China could have national post-quantum cryptography standards within three years, according to Tsinghua cryptographer Wang Xiaoyun, a timeline reported by Reuters on March 19 that points to a bigger shift than a routine cybersecurity update. The estimate is not an official state deadline. But paired with China’s February 2025 launch of a global call for next-generation commercial cryptography algorithms, and with finance and energy identified as priority migration sectors, it suggests Beijing is moving quantum-safe encryption from research into standards-setting. The deeper story is not that China is rejecting NIST. It is that China appears determined to build its own compliance path for the quantum era.
The three-year signal matters because it moves PQC from theory toward policy
What makes the Reuters report important is not just the phrase “within three years.” It is that the timeline came with a second, more operational signal: Wang also said China’s post-quantum cryptography industry could enter a strong growth phase over the next three to five years. That framing turns the issue from an abstract scientific challenge into a migration story. Once governments and critical industries begin talking in multi-year deployment windows, the subject is no longer only about academic research or lab demonstrations. It becomes a planning problem for standards bodies, infrastructure operators and compliance teams.
That context matters even more because Beijing has already elevated quantum technology within its latest five-year planning cycle. As The Quantum Insider noted in early March, quantum technology was named alongside other strategic frontier sectors in China’s new national development agenda. In other words, post-quantum cryptography is not appearing in isolation. It sits inside a broader state-backed push to strengthen China’s position in quantum science, quantum computing and related security infrastructure.
The key issue is standards sovereignty, not a dramatic split from the West
The most valuable extension to the Reuters story came from CSO Online, which argued that Beijing is seeking its own quantum-resistant encryption standards rather than simply adopting the U.S. National Institute of Standards and Technology framework as the default endpoint. That is the angle that gives the story international importance. A new standards path in China would not just affect domestic vendors. It could shape how banks, utilities, telecom operators and multinational companies think about quantum-safe compliance in the world’s second-largest economy.
Still, this should be written carefully. The right formulation is not “China rejects NIST.” That would overstate what is publicly known and flatten a more nuanced reality. China has not published a final national standard, nor has it formally declared that globally used NIST standards will be irrelevant in its market. The more accurate conclusion is that China appears to be developing its own national standards route instead of treating NIST as the only framework that matters.
CSO Online also highlighted a technical distinction that helps explain why this may not end in simple policy imitation. According to the report, Chinese researchers have focused more on so-called structureless lattice approaches, while much of the current international standardization effort has centered on algebraic lattice designs. Whether that difference eventually becomes a major interoperability issue remains unclear. But it reinforces the broader point: this is not only a cybersecurity procurement story. It is also a story about who gets to define trusted math, acceptable risk and regulatory legitimacy in the quantum era.
Finance and energy are early because the data risk is unusually long-lived
Reuters said finance and energy are likely to be priority sectors for migration in China. That makes sense because both industries hold highly sensitive data with long value cycles. Financial transaction histories, identity records, payment infrastructure and energy-grid communications cannot be treated like short-lived consumer data. If attackers can collect encrypted information today and wait for future quantum capability to make decryption easier, then the damage window stretches far beyond the present.
That is why the “harvest now, decrypt later” problem matters so much here. Post-quantum cryptography is not being discussed only because practical quantum computers are ready now. It is being discussed because sensitive information stolen today may still be worth reading years from now. For sectors such as banking, insurance, power generation and energy transport, waiting until the quantum threat is fully mature could mean waiting too long. Migration also takes time: software libraries, hardware modules, firmware, device certificates and internal protocols all need to be updated in sequence. A three-year standards window and a three-to-five-year migration expansion window fit that reality.
China is not starting from zero
Another reason the story carries weight is that there is already institutional preparation behind it. On February 5, 2025, the Institute of Commercial Cryptography Standards, China launched what it called the Next-generation Commercial Cryptographic Algorithms Program, inviting global proposals for public-key algorithms, cryptographic hash algorithms and block cipher algorithms. That is a meaningful signal because it shows China has already opened a formal standards-preparation process rather than merely floating general political interest in quantum security.
