
Jochen Michels, Director, Public Affairs, Europe, Kaspersky
In the summer of 2025, the European Commission adopted its “Quantum Europe Strategy” to position Europe as a global leader in quantum technologies by 2030. This ambitious research and innovation agenda is designed to strengthen a more focused and results-driven European approach. It outlines five strategic priorities: advancing research and development, building quantum infrastructures, investing in a robust European quantum ecosystem, promoting applications in space and dual-use technologies, and fostering talent. Through this plan, the EU is responding proactively to the rapid and inevitable rise of quantum computing.
At the same time, it emphasizes digital resilience as a key priority and reaffirms the Union’s commitment to future-proofing Europe’s cybersecurity in the quantum era. This includes, among other measures, the establishment of a secure EU Quantum Communication Infrastructure (EuroQCI) and the integration of security considerations from the outset of all quantum projects.
Rethink cybersecurity
Preparing for the quantum era also means rethinking how we secure information, systems, and trust. Over the past few years, governments and standards bodies have moved from cautious curiosity to concrete action: NIST has published final post-quantum cryptography (PQC) standards for the first set of algorithms, creating a real path for migrating critical systems to quantum-resistant primitives. At the same time, the European Commission has pushed member states toward coordinated roadmaps and specific timelines—urging the start of transitions now and the protection of critical infrastructure within a defined window—because the practical work of replacing deeply embedded cryptography takes years.
This momentum exists for a reason: the “harvest now, decrypt later” threat is no longer a thought experiment. Sophisticated actors can and do intercept and archive encrypted traffic today with the explicit calculation that someday a quantum computer might make that data readable. The result is a present-day imperative to protect data whose secrecy lifetime extends into the quantum era.
What should policymakers do?
Given those realities, what should policymakers and industry leaders actually do? The short answer is: treat quantum readiness as a multi-decade modernization program that blends cryptography, supply-chain security, procurement policy, workforce development, international cooperation, and ongoing R&D. The longer answer—practical, concrete, and structured—looks like this.
First, governments must set clear, risk-based mandates and timelines that reflect the long lead times of modernization. Technical standards bodies and agencies should publish priority lists for what must be migrated first: classified systems and communications with long secrecy lifetimes, critical infrastructure (energy, telecoms, finance, healthcare), and devices that are hard to update. Several national agencies already urge organizations to create quantum-readiness roadmaps—inventorying cryptographic assets, performing risk assessments, and prioritizing migration—because ad hoc or unfunded transitions will fail.
Second, secure the supply chain and hardware. Quantum systems depend on physical components, firmware, and classical control systems that are vulnerable to tampering, side-channel attacks, and counterfeit parts. Policies should expand secure supply-chain requirements, fund independent testing labs, and incentivize domestic or allied manufacturing for high-risk components. In Europe, pre-certification environments are already being deployed in some jurisdictions as part of this effort.
Third, invest in workforce development and operational readiness. Migrating to PQC or integrating quantum networks is not simply a software update—it requires cryptographers, systems engineers, procurement officers, and incident responders who understand new algorithms, protocol changes, and risks. Governments and large firms should fund training programs, create standardized playbooks for migration and incident response, and run tabletop exercises that simulate Q-Day scenarios and harvest-now attacks.
Fourth, fund and coordinate R&D. Public investment is needed not only to advance quantum computing and networking, but to develop practical PQC toolkits, interoperable migration libraries, and verification tools that test implementations for correct, secure behavior. R&D programs should prioritize usable, auditable cryptographic libraries, support open reference implementations, and sponsor security analysis to catch weaknesses before they reach production systems.
Fifth, build international alignment and norms. The quantum challenge is global: adversaries will exploit any jurisdiction that lags. International cooperation can synchronize standards adoption, share threat intelligence about harvest-now activity, align export controls for sensitive quantum hardware, and create mutual-assistance frameworks for incidents affecting cross-border infrastructures. The EU’s coordinated recommendations and the international attention on NIST’s standards make clear that harmonization accelerates security and reduces costly fragmentation.
Finally, make transparency and accountability central to policy. Agencies should require reporting on migration progress, publish timelines for when federal systems will be PQC-compliant, and maintain public registries of critical systems that still rely on quantum-vulnerable algorithms. Transparency helps markets and downstream vendors plan and provides civil-society oversight to ensure that public funds produce measurable security improvements.
The transition must be balanced: move fast enough to mitigate the risk posed by harvested data and protect long-lived secrets, but deliberately enough to avoid introducing implementation bugs or supply-chain shortcuts that create fresh risks. That balance is itself a policy problem—one that combines deadlines, funding, standards, and incentives.