ABSTRACT

The consolidation of Europe’s quantum ecosystem since 2018 has been anchored by the European Union’s €1 billion Quantum Technologies Flagship and complementary instruments spanning Horizon Europe, Digital Europe, Connecting Europe Facility, the Chips Act, and the EuroHPC Joint Undertaking, producing a layered strategy that couples research, pre-industrial deployment, and secure communications. The European Commission confirms the Quantum Technologies Flagship’s ten-year, €1 billion horizon and strategic goals to develop computing, sensing, and communications capacities (European Commission — Quantum Technologies Flagship; Quantum Flagship).

Parallel public investment approaches €7 billion when aggregated at Union and Member State levels, positioning the European Union as second globally by public funding as of April 2024 (European Parliamentary Research Service). Infrastructure execution is advancing: the EuroHPC-owned photonic system “Lucy” will be hosted at CEA/TGCC and coupled to GENCI’s Joliot-Curie; deployment is slated for mid-2025 within the EuroQCS-France consortium led by Quandela with attocube systems AG (Quandela — EuroQCS-France; Quandela press release (EuroQCS-France)).

In Germany, the EuroHPC hybrid system Euro-Q-Exa at LRZ integrates IQM superconducting processors, with 54 qubits in H2 2025 and 150 by end-2026 (EuroHPC JU — Euro-Q-Exa procurement; IQM). On networking, QuTech operates live quantum-internet testbeds linking Delft and The Hague with a staged expansion roadmap (QuTech — Quantum Internet Milestones). For secure communications, the European Commission and ESA formalised EuroQCI implementation in January 2025 to fuse terrestrial fiber and space segments for continent-scale QKD-enabled links safeguarding public-sector and critical-infrastructure traffic (ESA–European Commission — EuroQCI agreement; European Commission — EuroQCI).

A July 2025 European Commission communication documents pilots that include encrypted inter-government communications and hospital-to-hospital exchanges over quantum-secured terrestrial networks, while a June 2025 post-quantum cryptography roadmap advances cryptographic migration across the Union (COM(2025) 363; European Commission — Post-Quantum Cryptography Roadmap). Industrial capacity is being scaled under the Chips Act framework via the SUPREME pilot-line consortium, announced July 2025, to industrialise fabrication of superconducting quantum chips across 23 partners in 8 Member States, coordinated by VTT (VTT — SUPREME press release; Fraunhofer IAF — SUPREME). The combined trajectory evidences a sovereignty-oriented architecture: open-research access via EuroHPC, secure sovereign links via EuroQCI, and domestic chip supply via SUPREME, designed to lower dependence on United States or Chinese stacks for finance, health, and defense-grade data at risk from cryptanalytic advances.

---

Sovereignty, Risk, and Europe’s Quantum Doctrine: Funding, Law, and Strategic Positioning

A decade-scale funding spine emerged in 2018 when the European Commission launched the Quantum Technologies Flagship with a ten-year horizon and an expected €1 billion envelope to stimulate computing, sensing, and communications across academia and industry, codified in policy pages and programme histories that tie calls to a Strategic Research Agenda and open competitive selection (European Commission — Quantum Technologies Flagship; Quantum Flagship — Introduction). The European Parliamentary Research Service quantified aggregate public quantum commitments at nearly €7 billion by April 2024, situating the European Union second globally by public spending, and explicitly linking quantum development to dual-use sensitivities and the objective of strategic autonomy in digital infrastructure (EPRS). The fiscal scaffold is vertically integrated: research and innovation flow through Horizon Europe (Regulation (EU) 2021/695), industrialisation through Digital Europe (Regulation (EU) 2021/694), cross-border connectivity via the Connecting Europe Facility — Digital, and large-scale compute through the EuroHPC Joint Undertaking founded under Council Regulation (EU) 2021/1173 and subsequent acts published by the Official Journal (EUR-Lex — EuroHPC JU regulation note). This design reflects a governance doctrine that treats quantum capability as infrastructure, not a single-vendor acquisition, thereby aligning with the European Union’s commitment to “technological sovereignty” in core computation and secure communications — a theme reiterated across 2025 policy communications on cryptographic migration and secure connectivity (European Commission — Post-Quantum Cryptography Roadmap; European Commission — EuroQCI).

Risk framing is explicit: large-scale quantum computing threatens widely deployed public-key cryptosystems, creating incentives for “harvest-now-decrypt-later” adversary models against sensitive archives in finance, health, and critical infrastructure. The European Commission’s June 23, 2025 roadmap mandates a coordinated post-quantum cryptography transition to standardised algorithms, linking national competent authorities, ENISA, supervisory bodies, and market infrastructures in a time-bound plan that emphasises inventory, prioritisation, laboratory validation, and staged rollout (European Commission — Post-Quantum Cryptography Roadmap). In parallel, the EuroQCI programme and OPENQKD demonstrators implement QKD-based key establishment atop terrestrial and space segments to harden high-value links, establishing a dual track in which algorithmic resilience and physics-based key exchange co-evolve under public governance (European Commission — EuroQCI; ESA–European Commission — EuroQCI agreement; CORDIS — OPENQKD; Quantum Flagship — OPENQKD). A July 2, 2025 European Commission communication, COM(2025) 363, reports pilots that already demonstrate encrypted government-to-government communications, hospital data exchanges, and power-grid control-centre links using quantum-secured terrestrial networks, thereby validating operational feasibility beyond laboratory conditions (COM(2025) 363 (EUR-Lex)).

Sovereignty objectives are juridically circumscribed by horizontal regulatory pillars designed to elevate baseline operational resilience in sectors where quantum-era transition risks are most acute. For financial market infrastructures and regulated firms, the Digital Operational Resilience Act (Regulation (EU) 2022/2554) creates enforceable requirements for ICT risk management, incident reporting, testing, and third-party oversight, with direct implications for cryptographic-control migration and dependency vetting of hardware and managed services (EUR-Lex — DORA). For cross-sector critical services, Directive (EU) 2022/2555 (NIS 2) mandates governance, risk management, and reporting duties for essential and important entities across energy, transport, health, digital infrastructure, and public administration, creating supervisory levers to mandate quantum-safe cryptographic baselines and secure-link adoption as guidance matures (EUR-Lex — NIS 2).

Semiconductor supply for quantum devices is elevated to strategic status under the Chips Act (Regulation (EU) 2023/1781), enabling pilot lines, capacity support, and crisis coordination measures that underpin domestic production of superconducting quantum chips, control electronics, and photonic components central to European platforms (EUR-Lex — Chips Act; EUR-Lex — Chips Act summary). Coordination instruments matter because quantum supply chains are multi-technology: superconducting platforms require Josephson-junction fabrication and cryogenic-microwave integration, photonic platforms require narrow-linewidth sources, ultra-low-loss waveguides, and on-chip programmable interferometers, and trapped-atom systems require laser arrays, vacuum packages, and nanofabricated electrode structures. The SUPREME pilot line announced in July 2025 binds 23 partners in 8 Member States to industrialise superconducting quantum chip processes — including angle-evaporated and etched junctions, 3D integration, and hybrid flows — with process design kits envisaged to open access by 2027, creating shared wafer-level capabilities to reduce import reliance (VTT — SUPREME; Munich Quantum Valley — SUPREME; Fraunhofer IAF — SUPREME).

Execution evidence connects policy intent to hardware and networks operated in secure data-centre contexts under public ownership or control. In France, EuroHPC’s photonic system “Lucy” — a Quandela platform delivered within EuroQCS-France — is scheduled for installation at TGCC (CEA) and coupling to GENCI’s Joliot-Curie, extending open-research access for the European community in 2025 (Quandela — Lucy; Quandela/GENCI press note; CEA — Joliot-Curie). In Germany, the Euro-Q-Exa procurement commits IQM superconducting systems at LRZ with 54 qubits arriving in H2 2025 and a 150-qubit system by end-2026, architected as an integrated hybrid with SuperMUC-NG rather than a loosely-coupled adjunct, a design that privileges performance portability and security management within the existing HPC software and access stack (EuroHPC JU — Euro-Q-Exa contract; LRZ — Quantum computing overview; EuroHPC — procurement launch).

Earlier hybridisation under HPCQS placed PASQAL neutral-atom quantum processors at FZJ (Jülich) and CEA/GENCI, each exceeding 100 controllable qubits, and coupled them to JURECA DC and Joliot-Curie respectively, thereby maturing middleware, scheduling, and user workflows for federated HPC-QC operations across borders (HPCQS; FZJ — PASQAL milestone; PASQAL — milestone). These deployments sit in hardened national facilities: TGCC operates under CEA/DAM with long-standing operational security for open research and industrial workloads, while LRZ integrates quantum systems alongside HPC assets with secure remote access and data-centre procedures maintained for scientific infrastructures (CEA — Joliot-Curie; LRZ — Quantum computing).

On networking, QuTech’s Delft–The Hague entanglement link establishes a metropolitan-scale nucleus for a future multi-node quantum internet, representing a European lead in control protocols, repeater development, and systems engineering for quantum networking, with published roadmaps to chain additional nodes across Leiden and Amsterdam as functionality and reliability targets are met (QuTech — Quantum Internet Milestones). Continental scale is addressed by EuroQCI. In January 2025, the ESA–European Commission implementation agreement cleared development to begin on the space-enabled segment that, combined with terrestrial backbones, will deliver quantum-secured links to governmental sites and critical-infrastructure operators; the initiative is framed as a pillar of the EU’s cybersecurity posture toward 2030 and explicitly cites QKD as the key enabling mechanism for the first wave of services (ESA — EuroQCI agreement; ESA Connectivity — EuroQCI; European Commission — EuroQCI policy page).

Terrestrial pilots under OPENQKD and related projects report real-world trials — including secure video-conferencing with quantum keys and metropolitan fibre links — documenting deployment KPIs and lessons learned through May 2024 deliverables and showing how operational traffic can be protected under European-made systems (OPENQKD D8.7 (May 6, 2024); OPENQKD — CORDIS; PETRUS EuroQCI demonstrations). The COM(2025) 363 communication records pilots for encrypted exchanges between government institutions and hospitals on terrestrial quantum networks, supporting the assertion that Europe has moved beyond proofs-of-concept into operational pilot protection for public services; where production security of European Commission internal communications is concerned, no verified public source attests to a full production switchover, and therefore the present assessment strictly references the published pilots (COM(2025) 363).

