In 2013, the National Security Agency intercepted and stored hundreds of millions of encrypted communications it could not read. The agency did not need to read them immediately. The bet was that one day it would.

That logic — collect now, decrypt later — is the operating premise of every signals intelligence program run by major powers. It has always existed as a theoretical risk. What changed in the last decade is that the theoretical became plausible. Quantum computers, if they reach sufficient scale, could break the encryption protecting most of today's internet traffic, financial transactions, and classified communications. The question is not whether such computers will exist, but when — and whether the data collected today will still matter when they do.

Europe has decided it cannot afford to find out. The result is one of the most complex and least understood infrastructure transitions in the EU's regulatory history: a continent-wide migration away from classical cryptography toward algorithms designed to resist attacks by quantum computers. Understanding who is driving that migration, how fast it is moving, and where it fits in Europe's institutional architecture is essential for any organisation whose data has a lifespan longer than a decade.

Classical encryption — the kind protecting your bank transfer, your medical records, your corporate communications — relies on mathematical problems that are easy to set up but extremely hard to reverse. Factoring a large number into its prime components, for instance, is computationally prohibitive for any classical computer. A sufficiently large quantum computer, running an algorithm first described by mathematician Peter Shor in 1994, could solve the same problem in hours.

The machine that would run Shor's algorithm at the scale needed to break RSA-2048 — the encryption standard underpinning most of today's secure communications — does not yet exist. Current quantum computers operate with hundreds to low thousands of noisy, error-prone qubits. Breaking real-world encryption would require millions of stable, error-corrected qubits. That is a gap measured in orders of magnitude, and most credible technical assessments place it a decade or more away.

But the harvest-now-decrypt-later strategy changes the relevant timeline entirely. An adversary collecting encrypted European government communications today, storing them at scale, and waiting for a quantum computer to mature ten years from now is behaving rationally. The data collected in 2026 may contain secrets that remain sensitive in 2036. This is why the EU's response is not a future concern — it is already a present operational obligation.

The EU's quantum migration framework is coordinated, but not centralised. That distinction matters enormously for understanding both its strengths and its limitations.

The roadmap governing the European transition to post-quantum cryptography (PQC) was adopted in June 2025 by the NIS Cooperation Group, the body that coordinates cybersecurity policy across EU member states under the Network and Information Security Directive. The timeline is structured around three thresholds: every member state is to have a national PQC strategy in place by the end of 2026; high-risk applications — systems processing classified government data, critical infrastructure, financial market infrastructure — are to be migrated by 2030; remaining systems by 2035.

The Cooperation Group's PQC workstream is co-chaired by three national agencies: France's ANSSI, Germany's BSI, and the Dutch NCSC. This triumvirate shapes the technical substance of the transition in ways that matter significantly for companies operating in those markets — and it creates an effective Franco-German-Dutch axis at the centre of European quantum security governance.

France is the most aggressive mover. ANSSI has announced that from 2027, it will not certify security products that lack post-quantum cryptographic capabilities. French government procurement, and much of the financial sector's compliance-grade infrastructure, runs through ANSSI certification. The effective deadline for any company selling security technology into the French market is two to three years earlier than the formal EU 2030 milestone.

EU Post-Quantum Cryptography Migration — Key Dates

The framework is coordinated, but coordination is not uniformity. The practical reality of European quantum migration is that 27 member states are moving at different speeds with different technical capacities and different institutional starting points.

France, Germany, and the Netherlands have national agencies with deep cryptographic expertise and the institutional authority to drive migration in their domestic markets. Several other member states — particularly those in Central and Eastern Europe — are still building the institutional infrastructure to implement PQC requirements at scale. The roadmap acknowledges this variation; it does not resolve it.

This fragmentation creates a specific and underappreciated risk for multinational organisations. A company operating across the EU faces, in effect, multiple overlapping migration timelines: the French deadline of 2027 for ANSSI-certified products; the broader EU high-risk deadline of 2030; and the varying national interpretations of what constitutes a high-risk application in between. Legal compliance with the EU framework does not guarantee adequate posture in any specific national regulatory environment.

The Cyber Resilience Act — expected to apply fully by late 2027 — adds a further dimension. It requires manufacturers of products with digital elements to ensure cryptographic agility: the ability to update cryptographic algorithms without replacing underlying hardware. This means PQC requirements will enter European markets not only through explicit security regulation but through product regulation. A connected device sold in the EU from 2027 onward will need to be quantum-ready by design, not by retrofit.

There is an irony at the centre of Europe's quantum security posture that receives less attention than it deserves.

The post-quantum algorithms that Europe is adopting as the foundation of its security transition were standardised by the United States National Institute of Standards and Technology. ML-KEM (formerly known as Kyber) and ML-DSA — the primary algorithms in the European PQC transition — are NIST standards, finalised in 2024 following an eight-year public competition. Europe is, in effect, hardening its communications infrastructure against potential adversaries using algorithms whose design and standardisation process was controlled by an American federal agency.

Whether this constitutes pragmatic transatlantic cooperation or a new form of technological dependence is a genuine open question in European security discussions. ANSSI and BSI have responded by developing and recommending hybrid approaches for their most sensitive applications — combining NIST-standardised algorithms with European-developed alternatives in a layered structure, so that compromising the communication requires defeating both simultaneously.

This is not reflexive anti-Americanism. The history of cryptographic standards includes at least one documented case where a NIST-standardised algorithm was later shown to contain a design element that functioned as a backdoor. European agencies with long institutional memories have noted it. The hybrid approach is their answer — and it represents a pragmatic acknowledgement that cryptographic sovereignty, like energy sovereignty, is easier to declare than to achieve.

Europe is building quantum-proof defences using American-designed locks — and whether that is wisdom or dependence will not be answered until someone tries to pick them.

Friday's EuroTasteDaily Review examines the transatlantic divergence in quantum security strategy: why the United States standardises while Europe coordinates, what that difference means for companies operating across both markets, and why the most important quantum deadline for many businesses may be one they have never heard of.