
bwesterb, today at 9:53 AM

Where available, you can migrate. Even if PQ is not yet available it helps to:

1. Make sure your dependencies are up to date. Move to a recent version of your crypto libraries.

2. Make sure your server can install multiple certificates: you'll need that unless you control all your clients.

3. Automate certificate issuance as far as possible.

Also, what you can do now is to run the following wargame: assume the CRQC arrived. What's the business impact?

For the migration itself I see three parallel streams.

1. Main push of straightforward cases (TLS, etc.). Might need to wait a bit for software support.

2. Hard cases: crypto baked into hardware; custom protocols; keys in tight spaces (JWT in URLs); etc. You need to bubble those up soon to make decisions on how to fix them.

3. External dependencies. Barely any vendor has a PQ roadmap, so asking now is probably early, but you can figure out what to do if they don't get their stuff ready in time.