The sovereignty frame is therefore practical rather than declarative: European quantum computers owned by EuroHPC and situated at state-operated research centres provide controlled environments for algorithmic development, while quantum networks under EuroQCI deliver hardened key exchange for high-value links, and the Chips Act enables manufacturing depth for future scaling. Avoiding supplier lock-in to extra-European stacks is accomplished by combining open research access policies with European industrial participation — exemplified by Franco-German collaborations such as Quandela/attocube on the photonic path and IQM/LRZ on the superconducting path — and by ensuring that compute and communications are instantiated within sovereign facilities in France and Germany with public-interest mandates (Quandela — EuroQCS-France; Quandela press release (EuroQCS-France); EuroHPC — Euro-Q-Exa; LRZ — Quantum computing). In this configuration, sensitive financial-market infrastructures subject to DORA, national health-data operators, and strategic control systems regulated under NIS 2 can be on-ramped to quantum-safe cryptography and, where justified by risk, to QKD-enabled channels, while research communities iterate algorithms on European-owned systems — a model aligned with the European Union’s preference for common resources that support both public services and competitive markets under regulated access regimes.

Finally, Europe’s posture relative to the United States and China is to de-risk rather than mirror a militarised race. The cited programmes explicitly prioritise open research access, standards development, and public-sector protection. The space-to-ground component with ESA and the terrestrial pilots under EuroQCI are structured to protect communications of governmental institutions and critical services, and the compute resources under EuroHPC are embedded in existing HPC governance rather than segregated into closed national silos, reducing duplication and enabling federated scheduling and auditing. The industrial pilot line under SUPREME answers the remaining structural dependency by bringing junction fabrication and 3D integration into European pilot-line control, which is pivotal for scaling beyond demonstrators and for ensuring that security-critical subsystems — from SNSPDs to cryo-microwave components — are available from European producers on timelines consonant with regulatory roadmaps for cryptographic migration and data-protection mandates (VTT — SUPREME; Munich Quantum Valley — SUPREME). The resulting doctrine fuses research-grade openness with state-grade assurance to pursue “quantum independence” not as isolation but as resilient optionality — a sovereign capability stack that can integrate with allies yet operate securely under European jurisdiction and procurement, sustained by domestic chip pilot lines and public communications networks whose keying material is not contingent on foreign trust anchors.

Architecture and Governance: From the Quantum Technologies Flagship to the EuroHPC Joint Undertaking Cohesion

The governance core of Europe’s quantum effort is anchored in the European Commission’s strategic framing and legal instruments that deliberately fuse basic research, infrastructure procurement, and deployment into a single policy arc. The Communication on a “Quantum Europe Strategy” dated July 2, 2025 reports cumulative investments of €2 billion at European Union level in the previous five years, complemented by more than €9 billion from Member States, while calling for a “dedicated Quantum Pillar” and procurement models that translate research outcomes into operational systems for public and industrial users, with explicit links to secure communications and hybrid supercomputing-quantum workflows; the document is publicly available via EUR-Lex as COM(2025) 363 and sets a budgetary and institutional baseline for coordinated action across programs and agencies (European Commission COM(2025) 363). The legal backstop for funding research remains Regulation (EU) 2021/695 establishing Horizon Europe, while deployment and capacity-building rely on Regulation (EU) 2021/694 for the Digital Europe Programme, both on EUR-Lex, which collectively authorize substantial “non-R&I” spending on computing and networks in parallel with grants for science and innovation (Regulation (EU) 2021/695, Regulation (EU) 2021/694).

The Quantum Technologies Flagship structures upstream research and innovation under a programmatic roadmap that is now codified in the Strategic Research and Industry Agenda (SRIA) 2030, presented in February 2024 in Brussels and hosted by qt.eu. That document sets detailed priorities for computing, communications, simulation, sensing, and enabling components and emphasizes supply-chain autonomy, explicitly mapping how research deliverables should converge with deployment tracks such as the European Quantum Communication Infrastructure and the EuroQCS procurements under the EuroHPC Joint Undertaking (SRIA 2030, SRIA timeline 2022–2025). The SRIA 2030 further integrates skills governance by linking research pillars with the European Competence Framework for Quantum Technologies and its versioned updates, which define reference profiles for workforce development and thus align doctoral training, micro-credentials, and industry reskilling with the hardware and software roadmaps (Quantum Flagship Publications).

Procurement, hosting, and user access are centralized under the EuroHPC Joint Undertaking, a Union body framed by Council Regulation (EU) 2021/1173 and its subsequent revisions, with a tripartite governance mechanism: a Governing Board of public members, an Executive Director, and an Industrial and Scientific Advisory Board composed of the Research and Innovation Advisory Group (RIAG) and the Infrastructure Advisory Group (INFRAG). This design is explicitly described on the public governance page and in the regulation’s recitals, which detail selection via calls for expression of interest and co-ownership arrangements that allocate Union access time as a function of the Digital Europe Programme share in acquisition cost (EuroHPC JU governance, Commission policy overview of EuroHPC Joint Undertaking, OJ publication of Council Regulation (EU) 2021/1173). The advisory groups give implementable shape to procurement and access by channeling requirements from research centers, supercomputing operators, and industry; the RIAG member roll names the institutional representation spanning Jülich Supercomputing Centre, CINECA, Barcelona Supercomputing Center, CEA, and others, which is germane to determining the technology mixes and user-support design in hybrid workflows (RIAG members).

The hosting-entity model ensures that quantum systems are physically integrated with national or regional Tier-0 and pre-exascale supercomputers while owned—at least pro rata—with Union funding by the EuroHPC Joint Undertaking. The regulation text, accessible in the published Official Journal PDF, states that the hosting entity and its private-partner consortium are selected by the Governing Board after an independent evaluation and that the Union owns a share corresponding to its financial contribution from Digital Europe, which then translates into a share of access time (OJ text excerpt on hosting and ownership). Public press pages from EuroHPC JU confirm that hosting agreements signed in 2023 span Czechia, Germany, Spain, France, Italy, and Poland, chosen to maximize architectural diversity and thereby enable broad algorithmic exploration under uniform user-support and benchmarking regimes (EuroHPC announcement of six hosting entities).

Procurement files demonstrate how this governance is now materializing into concrete platforms. In Spain, EuroHPC JU signed the procurement contract for MareNostrum Ona with Qilimanjaro Quantum Tech on January 28, 2025, specifying an analogue quantum computer in the annealing family with an initial minimum of 10 physical qubits, co-funded at €8.5 million and hosted by the Barcelona Supercomputing Center – Centro Nacional de Supercomputación, integrated with MareNostrum 5; the public press note details the consortium composition and the co-funding split between EuroHPC JU and the Government of Spain (EuroHPC JU Spain procurement note). In Italy, the EuroQCS-Italy contract with Pasqal was signed on March 27, 2025, specifying a neutral-atom simulator with at least 140 qubits in first generation and a planned 2027 upgrade to hybrid analogue/digital mode, hosted at CINECA and integrated with Leonardo; co-funding totals €13 million, split 50% from EuroHPC JU and 50% from national sources via MUR and the ICSC center under the RRF framework, with cross-border partners ARNES and Forschungszentrum Jülich in the consortium (EuroHPC JU Italy procurement note). In France, Lucy—a universal photonic system co-acquired with GENCI and hosted by CEA at TGCC—is documented through a vendor page that reiterates the integration with Joliot-Curie and availability to European users in 2025, complementing the EuroHPC JU procurement announcement dated September 26, 2024 for the EuroQCS-France site (Quandela Lucy, EuroHPC JU Lucy press). In Germany, Euro-Q-Exa at Leibniz Supercomputing Centre is specified by EuroHPC JU as a superconducting, gate-based system with a staged plan of 50 physical qubits rising to at least 100 in the second phase, fully integrated with SuperMUC-NG; complementary public releases from IQM and LRZ describe the broader path to 54 and 150 qubit-class devices in the site’s roadmap, illustrating how procurement and national investments braid together (EuroHPC JU Euro-Q-Exa procurement, LRZ quantum computing overview, IQM procurement context). In Czechia, the LUMI-Q consortium contract described by the LUMI site and EuroHPC JU confirms a superconducting system to be installed at IT4Innovations and integrated with KAROLINA, creating the country’s first national quantum computer under the EuroHPC ownership model (EuroHPC JU procurement Czechia, LUMI-Q contract news). In Poland, the EuroQCS-Poland contract signed July 10, 2024 designates a trapped-ion, gate-based machine co-funded at €12.28 million, to be hosted by Poznań Supercomputing and Networking Center and supplied by AQT, again illustrating the same co-ownership and access-time logic (EuroHPC JU Poland procurement note, AQT notice).

Connectivity between quantum and classical resources is governed not only by site engineering but also by the EuroHPC JU project portfolio and its integration mandates. The HPCQS program, whose official website describes two analogue neutral-atom quantum simulators integrated with GENCI’s Joliot-Curie and FZJ’s JURECA, provides the architectural template for cloud-based, federated access, common software stacks, and workflow definition for hybrid tasks in materials, chemistry, and optimization; press pages on EuroHPC JU procurement often reference HPCQS as the base for user enablement, training, and best practices for interconnect and scheduling (HPCQS official site, EuroHPC JU Spain note citing HPCQS, EuroHPC JU Italy note citing HPCQS). This arrangement is not merely technical; it is the governance mechanism by which Union procurement de-risks architectural heterogeneity while preserving performance gains available from superconducting, trapped-ion, neutral-atom, photonic, and annealing approaches, all within supercomputing centers bound by national and Union cybersecurity baselines.

Access and allocation rules are codified and published, with a EuroHPC JU Access Policy updated April 9, 2025, defining modalities such as Regular Access and Extreme Scale Access, continuous calls with two cut-offs per year, and explicit eligibility for academia, industry, and public administrations. The public FAQ and policy pages clarify that access is open to EU and Participating States entities, and that large allocations are justified by anticipated scientific or industrial impact; program news pages list call calendars and system migrations relevant to users preparing proposals, indicating how governance ensures predictability of computational resources and user support (EuroHPC JU Access Policy (April 9, 2025), Supercomputers access policy and FAQ, Access calls update page, Regular Access call page). The policy’s legal anchoring in the Council Regulation guarantees that procurement shares translate to time shares and that cross-border scientific communities can obtain allocations irrespective of the machines’ physical locations, which is central to sovereignty goals that reject dependence on proprietary overseas clouds.