The ICCS notice does not tell the market which algorithms will ultimately be chosen, nor does it provide a final implementation roadmap. But it does show that the standards effort has procedural scaffolding. Combined with Wang’s March comments, the result is a much more credible narrative: China is not improvising a headline response to Western progress in post-quantum security. It is building a domestic pipeline that could eventually support national standards, sector migration guidance and a more distinctly Chinese compliance stack.
The global comparison makes this bigger than a domestic China story
The United States finalized its first set of post-quantum cryptography standards in 2024, and the broader migration conversation in the West already points toward a 2035 horizon for full transition across major systems. China is therefore not the first mover in finalized standards. But it may become one of the most important second-track standard setters. If Washington has already defined one global reference point, Beijing now appears to be positioning itself to define another.
That creates a more complicated future for cross-border technology planning. A multinational company operating in China may eventually need to think about more than one post-quantum compliance destination. A vendor serving Chinese financial or energy clients may need to map products not only to NIST-aligned expectations but also to whatever Chinese national standards eventually emerge. This is where the idea of standards sovereignty becomes tangible. The competition is not simply about whose cryptographers are right. It is about whose rules become mandatory in critical digital environments.
This is also why the story stands apart from many recent China technology headlines. Recent coverage has revolved around AI agents, export-control enforcement, Xiaomi’s AI spending and the monetization pressure on large internet platforms. This one sits deeper in the stack. It is about the security foundation beneath future digital systems — the layer that becomes visible only when governments start deciding what counts as trusted encryption.
What changed, and what could come next
What changed this week is that China’s post-quantum conversation moved from broad strategic ambition to a more usable public timeline. Reuters put a three-year standards estimate and a three-to-five-year migration outlook into circulation. CSO Online gave the story its most important interpretive frame by arguing that Beijing wants a domestic standards path rather than simple NIST adoption. The Quantum Insider added the international comparison, while ICCS provided the strongest evidence that institutional groundwork has already begun.
What comes next is still uncertain, and that uncertainty should remain in the copy. China has not yet published a final standards package, announced mandatory sector deadlines or disclosed which algorithms will definitively anchor its national framework. But the direction of travel is becoming easier to see. Beijing is treating post-quantum cryptography not as a distant science topic, but as a strategic security and industrial-policy issue. If that continues, the real consequence will not just be safer encryption inside China. It will be a world in which the quantum-safe internet may have to navigate more than one major standards center.
This policy-and-standards framing also fits alongside China’s 15th Five-Year Plan boosts AI Plus, semiconductors, China Gives BCI a 3–5 Year Public-Use Timeline and China’s 3.15 Spotlight Puts Smart‑Car OTA Updates Under a Compliance Lens, because together they show how Beijing is translating frontier-technology ambition into multi-year planning, compliance design and sector-specific implementation.
Sources
- Reuters — China likely to have standards for post-quantum cryptography in 3 years, expert says (2026-03-19)
- CSO Online — Beijing wants its own quantum-resistant encryption standards rather than adopt NIST’s (2026-03-19)
- The Quantum Insider — China Expects Post-Quantum Cryptography Standards Within Three Years (2026-03-19)
- The Quantum Insider — China’s New Five-Year Plan Specifically Targets Quantum Leadership And AI Expansion (2026-03-05)
- Institute of Commercial Cryptography Standards, China — Announcement on Launching the Next-generation Commercial Cryptographic Algorithms Program (NGCC) (2025-02-05)
Editorial caveats: Treat the three-year timeline as Wang Xiaoyun’s expert assessment reported by Reuters, not as a formal state deadline. Keep the core framing as China developing its own national standards path rather than “rejecting NIST.” Avoid claiming that final algorithms, compliance mandates or migration deadlines have already been fully published.
