Quantum Computing and the Law: Navigating Finnish and EU Legal Frameworks

What Is Quantum Computing?

Classical computers — from smartphones to supercomputers — process information using bits, each of which represents either a 0 or a 1. Quantum computers, by contrast, use quantum bits (qubits), which exploit the principles of quantum mechanics to represent 0 and 1 simultaneously — a property known as superposition. Combined with entanglement (the ability of qubits to be correlated in ways that have no classical equivalent) and interference (the ability to amplify correct answers and cancel out wrong ones), quantum computers can solve certain categories of problem exponentially faster than any classical machine.

Quantum computers exploit superposition, entanglement and interference to offer strong theoretical speedups for certain classes of problem. Their most important potential applications include cryptanalysis, quantum simulation and some optimisation tasks. At the same time, current machines remain technically limited, and it would be overstated to suggest that quantum computers will outperform classical computers across all practically important problems in the near term.

Current quantum computers are still in a relatively early stage, often described as the NISQ (Noisy Intermediate-Scale Quantum) era — machines that are powerful but not yet fully error-corrected or commercially mature. Nevertheless, the pace of development is accelerating rapidly, and governments, technology companies, and regulators worldwide are already preparing for the legal, security, and economic consequences of the quantum age.

Introduction

Quantum computing is rapidly moving from theoretical physics laboratories into commercial and governmental reality. As quantum processors grow more powerful, they bring with them a host of legal questions that practitioners, regulators, and businesses must begin addressing now — before the technology outpaces the law. This article explores the key legal dimensions of quantum computing under Finnish law and European Union legislation, and reflects the regulatory landscape as of 16 March 2026.

1. Data Protection and the GDPR

One of the most pressing legal concerns is the threat that quantum computing poses to modern cryptography. Many encryption standards underpinning today’s data protection infrastructure, including RSA and elliptic curve cryptography, are considered vulnerable to sufficiently powerful quantum computers. This gives rise to the threat known as “harvest now, decrypt later”, in which encrypted data captured today is stored for decryption once such computers become available.

Under the General Data Protection Regulation (GDPR),[1] data controllers and processors are required to implement “appropriate technical and organisational measures” to protect personal data (Article 32). If quantum computing renders current encryption obsolete, organisations may face compliance obligations to migrate to post-quantum cryptographic standards. The Finnish Data Protection Act (1050/2018),[2] which supplements the GDPR domestically, reinforces these obligations and grants investigatory and corrective powers to the Office of the Data Protection Ombudsman.

In Finland, administrative fines under the GDPR are imposed by the Sanctions Board of the Office of the Data Protection Ombudsman, composed of the Data Protection Ombudsman and the deputy data protection ombudsmen. The Office of the Data Protection Ombudsman otherwise exercises supervisory and corrective powers under the GDPR and the Finnish Data Protection Act.

EUCS and the cloud security link

Organisations that process sensitive personal data in cloud environments should also monitor the development of the European Cybersecurity Certification Scheme for Cloud Services (EUCS). Once finalised, EUCS will assign security classification levels to cloud services, and quantum-resistant encryption requirements are a central question, particularly for the highest tiers. As discussed further in Section 2 below, the EUCS process remains stalled and the highest certification level (High+) has been removed from the most recent draft. The outcome will have a direct bearing on what constitutes “appropriate technical measures” under Article 32 GDPR for organisations relying on cloud infrastructure.

Pending simplification: Digital Omnibus

On 19 November 2025, the European Commission published the Digital Omnibus package,[3] a proposal to simplify parts of the EU’s digital rulebook. If adopted in its current form, the package would raise the threshold for mandatory breach notifications to supervisory authorities (aligning it with the “high risk” standard already applicable for notification to data subjects), extend the notification deadline from 72 to 96 hours, and establish a single EU reporting portal managed by the European Union Agency for Cybersecurity (ENISA) covering incidents under the GDPR, NIS2, DORA, eIDAS and CER. The proposal also includes a narrower definition of “personal data” by codifying a relative concept of identifiability. These proposals remain draft legislative texts subject to full parliamentary and Council scrutiny; the final text may differ materially from the Commission’s proposal.

2. Cybersecurity Legislation: NIS2, CRA, and DORA

The NIS2 Directive (Directive (EU) 2022/2555) required Member States to transpose its rules into national law by 17 October 2024. In practice, implementation has not been uniform across the Union, and the Commission opened infringement procedures against 23 Member States in November 2024 for failure to fully transpose the Directive. In Finland, NIS2 was implemented through the Cybersecurity Act (124/2025), which entered into force on 8 April 2025; as regards public administration, related requirements were laid down through amendments to the Act on Information Management in Public Administration. Finland uses a sector-specific supervisory model, with Traficom coordinating cooperation between supervisory authorities rather than acting as a single primary supervisor, though sector-specific authorities, such as the Finnish Financial Supervisory Authority (Fin. Finanssivalvonta) in the financial sector, also exercise supervisory roles. Entities within scope are required to adopt risk management measures, including those addressing supply chain security and encryption.