On secure communications, governance is split between terrestrial and space segments under the European Quantum Communication Infrastructure initiative. The European Commission’s EuroQCI policy page explains that terrestrial rollout will leverage cross-border fiber linking strategic sites and that space-based augmentation is planned through a satellite segment, initially with the EAGLE-1 demonstrator, followed by a first-generation constellation developed with the European Space Agency and funded through IRIS²; late 2025 or early 2026 is the stated target for EAGLE-1 launch in Commission materials (EuroQCI policy). The institutional framework was reinforced by an Implementation Agreement signed on January 30, 2025 between the European Commission and ESA, whose public announcements describe the objective to build a quantum-secure network for governmental communications with QKD and quantum-safe cryptography, aligned to Digital Decade sovereignty aims; both institutions published accessible summaries confirming the programmatic link to IRIS² and the intent to integrate terrestrial and space layers (Commission–ESA EuroQCI agreement, ESA connectivity note on EuroQCI). The implementation channel for terrestrial deployment is the Connecting Europe Facility (CEF Digital) managed by HaDEA, which states that EuroQCI projects funded under CEF will secure sensitive communications for public authorities and critical infrastructures and that €90 million was budgeted in a March 31, 2025 call completion update; this is the procurement and grant conduit for national segments and cross-border links that will be federated at Union level (HaDEA EuroQCI overview, HaDEA call completion of March 31, 2025). At present there is no official public release stating that QKD already protects routine European Commission communications; where such a claim would be relevant, the only valid statement under open sources is: No verified public source available.

Test-bed governance and pre-deployment evidence come from the OPENQKD program, whose public deliverables D8.3 and D8.7 document multi-city field trials across Berlin, Madrid, Poznań, and Vienna, including replicability analyses and performance reports with real-world deployment conditions and use cases in commercial and scientific settings; the D8.7 “Second and Final Report on Field Trial Execution” published May 6, 2024 and D8.3 “Report on testbed replicability and performance” provide the traceable technical substrate against which EuroQCI integration and standardization can proceed (OPENQKD D8.7 (May 6, 2024), OPENQKD D8.3, CORDIS results page for OPENQKD). Standards activity that undergirds interoperability is visible at ETSI’s QKD group pages and in published specifications such as ETSI GS QKD 014 V1.1.1 defining a REST-based key delivery API between QKD networks and consuming applications; the work-program page indicates an ongoing 2025 update to include OpenAPI descriptions, while the group page summarizes interface, implementation, and optical characterization work areas that deployments reference when engineering cross-vendor networks (ETSI GS QKD 014 V1.1.1, ETSI QKD group overview, ETSI work-item update page, August 5, 2025). In parallel, the European Union Agency for Cybersecurity (ENISA) maintains public guidance on post-quantum cryptography adoption that EuroQCI planners cite when designing hybrid PQC/QKD controls for critical systems; the agency’s repository provides current-state and mitigation studies with trade-off analyses relevant to energy, latency, and migration risk (ENISA PQC overview, ENISA PQC recommendations).

Programmatic cohesion across research, deployment, and market shaping is deliberately enforced by cross-regime instruments and the evolving mandate of EuroHPC JU. The European Commission on July 16, 2025 publicly proposed an amendment to the EuroHPC regulation to add a dedicated Quantum Pillar and to support AI Gigafactories, explicitly describing this as a first action under the Quantum Europe Strategy of July 2, 2025; the proposal is linked on the EuroHPC JU site, where the governance mechanism for integrating quantum computing, AI, and HPC under a single operational umbrella is laid out as the method to scale users, software stacks, and data centers in tandem (EuroHPC press on amendment and Quantum Pillar, July 16, 2025, EuroHPC JU homepage press slot). The Key Documents repository records work-programme amendments for 2025, a public trace of budgetary and call adjustments that give insight into the cadence by which quantum procurements and access calls are sequenced alongside traditional supercomputing initiatives and skills programs (EuroHPC Key Documents 2025).

National initiatives in France, Germany, and the Netherlands are bound into this Union architecture through co-funding, site hosting, and technology specialization. The Netherlands’ Quantum Delta NL was awarded €615 million from the National Growth Fund on April 9, 2021, with official pages detailing that the investment finances shared fabrication facilities, Houses of Quantum, and a scale-up pipeline, and that Dutch institutions work across EU programs to prevent fragmentation; Quantum Delta NL’s programme pages and the documents repository provide the authoritative confirmation of the budget and structure (Quantum Delta NL National Growth Fund award, Programme overview). Germany’s federal ministry documents a December 11, 2024 framework for quantum technologies aligned to the Future Strategy for Research and Innovation, adding specificity on photonics and processors while referencing prior multi-year federal allocations that dovetail with EuroHPC procurements at LRZ; the public English PDF sets the policy frame for national-EU synergy in component, hardware, and application stacks (BMBF quantum technologies framework, December 11, 2024). The Quantum Flagship itself highlights the ambition to avoid import dependence on critical components—a recurrent theme in SRIA 2030 and echoed in Quantera’s September 2024 white paper—that translates into procurement requirements on openness, on-premises hosting, and integration with public supercomputing rather than opaque off-site services (SRIA 2030, Quantera white paper, September 2024).

The EuroQCI terrestrial deployments are synchronized with the evolution of satellite assets under ESA to minimize vendor lock-in and to retain cryptographic control on European soil. Commission pages explain that EuroQCI is built from domestically developed products and systems and that IRIS² is the future envelope for space segment scaling, while HaDEA’s calls target cross-border links and integration of national segments into a seamless EU network; this underscores a governance tenet of sovereignty that is operationalized through procurement rules requiring EU manufacturing and standards compliance rather than through purely declarative strategy (EuroQCI policy, HaDEA EuroQCI, HaDEA March 31, 2025 update). Standards activity at ETSI coupled with ENISA guidance ensures that EuroQCI does not operate in a vacuum but rather in a hybrid posture where quantum-safe public-key algorithms and key distribution networks coexist, a necessary discipline given the heterogeneity of critical infrastructure owners and the persistence of legacy systems; the bolded governance implication is that Europe’s approach to sovereignty relies as much on certification and interoperability as on hardware delivery (ETSI QKD group, ENISA PQC overview).

Program updates since 2024 also show that governance is adaptive, not static. EuroHPC JU has continued to publish procurement signatures and hosting additions, with Luxembourg and the Netherlands selected in 2024 to host new quantum computers on top of the original six sites, as reflected in public EuroHPC press pages and partner announcements; this indicates that the hosting model scales by adding nodes and that the advisory structure can absorb new technologies without rewriting the legal framework (EuroHPC JU Spain press with 2024 additions). The access-call infrastructure itself is being modernized—EuroHPC publicly announced a migration of access-call platforms in September 2025—and the Key Documents archive lists 2025 work-programme amendments, both of which show operational governance functions that are often ignored in high-level strategy but are essential to maintain researcher and industry confidence in consistent resource allocation and support (Access-calls platform migration notice, Key Documents 2025).

Cross-program links to semiconductors and compute are also governance features, not mere context. The European Chips Act—Regulation (EU) 2023/1781 on EUR-Lex—creates capacity for pilot lines and advanced packaging that serve cryo-electronics, control hardware, and photonic integration needed by quantum platforms, and its instruments can be aligned with Horizon Europe projects and Digital Europe procurements by Member States co-hosting quantum systems; this is how sovereignty over quantum devices becomes achievable rather than aspirational, since enabling technologies and supply chains are financed under consistent state-aid and Union rules (Chips Act 2023/1781). The governance nexus thereby extends from SRIA to EuroHPC procurement and EuroQCI deployment and into semiconductor industrial policy, which the Commission makes explicit in the Quantum Europe Strategy when it argues for expanding innovation-oriented procurement and for engaging hospitals, infrastructure operators, and government agencies as launch customers for quantum-enabled solutions, with dedicated financial incentives noted in the public EUR-Lex PDF (COM(2025) 363).

Institutional cohesion is further visible in the way national strategies are embedded in Union mechanisms. Quantum Delta NL’s coordination with France and Germany is described in public diplomatic and innovation-network publications, but the more legally relevant artifacts are the co-funded EuroHPC procurements mapped earlier, where national ministries and EuroHPC co-finance under a standardized split and publish vendor contracts and hosting details; these press notes should be read as governance documents because they operationalize ownership, access rights, and integration milestones under a transparent rule set (EuroHPC JU Italy procurement note, EuroHPC JU Spain procurement note, EuroHPC JU Germany procurement note, EuroHPC JU Poland procurement note). Finally, by proposing a EuroHPC “Quantum Pillar,” the Commission formalizes the administrative locus for these interlocking activities, ensuring that budgeting, calls, procurement, and access are all handled within the same Union entity that already runs LUMI, Leonardo, MareNostrum 5, and other Tier-0 systems, thereby anchoring quantum sovereignty in an institution that controls, operates, and allocates compute at continental scale (EuroHPC press on Quantum Pillar, July 16, 2025).

Compute Build-Out 2025–2026: Photonic and Superconducting Systems at TGCC/GENCI and LRZ, Hybrid HPC–Quantum, and Franco-German Integration

Evidence for a consolidated compute build-out in France originates with the EuroHPC Joint Undertaking procurement of Lucy, a universal photonic platform supplied by Quandela and hosted at TGCC under CEA with coupling to GENCI’s Joliot-Curie; the public procurement note specifies the hosting country and integration mandate, while vendor and national operator pages disclose pre-deployment access and on-premises coupling to the national Tier-0 environment, confirming that users across the European Union obtain controlled access via the EuroHPC allocation framework and national pathways through GENCI (EuroHPC JU — Lucy procurement, Quandela — Lucy, GENCI — early remote access to 12-qubit system, CEA — Joliot-Curie at TGCC, CEA — TGCC site overview). The GENCI announcement on March 18, 2025 states that early remote access for European researchers to a 12-qubit photonic system matching the Lucy architecture is available, building on a 6-qubit access phase introduced at SC/24, thereby enabling software maturity, workload preparation, and middleware validation months before full installation within the hardened TGCC facility managed by CEA’s DAM operational teams (GENCI — early remote access (March 18, 2025), Quandela — SC/24 remote access note). The TGCC pages document that Joliot-Curie is operated within a secured national computing campus in Bruyères-le-Châtel with procedures and access controls honed for mixed academic–industrial workloads, which is material for sovereignty because quantum workflows will traverse the same authentication, audit, and storage regimes as conventional HPC jobs under GENCI/CEA governance (CEA — TGCC overview, CEA — Joliot-Curie).

