When the European Commission published its Quantum Strategy in July 2025, it made a choice that deserves more attention than it has received. The forthcoming EU Quantum Act – expected as a legislative proposal in 2026 – will not follow the regulatory logic of the AI Act. It will follow the logic of the Chips Act instead. That is not a technical detail. It is a statement about what kind of problem the EU believes it is trying to solve.
Two Models, Two Problems
The AI Act is built around risk. It classifies systems, assigns obligations, and creates accountability structures for deployers and providers. Its underlying assumption is that AI is already here and needs to be governed.
The Quantum Act starts from a different premise. The signal from Brussels is clear: the regulation will aim to make the EU Quantum Strategy operational – focusing on the transition from science to market, not on governing systems already in widespread use. The Chips Act analogy is instructive: that regulation mobilised public and private investment, created frameworks for pilot production lines, and established Joint Undertakings to coordinate procurement. The Quantum Act is expected to work in similar ways.
This matters for lawyers and legal strategists. A Chips Act-style regulation generates compliance obligations that look very different from an AI Act-style one. The key questions shift from “how do I classify my system” and “what documentation do I need” to “how do I structure procurement participation,” “how do I qualify for strategic project funding,” and “what counts as a genuine EU presence for strategic project eligibility.”
The Uncomfortable Numbers
Europe’s position in quantum is a study in contradiction. The scientific base is genuinely strong – the EU produces over 110,000 graduates annually in physics, ICT, and engineering, fields that feed directly into quantum research. It accounts for 42% of newly established quantum companies globally. And yet the gap between scientific output and commercial traction is stark.
Europe attracts approximately 5% of global private quantum investment. The United States captures over 50% of the same pool. China outspends the EU in public quantum funding by a significant margin. The funding shortfall is most acute at later stages – where startups need capital to scale, not just to survive – and private investment in European quantum companies fell sharply between 2023 and 2024, while US investment moved in the opposite direction.
The structural problem is not talent. It is infrastructure, capital, and coordination. EU quantum startups depend heavily on public funding to grow because private capital does not follow at scale. Without intervention, the risk is not just slower growth – it is that European companies and researchers relocate to where the money is.
The Quantum Strategy published in July 2025 is explicit about this. The European Quantum Academy, which launched in May 2026 with €19.8 million in funding and over 70 partner institutions, is one of the first concrete steps. But skills alone do not close an investment gap of this magnitude.
The Cryptography Deadline That Already Applies
Quantum computing creates a category of legal risk that is often discussed in the future tense but operates in the present: the threat to existing encryption infrastructure.
In June 2025, the NIS Cooperation Group published a coordinated implementation roadmap for the transition to post-quantum cryptography. The milestones are specific. By the end of 2026, all EU Member States must have national PQC transition plans in place. High-risk use cases must be migrated to quantum-resistant cryptography by the end of 2030. Medium-risk use cases follow by 2035.
These are not aspirational targets. They sit within a regulatory architecture that already creates binding obligations. NIS2 requires organisations to apply state-of-the-art cryptographic measures. DORA, which became applicable in January 2025, requires financial entities to maintain structured records of cryptographic assets and to demonstrate operational resilience. GDPR Article 32 requires appropriate technical measures to protect personal data. As PQC becomes the recognised standard, the meaning of “appropriate” and “state-of-the-art” shifts accordingly.
In January 2026, the European Commission proposed amending NIS2 directly to require Member States to adopt national PQC transition policies aligned with the roadmap. If adopted, this removes the interpretive gap that currently allows organisations to treat PQC readiness as optional. The obligation would become explicit, not inferred.
The practical implication is that organisations operating their own cryptographic infrastructure – rather than relying on cloud providers or software vendors to apply patches – face the most direct exposure. For those organisations, 2026 is not a future planning horizon. It is the year their national supervisory authority is expected to have a framework in place to measure their progress.
What This Means for Legal Strategy
The EU’s quantum regulatory landscape involves at least two distinct legal tracks running in parallel, with a third forming.
The Quantum Act – still being drafted – concerns R&D investment structures, procurement participation, and supply chain governance. Its logic is industrial policy: how to build a European quantum sector, not how to regulate one that already exists.
PQC compliance is different in kind. It is embedded in sectoral regulation that already applies: NIS2, DORA, GDPR. The obligations are not quantum-specific, but the interpretation of existing requirements is shifting as post-quantum cryptography becomes the recognised standard. For regulated entities in finance, energy, health, or public administration, the question is not whether PQC transition is required – it is how quickly supervisory expectations will crystallise around it.
The legal work is not about waiting for the Quantum Act to appear. It is about understanding which obligations are already live, which are forming, and which require structural preparation – procurement frameworks, IP strategies, cryptographic asset inventories – that takes time to build.
Dr Agata Konieczna | @DrKonieczna
For legal and strategic advisory on AI governance, visit AI Business Studio
