What the 2030 NIST PQC Deadline Actually Means for Your TLS Stack
NIST IR 8547 proposes deprecating every classical public-key primitive your TLS stack uses today by 2030, and disallowing them by 2035. Your migration window is five years. Here is what that actually requires.
In November 2024 NIST published IR 8547, a quiet draft document titled Transition to Post-Quantum Cryptography Standards. The draft proposed concrete deadlines for the federal government’s migration off classical public-key cryptography. The numbers in it are the reason your TLS roadmap for the next five years just got rewritten.
These are NOT a marketing reading of an aspirational guidance document. They are NIST’s own proposed timeline for the cryptographic algorithms that protect ~every TLS handshake on the internet today. The draft entered public review on 2024-11-12, closed comment on 2025-01-13, and is on track to become final NIST guidance during 2026. CNSA 2.0, the parallel National Security Systems mandate from NSA, points the same direction with even tighter ratchets for classified-adjacent systems (see the CNSA 2.0 Cybersecurity Information Sheet). NIST IR 8547 is the civilian-sector echo of CNSA 2.0.
If your stack is going to be alive in 2030, and almost every TLS-terminating service we look at today was designed to be, you have five years to make every key exchange in it post-quantum. Federal contractors have it written into the procurement contract; everyone else will have it written into the SOC 2 report by 2028 because that’s how SOC 2 evolves. Pick your timeline.
This post is the operational answer to “what does that actually require?” It is the second in our PQC series; the first covered the implementation side. This one is for the CISO or security architect who has been told “we need to be PQC-ready” and is staring at a TLS termination layer that has no idea what ML-KEM means.
1. What's actually getting deprecated
The cleanest summary of NIST IR 8547’s algorithm table is this: every public-key primitive your TLS stack uses today appears on it.
NIST IR 8547 algorithm timeline
Source: NIST IR 8547 §3.3 + §4 algorithm table
| Primitive | 2030 | 2035 |
|---|---|---|
| RSA-2048 / RSA-3072 (key agreement) | Deprecated | Disallowed |
| ECDH P-256, P-384 (key agreement) | Deprecated | Disallowed |
| ECDSA P-256, P-384 (signatures) | Deprecated | Disallowed |
| EdDSA Ed25519 (signatures) | Deprecated | Disallowed |
| ML-KEM-512 / 768 / 1024 (FIPS 203) | ApprovedIn force as of FIPS publication, Aug 2024 | |
| ML-DSA-44 / 65 / 87 (FIPS 204) | ApprovedIn force as of FIPS publication, Aug 2024 | |
| SLH-DSA (FIPS 205) | ApprovedIn force as of FIPS publication, Aug 2024 | |
Deprecated in NIST language means: existing approved use is permitted under risk-acceptance, no new approvals. Disallowed means: full stop, no federal use.
2. Where every gateway fails the 2030 test today
Pull up a packet capture of one TLS 1.3 handshake from any gateway you operate. The ClientHello carries a supported_groups extension that enumerates the key-share groups the client is willing to use. Look at what is there. For >99% of HTTPS deployments in production today, you will see only classical groups, every one on the deprecation list:
supported_groups:
- x25519 # NIST IR 8547: deprecated 2030
- secp256r1 (P-256) # NIST IR 8547: deprecated 2030
- secp384r1 (P-384) # NIST IR 8547: deprecated 2030The server picks one, the handshake completes, the session key is derived from a primitive on the deprecation list. Every byte of that TLS session is on a 2030 clock. The ones you don’t see, and which need to be there by 2030, are the hybrid PQ groups Chrome 131+ already negotiates by default:
- X25519MLKEM768 # hybrid, IETF codepoint 0x11EC
- MLKEM768 # pure PQ, post-2030 defaultIf your gateway can’t speak hybrid post-quantum today, meaning Chrome 131+ clients silently downgrade to X25519 when they connect, you don’t have a PQC migration plan. You have a 2030 problem.
The 2030 deadline becomes a 2028 commercial deadline by the time it touches procurement.
3. The three costs of waiting
A 5-year deadline feels like a lot. Three forces compress that into ~24 months of actual runway.
Harvest-now-decrypt-later (HNDL)
An adversary recording TLS handshakes today doesn’t need to decrypt them today. The threat model assumes a cryptographically relevant quantum computer arrives sometime in the 2030s; every X25519 session captured between now and then is decryptable at that point. If your traffic has a confidentiality horizon longer than ~6 years (and almost all enterprise traffic does), the recordings being made today will be readable in the window when ML-KEM is mandatory but your sessions used X25519.