Convergence of photonics and neutral-atom hardware into the TGCC/Joliot-Curie stack is already validated through the HPCQS program, which couples analogue neutral-atom devices to Tier-0 resources in France and Germany under EuroHPC co-funding; PASQAL reports the **June 19, 2024 delivery of a quantum processing unit to GENCI/CEA with integration via the Eviden Qaptiva toolchain to offload hybrid sections from Joliot-Curie, and GENCI’s **March 20, 2025 update documents Ruby reaching 35 trapped atoms on track for 100 in H/1 2025, evidencing progressive enablement of application developers ahead of general availability (PASQAL — first QPU delivered to GENCI/CEA (June 19, 2024), GENCI — Ruby deployment milestone (March 20, 2025), HPCQS — Franco-German hybrid overview). The same HPCQS pathway established cross-border coupling to JURECA DC at Forschungszentrum Jülich (FZJ) with PASQAL’s 100+ controllable-qubit devices, demonstrating the bidirectional operational model: applications are scheduled and authenticated through established national HPC centers while quantum subroutines are dispatched over secure channels to on-premises quantum hardware abutting those centers (HPCQS news — GENCI/CEA, FZJ, PASQAL milestone, PASQAL — hybrid milestone (Nov 9, 2023)).

Superconducting capacity growth and hybrid integration in Germany are detailed in the EuroHPC JU procurement page for Euro-Q-Exa, which specifies a staged delivery at Leibniz Supercomputing Centre (LRZ) of a 54-qubit system in H/2 2025 and a 150-qubit system by end-2026, explicitly framed as a digital, gate-based platform with “state-of-the-art entangling capabilities” coupled to SuperMUC-NG under a hybrid model; this timing and scale are the authoritative baseline for 2025–2026 superconducting availability at national Tier-0 level in Germany (EuroHPC JU — Euro-Q-Exa procurement (Oct 15, 2024), LRZ — Euro-Q-Exa overview). LRZ’s publication on the first hybrid integration shows the operational precedent: a 20-qubit superconducting system from IQM was successfully integrated with SuperMUC-NG, with test runs demonstrating bidirectional dataflow and scheduling; IQM’s press releases corroborate that the hybrid HPC–quantum stack at LRZ originated in Q-Exa and will be scaled under the Euro-Q-Exa path, aligning vendor roadmaps with EuroHPC procurement staging (LRZ — first hybrid integration, IQM — Euro-Q-Exa collaboration). The Euro-Q-Exa procurement text is explicit about two separate systems and their qubit counts by delivery window, which is a more precise commitment than generic “scaling” statements; it assures researchers and regulated-sector users that capacity increases and firmware maturation will arrive on a schedule synchronized with EuroHPC access calls and middleware updates (EuroHPC JU — Euro-Q-Exa procurement (Oct 15, 2024)).

The technical rationale for hosting photonic and superconducting modalities in separate sovereign facilities emerges from the way workloads map to hardware while respecting security and compliance obligations. Photonic platforms such as Lucy implement universal gates with interferometric meshes, single-photon sources, and on-chip detectors; they are energy efficient, resilient to some noise sources, and natively suited to certain linear-optical transformations relevant to chemistry-inspired sampling and Gaussian boson sampling benchmarks. Superconducting processors, exemplified by Euro-Q-Exa, leverage nanofabricated Josephson junctions at millikelvin temperatures to provide high-frequency, low-latency control conducive to error-mitigation workflows and variational algorithms in optimization and materials. The coexistence of these modalities inside TGCC/GENCI and LRZ aligns with the EuroHPC doctrine of architectural diversity: researchers can prototype cross-backend algorithms under a common HPC scheduler and security perimeter while regulators and asset owners—particularly those in sectors bound by DORA and **NIS 2—retain assurance that processing and intermediate data remain under European Union jurisdiction and audit (EuroHPC JU — governance and access policy, EUR-Lex — DORA Regulation 2022/2554, **EUR-Lex — NIS 2 Directive 2022/2555).

Operational integration steps in France show how sovereignty and performance are pursued simultaneously. The GENCI/CEA/Quandela press dossier dated **September 25, 2024 confirms co-acquisition under EuroHPC and identifies attocube systems AG as a partner, underscoring the European sourcing of critical opto-mechanical subsystems and environmental control; the document notes the deployment at TGCC and the coupling to Joliot-Curie, establishing that quantum jobs will be managed via the existing scheduling, accounting, and user authentication mechanisms of the national Tier-0 complex (GENCI press — EuroQCS-France acquisition (Sep 25, 2024), **CEA — TGCC). On the analogue neutral-atom path, HPCQS integration at TGCC employs the Eviden Qaptiva software to orchestrate hybrid execution, and the GENCI and PASQAL announcements specify milestones in trapped-atom counts and coupling to Joliot-Curie; by binding software, scheduling, and on-premises devices into one operational envelope, these steps minimize data egress and reduce compliance friction for entities that must demonstrate residency and control of sensitive workloads (PASQAL — QPU delivered (June 19, 2024), GENCI — Ruby milestone (March 20, 2025)).

At LRZ, the hosting of superconducting processors adjacent to SuperMUC-NG has implications for I/O paths, cryo-infrastructure, calibration cadence, and job orchestration. LRZ’s summary of the initial hybrid integration explains that quantum resources were embedded into the supercomputer environment rather than left as a peripheral cloud, allowing deterministic latency windows for feedback-heavy routines such as error-mitigated variational algorithms, and facilitating audit of data movement across the interconnect. The EuroHPC contract’s promise of 54 and 150 qubit milestones by H/2 2025 and end-2026 gives system administrators and users a service-planning horizon against which to align firmware upgrades, compiler versions, and low-level driver updates; IQM’s roadmap materials put these counts in the context of device-level fidelity trajectories relevant to NISQ-era utility (LRZ — hybrid integration summary, EuroHPC JU — Euro-Q-Exa procurement, IQM — technology roadmap).

Franco-German integration is not rhetorical; it is embodied in shared projects, mirrored hosting, and synchronized middleware. HPCQS is co-funded by EuroHPC JU, France, and Germany, and deploys neutral-atom devices at TGCC/Joliot-Curie and FZJ/JURECA DC, with public releases stating 100+ controllable-qubit capacities and verified coupling to national Tier-0 machines. The photonic Lucy at TGCC and the superconducting Euro-Q-Exa at LRZ represent complementary modality anchors that can be addressed under uniform EuroHPC access calls, enabling cross-border research teams to compare algorithmic behavior under identical governance and security perimeters. This symmetry permits methodical benchmarking of chemistry, materials, and optimization workloads across modalities while maintaining compliance with residency and data-handling constraints familiar to financial-market infrastructures under DORA and to critical-infrastructure operators under **NIS 2 (HPCQS news, EuroHPC JU — access policy, **EUR-Lex — DORA, **EUR-Lex — NIS 2).

A crucial governance–engineering feature across TGCC and LRZ deployments is the insistence on on-premises installation with co-ownership by EuroHPC, which preserves jurisdictional control over hardware, firmware, telemetry, and key management. The EuroHPC procurement notes and access policies clarify that time-sharing corresponds to European Union co-funding shares, with allocations available to academia, industry, and public administrations through regular calls; CEA and LRZ pages document the existing security posture of their data centers, implying that quantum subsystems will inherit and extend those controls rather than introduce unverified side channels via remote clouds (EuroHPC JU — access policy, **CEA — TGCC, LRZ — Euro-Q-Exa overview). The GENCI/CEA/Quandela dossier also highlights European suppliers for environmental and opto-mechanical subsystems, reinforcing a supply-chain strategy that reduces reliance on extra-European vendors for calibration, stabilization, and packaging—critical for maintainability and for regulatory audits where component provenance and control-plane sovereignty can be questioned (GENCI press — EuroQCS-France acquisition).

From an application standpoint, the 2025–2026 window makes three classes of hybrid experiments realistic under sovereign constraints. First, chemistry and materials simulations that map to analogue neutral-atom arrays or photonic circuits can be executed with tight classical–quantum loops mediated by Joliot-Curie schedulers, exploiting the HPCQS toolchain to keep sensitive pre-competitive data within France while comparing performance to superconducting executions scheduled at LRZ under the Euro-Q-Exa environment; the cross-site comparison is enabled by uniform EuroHPC allocation and reporting rules. Second, combinatorial optimization instances with industrial data sensitivity—finance portfolio rebalancing under regulatory back-testing, energy dispatch with grid-operator data, or supply-chain resilience—can be trialed via variational routines on LRZ’s superconducting hardware with latency-critical feedback from SuperMUC-NG, while photonic and neutral-atom pathways at TGCC provide complementary heuristic baselines. Third, algorithmic and compiler research into error-mitigation and noise-tailored ansätze can be performed across modalities to quantify how device-level non-idealities interact with mitigation strategies when the control plane, telemetry, and job orchestration are all audited under GENCI/CEA and LRZ procedures; this is essential for any subsequent certification in regulated sectors and is feasible precisely because the systems are sovereignly hosted and governed (HPCQS — project overview, EuroHPC JU — Euro-Q-Exa procurement, GENCI — early access to 12-qubit system).

Capacity signaling and user-onboarding are being handled with unusual transparency, which reduces execution risk for 2025–2026. The EuroHPC press items enumerate qubit counts and delivery windows; GENCI’s news stream discloses intermediate milestones such as 35 trapped atoms and 12-qubit photonic access; LRZ and IQM document integration states and the prior 20-qubit hybrid. This cadence of verifiable public artifacts allows research groups and regulated users to plan proposals, migrate code, and design validation experiments with less uncertainty than would be possible under purely vendor-hosted cloud timelines. It also creates a compliance-friendly record for audits: references to EuroHPC calls, CEA/LRZ operational notices, and vendor installation milestones with dates provide a paper trail that satisfies internal control requirements for change management in sectors supervised under DORA and **NIS 2 (EuroHPC JU — access policy and calls, GENCI — Ruby milestone, LRZ — hybrid integration).

The practical meaning of Franco-German integration extends into middleware and standards. The HPCQS materials emphasize portability: applications route through standard HPC job schedulers and interface layers that abstract differences in control electronics, calibration regimes, and native gate sets. This is not cosmetic; portability within sovereign facilities diminishes the risk of vendor lock-in and hastens knowledge transfer between teams at TGCC/GENCI and LRZ. In turn, it enables comparative studies into compiler passes, pulse-level optimizations, and noise-adaptive circuit synthesis when the only variable is the hardware modality; such studies yield defensible evidence for procurement committees and regulatory consultations that must judge cost-effectiveness and security posture of scaling paths. The transparency of EuroHPC procurement pages, combined with installation updates from GENCI and LRZ, supplies audit-ready provenance for software stacks and firmware as they transition through versions over 2025–2026 (HPCQS — news and integration, EuroHPC JU — Euro-Q-Exa procurement, GENCI — early 12-qubit access).

