On June 22, 2026, the White House published an executive order titled Securing the Nation Against Advanced Cryptographic Attacks. It is signed by President Trump and it is, without exaggeration, the most significant government action on post-quantum cryptography since NIST published FIPS 203 to 205 in August 2024. For anyone working in cybersecurity, this is worth reading carefully.
The order does something that guidance documents, NIST recommendations, and NSA advisories have not done: it sets hard legal deadlines for the US federal government, creates formal accountability mechanisms, and extends obligations to federal contractors. That last point is what makes this relevant well beyond Washington.
What the order actually says
The policy statement in Section 1 is unusually direct for a government document. It names the harvest now, decrypt later threat explicitly, describing adversaries collecting US information now and decrypting it later once large-scale quantum computers are operational. This is no longer fringe language in policy circles. It is now the official position of the US executive branch.
The operational requirements are in Section 4. Each agency has 30 days to identify a PQC migration lead reporting to the chief information officer. Within 90 days, OMB must issue guidance requiring every agency to complete the following:
- Transition all high value assets and high impact systems to PQC for key establishment by December 31, 2030.
- Transition all high value assets and high impact systems to PQC for digital signatures by December 31, 2031.
- Submit a migration plan to OMB and the National Cyber Director covering both objectives.
Those are not suggestions. They are deadlines with a formal reporting chain attached.
The contractor angle is the big one
Section 6 is where things get interesting for the private sector. The order directs the Federal Acquisition Regulatory Council to publish a proposed rule amending the Federal Acquisition Regulation to require covered contractors to comply with NIST FIPS, including all applicable FIPS incorporating PQC algorithms, by December 31, 2030.
In plain terms: if you sell technology or services to the US federal government, you will need to be PQC compliant by the end of 2030 or risk losing those contracts. This affects an enormous number of companies, including many European ones with US government contracts or subsidiaries operating in the US market.
The order also requires vulnerability disclosure programmes to incorporate reports of cryptographic vulnerabilities, specifically including testing for lack of encryption and the use of non-FIPS approved algorithms. Cryptographic posture is now formally in scope for federal contractor security assessments.
The Cryptographic Bill of Materials gets its moment
Section 5 directs CISA and NIST to release public guidance within 270 days describing the minimum elements for a cryptographic bill of materials. The CBOM concept, which we have covered here before, has been discussed in standards circles for a few years. This order puts federal weight behind it and effectively makes it a prerequisite for compliant federal systems.
The significance of a standardised CBOM format should not be underestimated. Once CISA publishes minimum element requirements, those requirements will likely become the baseline for any serious PQC migration assessment, in the US and eventually elsewhere.
What it means outside the US
The direct legal force of this order stops at US borders. European organisations are not subject to US executive orders. But the practical implications extend further than the legal ones.
First, the contractor requirements will push PQC compliance up the supply chains of US federal agencies, many of which include European technology companies. If you provide cloud infrastructure, security tooling, or managed services to a US federal contractor, expect PQC requirements to flow down through contract terms within the next two to three years.
Second, US regulatory precedent tends to influence EU regulatory direction on cybersecurity, sometimes directly (GDPR was partly a response to US surveillance practices) and sometimes through the standards bodies where both sides participate. NIST’s PQC standards already carry de facto global authority. An executive order with hard deadlines attached to them strengthens the hand of European regulators who want to push similar timelines under NIS2 and DORA.
Third, the explicit naming of HNDL as a current threat in a presidential order is a data point that CISOs can use internally. If the US government is willing to say publicly that adversaries are harvesting encrypted data today, that framing is available to anyone making the case for urgent PQC investment to a board or a budget committee.
The timelines in context
The 2030 deadline for key establishment and 2031 for digital signatures are aggressive but not unreasonable for organisations that start now. The NSA’s CNSA 2.0, published in 2022, already set similar timelines for national security systems. What this order does is extend that urgency to the broader federal civilian infrastructure and its contractor ecosystem.
For organisations that have been treating PQC as a 2027 or 2028 problem, this order is a useful recalibration. The US government, which operates some of the largest and most complex IT environments in the world, has just committed to completing key establishment migration in four years. If that timeline is achievable for federal agencies, the argument that enterprise migration requires more time than that becomes harder to sustain.
The full text of the order is available at whitehouse.gov. It is worth reading in full, particularly Sections 4 and 6, if you are building a PQC migration business case or trying to frame the urgency for non-technical stakeholders.