"Readiness" in the context of PQC migration means something more specific than awareness of the quantum threat or even familiarity with the NIST standards. Most organisations that consider themselves PQC-aware have absorbed the briefings and understand that RSA and ECDSA face quantum-enabled failure. What they have not done is assess whether their organisation is actually equipped to migrate: whether the cryptographic inventory is complete, whether vendors and suppliers have defined upgrade paths, whether governance and policy cover quantum security explicitly, and whether their regulatory obligations have been mapped against a documented timeline. Those gaps are what this checklist finds.

What the PQC Readiness Checklist Covers

The checklist works through four assessment domains, generating a personalised set of items based on your organisation type and inputs. The assessment is not a fixed-length questionnaire; it adapts to your answers, so the number of items varies depending on which domains are relevant to your specific environment.

Cryptographic Inventory

Does your organisation know what cryptographic assets it holds, where they are, and what algorithms protect them? Inventory completeness is the prerequisite for every other domain: you cannot prioritise migration of assets you have not identified, and you cannot assess vendor readiness for algorithms you do not know you are running.

The checklist asks whether a cryptographic inventory exists, how recently it was completed, how comprehensively it covers different infrastructure layers (cloud services, on-premises systems, OT environments, and third-party integrations), and whether it is maintained on a documented update schedule.

Policy and Governance

Has the organisation documented its PQC migration policy? Has that policy been approved at board level? Are there named owners for each cryptographic domain? Is there a documented migration timeline with assigned milestones?

Policy gaps are often where the checklist produces its most uncomfortable scores. Many organisations have an informal understanding within the security team about what needs to happen, but no documentation that would survive an auditor's questions about governance.

Vendor and Supply Chain Readiness

Are the organisation's key software and hardware vendors PQC-ready? Have contracts been reviewed to confirm quantum security provisions or migration commitments? Has the organisation communicated PQC expectations to its supply chain?

Vendor readiness is frequently the longest lead-time item in any PQC migration programme. Vendor PQC assessment and contract negotiation take time. Twelve to 18 months is not unusual for organisations with complex supplier ecosystems. The checklist identifies whether this process has started, and flags it when it has not.

Regulatory and Compliance Alignment

Has the organisation mapped its regulatory obligations against its migration programme? The relevant frameworks depend on your organisation type and jurisdiction. NIST post-quantum standards (FIPS 203, 204, and 205) serve as the global technical baseline; NSA CNSA 2.0 applies specifically to US National Security Systems; NIS2 entered enforcement in October 2024 for EU essential and important entities; DORA became applicable in January 2025 for EU financial entities; UK organisations follow UK NIS Regulations (2018) and NCSC post-quantum cryptography migration guidance, not EU NIS2 directly. The checklist covers whichever frameworks apply to your organisation, not all simultaneously and not all applicable to every jurisdiction.

The tool scores each domain on completion and generates an aggregate readiness score with a gap summary.

[Figure: PQC readiness checklist, four-domain assessment with illustrative scores and gap summary]
PQC Readiness Checklist - Domain Scores
Cryptographic Inventory (asset discovery, coverage, update schedule): 45% PARTIAL GAP
Policy and Governance (board approval, named owners, documented timeline): 25% LOW GAP
Vendor and Supply Chain Readiness (vendor PQC roadmaps, contract provisions, assessment status): 30% LOW GAP
Regulatory and Compliance Alignment (framework mapping, migration timeline, audit-ready documentation): 60% MEDIUM
AGGREGATE: 40% PARTIAL
Illustrative scores. Actual results are calculated from your specific inputs across Yes / Partial / No / N/A responses.
Illustrative PQC readiness domain scores. The checklist scores each domain independently, so gaps in governance and vendor readiness are visible alongside stronger regulatory alignment. The lowest-scoring domain drives the first readiness priority, and the aggregate score provides a single figure for board reporting.
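The scoring model behind a figure like the one above can be made concrete. The following is an added example, not the checklist tool's own code: it assumes response weights of Yes = 1, Partial = 0.5 and No = 0, excludes N/A items from a domain's denominator, and takes the aggregate as the mean of the applicable domain scores (the page states the response options and that each domain is scored independently, but not the weights). The sample responses are constructed so that they reproduce the illustrative figures (45%, 25%, 30%, 60%, aggregate 40%), and the gap summary orders domains lowest-first so the first entry is the first readiness priority.

```python
from statistics import mean

# Assumed response weights (not stated on the page; N/A is excluded entirely).
WEIGHTS = {"Yes": 1.0, "Partial": 0.5, "No": 0.0}
NOT_APPLICABLE = "N/A"


def domain_score(responses):
    """Percentage readiness for one domain, or None if every item is N/A.

    N/A items are dropped from both numerator and denominator, so a domain
    that does not apply to the organisation never drags the aggregate down.
    """
    for r in responses:
        if r != NOT_APPLICABLE and r not in WEIGHTS:
            raise ValueError(f"unknown response: {r!r}")
    scored = [WEIGHTS[r] for r in responses if r != NOT_APPLICABLE]
    if not scored:
        return None
    return round(100.0 * sum(scored) / len(scored), 1)


def assess(answers):
    """Score every domain and build the gap summary.

    answers maps domain name -> list of responses.
    Returns (domain_scores, aggregate, gap_summary) where gap_summary is a
    list of (domain, score) for applicable domains, lowest score first.
    """
    scores = {domain: domain_score(rs) for domain, rs in answers.items()}
    applicable = [s for s in scores.values() if s is not None]
    # Assumed aggregation: unweighted mean of the applicable domain scores.
    aggregate = round(mean(applicable), 1) if applicable else None
    gaps = sorted(
        ((d, s) for d, s in scores.items() if s is not None),
        key=lambda item: item[1],
    )
    return scores, aggregate, gaps


# Constructed sample responses chosen to reproduce the illustrative figure.
SAMPLE_ANSWERS = {
    "Cryptographic Inventory": ["Yes"] * 3 + ["Partial"] * 3 + ["No"] * 4,
    "Policy and Governance": ["Partial", "Partial", "No", "No"],
    "Vendor and Supply Chain Readiness": ["Yes", "Partial", "No", "No", "No"],
    "Regulatory and Compliance Alignment": [
        "Yes", "Yes", "Partial", "Partial", "No", "N/A", "N/A",
    ],
}

if __name__ == "__main__":
    scores, aggregate, gaps = assess(SAMPLE_ANSWERS)
    for domain, score in scores.items():
        print(f"{domain}: {'n/a' if score is None else f'{score}%'}")
    print(f"Aggregate: {aggregate}%")
    print("Gap summary (first entry is the first readiness priority):")
    for domain, score in gaps:
        print(f"  {score:5.1f}%  {domain}")
```

Because each domain is scored on its own, a weak Policy and Governance result stays visible even when Regulatory and Compliance Alignment is strong, which is exactly why the figure shows four separate bars rather than only the aggregate.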

Why a PQC Readiness Assessment Matters Before You Start Migrating

The fastest route to underestimating a PQC migration programme's scope is beginning it without first understanding your readiness level. This is not a general principle about preparation; it is a pattern that emerges specifically in PQC migrations, where the discovery of an incomplete cryptographic inventory, an unready vendor, or an unsigned migration policy consistently occurs mid-programme rather than during scoping. The cost of those discoveries multiplies with every week of migration programme already in flight.

NIST finalised PQC standards in August 2024. NSA CNSA 2.0 compliance windows are documented for US National Security Systems. NIS2 entered enforcement in October 2024 across EU Member States. DORA became applicable in January 2025 for EU financial entities. UK organisations follow NCSC post-quantum cryptography migration guidance and UK NIS Regulations; their framework is distinct from EU NIS2 but equally specific in direction. An organisation that has not mapped its readiness against the frameworks applicable to its own jurisdiction is running a compliance risk it has not quantified, and in the current regulatory environment, "we were aware of the requirement but had not yet assessed our position" is a thin response to an audit finding.

The HNDL (harvest now, decrypt later) risk is the urgency driver that makes readiness assessment time-sensitive rather than theoretical. Data that needs long-term protection is at retrospective decryption risk now. A readiness assessment identifies whether the highest-HNDL-risk data categories in your organisation are supported by migration-ready vendors, documented in your cryptographic inventory, and covered by your migration policy, or not.

The board reporting value is direct. "Where are we on quantum security?" is a question most boards are beginning to ask. A scored readiness assessment produces the most defensible answer: a number, a domain breakdown, and a gap list. That is harder to dismiss than a verbal status update, and harder for an auditor to challenge than an informal assertion.

Our tools are designed as directional tools only. Advice and standards are changing rapidly, and although we update tools as new information is periodically released, they are not designed as a replacement for expert advice. If your organisation's results show high-priority exposure, the next step is to contact our team or speak to a qualified expert member.

How to Complete the PQC Readiness Checklist

Step 1. Open the checklist tool. No registration required.

Step 2. Work through the four domains in sequence. Each domain presents questions with Yes, Partial, No, or Not Applicable response options. Work through each question carefully.

Step 3. Be accurate, not optimistic. A Partial answer where the honest position is Partial produces a more useful output than an optimistic Yes. The gap summary is only as useful as the inputs are honest. Security teams that complete this checklist collectively, with representation from IT security, compliance, legal, and procurement, consistently identify more gaps than individuals completing it from memory for domains they do not directly own.

Step 4. The tool scores each domain on completion. You will see domain scores as you work through the checklist.

Step 5. Review the aggregate score and gap summary. The summary identifies which domains have the most significant gaps and provides a prioritised view of where readiness effort should focus.

Step 6. Identify your lowest-scoring domain. This is your first readiness priority. If Cryptographic Inventory scores lowest, complete the inventory before doing anything else; every other domain depends on it. If Vendor Readiness scores lowest, begin vendor PQC assessment immediately; this has the longest lead time of any readiness activity.

Step 7. Export the results. The output can be used for compliance documentation, board reporting, or as input into a formal PQC migration programme.

For large organisations: this assessment is most accurate when completed as a structured workshop with representatives from IT security, legal and compliance, procurement, and the relevant business units. A single person completing it from memory for a complex organisation will understate gaps in domains they do not own directly.

How to Use Your Readiness Score

The score is a gap finder, not a grade. A high score is not a pass; it is confirmation that your organisation has genuinely addressed the dimensions the checklist covers. Genuine PQC readiness is uncommon. Most organisations that run this checklist for the first time discover they score well on awareness and poorly on documentation, vendor engagement, and policy.

Low score in Cryptographic Inventory: complete the inventory before advancing any other domain. A cryptographic inventory is the prerequisite input for the Cryptographic Asset Prioritisation Matrix, the PQC Migration Decision Tree, and vendor readiness conversations. Everything else depends on it.

Low score in Vendor and Supply Chain Readiness: this is typically the highest-priority finding after inventory because it has the longest lead time. Begin vendor PQC assessment conversations immediately. Review key contracts for quantum security provisions. Where contracts lack these provisions, flag for next renewal cycle or initiate renegotiation where risk warrants it.

Low score in Policy and Governance: a governance gap often indicates that PQC migration has not yet reached board level as a documented commitment. The readiness score provides the evidence to change that. A quantified gap summary is more persuasive in a board discussion than a general statement about quantum risk.

High scores across all domains: communicate this to your board for governance and documentation purposes. Any external communication of self-assessment results to customers or commercial partners should be reviewed by legal counsel before use; a self-assessment score creates expectations that, if used commercially, carry reputational and legal implications. Internally, a high score is confirmation that your organisation has genuinely addressed the readiness dimensions the checklist covers.

From here, move to the PQC Migration Decision Tree to identify your migration starting point based on your infrastructure profile, and the Cryptographic Asset Prioritisation Matrix to sequence the assets within your migration programme.

Discuss your results with a QSECDEF expert member. A directional assessment is the starting point, not the programme. If your results show high-priority exposure, the next step is a discussion about a structured migration programme with defined milestones. Request a consultation with our team or find a qualified expert member.