The build-out also intersects with industrial-policy measures for components, which, while not the core of compute installation, affect reliability and maintainability. The Chips Act framework enables pilot lines for cryogenic control, superconducting device fabrication, and integrated photonics, of which the SUPREME pilot-line consortium is a notable 2025 initiative at Union level; although chip-line details pertain primarily to supply-chain sovereignty, the presence of European upstream capacity influences mean-time-to-repair, calibration cycles, and firmware–hardware co-design in sovereign data centers hosting quantum devices, and thus indirectly shapes the operational availability of Lucy, HPCQS devices at TGCC, and Euro-Q-Exa at LRZ (EUR-Lex — Chips Act 2023/1781, VTT — SUPREME press, Fraunhofer IAF — SUPREME press). By hosting compute in public facilities with established maintenance teams and by sourcing critical subsystems from European vendors where possible, France and Germany reduce exposure to export-control shocks and vendor discontinuities—risks that are structurally higher when relying on offshore cloud-based quantum access.

Security and compliance implications are immediate in the 2025–2026 horizon. The European Commission’s post-quantum cryptography roadmap issued on **June 23, 2025 directs Union institutions and market operators toward inventory, prioritization, testing, and staged deployment of standardized post-quantum algorithms; sovereign compute sites at TGCC and LRZ provide controlled environments to evaluate cryptanalytic behavior, circuit-level optimizations, and hybrid protocols that may combine classical post-quantum schemes with physics-based keying experiments under EuroQCI pilots, all without exporting sensitive telemetry to extraterritorial clouds. Although EuroQCI is a communications program, the overlap in operational teams and national security postures at CEA/DAM and LRZ favors cross-pollination of security practices and incident-response procedures governing hybrid jobs and secure communications (European Commission — post-quantum cryptography roadmap (June 23, 2025), EuroHPC JU — access policy, **CEA — TGCC).

The installation milestones and access-enablement steps in France and Germany therefore define a credible, verifiable trajectory for sovereign quantum compute within 2025–2026. Lucy’s pre-deployment remote access at 12 qubits, with SC/24 antecedents at 6, provides a stable target for software stacks and algorithm developers; HPCQS’s neutral-atom integration at TGCC and FZJ/JURECA DC proves end-to-end hybrid scheduling with concrete trapped-atom counts and coupling to Tier-0 supercomputers; Euro-Q-Exa’s contracted 54 and 150 qubit deliveries at LRZ establish superconducting gate-model availability inside a national HPC perimeter already validated by the 20-qubit hybrid. Each assertion is matched by public, dated artifacts on EuroHPC JU, GENCI, CEA, LRZ, PASQAL, and IQM domains, yielding a chain of custody for facts and timelines compatible with the evidentiary demands of regulated users and with the strategic aim of quantum independence that avoids dependence on United States or Chinese vendors for access, scheduling, or maintenance (EuroHPC JU — Lucy procurement, GENCI — 12-qubit access (March 18, 2025), PASQAL — QPU delivered (June 19, 2024), EuroHPC JU — Euro-Q-Exa procurement (Oct 15, 2024), LRZ — hybrid integration).

Quantum Networks and Communications: QuTech Testbeds, EuroQCI, OPENQKD, and ESA’s Space-to-Ground Layer

The metropolitan-scale quantum networking work led by QuTech formalized a live entanglement link between independently operated nodes in Delft and The Hague over 25 km of deployed optical fiber, an advance documented in TU Delft’s research update of October 31, 2024, which emphasizes autonomous node control, integration with existing telecom infrastructure, and repeatable entanglement creation under field conditions; the public communication corroborates that the link’s node design is a blueprint for subsequent extensions across the Netherlands and into cross-border pilots anchored in university and national lab facilities (TU Delft — A rudimentary quantum network link between Dutch cities (October 31, 2024), QuTech — Quantum Internet Milestones). The same QuTech program supplies the roadmap for a staged “first entanglement-based quantum internet,” explicitly listing the Delft–The Hague pair as the foundational link and describing additional nodes to increase functionality, routing, and multiplexing capabilities, thereby defining a practical engineering trajectory from laboratory networks to metropolitan backbones that can interoperate with future repeater technologies within Europe’s regulatory perimeter (QuTech — Quantum Internet Milestones).

The translation of those Dutch achievements into a transnational testbed is visible in the press release from the Fraunhofer Institute for Laser Technology of January 23, 2025, which reports the transfer of a complete quantum internet node, developed with TNO in Delft, to Aachen for further development and for regional connections to Jülich and Bonn; the institute’s statement attributes the Delft–The Hague entanglement result to the QuTech-led team and highlights the use of diamond NV-center spin qubits interfaced to photonic hardware and frequency conversion optimized for fiber transport, underscoring the cross-border engineering pipeline between Netherlands and Germany that is consistent with European Union sovereignty goals for communications infrastructure (Fraunhofer ILT — First node for the quantum internet of the future (January 23, 2025)). The Fraunhofer update states that the Aachen node derives directly from experience with the 25 km Delft–The Hague fiber path and that hardware partners include Element Six for diamond substrates and TOPTICA Photonics for stabilized lasers, showing how component-level sourcing integrates with public research operators to produce repeatable, field-deployable nodes compliant with European standards and certification paths, a prerequisite for eventual handover to regulated communications carriers within Germany under security baselines aligned to **NIS 2.

The European Commission’s policy line for sovereign quantum communications is articulated through the European Quantum Communication Infrastructure (EuroQCI) program overview and the January 30, 2025 Implementation Agreement with the European Space Agency, which jointly define a terrestrial fiber segment under Member States and a satellite segment under ESA, with integration into IRIS² as the space backbone for secure connectivity; the Commission page and the ESA announcement describe an architecture that couples cross-border terrestrial links to space-to-ground QKD services to protect governmental communications, data centers, hospitals, energy grids, and other critical infrastructures under a unified European Union governance umbrella (European Commission — EuroQCI policy, European Commission — Commission and European Space Agency sign EuroQCI implementation agreement (January 30, 2025), ESA — ESA and the European Commission to build quantum-secure space communications network (January 30, 2025)). The same EuroQCI page in printable PDF form specifies that the NOSTRADAMUS project began in January 2024 as a four-year testing and evaluation infrastructure, to be transferred to the Joint Research Centre in Ispra, and that the terrestrial and space segments will be integrated as part of IRIS²; this positions testing, validation, and eventual certification as a centralized EU function rather than a loose collection of vendor labs (European Commission — EuroQCI printable brief (PDF)).

The operational funding conduit for cross-border terrestrial links is handled by HaDEA under Connecting Europe Facility (CEF Digital), which publicly lists the co-funding rate bands of 30–50–70% and a €90 m budget for 2021–2027, and records that the first EuroQCI call closed with 24 proposals by March 27, 2025; the public program page explicitly states that CEF Digital will finance interconnections between national quantum segments and their interfaces to the space component, thereby translating policy architecture into grant-funded deployments under European Commission oversight (HaDEA — Quantum communication infrastructure (EuroQCI)). The call fiche for DIGITAL-IRIS2-2025-QCI adds the coordination dimension by requiring a pan-European approach to deployment synchronization with ESA and the Commission, creating a pipeline in which national fiber rings, trusted nodes, and control planes are built under common milestones and documentation requirements so that EuroQCI can act as one network of networks rather than fragmented national projects (European Commission — Call: DIGITAL-IRIS2-2025-QCI).

Field validation of terrestrial quantum communications within Europe is evidenced by OPENQKD’s public deliverables, which provide granular performance, interoperability, and use-case data from multi-city testbeds. The Second and Final Report on Field Trial Execution (D8.7), published May 6, 2024, documents concurrent connections supported by local key management systems, latency and throughput measurements for IPsec tunnels bootstrapped by QKD, and sector-specific demonstrations including health-sector traffic protection, thereby furnishing a replicable evidence base for real-world operation beyond laboratory conditions; the project’s publication index offers the audit trail for earlier interim deliverables and indicates the progression from demonstration to operational lessons transferable to EuroQCI deployment teams (OPENQKD — D8.7 Second and Final Report on Field Trial Execution (May 6, 2024), OPENQKD — Publications index). The CORDIS project page further situates OPENQKD within **Horizon 2020, confirming Commission funding scope and the role of field trials across Vienna, Madrid, Poznań, and Berlin in testing vendor equipment, software-defined control, and key delivery interfaces under diverse metropolitan constraints, which collectively inform EuroQCI’s technical guidelines and procurement specifications (CORDIS — OPENQKD results).

The PETRUS consortium and allied research networks publicly demonstrated a “mini-EuroQCI” during the Digital Assembly hosted in Stockholm on June 15–16, 2023, where a live video conference was protected by QKD keys transported over a hybrid network with remote quantum devices in Barcelona and Florence, key injection into cryptographic appliances at UPM in Madrid, and endpoints in Stockholm; the consortium’s news item, together with corroborating posts from QSNP and national EuroQCI initiatives, establishes that the EU communications layer can be run with QKD-seeded keys across borders and across heterogeneous vendor stacks, an operational precursor to CEF Digital-funded links now in procurement (PETRUS — Demonstration of European QKD technology at the Digital Assembly 2023 (June 2023), QSNP — Quantum Key Distribution Stockholm demo (September 12, 2023), **EuroQCI Spain — Mini-EuroQCI demonstration at Digital Assembly 2023). Within the EuroQCI policy brief, NOSTRADAMUS is identified as the four-year DG CNECT program to stand up a testing and evaluation infrastructure and transfer it to JRC Ispra for certification-grade evaluation; JRC’s site confirms the hosting selection and function of the evaluation laboratory for EuroQCI, while a **May 2, 2024 presentation accessible via ETSI’s workshop repository sets out the project’s blueprint for testing and validation services necessary for future accreditation by a European security authority (European Commission — EuroQCI printable brief (PDF), JRC — Quantum technologies (EuroQCI evaluation lab), ETSI — NOSTRADAMUS presentation (May 2, 2024)).