Cyber Resilience Act (CRA)

The Cyber Resilience Act (Regulation (EU) 2024/2847)[4] entered into force on 10 December 2024 and extends security-by-design requirements to products with digital elements. Mandatory reporting obligations under Article 14 apply from 11 September 2026, while the regulation becomes fully applicable from 11 December 2027. The standardisation process is now well advanced: CEN, CENELEC and ETSI accepted the Commission’s standardisation request (M/606) on 3 April 2025, mandating 41 harmonised standards. Horizontal standards are due by 30 August 2026 and product-specific vertical standards by 30 October 2026. Mandatory reporting of actively exploited vulnerabilities will apply from 11 September 2026, while full product compliance obligations apply from 11 December 2027. Quantum-safe product requirements are a live development area within this process.

EUCS: Cloud certification stalled

ENISA’s European Cybersecurity Certification Scheme for Cloud Services (EUCS) has been under development since 2019 but remains in deadlock.[5] The latest draft version (V1.0.413, March 2024) is frozen, and the previously planned vote has not taken place. The central controversy concerns sovereignty requirements: the High+ certification level — which had envisaged data residency and immunity from non-EU law requirements most relevant for quantum-resistant cloud security — has been removed from the current draft. Progress is unlikely before the revision of the EU Cybersecurity Act (CSA), for which the Commission tabled a proposal on 20 January 2026.[6]

DORA: Digital operational resilience in the financial sector

The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554)[7] has been applicable since 17 January 2025 and imposes mandatory ICT risk management, incident reporting and third-party risk requirements on financial institutions across the EU. DORA is directly relevant to quantum risk: financial sector entities are particularly exposed to the “harvest now, decrypt later” threat given the long-term sensitivity of the data they hold. The three European Supervisory Authorities (EBA, EIOPA and ESMA) designated the first list of critical ICT third-party service providers (CTPPs) on 18 November 2025 and will conduct individual oversight assessments throughout 2026. Quantum-resistant cryptography requirements are an emerging question in DORA’s technical standards, and organisations subject to DORA should treat post-quantum migration as part of their ICT risk management obligations under Article 6.

3. Intellectual Property Rights

Quantum computing raises complex questions in intellectual property law. The patentability of quantum algorithms is a live issue. The European Patent Convention (EPC) excludes mathematical methods and mental acts from patentability to the extent they are claimed as such (Articles 52(2)–(3) EPC).[8] Quantum algorithms embedded in a technical implementation may therefore still be patent-eligible, depending on how the claim is framed and whether it produces a technical effect. Applications for European patents are filed directly with the European Patent Office (EPO) under the EPC framework. Separately, national patents in Finland are governed by the Finnish Patents Act (550/1967, as amended), which reflects equivalent exclusions. Quantum algorithms embedded in technical implementations, particularly those producing a technical effect, may qualify for patent protection under either route, but the EPC and the Finnish national patent system operate as parallel, distinct frameworks rather than one being implemented through the other.

The race between major technology companies and nation-states to develop quantum advantage has already generated a significant volume of patent filings. Finnish and EU-based organisations developing quantum technologies should consider carefully how to protect their innovations within these constraints.

Trade secrets also become increasingly relevant: the EU Trade Secrets Directive (2016/943/EU), implemented in Finland through the Act on Trade Secrets (595/2018),[9] protects undisclosed know-how, including proprietary quantum computing techniques, provided reasonable confidentiality measures are maintained. Notably, the Digital Omnibus proposal strengthens trade secret safeguards under the Data Act’s IoT data-sharing regime, allowing data holders to refuse mandatory sharing where there is a substantial risk of unlawful disclosure — a protection with practical relevance for quantum technology developers.

4. Export Controls and Dual-Use Regulation

Quantum computing technology carries significant dual-use potential: civilian and military applications overlap substantially. The EU Dual-Use Regulation (2021/821/EU)[10] is directly applicable across all Member States, including Finland, and takes precedence as the primary legal instrument governing the export of goods, software and technology that can be used for both civilian and military purposes. Quantum computers, components and related software are increasingly listed on relevant control lists. The Finnish Act on the Export Control of Dual-Use Items (500/2024), in force from 15 September 2024, complements the EU Regulation at the national level, providing the procedural and enforcement framework within Finland. As quantum computing advances, export control classifications are likely to become more stringent, and businesses should monitor updates to the EU Dual-Use Regulation’s Annex I accordingly.

