up:: The Mandates MOC

EU Quantum Act

The EU Quantum Act is a forthcoming European Union legislative proposal, announced in the European Commission’s 2026 Work Programme, to coordinate research funding, build industrial capacity, and secure the supply chain for Europe’s quantum technology sector, and it’s industrial and research policy rather than a post-quantum cryptography migration mandate. It builds on the Quantum Europe Strategy adopted in July 2025, and as of this note’s verification date it’s a proposal in development, not an adopted or in-force law. It sets no cryptographic deadline, names no algorithm, and does not tell any organization to migrate off RSA or elliptic-curve cryptography. Its subject is the quantum industry Europe wants to grow, not the classical cryptography that quantum computers will eventually break.

The short version:

  • The EU Quantum Act is a proposed EU regulation to make Europe a global leader in quantum technology by funding research, scaling manufacturing (pilot lines and a design facility), and securing the quantum supply chain.
  • It’s industrial and research policy, built on legal bases for EU industry and research programs, not on cybersecurity or internal-market product law.
  • It’s not adopted and not in force. The Commission’s 2026 Work Programme slated the proposal for the second quarter of 2026, and the timeline has been reported as slipping toward 2027.
  • It is not a post-quantum cryptography migration mandate. It names no algorithm, sets no migration deadline, and imposes no cryptographic obligation on any organization.
  • Europe’s actual PQC pressure lives in two other places, the binding Cyber Resilience Act with its state-of-the-art confidentiality clause, and the separate EU Coordinated Implementation Roadmap with its 2030 and 2035 dates. The Quantum Act is a different kind of instrument from both.

Think of the difference between a law that funds building a car industry and a law that requires cars on the road to have working brakes. The EU Quantum Act is the first kind. It’s Europe deciding to build the factories, train the workforce, and own the supply chain for quantum computers. The rules that force existing systems to be safe against those machines, the ones that actually reach a bank or a hospital or a device maker, are separate instruments with their own deadlines. Confusing the two is the single most common mistake people make when they see the word “quantum” in an EU regulation.

What is the EU Quantum Act?

The EU Quantum Act is a proposed regulation of the European Union whose purpose is to develop Europe’s quantum technology sector, and it delivers the legislative substance behind the Quantum Europe Strategy that the Commission adopted in July 2025. It’s the funding-and-industrial-policy vehicle for a stated ambition, making the EU a global leader in quantum by 2030, and it addresses the science and industry of quantum computing rather than the cybersecurity fallout of it.

The identity of the instrument, in the terms that matter when you cite it:

  1. What it is: a forthcoming EU legislative proposal, described in the European Parliament’s Legislative Train as an announced initiative under the Commission’s 2026 Work Programme. It’s expected to take the form of a directly binding EU regulation once adopted, though the text has not been published as law.
  2. Who is issuing it: the European Commission proposes it; the European Parliament and the Council of the European Union would negotiate and adopt it through the ordinary legislative procedure.
  3. The legal bases: the proposal is being prepared under Articles 173, 180, and 184 of the Treaty on the Functioning of the European Union, the treaty provisions for EU industry and for research and technological development programs. Those are industrial and research-policy bases, which is itself the clearest evidence that the Act is about growing a sector, not about regulating cryptography.
  4. What it builds on: the European Declaration on Quantum Technologies that member states signed in 2023, and the Quantum Europe Strategy adopted in July 2025 with its five action areas of research and innovation, quantum infrastructure, ecosystem, space and dual-use technologies, and skills.
  5. What it complements: the European Chips Act, the EuroHPC Joint Undertaking, and the IRIS² secure connectivity program, so it sits inside Europe’s technology-sovereignty stack rather than its cybersecurity-compliance stack.

Source: European Parliament, “Quantum Act,” Legislative Train Schedule, europarl.europa.eu legislative train, for the announced status, the 2026 Work Programme scheduling, and the Article 173, 180, and 184 TFEU legal bases.

Source: European Commission, “Commission invites contributions to shape future EU Quantum Act,” digital-strategy.ec.europa.eu news, for the three objectives and the link to the Quantum Europe Strategy.

Is the EU Quantum Act a PQC migration mandate?