Interface standardization across vendor equipment is carried by ETSI’s QKD industry specification group, whose published ETSI GS QKD 014 V1.1.1 defines a REST-based key delivery API using HTTPS and JSON to deliver block keys with identifiers to consuming applications; the openly accessible specification is the practical fulcrum for interconnecting QKD networks to cryptographic devices, IPsec stacks, or session-layer services, and the group’s public page shows the status of related specifications and the broader liaison with quantum-safe cryptography standardization, ensuring that EuroQCI deployments can enforce interoperable control planes and key-management exchanges across multi-vendor networks (ETSI GS QKD 014 V1.1.1** — Protocol and data format of REST-based key delivery API, ETSI — QKD group page). The existence of a standardized REST interface is operationally significant because CEF Digital grants are deploying cross-border connections where different national operators will fit distinct QKD stacks behind their trusted nodes; consistent API behavior backed by a public ETSI document reduces integration risk and underpins certification evidence for interoperability that JRC evaluators can reproduce during conformance testing.

The satellite segment that will augment EuroQCI is publicly represented by EAGLE-1, described by ESA as due to launch in late 2025 to early 2026 with three years of in-orbit validation supported by the European Commission; the ESA mission page is explicit about schedule and validation objectives, positioning EAGLE-1 as a precursor for a first-generation constellation feeding QKD keys to ground stations and, in later phases, interacting with the terrestrial EuroQCI to assure coverage breadth and routing resilience under IRIS² integration (ESA — Eagle-1). The European Commission’s agreement with ESA of January 30, 2025 similarly frames the space segment’s objective as delivering quantum-secure services to governmental users, aligned to the Digital Decade sovereignty program, and clarifies that terrestrial deployments will be coordinated with space assets to ensure an end-to-end secure posture across the European Union (European Commission — Commission and European Space Agency sign EuroQCI implementation agreement (January 30, 2025)).

Policy coherence across quantum communications and cryptography is codified in **COM(2025) 363, which characterizes secure communications as a priority axis of Quantum Europe Strategy and calls for dedicated procurement models to turn research into operational networks, with explicit cross-references to EuroQCI and hybrid networking with terrestrial and satellite layers; that EUR-Lex publication of **July 2, 2025 provides the authoritative policy anchor for budgetary and governance alignment across Horizon Europe, Digital Europe Programme, and CEF Digital, allowing Member States and EuroHPC operators to plan quantum-safe networking alongside compute integration without legal ambiguity (**European Commission — COM(2025) 363 Quantum Europe Strategy (HTML), **European Commission — COM(2025) 363 (PDF)). Complementing that strategy, the European Commission announced on **June 23, 2025 a coordinated implementation roadmap for the transition to post-quantum cryptography, requesting that all Member States start transition by end-2026 and that critical infrastructures complete the move by end-2030; the press page and the accompanying roadmap library entry make clear that PQC adoption is a near-term obligation while QKD becomes an additional security layer in EuroQCI, and they provide a migration calendar that operators of health, finance, and energy networks can use to sequence upgrades and inventory cryptographic dependencies under **NIS 2 expectations (European Commission — EU reinforces its cybersecurity with post-quantum cryptography (June 23, 2025), European Commission — Coordinated Implementation Roadmap for the Transition to Post-Quantum Cryptography (June 23, 2025)). The ENISA study on post-quantum cryptography, publicly accessible from the agency’s publication server, presents families of PQC schemes and migration considerations, and it is frequently cited in EuroQCI planning materials as an informational basis for hybrid PQC/QKD deployments in critical sectors where layered defenses and protocol agility must be proven during audits (ENISA — Post-Quantum Cryptography: Current state and quantum mitigation).

The claim that QKD already protects routine European Commission communications lacks an authoritative, public institutional confirmation; the correct statement under the evidence available to **August 2025 is: No verified public source available. Commission pages discuss EuroQCI pilots, NOSTRADAMUS evaluation infrastructure, and funding actions under CEF Digital, but none asserts an operational production switchover of Commission communications to QKD; the focus remains on testing, evaluation, procurement, and phased deployment timelines compatible with integration into IRIS², and on the **June 23, 2025 PQC roadmap as the mandatory migration path for cryptography in governmental and critical-infrastructure systems (European Commission — EuroQCI policy, European Commission — EU reinforces its cybersecurity with post-quantum cryptography (June 23, 2025)).

Network-architecture implications from the QuTech/Fraunhofer pathfinders translate directly into EuroQCI’s terrestrial segment because independently operating nodes, frequency conversion stages, and stabilization routines have been shown to function on installed metropolitan fibers rather than laboratory spools; the Fraunhofer ILT description of diamond NV-center qubits with 637 nm emission and frequency conversion for telecom transport clarifies how end-node photonics will be engineered in racks colocated with trusted nodes, while the TU Delft update stresses end-to-end control necessary for operational hand-over to telecom operators under EU procurement frameworks. In this configuration, trusted nodes remain within national operator facilities or public data centers subject to **NIS 2 governance, while key delivery to applications follows the ETSI GS QKD 014 REST format over HTTPS, enabling standardized integration with IPsec gateways and hardware security modules; OPENQKD’s evidence of concurrent key extractions and stable, QKD-seeded IPsec throughput in health-sector use cases demonstrates that such interfaces can be scaled for multi-tenant workloads without degrading service levels below typical operational thresholds (Fraunhofer ILT — First node for the quantum internet of the future (January 23, 2025), TU Delft — A rudimentary quantum network link between Dutch cities (October 31, 2024), ETSI GS QKD 014 V1.1.1**, OPENQKD — D8.7 (May 6, 2024)).

Program governance ensures that these technical layers are procured, audited, and certified within a unified European Union framework. **COM(2025) 363 argues for innovation-oriented procurement and for scaling pilot infrastructures into EU-wide services, and links quantum communications directly to sovereignty aims over data flows among governmental authorities and regulated industries; the Commission’s EuroQCI brief and HaDEA’s CEF Digital page specify that cross-border links and space integration will be publicly funded against precise milestones, with the **March 31, 2025 call status post confirming the first wave of EuroQCI terrestrial proposals received for evaluation (**European Commission — COM(2025) 363 (PDF), European Commission — EuroQCI policy, HaDEA — Quantum communication infrastructure (EuroQCI)). The ESA EAGLE-1 schedule of late 2025 to early 2026 for launch and three years of in-orbit validation gives terrestrial teams a synchronization target for downlink trials and end-to-end key-delivery experiments across space and fiber segments, while the Implementation Agreement of **January 30, 2025 commits the European Commission and ESA to co-development and integration steps that will be required for governmental service readiness under IRIS² (ESA — Eagle-1, European Commission — Commission and European Space Agency sign EuroQCI implementation agreement (January 30, 2025)).

The Netherlands’ pathfinding role is significant for EuroQCI because metropolitan entanglement links create operational experience with timing distribution, dispersion management, and quantum-classical co-existence on municipal fiber that will be required for cross-border trusted-node topologies. QuTech’s milestones page and TU Delft’s **October 31, 2024 communication indicate that node autonomy and deployed-fiber compatibility have been achieved over 25 km, which, when combined with the Aachen node deployment in **January 2025, yields a Benelux–Germany axis where repeaters, quantum memory integration, and multi-node switching can be tested under real telecom constraints relevant to CEF Digital-funded interconnections (QuTech — Quantum Internet Milestones, TU Delft — A rudimentary quantum network link between Dutch cities (October 31, 2024), Fraunhofer ILT — First node for the quantum internet of the future (January 23, 2025)). The PETRUS-orchestrated demonstration in Stockholm further shows that quantum-seeded keys can be injected into off-the-shelf crypto appliances to protect video conferencing between endpoints separated by national borders and vendor ecosystems, indicating that EuroQCI’s application layer can adopt existing enterprise security devices so long as ETSI’s key-delivery and key-management interfaces are respected (**PETRUS — Demonstration at Digital Assembly 2023, QSNP — QKD Stockholm demo (September 12, 2023)).

The certification and evaluation agenda is moving from concept to institution. NOSTRADAMUS, launched in **January 2024 under DG CNECT, aims to define the blueprint for QKD testing and validation services and to operate a prototypical testbed as a precursor to formal accreditation; an ETSI workshop presentation dated **May 2, 2024 outlines the plan to provide evaluation services required by a European security authority, while JRC confirms that it will host the evaluation laboratory in Ispra and will receive the infrastructure as NOSTRADAMUS matures, ensuring that product assessment for EuroQCI can be carried out on neutral ground under EU control (ETSI — NOSTRADAMUS presentation (May 2, 2024), JRC — Quantum technologies (EuroQCI evaluation lab), European Commission — EuroQCI printable brief (PDF)). The HaDEA page’s publication of co-funding bands and the €90 m envelope for 2021–2027 supplies transparency for member-state co-investment strategies and for operators’ financial planning, reducing uncertainty around eligible costs for cross-border dark-fiber leases, trusted-node hardening, and vendor integration of ETSI interfaces; by writing those parameters into a public page with updates such as the **March 31, 2025 tally of 24 proposals, HaDEA creates a predictable environment that accelerates operator commitment to EuroQCI’s terrestrial rollout (HaDEA — Quantum communication infrastructure (EuroQCI)).

The composite picture that emerges from these publicly verifiable sources is a layered, sovereign quantum communications stack in Europe. Metropolitan entanglement links and autonomous nodes demonstrated by QuTech and deployed by Fraunhofer ILT prove that field-grade hardware can be run on in-situ fibers with stable entanglement over 25 km, informing EuroQCI trusted-node engineering and synchronization practices. Multi-city OPENQKD trials provide operational metrics for QKD-seeded IPsec and for key-management concurrency under realistic cloud and health-sector workloads, anchoring procurement specifications in data rather than conjecture. ETSI’s published REST key-delivery specification gives EuroQCI a vendor-neutral application interface, crystallizing how keys will flow into cryptographic devices without bespoke adapters. HaDEA’s CEF Digital program converts strategy into funded cross-border links with known co-funding rates and a visible call pipeline. NOSTRADAMUS and JRC bring certification-grade evaluation inside EU institutions, while ESA’s EAGLE-1 schedule and the Implementation Agreement of **January 30, 2025 define the space segment’s integration trajectory into IRIS². Finally, the **June 23, 2025 PQC roadmap mandates cryptographic migration timelines that regulated sectors must meet, ensuring that quantum communications and quantum-safe algorithms are deployed as complementary layers, not as mutually exclusive paths, in a sovereign network that avoids dependence on non-EU vendors for key material, node control, or satellite interfaces (TU Delft — A rudimentary quantum network link between Dutch cities (October 31, 2024), QuTech — Quantum Internet Milestones, Fraunhofer ILT — First node for the quantum internet of the future (January 23, 2025), OPENQKD — D8.7 (May 6, 2024), ETSI GS QKD 014 V1.1.1**, HaDEA — Quantum communication infrastructure (EuroQCI), European Commission — EuroQCI policy, European Commission — EU reinforces its cybersecurity with post-quantum cryptography (June 23, 2025), ESA — Eagle-1, European Commission — Commission and European Space Agency sign EuroQCI implementation agreement (January 30, 2025), **European Commission — COM(2025) 363 (PDF)).