The Quantum Europe Strategy (July 2025) explicitly acknowledges the dual-use character of quantum technologies and their role in discussions on both inbound and outbound investment controls. The forthcoming Quantum Act is expected to include governance provisions addressing supply-chain security and export-related risks — areas where EU and national export control regimes intersect.

5. Competition Law Considerations

The development of quantum computing is dominated by a small number of well-resourced actors, raising concerns about market concentration. The EU’s antitrust framework under Articles 101 and 102 of the Treaty on the Functioning of the European Union (TFEU) applies fully to the quantum sector.[11] The European Commission has already signalled interest in digital markets concentration, and quantum computing — given its potential to confer extraordinary computational advantages — may attract scrutiny under merger control rules and abuse of dominance provisions.

In the context of merger control, where transactions meet the thresholds set out in the EU Merger Regulation (139/2004), the European Commission has exclusive jurisdiction, and national authorities such as the Finnish Competition and Consumer Authority (KKV) are precluded from applying national competition law to the same transaction. The KKV’s jurisdiction is therefore limited to mergers and market conduct falling below EU-level thresholds. Within those bounds, Finland’s domestic competition rules mirror EU principles and apply fully to market conduct within Finnish borders.

6. AI, Quantum Computing, and the EU AI Act

The EU AI Act (Regulation (EU) 2024/1689)[12] classifies AI systems by risk level and imposes corresponding obligations. Quantum-enhanced AI systems — which could operate at vastly greater speeds and with greater analytical power than classical AI — may fall within the Act’s scope. High-risk quantum AI applications in areas such as biometric identification, critical infrastructure management or judicial decision-support would attract the most stringent requirements, including transparency, human oversight, and conformity assessments.

As regards timing, the Commission’s AI Omnibus proposal of 19 November 2025 proposes a “stop-the-clock” mechanism that would link the application of high-risk AI obligations to the availability of harmonised standards and guidance. Under this proposal, obligations for high-risk systems listed in Annex III would apply six months after the Commission confirms that support measures are available, with a long-stop date of 2 December 2027; obligations for Annex I systems would apply twelve months after that confirmation, with a long-stop of 2 August 2028. If adopted, this would affect the timeline for compliance by developers of quantum-assisted AI systems. The AI Omnibus is currently subject to legislative negotiations and may be materially amended.

7. Regulatory Horizon: What to Expect

EU Quantum Act

The most significant near-term development is the forthcoming EU Quantum Act. On 2 July 2025, the Commission published the Quantum Europe Strategy (COM(2025) 363 final),[13] setting out an ambition for Europe to become a global quantum leader by 2030. The Commission’s 2026 Work Programme schedules the Quantum Act legislative proposal for 2026. According to the European Parliament’s Legislative Train Schedule, the Act is expected to pursue three complementary objectives: coordinating research and innovation investment across Member States; improving EU industrial capacity in quantum hardware and chip manufacturing; and reinforcing quantum supply-chain security and governance. Its legal basis is Articles 173, 180 and 184 TFEU, framing it as a research, industrial and competitiveness instrument, more akin to the EU Chips Act than to the AI Act. Commission President von der Leyen indicated in her September 2025 State of the Union address plans for a ‘Quantum Sandbox’, which would be a welcome approach to facilitating interplay between regulators and innovators. The Quantum Act will be the first piece of EU legislation specifically designed around quantum technology and will represent a landmark development for the legal frameworks surveyed in this article.

Post-quantum cryptography: converging standards

NIST finalised its first three post-quantum cryptography standards in August 2024 (FIPS 203, 204 and 205).[14] In June 2025, the European Commission published a Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography, signalling an EU-level push for PQC migration across public and private sectors. ENISA continues to publish guidance on cryptographic risk, and organisations subject to GDPR Article 32, NIS2 or DORA should treat PQC migration planning as an active compliance obligation, not a future consideration.

Cybersecurity Act revision

On 20 January 2026, the Commission tabled a proposal to revise the EU Cybersecurity Act (Regulation (EU) 2019/881),[15] aiming to strengthen ENISA’s mandate and accelerate the development of certification schemes. This revision will directly affect the EUCS cloud certification process and may provide a procedural basis for revisiting the stalled High+ quantum-resistant tier.