Procurement and compliance lag
Once NIST IR 8547 finalizes, federal procurement contracts will reference it within months. The federal cycle bleeds into commercial SOC 2 and ISO 27001 audits about two years behind; expect “PQC-ready” to be a CISO-questionnaire line item by late 2026 and a hard gate by 2028 for any vendor selling into regulated verticals.
Customer expectations
Chrome 131 already advertises X25519MLKEM768. Browsers tell users which protocols their connections used. Customer security teams who can read a TLS handshake are noticing which of their vendors negotiate hybrid PQ and which silently downgrade. The asymmetry is unkind: vendors who shipped it get a checkbox; vendors who haven’t get a question.
4. What a real PQC migration touches
“Just enable hybrid PQ” sounds like a config-flag flip. The actual migration touches five layers of your stack, and each has independent risks.
Key exchange, the easy part, paradoxically
Hybrid X25519MLKEM768 in TLS 1.3 is a TLS-server config change in principle. In practice, your library must support it (OpenSSL 3.5+, rustls 0.23 + aws-lc-rs, Go 1.24+), your load balancer must pass through unrecognized groups, and the ~1 KB extra in each ClientHello can push tight-MTU IoT links into fragmentation. We have measured ~4 ms median handshake-latency overhead on copper Ethernet and ~12 ms on a Jetson over LTE.
Certificate chain, the hard part
Your server cert is signed with RSA or ECDSA today. That signature algorithm is on the deprecation list too. The CA/Browser Forum has not yet permitted PQ signatures in publicly-trusted issuance; Let’s Encrypt commits to ML-DSA-44 chains “in 2026.” A 3-level chain signed with ML-DSA-65 adds ~13 KB to every full handshake. SLH-DSA is worse: 30+ KB per signature. This breaks deployment assumptions for IoT and any 50 ms-SLA path.
Code-signing and supply chain
Your TLS library was loaded from a signed binary. That binary was signed with RSA or ECDSA. The package manager verified that signature. The container image was signed (Sigstore, Notary) with classical algorithms. By 2030 every step from your code repo to your serving pod has to chain back to a PQ-signed trust root.
Long-lived secrets
Anything signed today with a classical algorithm and meant to be valid past 2030 is a problem. Firmware signatures on 10-year industrial controllers; root CAs with 20-year validity. If you ship hardware with classical-signed firmware that needs to be patchable in 2034, you have already missed the window.
Compliance attestation
The SOC 2 / ISO 27001 / HIPAA framework lookups for “post-quantum readiness” don’t exist yet. They will. The auditor in 2028 will not accept “we are planning to migrate” the way they accept it today.
Realistic 2026 plan
Q3 2026 pilot is the load-bearing milestone, hybrid PQ in production with real customer traffic surfaces the integration surprises before the deadline forces them.
5. Where Scrutari fits
Our gateway is a multi-tenant Rust-based TLS terminator that ships with hybrid X25519MLKEM768 enabled by default. Every TLS handshake completes with the same hybrid key exchange Chrome 131 already negotiates, no opt-in, no flag, no separate “PQ mode.” The implementation details (rustls 0.23 + aws-lc-rs + quinn) are in our companion post on building the gateway; the operational point for this post is that we removed the “should we enable PQ?” decision from your migration plan entirely.
The reason this matters operationally is that our gateway sits before your existing TLS terminator. You point a CNAME at our edge, hand us your domain, and we terminate hybrid PQ on the public side while forwarding plain-TLS (or even plain HTTP, if your backend lives on a trusted network) to your existing infrastructure. Your application doesn’t change; your existing nginx / Envoy / ALB doesn’t change; your customers’ browsers start negotiating hybrid PQ on the next visit. The migration window for the key-exchange layer collapses from “rewrite your TLS termination” to “update your DNS.”
The cert-chain migration (§4.2) is separately on our roadmap and will follow public-CA PQ signature support as it ships. Our AI Insights daily briefing surfaces the per-tenant ratio of hybrid-PQ vs classical handshakes in a daily report, so you can watch the migration happen across your client fleet without spinning up your own observability stack.
The single most useful thing you can do this quarter
Walk the list of every endpoint that terminates TLS for an external client. Mark each one with whether it speaks X25519MLKEM768. The endpoints that don’t are your 2030 backlog, ordered roughly by traffic volume. For the ones at the top of that list, the customer-facing gateway, the partner-facing API, the SSO endpoints federal customers use, talk to us about whether dropping our gateway in front of them is a faster path than rebuilding the termination layer.