Sectoral Penetration: Financial-Market Resilience, Health-Data Assurance, Critical-Infrastructure Control, and Cross-Border Interoperability

The entry into application of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector on January 17, 2025 binds banks, insurers, investment firms, market infrastructures, and information-technology suppliers to uniform expectations for governance, risk classification, incident exchange, testing, and third-party oversight, while amending prior sectoral rules to avoid fragmentation that would otherwise increase cross-border operational risk within the European Union. The legal text establishes common definitions, sets supervisory mandates for competent authorities, and introduces Union-level oversight for critical information and communication technology providers that serve financial entities across multiple jurisdictions, thereby closing a long-standing coordination gap that had allowed divergent supervisory practices to persist across national regimes, as confirmed by the consolidated Official Journal version that explicitly states the application date. A parallel public-facing supervisory implementation track is visible on the European Insurance and Occupational Pensions Authority, which states that DORA “entered into application on January 17, 2025” and clarifies sectoral scope and objectives for resilience against disruptions caused by cyberattacks or system failures, anchoring both prudential and conduct angles under a single digital-operational framework in financial services, as set out by the supervisory explainer at EIOPA Digital Operational Resilience Act.

Harmonised incident reporting under DORA replaces a patchwork of legacy templates and timetables, with the European Banking Authority publishing draft joint technical standards that specify initial reporting timelines of 4 hours after classification and 24 hours after detection, followed by an intermediate report within 72 hours and a final report within 1 month, aligning the financial regime with NIS2 requirements for horizontal cybersecurity and expressly referencing proportionality and cross-authority information sharing to prevent duplicated burdens and blind spots, as shown in the supervisory portal for Joint Technical Standards on major incident reporting. The same alignment rationale was carried into the final report delivered by the European Supervisory Authorities in July 2024 on incident classification and reporting, which explicitly ties DORA reporting to **Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, ensuring coherent triggers and materiality thresholds that can scale across entities and borders in the internal market, as documented in the ESAs paper JC 2024-33 Final report on the draft RTS and ITS on incident reporting. To streamline the migration from legacy payment-specific guidance, the EBA formally repealed the PSD2 major-incident reporting guidelines with effect from January 17, 2025, replacing them with the harmonised DORA regime as indicated in the regulatory notice at Guidelines on major incidents reporting under PSD2.

Union-level oversight for critical information-technology third-party providers is being operationalised through a common methodology and a single point of contact architecture so that cloud, software, and analytics vendors supporting multiple financial entities are subject to consistent supervisory expectations rather than fragmented national regimes, as described by the ESAs Joint Committee’s guidance published on July 15, 2025 that details the objectives, scope, and coordination mechanisms for the new oversight system over critical providers under DORA, available in the document JC 2025 29 Guide on DORA oversight activities. Subcontracting chains in critical functions, a frequent locus of concentration and vendor-lock risk in cloud ecosystems, are addressed by a dedicated regulatory technical standard that requires pre-contract due diligence, layered risk assessments, and enforceable contractual rights to ensure visibility across each tier of providers, as set out in the ESAs final report of July 2024 titled JC 2024 53 Final report DORA RTS on subcontracting. This architecture gives supervisors explicit leverage to demand quantum-resilient cryptographic controls, provable key-management processes, and verifiable incident telemetry from upstream suppliers once migration plans move from advisory to mandatory status for financial entities within the internal market.

Threat-led penetration testing is now codified as a binding requirement for significant institutions under DORA, with the ESAs finalising a Union-wide technical standard that sets scoping, threat-intelligence, execution, and remediation criteria for tests that emulate advanced attackers on live production systems, as detailed in the July 2024 paper JC 2024-29 Final report DORA RTS on TLPT. The supervisory lineage of this approach runs through the European Central Bank’s threat-intelligence-based ethical red teaming framework, with the updated TIBER-EU publication making explicit that sectoral application can extend beyond finance while preserving core objectives of realistic testing on critical live systems, as provided in the ECB document TIBER-EU Framework 2025. National implementations have already translated the Union framework into operational practice, including the De Nederlandsche Bank implementation document of March 27, 2025 that maps TIBER-EU to DORA testing obligations and organises testing services under national authority coordination, which is evidenced in the paper TIBER-EU implementation document DNB. A supervisory speech by the Banca d’Italia directorate on February 27, 2025 publicly confirms that TLPT is mandatory for institutions classified as critical and that TIBER-IT adapts the Eurosystem methodology to the Italian context for coordinated testing across competent authorities, as recorded in Threat-led penetration testing from TIBER-IT to DORA. The supervisory trajectory here signals a shift from compliance-box audits toward empirically measured resilience against attacker tradecraft, which becomes non-optional once quantum-resilient cryptography enters production because adversaries can selectively target weakest-link cryptographic endpoints to downgrade protections.

The restructuring of retail payment plumbing under the Instant Payments Regulation reinforces this operational turn by compressing end-to-end processing windows and widening access to central-bank infrastructures, which raises the security stakes for key exchange, authentication, and fraud analytics at Union scale. The legal basis entered into force through Regulation (EU) 2024/886 on instant credit transfers in euro, with the Official Journal version confirming publication on March 19, 2024, and the European Central Bank clarifying that non-bank payment service providers that meet defined criteria will gain access to TARGET services, including T2 for settlement and TIPS for instant payments, starting October 2025, as stated at Instant Payments Regulation — ECB policy note. A core design implication for quantum resilience is that instant-payment verification paths and fraud-curbing controls rely on cryptographically authenticated messaging across multiple intermediaries under stringent timeouts, which magnifies the risk that any latent algorithmic weakness or key-management misconfiguration will propagate rapidly across borders. The sector therefore benefits from the European Commission-backed migration pathway toward post-quantum primitives published on June 23, 2025, which sets a coordinated timeline and role clarity for Member States and Union bodies to prioritise replacements of widely deployed public-key schemes, as described in A coordinated implementation roadmap for the transition to post-quantum cryptography. The same portal confirms the policy intent to reinforce Union cybersecurity with post-quantum cryptography and provides the contextual announcement at EU reinforces its cybersecurity with post-quantum cryptography.

Standardisation milestones from the National Institute of Standards and Technology have resolved algorithmic uncertainty for the first tranche of lattice-based key exchange and signatures that underpin practical migration. The key-encapsulation baseline is formalised in FIPS 203 Module-Lattice-Based Key-Encapsulation Mechanism Standard, often referred to as ML-KEM, with the full publication accessible as NIST FIPS 203 PDF. Digital signatures based on module-lattice constructions are codified in FIPS 204 Module-Lattice-Based Digital Signature Standard with the authoritative text at NIST FIPS 204 PDF, while a stateless hash-based family derived from SPHINCS+ is finalised in FIPS 205 Stateless Hash-Based Digital Signature Standard with the complete document at NIST FIPS 205 PDF. The Federal Register notice also records numerical changes to decapsulation-failure parameters in FIPS 203 following public comments and technical updates, which underscores the importance of rigorous implementer guidance for security-level mapping and deployment, as noted in Announcing issuance of FIPS 203 and related PQC standards. Financial market infrastructures charged with systemic settlement and clearing must therefore plan for dual-stack operations where classical and post-quantum algorithms coexist during migration intervals, with resilience expectations articulated in the European Central Bank’s Cyber resilience oversight expectations for financial market infrastructures, which supplement global CPMI-IOSCO principles and give authorities a benchmark to assess cryptographic governance, key lifecycle, and incident learning at the level of central securities depositories, central counterparties, and payment systems.

Empirical threat telemetry for finance corroborates the regulatory pivot toward harmonised incident management and advanced testing. The European Union Agency for Cybersecurity released a sector-specific threat landscape for finance on February 21, 2025, covering incidents from January 2023 through June 2024 and documenting the prevalence of ransomware, data exfiltration, and availability attacks against banks, insurers, and financial service providers in the Union, as published at ENISA Threat Landscape: Finance Sector. The general ENISA threat-landscape series identifies systemic patterns that link human-operated extortion campaigns, supply-chain exploitation, and social-engineering vectors with sectoral impacts, including finance, and is publicly available in the September 19, 2024 edition at ENISA Threat Landscape 2024. These data points strengthen the case that quantum migration is not an isolated cryptographic exercise but a component in a multi-layered operational programme that includes telemetry sharing, coordinated testing, and continuous red-teaming under TIBER-EU and TLPT to validate that post-quantum deployments do not inadvertently erode availability or introduce downgrade paths.

Health-data assurance is being recast under a dedicated legal framework that sets primary use, cross-border access, and secondary-use parameters for clinical, research, and policy datasets while dovetailing with national e-health infrastructures. The legal instrument is Regulation (EU) 2025/327 on the European Health Data Space, adopted with the aim of enabling secure exchange and reuse of electronic health data within the internal market, with explicit links to the Data Act, medical device law, and Union cybersecurity certification. The European Commission health portal explains that the EHDS establishes a common framework for the use and exchange of electronic health data across the European Union, strengthens patient control, and organises the reuse of certain data for research and innovation under safeguards, as presented at European Health Data Space Regulation overview. The cross-border service backbone, branded MyHealth@EU, already supports clinical exchange for patient summaries and e-prescriptions and is being extended to laboratory results, imaging, and discharge reports under the EHDS roadmap, as described in the Commission’s page My rights over my health data. The cross-border clinical-exchange programme’s purpose and current operational scope are further outlined in the Commission’s page on Electronic cross-border health services.

The authentication and trust anchoring layer for cross-border e-health flows is undergoing its own upgrade under the revision of Union electronic identification and trust-services law. The legislative basis is Regulation (EU) 2024/1183 amending the electronic identification and trust services framework to establish the European Digital Identity Wallet, which introduces harmonised wallet assurance levels, extends qualified trust services, and enables attribute attestations that can bind clinical roles, patient consents, and device identities within consistent trust chains across borders. A Publications Office summary page confirms the objective to ensure secure online and offline identification and seamless access to digital services throughout the Union under the updated framework, as presented at Establishment of the European Digital Identity framework and wallets. The e-health implementation community’s documentation and academic literature underline that the revised eIDAS regime adds wallet-centric mechanisms for clinical credentials and attribute proofs, which are directly relevant to MyHealth@EU expansions and EHDS consent management and are consistent with the revised legal text’s requirement for high-assurance identity proofing and secure elements for cryptographic material, as seen in the consolidated multilingual EUR-Lex page Regulation (EU) 2024/1183 consolidated view.

