We ran our open-source PQC scanner against 100 of the most consequential websites on the internet. The targets were not chosen at random but were a selection of institutions that hold sensitive citizen data, manage critical infrastructure, regulate markets, and set security standards for everyone else.
The scanner checks whether a TLS endpoint supports post-quantum cryptographic algorithms; specifically the NIST-standardised ML-KEM and ML-DSA families, and the hybrid key exchange schemes that most production deployments currently use. The check is passive. No credentials required, no traffic intercepted, no systems disrupted. It simply connects, reads the handshake, and reports what algorithms are on offer.
The result: 63% are not post-quantum ready, still offering only classical algorithms.
Here is what we found.
The Headline Numbers
| Sector | Passing | Total | Rate |
|---|---|---|---|
| Overall | 37 | 100 | 37% |
| UK Government | 13 | 25 | 52% |
| UK Banks | 3 | 22 | 14% |
| US Government | 2 | 15 | 13% |
| US Banks | 1 | 10 | 10% |
| EU Finance / Government | 2 | 10 | 20% |
| UK Infrastructure | 7 | 10 | 70% |
| Big Tech | 7 | 10 | 70% |
The pattern is not what we expected. Infrastructure and technology companies are ahead. Financial services, despite being heavily regulated and well-resourced, are behind. Government is split down the middle, possibly benefitting from common infrastructure - some of the UK government sites seem to use Fastly as a CDN provider.
UK Government: The Security Agencies Lead, Everyone Else Follows
Thirteen of twenty-five UK government sites passed. The full list:
Pass: gov.uk, hmrc.gov.uk, homeoffice.gov.uk, dwp.gov.uk, defra.gov.uk, beis.gov.uk, companieshouse.gov.uk, ico.org.uk, ncsc.gov.uk, gchq.gov.uk, royal.uk, cps.gov.uk
Fail: nhs.uk, mod.uk, justice.gov.uk, fcdo.gov.uk, cabinetoffice.gov.uk, dfe.gov.uk, dhsc.gov.uk, dvla.gov.uk, bankofengland.co.uk, pra.org.uk, parliament.uk, ons.gov.uk
The most striking finding: the two agencies responsible for setting the UK's PQC policy - NCSC and GCHQ - both pass. But the departments they advise largely do not. The Ministry of Defence, the Foreign Office, the Cabinet Office, the Department for Education, the Department of Health, and the DVLA all fail. The NHS, which holds some of the most sensitive personal data in the country, fails.
This is not a criticism of any particular department. PQC migration is a multi-year programme requiring budget, engineering time, and careful testing. A server may pass only because it sits behind a CDN that offers PQC algorithms; that does not mean the origin server would pass. Equally, a failing server that is just a static front door may be of little consequence if the internal systems behind it have already been upgraded. What it does show is that even within government, readiness is uneven. The agencies with the deepest technical expertise have moved first.
The Bank of England fails while the Financial Conduct Authority passes. The institution responsible for monetary stability and systemic risk is behind the regulator that oversees it. Whether this reflects different risk appetites, different procurement cycles, or simply different priorities is impossible to say from the outside. But it is a gap worth noting.
UK Banking: The Neobanks Are Running Rings Round the High Street
This was the most lopsided result in the entire dataset.
Pass: monzo.com, starlingbank.com, revolut.com
Fail: hsbc.co.uk, barclays.co.uk, lloydsbank.com, natwest.com, santander.co.uk, halifax.co.uk, nationwide.co.uk, tsb.co.uk, virginmoney.com, metro-bank.co.uk, co-operativebank.co.uk, firstdirect.com, rbs.co.uk, ulsterbank.co.uk, bankofscotland.co.uk, standardchartered.com, schroders.com
Every single legacy UK high street bank fails. HSBC, Barclays, Lloyds, NatWest, Santander, Halifax, Nationwide, TSB, Virgin Money, Metro Bank, the Co-operative Bank, First Direct, RBS, Ulster Bank, Bank of Scotland, Standard Chartered, Schroders. All of them.
Every UK neobank passes. Monzo, Starling, and Revolut all support post-quantum key exchange.
There is a straightforward technical explanation. Neobanks built their infrastructure in the last decade on modern cloud-native stacks. Their TLS termination layers, load balancers, and API gateways run software that was updated to support PQC as soon as Cloudflare, AWS, and Google Cloud made it available. Legacy banks operate sprawling estates of mainframes, bespoke middleware, and third-party integrations accumulated over decades. Upgrading cryptography across that footprint is a far larger undertaking.
But the explanation is cold comfort for customers. The banks holding the majority of UK retail deposits, mortgages, and business lending are less quantum-ready than three mobile-only challengers with a fraction of the resources. Regulatory pressure may change that - the FCA's operational resilience framework and DORA's cryptographic requirements both point in that direction - but the gap is real today.
US Government: The Agencies Writing the Standards Are Not Following Them
Pass: cia.gov, fbi.gov
Fail: whitehouse.gov, nsa.gov, cisa.gov, nist.gov, state.gov, treasury.gov, dod.gov, dhs.gov, hhs.gov, irs.gov, ssa.gov, va.gov, defense.gov
The most embarrassing failure is NIST. The body that standardised ML-KEM and ML-DSA does not support those algorithms on its own public website. The scanner found only classical RSA and ECDH key exchange.
CISA - the Cybersecurity and Infrastructure Security Agency, which runs the .gov security programme and advises critical infrastructure operators on PQC migration - also fails.
The NSA fails. The agency that published CNSA 2.0, the mandatory algorithm suite for National Security Systems, does not support CNSA 2.0 algorithms on its public-facing web server. The CIA and FBI both pass, which makes the NSA's failure more striking.
This is not as contradictory as it appears. NIST, CISA, and NSA internal systems may well be CNSA 2.0 compliant. Public-facing websites are often hosted on separate infrastructure, managed by different teams, with different update cadences. But the optics are poor. When the organisations telling everyone else to migrate have not migrated their own public presence, it undermines the message.
The White House, the State Department, the Treasury, the Department of Defense, and the Department of Veterans Affairs all fail. Only the CIA and FBI pass from the fifteen US government sites we tested.
US Banking: One Out of Ten
Pass: bankofamerica.com
Fail: jpmorgan.com, wellsfargo.com, citibank.com, goldmansachs.com, morganstanley.com, usbank.com, pnc.com, capitalone.com, tdbank.com
Bank of America is the only US bank in our sample that passes. JPMorgan, Wells Fargo, Citi, Goldman Sachs, Morgan Stanley, US Bank, PNC, Capital One, and TD Bank all fail.
US banks in our set lag their UK counterparts in overall readiness - 10% versus 14% - but the UK figure is inflated by three small neobanks. If you compare legacy banks alone, both jurisdictions are in similar territory; almost nobody is ready.
EU Finance and Government: Slow Starts
Pass: bafin.de, bundesbank.de
Fail: europa.eu, ecb.europa.eu, enisa.europa.eu, amf-france.org, banque-france.fr, bancaditalia.it, bde.es, dnb.nl
Germany's BaFin and Bundesbank both pass. Every other EU institution in our sample fails, including the European Commission, the European Central Bank, ENISA, and the central banks of France, Italy, Spain, and the Netherlands.
The EU's coordinated roadmap was only published in June 2025, with a first milestone of December 2026 for national transition plans. Most EU institutions are likely still in the discovery phase. But the gap between German readiness and the rest of the bloc is notable.
UK Infrastructure: The Standout Performers
Pass: nationalgrid.com, ofgem.gov.uk, bt.com, openreach.com, networkrail.co.uk, nats.aero, ukresilience.info
Fail: o2.co.uk, virginmedia.com, heathrow.com
UK infrastructure operators scored 70%, the joint-highest rate of any sector. National Grid, Ofgem, BT, Openreach, Network Rail, NATS, and the UK Resilience portal all pass.
These are organisations that understand operational continuity. They have been through Y2K, the SHA-1 deprecation, and multiple TLS version upgrades. They have the engineering culture, the procurement processes, and the risk awareness to treat cryptographic transitions as infrastructure maintenance rather than optional security enhancements.
O2, Virgin Media, and Heathrow fail. The reasons vary - telecoms operators have complex legacy network equipment, airports have sprawling vendor ecosystems - but the gap between the infrastructure leaders and laggards is widening.
Big Tech: A Split Decision
Pass: google.com, cloudflare.com, apple.com, meta.com, aws.amazon.com, cloud.google.com
Fail: amazon.com, microsoft.com, github.com, azure.microsoft.com
Big tech scored 70%, matching infrastructure. But the pattern is more interesting than the headline.
Google passes at every layer. Google.com, Google Cloud, and the underlying infrastructure all support hybrid PQC key exchange. Cloudflare, which terminates TLS for a significant fraction of the internet, passes. Apple and Meta both pass.
Amazon is split. AWS passes - if you terminate TLS on an AWS load balancer or CloudFront distribution, PQC is available. But amazon.com itself, the retail storefront, fails. Microsoft is similarly split: Microsoft.com and Azure fail, but some Microsoft services may pass on different endpoints.
GitHub fails. This is arguably the most surprising result in the entire dataset. GitHub is a developer platform owned by Microsoft, used by the teams implementing PQC in open-source projects. Its TLS stack does not offer post-quantum algorithms. Given Microsoft's resources and security focus, this is almost certainly a matter of prioritisation rather than capability.
What These Results Mean
Passing Does Not Mean Finished
A passing score from our scanner means only that a TLS endpoint offers at least one post-quantum algorithm in its handshake. It does not mean the organisation has completed migration. It does not mean internal systems, VPNs, SSH servers, or code signing infrastructure are PQC-ready. It does not mean the organisation has a migration plan, a budget, or board-level accountability.
What passing does mean is that the organisation has updated its edge TLS termination to a modern software stack. For cloud-native companies, that is often a configuration change. For legacy organisations, it may be the first visible output of a multi-year programme.
Failing Does Not Mean Negligent
A failing score means only that the endpoint offers classical algorithms and no post-quantum alternatives. For many organisations, this is the correct state today. NIST's standards were finalised in August 2024. The UK NCSC published its roadmap in March 2025. Most organisations are still in the discovery and planning phase that every roadmap mandates.
Failing is not a regulatory violation - yet. The hard deadlines are years away. But failing without a plan is a problem. The organisations that will meet the 2030 and 2035 deadlines are those that started inventorying their estates in 2025.
The Hardest Work Is Invisible
The easiest part of PQC migration is updating a public-facing web server. The hardest part is finding every embedded cryptographic library, every legacy VPN concentrator, every IoT device with a ten-year lifespan, every third-party SaaS integration, and every backup archive encrypted with RSA-wrapped keys. Our scanner does not see any of that. Awkwardly, neither do most organisations.
The 63% failure rate in our scan is almost certainly better than the true rate of enterprise readiness. High-profile, public websites are the tip of the iceberg.
Methodology
We used the PQC scanner described in our earlier guide to probe each target's primary HTTPS endpoint on port 443. The scanner enumerates the key exchange groups offered during the TLS handshake and checks for post-quantum algorithms including:
A site was marked as passing if it offered at least one post-quantum key exchange group. A site was marked as failing if it offered only classical ECDH or RSA key exchange.
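The pass/fail rule above, and the "connect, read the handshake, report the group" approach described in the introduction, both reduce to one question: which key exchange group does the server pick in its ServerHello key_share extension? The following is an added example of that core step, not the post's own scanner; the group codepoints are taken from the IETF ML-KEM TLS drafts (treated here as an assumption), and the ServerHello bytes are constructed for the example rather than captured from any listed site.

```python
"""Classify a TLS 1.3 server's chosen key exchange group from its ServerHello,
the way a passive PQC readiness check does (added example, not the post's tool)."""
import struct
from typing import Optional

# Supported Groups codepoints for post-quantum key exchange (assumed from the
# IETF drafts draft-ietf-tls-ecdhe-mlkem and draft-connolly-tls-mlkem-key-agreement).
PQ_GROUPS = {
    0x11EC: "X25519MLKEM768", 0x11EB: "SecP256r1MLKEM768", 0x11ED: "SecP384r1MLKEM1024",
    0x6399: "X25519Kyber768Draft00",  # pre-standard hybrid still offered by some edges
    0x0200: "MLKEM512", 0x0201: "MLKEM768", 0x0202: "MLKEM1024",
}
CLASSICAL_GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x001D: "x25519"}
KEY_SHARE = 51  # extension type (RFC 8446)

def selected_group(handshake: bytes) -> Optional[int]:
    """Return the group id in the ServerHello key_share extension, or None.
    Input is the handshake message (type(1) len(3) body), i.e. the record
    payload a scanner reads back after sending its ClientHello. Body layout:
    legacy_version(2) random(32) session_id<0..32> cipher_suite(2)
    compression(1) extensions<2..>. A HelloRetryRequest uses the same layout
    with a bare 2-byte group in key_share, so reading 2 bytes covers both."""
    if not handshake or handshake[0] != 0x02:  # 0x02 = ServerHello / HRR
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32
    pos += 1 + body[pos]                       # skip session_id
    pos += 2 + 1                               # skip cipher_suite, compression
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        if ext_type == KEY_SHARE and ext_len >= 2:
            return struct.unpack("!H", body[pos + 4:pos + 6])[0]
        pos += 4 + ext_len
    return None

def classify(handshake: bytes) -> str:
    """Apply the post's rule: pass if the server settled on a PQ group, fail if classical."""
    gid = selected_group(handshake)
    if gid in PQ_GROUPS:
        return f"PASS ({PQ_GROUPS[gid]})"
    if gid in CLASSICAL_GROUPS:
        return f"FAIL ({CLASSICAL_GROUPS[gid]})"
    return "UNKNOWN (no key_share)" if gid is None else f"UNKNOWN (group 0x{gid:04x})"

def build_server_hello(group: int, hrr: bool = False) -> bytes:
    """Construct a minimal ServerHello (or HRR) for offline testing; not real traffic."""
    share = struct.pack("!H", group) if hrr else struct.pack("!HH", group, 32) + b"\x11" * 32
    ext = struct.pack("!HH", 0x002B, 2) + b"\x03\x04"          # supported_versions: TLS 1.3
    ext += struct.pack("!HH", KEY_SHARE, len(share)) + share
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x13\x01" + b"\x00"  # TLS_AES_128_GCM_SHA256
    body += struct.pack("!H", len(ext)) + ext
    return b"\x02" + len(body).to_bytes(3, "big") + body
```

A server that does not support any offered PQ group typically answers with a HelloRetryRequest naming a classical group, which this parser classifies as a fail just like a plain classical ServerHello.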
The target list was compiled manually and is not a random sample. It represents institutions we consider strategically significant: government agencies, regulators, critical infrastructure operators, major financial institutions, and technology platforms. The 100-site limit was arbitrary - we stopped when we had broad sector coverage.
A Note on Timing
TLS configurations change. A site that failed today may pass tomorrow if its operator updates a load balancer or enables a new cipher suite. A site that passes today may regress if an older configuration is reinstated during an incident. These results are a snapshot taken in May 2026, not a permanent verdict.
We will repeat this scan periodically and publish updates. If you represent an organisation in this list and believe our result is incorrect, please contact us and we will verify and update.