Skip to content
Chimera readability score 72 out of 100, Expert reading level.

Late last month, a new White House executive order, 14412 “Securing the Nation Against Advanced Cryptographic Attacks,” accelerated the timeline for preparing against post-quantum cybersecurity threats, adding urgency to quantum innovation. The order sets a clear schedule: a post-quantum cryptography (PQC) pilot program within 180 days, guidance for a cryptographic bill of materials (CBOM) within 270 days, and full implementation of PQC by the end of 2030.
While the U.S. administration has already warned about post-quantum threats over the past couple of years, the new executive order reflects a rapidly evolving landscape. It recognizes the growing risk of “harvest now, decrypt later” attacks, in which adversaries use AI to collect encrypted data today for decryption once quantum computers become practical. To address this, the order mandates the implementation of PQC within a defined timeline.
It states specifically:
“Within 180 days of the date of this order, the Federal Acquisition Regulatory Council (FAR Council), in consultation with the Secretary of Homeland Security through the Director of CISA and the Director of NIST, shall publish a proposed rule amending the Federal Acquisition Regulation (FAR) to require covered contractors to comply by December 31, 2030, with NIST’s FIPS, including all applicable FIPS incorporating PQC compliant algorithms.”
The executive order (EO) targets federal government contractors, but its knock-on effect will almost certainly be felt across the broader market and technology industry. It is expected to encourage faster adoption of NIST-approved PQC standards, increase demand for products that support PQC algorithms, encourage critical national infrastructure (CNI) operators to plan their migration to PQC, and prompt organizations to assess their cryptographic assets.
As research firm Forrester said in a recent blog, “The debate over whether this is a foreseeable risk just ended. Any board that chooses not to follow a comparable path will need to explain why its own standard of care is lower than that of the U.S. federal government. In the event of a lawsuit, that gap can translate into findings of negligence for executives. Negligence analysis is simple: Was the burden of taking action smaller than the expected harm? The new directives shape both sides of that test.”
EE Times asked two companies, Microchip Technology and NXP Semiconductors, for their views on the executive order’s accelerated timeline for PQC and its implications for the industry.
Xavier Bignalet, product marketing manager for Microchip Technology’s secure computing group, said in a written response to EE Times, “The CISO [chief information security officer] community has long argued that without legal penalties, companies will continue to deprioritize security. With recent mandates from the U.S. White House and the French government, this is no longer the case. Organizations must now implement foundational security to prepare for the future.” [The French government mandate follows a report published last month stating that France’s national cybersecurity agency, ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information), will stop certifying security products that lack quantum-resistant encryption starting in 2027.]
Bignalet added, “Given the tight timelines outlined in CNSA 2.0 for 2027 and 2030, companies need to begin updating their embedded products for PQC compliance now. Both governments have been clear about the required PQC cryptographic algorithms, and Microchip already offers hardware-based PQC-accelerated devices.” He said that the TS1800 platform root-of-trust controller and the TS50x secure boot controller follow this model by containing cryptographic operations within a dedicated, purpose-built device. He said this isolation helps decouple PQC implementation from the broader system, reducing exposure to software bugs in the main chipset, simplifying updates, and providing a more controlled path for addressing future vulnerabilities as standards and requirements evolve.
Meanwhile, Joost Renes, senior principal cryptographer and security architect at NXP Semiconductors, told EE Times in a written response, “From NXP’s perspective, this EO is a strong indicator that PQC migration is becoming increasingly urgent and widespread. Requirements for National Security Systems (NSSs) targeting as early as 2027 for PQC adoption existed already in the form of CNSA 2.0, while traditional cryptography for non-NSS systems was to be phased out by NIST by 2035.”
He added, “This EO accelerates the PQC migration deadlines by a significant amount to 2030-2031 and affects a broader range of systems. While the EO itself only affects federal systems, we can expect to see a ripple effect on other industries, where similar trends of pulling deadlines forward (e.g., Google is targeting 2029 for PQC readiness) are happening. The majority of solutions that are designed and deployed today will have lifetimes that exceed past 2030, so to ensure longevity and security for the full lifetime of a system, it is critical to make PQC a foundational element of today’s security architectures. Key elements to include are a strong hardware root of trust, as well as crypto agility and updatability. The EO further strengthens the needs for these features.”
