Europe’s Path to a Quantum-Resistant Future

The European Union has introduced a coordinated plan to prepare its digital infrastructure for the era of quantum computing. While quantum technologies promise advances in sectors such as healthcare, logistics and energy optimisation, they also present a significant business risk. The cryptographic systems that protect everything from payment transactions to intellectual property are at risk of being broken by quantum attacks. Algorithms such as RSA and ECC, long used as encryption and digital signature standards, are expected to be vulnerable to techniques like Shor’s algorithm.

Intelligence agencies and other actors are already suspected of adopting “harvest now, decrypt later” strategies, collecting encrypted data today with the aim of decrypting it once quantum capabilities mature.

A Timetable for Change

In June 2025, the EU published its Coordinated Implementation Roadmap for Transition to Post-Quantum Cryptography. It sets three key milestones:

• By the end of 2026 – Member States begin their national transition to post-quantum cryptography (PQC).

• By the end of 2030 – All critical infrastructure must operate with quantum-resistant cryptography.

• By 2035 – As many other systems as possible should be converted.

This plan builds on the European Commission’s April 2024 recommendation, which stressed the importance of cryptographic agility and resilience across both public and private sectors.

From Planning to Action

The roadmap’s first phase focuses on mapping cryptographic dependencies, engaging with stakeholders, assessing supply chain risks and launching pilot projects to test PQC in operational environments. From late 2027, the scope will expand to include designing IT products with built-in cryptographic agility, updating certification frameworks to include PQC readiness and adapting procurement processes to ensure quantum security is embedded in purchasing decisions.

These measures sit alongside other EU initiatives, such as the EuroQCI programme for secure quantum communications, and align with the broader goals of the NIS2 Directive. Together, they aim to protect Europe’s digital sovereignty and ensure the region maintains control over its cybersecurity capabilities.

Why We Need to Move Now

Organisations should:

• Conduct a comprehensive audit of cryptographic assets.

• Identify areas where vulnerable methods remain in use.

• Begin allocating budget for phased upgrades.

• Ensure that new products and services support cryptographic agility by design.

Acting early reduces the risk of costly disruption and positions organisations to take advantage of new opportunities in the emerging quantum-safe technology market.

To put these requirements into a global context, our LinkedIn article on mapping global software supply chain regulation outlines how quantum readiness fits into a wider trend of tightening digital regulations. Our Global Software Supply Chain Regulation Infographic provides a visual overview of relevant laws and frameworks across key markets.

By prioritising PQC, the EU is sending a clear message: quantum resilience will be a cornerstone of its future digital economy. This approach encourages the growth of a competitive market for quantum-safe products and skills, complements the NIST PQC standardisation process in the United States, and positions Europe as a global leader in setting security standards.

Ensuring quantum resistance today safeguards not only compliance but also customer confidence and market competitiveness tomorrow.

For organisations that want to understand their current exposure and create a practical migration strategy, SCANOSS offers specialised tools and expertise. Our Quantum Readiness solution helps businesses inventory encryption in source code,  detect potential cryptographic vulnerabilities,  and plan their transition in line with EU deadlines.