okay, so we're maybe 8-30 years out from quantum computers breaking ECDSA. what's the plan? how far ahead should we integrate a quantum resistant signature scheme?
In any case there's no real reason to worry about any of this, quantum computing as it is today it's just a meme. I would stick to SHA256 and plan for a NIST alternative in the future if necessary.. and non-US stuff doesn't necessarily mean safer anyway. It just has to be peer reviewed by as many independent and widespread people as possible.
my understanding is that ECDSA will eventually be vulnerable to quantum computers. SHA-256 not so much.