No. The EU Quantum Act is not a post-quantum cryptography migration mandate, and it doesn’t function as one in any way. It names no cryptographic algorithm, sets no migration deadline, and places no cryptographic requirement on any organization’s systems. Anyone who tells you the Quantum Act “requires PQC” or “sets an EU quantum deadline for encryption” has confused it with a different instrument.

Three facts settle it:

  1. The subject is the industry, not the cryptography. The Act’s three objectives are coordinating research and innovation investment across member states, improving EU industrial capacity to design and produce quantum technologies, and ensuring the security and resilience of quantum supply chains. Every one of those is about building and protecting Europe’s quantum sector. None of them is about migrating classical public-key cryptography to ML-KEM or ML-DSA.
  2. The “security” it addresses is supply-chain security, not cryptographic migration. When the Act talks about security and resilience, it means the resilience of the quantum-technology supply chain itself, the chips, the components, the dual-use and defense dimension of a strategic technology, in the same spirit as the Chips Act. That’s a very different thing from the harvest-now-decrypt-later threat that drives PQC migration.
  3. The legal bases prove the intent. A cryptographic-migration mandate would sit on internal-market or cybersecurity treaty provisions, the way the CRA does. The Quantum Act sits on the industry and research-program provisions of the TFEU, which is where the EU legislates to fund and scale a technology sector.

Source: European Commission, “Commission invites contributions to shape future EU Quantum Act,” digital-strategy.ec.europa.eu news, confirming the three objectives are research and innovation, industrial capacity, and quantum supply-chain resilience, with no mention of post-quantum cryptography migration.

The place Europe’s PQC obligations actually live is covered under the CRA and the separate roadmap, both detailed further down this note. Keep the two families of instrument apart and the whole EU picture gets simpler.

What would the EU Quantum Act do?

The EU Quantum Act would fund and coordinate the growth of Europe’s quantum technology sector, and it’s organized around three problems the Commission says are holding that sector back. The Act is the response to a fragmented landscape, thin industrial capacity, and supply-chain and governance gaps, and each response is a lever the EU already uses for strategic technologies.

  1. Coordinate research and innovation across member states. The Commission’s stated problem is a fragmented research landscape where member states duplicate work and investment is scattered. The Act would coordinate national and EU research funding so Europe’s spending compounds instead of overlapping.
  2. Build industrial capacity to design and produce quantum technologies. The Commission points to limited investment and a lack of quantum-chip fabrication capability. The Act is expected to support pilot lines and a quantum design facility, the manufacturing infrastructure that lets European research turn into European products rather than being commercialized elsewhere.
  3. Secure and govern the quantum supply chain. The third problem is supply-chain resilience and governance gaps for a critical dual-use technology. The Act would strengthen the security and resilience of the components and materials the quantum industry depends on, and set up the governance to manage a technology with civilian and defense uses at once.

Source: Inside Global Tech, “European Commission launches a call for evidence on the impact assessment for the forthcoming EU Quantum Act,” November 4, 2025, insideglobaltech.com, for the three structural problems the Act is designed to address.

None of these three levers reaches into an enterprise’s cryptography. They reach into laboratories, fabrication plants, and the companies that build quantum hardware, which is exactly why the Act belongs in the international context of the mandate landscape without being a mandate that binds a migration.

Who would the EU Quantum Act apply to?

The EU Quantum Act would primarily reach the actors that build and fund quantum technology, which is a very different population from the one the PQC mandates reach. Where the CRA reaches any company that sells a connected product into the EU, the Quantum Act’s center of gravity is research, manufacturing, and public investment in the quantum sector.

  1. Research organizations and universities working on quantum computing, sensing, and communication, whose funding and coordination the Act is meant to improve.
  2. Quantum-technology industry, including startups and SMEs, that would benefit from pilot lines, a design facility, and a more resilient supply chain.
  3. Member-state authorities and EU agencies whose investments the Act would coordinate, and who would run the governance the Act establishes.
  4. Standardization, cybersecurity, and defense bodies consulted on the dual-use and security dimension of a strategic technology.

Source: European Commission, “Commission invites contributions to shape future EU Quantum Act,” digital-strategy.ec.europa.eu news, listing member-state authorities, EU agencies, infrastructure operators, industry including SMEs and startups, research organizations, universities, standardization bodies, and cybersecurity, defense, and quantum experts among the stakeholders invited to contribute.

