Most US-based startups selling into Australian enterprise markets don't know about the ASD PQC mandate. Their Australian competitors do. Their enterprise buyers' procurement teams do. And increasingly, they're asking about it in vendor questionnaires.
What the ASD Actually Requires
The Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC), published updated post-quantum cryptography guidance in September 2025 establishing three hard milestones for all organizations operating in Australia — including private sector businesses, not just government agencies. The February 2026 guidance explicitly names SMBs using cloud services or SaaS platforms as in scope.
The 2026 milestone is a current obligation. A startup without a documented PQC transition plan by December 2026 is not early in its compliance journey. It is late.
Why This Affects Your Sales Pipeline Now
Enterprise procurement teams at Australian banks, government agencies, and critical infrastructure operators are beginning to include PQC readiness in vendor security assessments. If your startup is trying to close a contract with an Australian bank, a government department, or a utility company, there's a reasonable probability you'll face a question about your PQC migration roadmap before the end of 2026.
The dynamic is identical to what happened with GDPR vendor questionnaires between 2017 and 2019. Enterprise buyers got ahead of the regulatory deadline by requiring vendor compliance documentation before it was technically mandatory. By the time enforcement arrived, the question was already standard in procurement. Australian enterprise buyers are doing the same thing with PQC.
If your answer to the question is "we haven't assessed this yet," you will lose deals to competitors who have a documented roadmap. The roadmap doesn't need to show completed migration. It needs to show that the organization has mapped its cryptographic exposure, understands the timeline, and has a credible plan. That's achievable in a 4–6 week engagement. Not having it is not.
The LATICE Framework — What ASD Actually Wants to See
ASD recommends organizations follow the LATICE framework — a five-phase approach that defines exactly what a compliant PQC transition process looks like. When an enterprise buyer or assessor asks about your PQC readiness, this is the structure they're working from.
For a startup, the 2026 deliverable is completing L, A, and T — the CBOM, the risk assessment, and the prioritized roadmap. Implementation comes in 2027–2028. But the assessment and plan need to exist this year.
What the CBOM Actually Is (and Why You Don't Build It by Hand)
The Cryptographic Bill of Materials (CBOM) is the starting point ASD requires. A CBOM is a machine-readable inventory of all cryptographic assets in your software — every algorithm, key type, key length, certificate, and protocol, and the dependencies between them. Think of it as the cryptographic equivalent of an SBOM: you can't manage what you can't see.
CBOMs are standardized in CycloneDX 1.6 (April 2024), now formalized as ECMA-424. IBM originally developed the specification; it's now an OWASP project. Automated tools exist to generate CBOMs from source code and container analysis. You don't build the CBOM manually — you run a scanner and manage the output.
What you do manually: interpret the CBOM output, map it against the LATICE risk assessment, and build the transition plan that the CBOM informs. That's the governance work — and it's where the 4–6 week sprint pays for itself.
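To make the "interpret the CBOM output" step concrete, here is an added example (not from this article or from any scanner's own code) that reads a CycloneDX 1.6 CBOM and lists the algorithm assets a roadmap would need to address. The field names follow the CycloneDX 1.6 schema; the sample components and the rule "flag a `nistQuantumSecurityLevel` of 0 or a missing rating" are assumptions made for illustration.

```python
import json

# Constructed sample CBOM (CycloneDX 1.6 JSON); all component names are illustrative.
SAMPLE_CBOM = json.loads("""{
 "bomFormat": "CycloneDX", "specVersion": "1.6",
 "components": [
  {"type": "library", "bom-ref": "lib-auth", "name": "auth-service"},
  {"type": "library", "bom-ref": "lib-store", "name": "storage-service"},
  {"type": "cryptographic-asset", "bom-ref": "alg-rsa", "name": "RSA-2048",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
    {"primitive": "pke", "nistQuantumSecurityLevel": 0}}},
  {"type": "cryptographic-asset", "bom-ref": "alg-ecdsa", "name": "ECDSA-P256",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
    {"primitive": "signature", "nistQuantumSecurityLevel": 0}}},
  {"type": "cryptographic-asset", "bom-ref": "alg-aes", "name": "AES-256-GCM",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
    {"primitive": "ae", "nistQuantumSecurityLevel": 5}}},
  {"type": "cryptographic-asset", "bom-ref": "alg-custom", "name": "legacy-kdf",
   "cryptoProperties": {"assetType": "algorithm", "algorithmProperties":
    {"primitive": "kdf"}}},
  {"type": "cryptographic-asset", "bom-ref": "cert-tls", "name": "api-tls-cert",
   "cryptoProperties": {"assetType": "certificate"}}],
 "dependencies": [
  {"ref": "lib-auth", "dependsOn": ["alg-rsa", "alg-ecdsa"]},
  {"ref": "lib-store", "dependsOn": ["alg-aes", "alg-rsa", "alg-custom"]}]
}""")

def triage(cbom):
    """Return (name, status, used_by) for flagged algorithms: most-used vulnerable first, unknowns last."""
    users = {}  # algorithm bom-ref -> names of components that depend on it
    names = {c.get("bom-ref"): c.get("name") for c in cbom.get("components", [])}
    for dep in cbom.get("dependencies", []):
        for target in dep.get("dependsOn", []):
            users.setdefault(target, []).append(names.get(dep["ref"], dep["ref"]))
    findings = []
    for comp in cbom.get("components", []):
        props = comp.get("cryptoProperties", {})
        if comp.get("type") != "cryptographic-asset" or props.get("assetType") != "algorithm":
            continue  # libraries, certificates and protocols are not rated here
        level = props.get("algorithmProperties", {}).get("nistQuantumSecurityLevel")
        if level is not None and level > 0:
            continue  # meets at least one NIST PQC security category
        status = "unknown" if level is None else "quantum-vulnerable"
        findings.append((comp["name"], status, sorted(users.get(comp.get("bom-ref"), []))))
    return sorted(findings, key=lambda f: (f[1] != "quantum-vulnerable", -len(f[2]), f[0]))

if __name__ == "__main__":
    for name, status, used_by in triage(SAMPLE_CBOM):
        print(f"{name:12} {status:20} used by: {', '.join(used_by) or '-'}")
```

Entries reported as `unknown` are the ones that need manual review, since the scanner supplied no rating for them.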
What the Procurement Conversation Looks Like
When an Australian enterprise buyer asks about PQC readiness, they're typically looking for two things: evidence that you know what cryptography you're running (the CBOM / Locate phase), and a documented plan for how you're transitioning (the roadmap).
The conversation does not require you to have completed migration. It requires you to have done the assessment and built the plan. A startup that can say "we completed our CBOM in Q3 2026, assessed our exposure against ASD LATICE, prioritized our three highest-risk components, and have a documented migration roadmap through 2030 aligned to NIST FIPS 203" passes the procurement question. A startup that says "we're looking into it" does not.
The Immediate Action
If your startup sells to Australian enterprise buyers and you don't have a documented PQC transition plan, you have until the end of 2026 to fix that. The plan requires three things: a completed CBOM, a risk assessment against ASD LATICE criteria, and a sequenced migration roadmap. None of these require hands-on cryptographic implementation. All of them require governance and project management, which is exactly what an Enterprise Governance Sprint delivers.
This article reflects ASD guidance published through February 2026. Organizations operating in Australia should monitor the ASD's cyber.gov.au for updates to the Information Security Manual and post-quantum cryptography guidance.
References: Australian Signals Directorate / ACSC. Planning for Post-Quantum Cryptography (September 2025, updated February 2026) · Australian Signals Directorate. Information Security Manual (ISM) · NIST FIPS 203 (August 2024) · CycloneDX CBOM Standard, ECMA-424 (July 2024)