.
The Principles Behind the G7 Roadmap
The roadmap is built around a small set of principles designed to prevent rushed or fragmented migration across the financial system.
- Flexibility over fixed timelines: Institutions must be prepared to adapt their approach as risks, standards, and dependencies evolve, instead of depending on a predefined roadmap.
- Risk-based prioritization: Critical systems and long-lived data demand early action, while lower-risk systems may be deferred, reflecting their lesser urgency.
- Standards-based execution: The G7 urges institutions to anchor their migration efforts in established security and implementation standards, focusing on demonstrable, measurable progress rather than loosely scoped or improvised initiatives.
- Collaboration across the ecosystem: Successful migration depends on coordinated action across jurisdictions, institutions, and vendors, ensuring alignment and preventing interoperability gaps or delays.
The Risk the Roadmap Is Trying to Contain
The roadmap acknowledges what security teams already know: cryptographic migration is slow, complex, and deeply embedded in systems, vendors, and processes. That is why it emphasizes starting before the threat materializes, not after.
Why the G7 Is Pushing Cryptographic Agility, Not Just PQC
One of the most important signals in the paper is the shift from post-quantum algorithms to cryptographic agility.
The G7 explicitly notes that while quantum-resistant algorithms exist today, migration must be done in a way that allows future change. This reflects the reality that:
- PQC standards will evolve
- Vulnerabilities will be discovered
- This will not be the last cryptographic transition
Organizations that treat PQC as a one-off upgrade will find themselves repeating this process. Agility, not algorithm selection, is the long-term objective.
What the Six Migration Phases Reveal
The roadmap introduces six overlapping phases. While they appear procedural, they highlight where the real challenges lie.
- Awareness and preparation – This is about executive ownership, not education. The G7 is signaling that post-quantum risk belongs in board-level discussions, not buried in technical teams.
- Discovery and inventory – This is the most underestimated phase. Without a cryptographic inventory, timelines are guesses. Most institutions still do not know:
  - Where cryptography is used
  - Which vendors control it
  - Which systems depend on which protocols
  - Which data must remain confidential for decades
- Risk assessment and planning – The G7 stresses risk-based prioritization. Critical systems, long-lived data, and externally exposed services must move first. Less critical systems can be used to build experience.
- Migration execution – Early adoption is encouraged where standards and products exist, including hybrid approaches such as quantum-safe key exchange in web infrastructure. Waiting for perfection is riskier than starting carefully.
- Migration testing – Testing is framed as both internal validation and ecosystem-level exercises. The goal is to ensure quantum-safe systems work together, not just individually.
- Validation and monitoring – Migration does not end. Continuous validation, new standards, and ongoing improvement become permanent responsibilities.
The G7 roadmap includes an illustrative timeline showing how these phases overlap across a decade, with governance and dependency management running continuously.
Managing Third-Party Dependencies in Post-Quantum Migration
The roadmap makes it clear that third-party dependencies are a major factor in post-quantum migration.
Financial institutions rely heavily on:
- Cloud providers
- Core banking platforms
- Payment systems
- Messaging infrastructure
- SaaS applications
The G7 calls for transparency from vendors and early engagement to avoid stalled migration. This quietly acknowledges that many institutions will not be able to move faster than their vendors.
In practice, post-quantum migration is as much a procurement and vendor governance challenge as it is a security one.
The Timelines the G7 Is Signaling
The roadmap’s 2035 target is just the overall endpoint, and is aligned with NIST, ISO, and other standards bodies. What really matters is the earlier 2030-2032 window, when institutions need to have their highest-risk systems secured. If those essential systems remain exposed, the rest of the timeline won’t make a difference.
Why This Matters for Financial Institutions in the UAE and MENA
While this roadmap was published by the G7, its direction aligns closely with steps already underway in the UAE and across the region. Financial institutions are designated as critical infrastructure, and regulators are already expecting early planning, cryptographic inventory, and migration roadmaps as part of broader cyber resilience efforts.
For banks and financial entities operating in MENA, the G7 roadmap reinforces the same priorities: start with visibility, plan based on risk, and embed post-quantum readiness into governance early, rather than waiting for a single mandate to trigger action.
What Financial Institutions Should Do Now
The roadmap offers a clear starting point, even if it avoids prescriptive steps. Three priorities stand out:
- Build cryptographic visibility – Discovery and inventory are the foundation of everything that follows. Without them, governance and planning will fail.
- Engage vendors early and formally – Institutions should be requesting vendor PQC roadmaps now. Migration timelines will be constrained by third parties.
- Embed PQC into governance, not one-off projects – Post-quantum readiness needs to be part of risk management, architecture reviews, procurement, and resilience planning – not handled as an isolated effort.
This Is About Coordination, Not Cryptography
The G7 roadmap is ultimately less about cryptographic algorithms and more about how the financial system manages change without disrupting the services it depends on. It reflects an understanding that post-quantum migration will touch infrastructure, vendors, governance processes, and cross-border systems all at once, and that coordination matters as much as technical readiness.
At QuantumGate, we work with financial institutions and critical infrastructure providers that are navigating these questions in practice. What we consistently see is that early focus on visibility, governance, and coordination creates a stronger foundation for whatever technical decisions follow. This roadmap reinforces that view and provides a useful reference for how institutions can prepare without rushing.