For a CISO or a security team asking “does this bind us,” the honest answer is that unless you build or fund quantum technology, the Quantum Act mostly reaches you as industrial context rather than as a compliance obligation. The EU instrument that binds your products is the CRA, and the EU dates that govern your migration live in the roadmap.

What is the EU Quantum Act timeline?

The Quantum Act is early in the EU legislative pipeline, so its timeline is a sequence of strategy, consultation, and a proposal that has not yet landed as law. These are the dated milestones on the record, and the load-bearing point is that no binding text exists yet.

DateMilestone
2023Member states sign the European Declaration on Quantum Technologies, the political starting point
July 2025The European Commission adopts the Quantum Europe Strategy, the Act’s parent policy
Late 2025The Commission opens a call for evidence on the impact assessment, with the feedback window extended to December 15, 2025
Q2 2026 (planned)The Commission’s 2026 Work Programme schedules the Quantum Act proposal, targeted around June 2026
Reportedly moving to 2027Trackers report the proposal timeline slipping toward 2027; no proposal text was confirmed published as law as of this note’s verification date

Source: European Commission, “Commission invites contributions to shape future EU Quantum Act,” digital-strategy.ec.europa.eu news, for the July 2025 strategy adoption and the call for evidence with a December 15, 2025 extended deadline.

Source: European Parliament, “Quantum Act,” Legislative Train Schedule, europarl.europa.eu legislative train, for the announced status and the 2026 Work Programme Q2 2026 scheduling.

The slip from a Q2 2026 target toward 2027 is worth tracking, but it doesn’t change the substance for a security team, because even the adopted Act wouldn’t carry a cryptographic deadline. [OPERATOR VERIFY: confirm the current proposal or adoption status and the revised quarter against the European Commission’s Have Your Say portal and the Legislative Train before quoting a specific 2027 date in a client deliverable, since the revised timing traces to third-party trackers rather than a primary Commission source.]

How does the EU Quantum Act differ from the CRA and the EU PQC roadmap?

The EU Quantum Act is one of three EU instruments people lump together under “the EU quantum rules,” and only the other two actually touch cryptography. Keeping them straight is the whole value of this note, because a program built on the wrong one aims at the wrong obligation. The table sorts them.

InstrumentWhat it isStatusDoes it drive PQC migration?
EU Quantum ActIndustrial and research policy to build and scale Europe’s quantum technology sectorProposed, not adoptedNo. It funds and coordinates the quantum industry and says nothing about migrating classical cryptography
EU Cyber Resilience Act (CRA)Binding product-security law, Regulation (EU) 2024/2847In force, obligations phasing in through December 11, 2027Indirectly. Its state-of-the-art confidentiality clause and multi-year update duty are the enforceable lever that pulls PQC readiness into EU market access
EU Coordinated Implementation RoadmapMember-state schedule for transitioning to post-quantum cryptographyPublished guidance, not binding lawIt sets the dates, start by end of 2026, high-risk use cases by end of 2030, completion by end of 2035, but it’s a roadmap, not a statute

Source: EUR-Lex, Regulation (EU) 2024/2847 (Cyber Resilience Act), EUR-Lex 2024/2847, and European Commission, “A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography,” ec.europa.eu roadmap library, for the CRA’s binding status and the roadmap’s end-2026, end-2030, and end-2035 dates.

Read across the three and the division of labor is clean. The Quantum Act builds the machines and the sector. The CRA makes the products you sell into Europe defend data with current cryptography and stay updatable for years, which is crypto-agility in all but name. The Coordinated Roadmap sets when Europe wants post-quantum cryptography actually in place. If you’re trying to figure out what binds your migration, it’s the CRA and the roadmap, and the Quantum Act is context that explains why Europe is investing so heavily in the technology on both sides of the cryptographic line.

How does the EU Quantum Act fit the wider mandate landscape?

The EU Quantum Act belongs in the mandate landscape as strategic context, not as a deadline, and placing it correctly is what keeps the whole mandate picture honest. Every other instrument in that landscape, from NSA CNSA 2.0 to NIST IR 8547 to the CRA, drives an organization toward post-quantum cryptography on a clock. The Quantum Act instead explains the industrial policy running alongside those clocks.