Renes said that NXP sees the immediate focus as being on high-risk use cases and high-value systems. “For chip vendors, this means longevity of hardware and systems, to protect against ‘trust now, forge later’ attacks, where components without protection against quantum computers will be exploitable whenever a quantum attack becomes feasible. With the advent of quantum computers, the crypto lifecycle will likely be shorter than the hardware lifecycle. NXP already addresses this threat in its products, launching in 2026-2027 across various domains such as industrial IoT, automotive, mobile, and secure identity. It also means protecting against ‘harvest now, decrypt later’ attacks, where cloud providers also play a big role in moving adoption forward.”
Renes indicated that we are still early in the adoption of PQC. He said, “We are only at the beginning of the migration as industries begin to adopt PQC into their application standards, certifications, and testing labs supporting PQC, including high-assurance implementations (e.g., smart cards, passports).” He added that as PQC becomes a mandatory technology rather than an optional feature, the industry will have to address the threat to existing systems that are expected to be active for years to come through a combination of software updates, hardware replacements, and other creative solutions. “The migration to PQC is a major and complex task, but steps are already being taken in the right direction,” he noted.
Microchip’s Bignalet added that companies should today focus on designing for flexibility. He said, “A realistic migration starts with building a clear cryptographic inventory. Organizations should adopt a phased transition rather than attempt full replacement. Due to system complexity, migration requires careful architectural planning to maintain interoperability and long-term maintainability. This phased approach inherently leads to a hybrid model to maintain compatibility while transitioning to new cryptographic foundations. This allows for testing, validation, and incremental rollout without disrupting existing systems, while also reducing migration risk.”
Bignalet continued, “PQC adoption introduces new design considerations, including larger key sizes, performance impacts and potential exposure to side-channel and fault injection attacks, all of which must be addressed at the implementation level.”
NXP’s Renes added, “NXP has been working for years with the security community and our customers to raise awareness for the threat of quantum computers. While the U.S. has previously raised it as a concern, this EO provides a very concrete timeline (2030-2031) and clear targets (key establishment, digital signatures) which will help focus the efforts for any party considering to migrate.”
Bignalet reemphasized what industry executives have been saying for years: Security strategy and implementation are often driven by CEO prioritization, while product security is often treated as an afterthought. He said, “Security is frequently viewed as a cost rather than an investment. More like insurance: Its value becomes clear only after something goes wrong, when the financial impact on the P&L can be severe. As a result, foundational security has historically been treated as optional.”
Hence, the new executive order now stresses the importance of not just security, but post-quantum security. He said, “That means no more excuses, no more delays.”
Read also:
The PQC Silicon Is Here Today for Tomorrow’s Quantum Threats
The Quantum Leap in Cybersecurity: A New Era of Challenges
Leave a Reply
You must Register or Login to post a comment.

Sentinel — Human

Confidence

The article is a well-structured journalistic report synthesizing a specific executive order with expert commentary, displaying characteristics of human-driven analysis layered onto factual data.

Signals Detected
low severity: Moderate sentence length variance and natural shifts in focus, especially in the quoted segments.
low severity: Maintains strong thematic flow linking the executive order to industry response without excessive hedging.
low severity: Quotes from named experts (Bignalet, Renes) reference specific, verifiable industry/government documents (CNSA 2.0, NIST deadlines), suggesting direct sourcing rather than mere aggregation.
low severity: The core arguments presented by the quoted experts—focusing on hardware root of trust, crypto agility, and phased migration—align with known industry discourse regarding PQC transition.
Human Indicators
Presence of direct quotes attributed to named industry figures with specific technical context.
Integration of external references (FORRESTER, CNSA 2.0) that suggest synthesis from existing knowledge rather than pure fabrication.