Digital Omnibus: simplification in progress

The Digital Omnibus package (19 November 2025) is the Commission’s first comprehensive effort to simplify the EU’s digital rulebook. It does not introduce new substantive requirements relevant to quantum computing, but its proposed unification of incident reporting obligations (under GDPR, NIS2, DORA and CER through a single ENISA-operated portal) will reduce compliance complexity for organisations already navigating multiple cybersecurity regimes. The package is in the ordinary legislative procedure; adoption is expected in 2026–2027.

Finland’s quantum readiness

In Finland, the government’s broader digital and technology strategy, coordinated through the Ministry of Economic Affairs and Employment and Traficom, is expected to address quantum readiness as part of national cybersecurity and innovation policy. Finnish universities and technology companies — several of which are active in the European Quantum Flagship programme — have a central role to play in translating the EU’s regulatory ambitions into practical capability.

Conclusion

The EU’s Quantum Flagship programme, the forthcoming Quantum Act, and the regulatory frameworks surveyed in this article are welcome and necessary steps. Europe’s achievements — from the GDPR to the AI Act, NIS2, DORA and the CRA — demonstrate a commendable capacity for thoughtful governance of emerging technologies. The regulatory horizon is now substantially clearer than it was even twelve months ago: NIST has finalised its first three post-quantum cryptography standards, and the Commission Work Programme schedules a Quantum Act legislative proposal for Q2 2026.

However, regulation alone is not sufficient to secure Europe’s place in the quantum age. The global race for quantum supremacy is, at its core, a race for scientific and technological leadership, and in that race the United States and China are investing heavily — not merely in legal frameworks, but in laboratories, talent pipelines and industrial capacity. The EU remains scientifically strong in quantum technologies, but commercialisation and scale-up remain weaker. The Commission’s Quantum Europe Strategy states that Europe attracts only around 5% of global private quantum funding, while a JRC assessment reports that the EU hosts 32% of the world’s quantum-technology companies but accounts for only 6% of global patenting.

For the European Union to compete meaningfully, it must match its regulatory ambition with equally bold investment in fundamental research, applied sciences and quantum engineering. The Quantum Act represents precisely the kind of commitment needed, and it must be backed by the political will to make Europe a genuine quantum power — not simply a well-regulated bystander to a revolution happening elsewhere. Finnish institutions, universities and technology companies have a vital role to play in that endeavour, and the legal frameworks surveyed in this article exist, ultimately, to serve and support that broader scientific and economic mission.

Jan Lindberg

Partner


[1]Regulation (EU) 2016/679, OJ L 119, 4.5.2016.

[2]Finnish Data Protection Act (Tietosuojalaki) 1050/2018.

[3]Digital Omnibus Regulation Proposal, COM(2025) 765 final, 19.11.2025.

[4]Regulation (EU) 2024/2847 (Cyber Resilience Act), OJ L, 20.11.2024. Standardisation request M/606 approved by CEN/CENELEC/ETSI 3.4.2025; deadline for horizontal standards 30.8.2026, for vertical standards 30.10.2026; reporting obligations apply from 11.9.2026; full application from 11.12.2027.

[5]ENISA, EUCS Draft v1.0.413 (March 2024), frozen; see also European Parliament Think Tank, Cybersecurity Act Review, 5.1.2026.

[6]Revision of the Cybersecurity Act, COM(2026) 30 final, 20.1.2026.

[7]Regulation (EU) 2022/2554 (DORA), OJ L 333, 27.12.2022; applicable from 17.1.2025. EBA, EIOPA and ESMA designated the critical ICT third-party service providers on 18.11.2025.

[8]European Patent Convention, Articles 52–53; Finnish Patents Act (Patentilaki) 550/1967.

[9]Directive (EU) 2016/943 (Trade Secrets Directive); Act on Trade Secrets (Liikesalaisuuslaki) 595/2018.

[10]Regulation (EU) 2021/821 (EU Dual-Use Regulation), OJ L 206, 11.6.2021; Act on the Export Control of Dual-Use Items 500/2024, in force from 15 September 2024.

[11]TFEU Articles 101–102; Regulation (EU) 139/2004 (EU Merger Regulation), OJ L 24, 29.1.2004.

[12]Regulation (EU) 2024/1689 (EU AI Act), OJ L, 12.7.2024. The AI Omnibus proposal (19.11.2025) proposes a “stop-the-clock” mechanism: Annex III high-risk systems by 2.12.2027 at the latest, and Annex I systems by 2.8.2028. The proposal is pending.

[13] Quantum Europe Strategy, COM(2025) 363 final, 2.7.2025; European Parliament Legislative Train Schedule, Quantum Act, status as of 22.1.2026; Commission work programme 2026 (proposal expected in Q2/2026).

[14]NIST FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA), approved on 13.8.2024. European Commission, “A Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography”, June 2025.