The useful framing is that quantum policy has two arms, and they’re easy to conflate because they share a word:

  1. The offense arm, building the technology. This is where the Quantum Act sits, along with the Quantum Europe Strategy, the Chips Act, and EuroHPC. These fund and scale the quantum computers, sensors, and networks Europe wants to lead in.
  2. The defense arm, protecting cryptography against the technology. This is where the CRA, the EU Coordinated Roadmap, and the U.S. and national mandates sit. These force existing systems onto quantum-resistant cryptography ahead of a cryptographically relevant quantum computer.

An organization tracking its post-quantum obligations cares about the defense arm. The Quantum Act matters to that organization as background, the reason Europe is simultaneously racing to build quantum machines and racing to defend against them, and as a reminder that a regulation with “quantum” in its name is not automatically a cryptography rule.

Common misconceptions

  1. “The EU Quantum Act sets a deadline for post-quantum cryptography.” It sets none. It names no algorithm and imposes no cryptographic obligation. Europe’s PQC dates come from the separate Coordinated Implementation Roadmap, and the enforceable product lever is the CRA.
  2. “The Quantum Act is already law.” It’s a proposal in development, scheduled in the Commission’s 2026 Work Programme and reported as slipping toward 2027. As of this note’s verification date, no adopted or in-force text exists.
  3. “Quantum Act and Cyber Resilience Act are two names for the same thing.” They’re different instruments on different legal bases. The CRA is binding product-security law about defending data; the Quantum Act is proposed industrial policy about building the quantum sector.
  4. “The Act’s ‘security’ focus means it governs encryption.” The security it addresses is the resilience of the quantum-technology supply chain, the chips and components and the dual-use dimension, not the migration of classical cryptography to post-quantum algorithms.
  5. “It only matters to European quantum companies.” Its direct reach is the quantum sector, but it shapes the global market for quantum hardware and talent, and it explains the industrial half of the same story whose cryptographic half every enterprise has to act on.
  6. “Because it’s about quantum computers, it accelerates the threat to my encryption.” Funding European quantum research is industrial policy, and it doesn’t change your migration obligations, which are set by the mandates and driven by Mosca’s inequality, not by any single funding law.

Questions people ask

Does the EU Quantum Act apply to my organization? Directly, only if you build, fund, or supply quantum technology. For a typical enterprise or a CISO, it’s industrial context rather than a compliance obligation. The EU instrument that binds your products is the Cyber Resilience Act, and the EU dates that govern your migration are in the Coordinated Implementation Roadmap.

Is the EU Quantum Act law yet? No. It’s a forthcoming proposal announced in the Commission’s 2026 Work Programme, and it has not been adopted or entered into force. The timeline has been reported as moving toward 2027.

Does the EU Quantum Act require post-quantum cryptography? No. It names no algorithm, sets no migration deadline, and imposes no cryptographic requirement. Its objectives are research coordination, industrial capacity, and quantum supply-chain resilience.

What’s the difference between the Quantum Act and the Cyber Resilience Act? The Quantum Act is proposed industrial policy to build Europe’s quantum sector. The CRA is binding product-security law, Regulation (EU) 2024/2847, whose state-of-the-art confidentiality clause is what actually pulls post-quantum readiness into EU market access.

Where do the EU’s real post-quantum deadlines come from? From the EU Coordinated Implementation Roadmap, which targets starting the transition by the end of 2026, migrating high-risk use cases by the end of 2030, and completing by the end of 2035. That roadmap, not the Quantum Act, carries the dates.

Should my migration program track the Quantum Act at all? Track it as context, not as a deliverable. It won’t add a cryptographic obligation to your program even after it’s adopted. Your PQC clock runs off the CRA, the roadmap, and, if you operate globally, the U.S. and national mandates.

Why does everyone confuse it with a cryptography rule? Because it has “quantum” in the name and arrives during the same years as the PQC mandates. The word covers two different projects at once, building quantum computers and defending cryptography against them, and the Quantum Act is squarely the first.


Everything here is the map, given freely. When your team needs the difference between Europe’s quantum industrial policy and its actual post-quantum obligations turned into one migration plan sequenced against the deadlines that really bind you, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.