Quantum-resilient cryptography in health is a functional necessity because medical records, imaging archives, and genomic datasets have confidentiality horizons that extend decades beyond typical financial transaction lifecycles. The Commission’s post-quantum roadmap gives public authorities and operators of essential services a governance mechanism to prioritise migration where long-term confidentiality is critical and to stage replacement of public-key components that underpin MyHealth@EU interfaces and EHDS secondary-use platforms, as detailed in Coordinated implementation roadmap for post-quantum cryptography. As authentication, consent, and logging move under the eIDAS wallet regime, signature and encryption schemes aligned with FIPS post-quantum standards become the practical target for vendor implementations in medical software and cross-border gateways. Clinical organisations operating across borders remain obligated to meet horizontal cybersecurity rules, with the NIS2 legal text framing measures for a high common level of cybersecurity in network and information systems throughout the European Union, as accessible via Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. Health-sector incident escalation and crisis coordination benefit from best-practice studies that ENISA assembled for cyber-crisis management, including operational-level procedures, actor roles, and cross-border coordination, which are documented in the November 2024 study ENISA Best Practices for Cyber Crisis Management. These procedural templates become indispensable when migrating authentication endpoints, certificate chains, and key stores to post-quantum algorithms to avoid availability regressions during switchovers.

Critical-infrastructure control systems for energy, transport, and other essential services sit under dual legislation for network security and physical-operational resilience. The horizontal cybersecurity baseline remains NIS2, while a companion law on the resilience of critical entities imposes risk-management and continuity obligations for operators whose disruption would significantly affect public services in the internal market, as established in Directive (EU) 2022/2557 on the resilience of critical entities and confirmed in the Official Journal PDF at Directive (EU) 2022/2557 Official Journal text. Sectoral workstreams coordinated by ENISA for energy harmonise good practices and training across national cybersecurity authorities and grid operators, supplying situational reports and implementation guidance that inform national transposition of NIS2 and support operational preparedness for cyber-physical contingencies in electricity and gas networks, as summarised at the agency’s energy sector page Energy sector cybersecurity — ENISA. The combination of network-security obligations, critical-entity resilience rules, and post-quantum migration under the Commission roadmap converges on a practical requirement for layered defences around industrial-control communications, including authenticated control-channel encryption, secure time synchronisation, and tamper-evident logging with long-term integrity, particularly for high-voltage substations and transmission operators that operate across borders under synchronised frequency regimes.

The Union’s quantum-communications initiative adds a specialised option for link-level key exchange where operators face risk models that justify additional physical-layer assurance. The official policy page for the European Quantum Communication Infrastructure, which is intended to extend terrestrial and space-based quantum-key distribution capabilities across the internal market, sets out objectives and programme structure for secure communications among public authorities and critical-infrastructure operators, providing a layered approach in which quantum-generated keys can feed classical cryptographic protocols, as presented at European Quantum Communication Infrastructure — EuroQCI. The Commission’s June 23, 2025 post-quantum roadmap explicitly positions algorithmic post-quantum cryptography as the default migration path for general-purpose systems, while acknowledging that quantum-key distribution can complement, rather than replace, cryptographic protections where link-distance limits and availability constraints can be managed by operators, as set out in EU reinforces its cybersecurity with post-quantum cryptography. For operators of essential services that interconnect across borders, this layered stance means that priority investments go to post-quantum algorithms in application and transport layers, with selected high-value inter-operator links evaluated for quantum-key distribution where feasible and cost-effective within continuity-of-service constraints.

Cross-border interoperability in finance now benefits from legal guarantees that instant payments in euro must be fully available across the European Union and European Economic Area, with obligations on payment service providers to send and receive instant transfers and with alignment to SEPA scheme practices. The legal instrument remains Regulation (EU) 2024/886 on instant credit transfers in euro, and the European Payments Council’s explainer confirms the impact on providers throughout the EEA, indicating operational changes to ensure instant-transfer functionality, as described at SEPA Instant Credit Transfer overview. Since instant transfers depend on fail-safe authentication and strong customer verification under strict timeouts, this regulatory layer increases the urgency of post-quantum planning for key-exchange endpoints, hardware security modules, and certificate-path validation used to protect payment orders and notifications in pan-European infrastructures. The same time-compression logic extends to market infrastructures under the ECB’s cyber-resilience expectations and DORA testing rules, creating a coherent set of incentives to implement cryptographic agility in transaction gateways and to validate performance under live-system red-team exercises.

Interoperability in health will hinge on attributebased claims and high-assurance identification that can cross borders without degrading privacy promises, which is why the eIDAS revision’s wallet and extended trust-services model is a structural enabler for the EHDS. The revised law’s Official Journal entry at Regulation (EU) 2024/1183 and the Publications Office summary page on the European Digital Identity confirm that the legal framework aims to ensure secure identification and seamless access to digital services across the Union, a precondition for clinical data exchange under MyHealth@EU and for signing data-access permits under EHDS, as restated at European Digital Identity framework and wallets summary. As clinical systems and research platforms start implementing post-quantum algorithms for signatures and encryption, trust-service providers will need to update certificate policies, revocation, and timestamp services to maintain legal validity periods across decades-long confidentiality horizons for health data and biobank records.

The strategic coherence across sectors is reinforced by the ENISA policy and threat-landscape corpus, which documents adversary techniques and sectoral impacts that shape the practical choices for migration sequencing and testing. The September 2024 edition of the ENISA Threat Landscape enumerates primary threat categories, including availability attacks, ransomware, and supply-chain compromises, and provides mitigation considerations that dovetail with DORA testing and NIS2-driven governance, as provided at ENISA Threat Landscape 2024. The agency’s news and methodology updates through August 2025 indicate continued refinement of analytical frameworks that Member State authorities and operators can use to benchmark posture and plan sector-specific migrations without fragmenting the Union’s internal market for cybersecurity capabilities, as evidenced at ENISA Publications index. In practice, the combined legal and supervisory scaffolding means financial entities, hospitals, and grid operators must synchronise three streams of work that mutually constrain each other. First, governance and oversight structures under DORA, NIS2, and critical-entity resilience law establish non-negotiable obligations for risk management, incident classification, and reporting. Second, testing and validation under TIBER-EU and TLPT provide empirical assurance that post-quantum deployments sustain confidentiality, integrity, and availability under realistic attack simulation. Third, cross-border interoperability layers under the Instant Payments Regulation, EHDS, MyHealth@EU, and eIDAS wallets supply the legal and technical guarantees that identity, consent, and transaction messages can move securely and quickly across Union borders under consistent trust anchors.

The resulting architecture enables the European Union to reduce structural dependencies on non-European cryptographic ecosystems while advancing an evidence-based migration schedule built on internationally standardised algorithms and legally enforced operational controls. The legislative bedrock is public and enforceable through the Official Journal entries for Regulation (EU) 2022/2554 DORA, Directive (EU) 2022/2555 NIS2, Directive (EU) 2022/2557 critical-entities resilience, Regulation (EU) 2024/886 instant credit transfers, Regulation (EU) 2024/1183 European Digital Identity, and Regulation (EU) 2025/327 EHDS. The supervisory and implementation corpus is likewise public and continuously updated through the ESAs, ECB, and ENISA channels, including JC 2025 29 DORA oversight guide, JC 2024-29 TLPT standard, Cyber resilience oversight expectations for FMIs, TIBER-EU Framework 2025, ENISA Finance Sector Threat Landscape 2025, and ENISA Threat Landscape 2024. These instruments collectively permit sector-specific implementations that meet heterogeneous operational constraints in payments, clinical workflows, and industrial control while maintaining a convergent, quantum-resilient baseline across the internal market.

Industrial and Supply-Chain Sovereignty: Pilot Lines, Standards, Equipment, and Skills

The legal infrastructure for semiconductor and quantum manufacturing sovereignty in the European Union was codified when the European Parliament and Council adopted Regulation (EU) 2023/1781 on September 13, 2023, complemented by the establishment of the Chips Joint Undertaking via Council Regulation (EU) 2023/1782 referenced in the European Commission’s July 2, 2025 Communication “A Quantum Strategy for Europe,” which situates chips and quantum pilot lines as training grounds for industry and talent. The Chips for Europe Initiative defines extended pilot lines to bridge laboratory demonstrations to manufacturing scale, with public platforms that lower development costs and de-risk industrialization; the Chips Joint Undertaking describes their mission as prototyping and scaling innovations to speed market entry and reduce risk, explicitly listing pilot lines as a core instrument for sovereignty and resilience, as set out on its official page for pilot lines at chips-ju.europa.eu – Pilot lines. The sovereign computing layer depends on these measures to internalize manufacturing know-how, supply qualified tooling and materials, and enforce interoperable standards that allow national programs to compose into a continental capability, a logic also echoed in the Quantum Flagship Strategic Research and Industry Agenda 2030 of February 2024, which ties semiconductor pilot and production lines to quantum hardware roadmaps under the Chips Act, available at qt.eu – SRIA 2030.

The European Union’s most tangible industrialization step for quantum chips in 2025 is the selection of SUPREME as a multi-year pilot line to stabilize and scale fabrication processes for superconducting quantum devices. The coordinator VTT Technical Research Centre of Finland announced on July 9, 2025 that SUPREME would gather 23 partners from 8 Member States under a six-year framework partnership to improve repeatability and yield in European superconducting quantum chips, a scope formally communicated in the press release mirrored by Fraunhofer IAF and HPCwire at Fraunhofer IAF press release and HPCwire off-the-wire. Multiple partners clarify operational milestones: the Institut de Física d’Altes Energies (IFAE) stated July 11, 2025 that pilot-line operations are expected to begin in early 2026, with access for external users in 2027, and a component focus spanning Josephson junctions, traveling-wave parametric amplifiers, and single-photon detectors, documented at IFAE – SUPREME announcement. Additional partner communication from FBK on July 14, 2025 confirms the VTT leadership and the 23-partner, 8-country composition at FBK magazine – SUPREME. In the Chips ecosystem, this kind of open-access pilot line is functionally identical to the extended pilot lines the Chips Joint Undertaking describes for semiconductors: in both cases, the public facility compresses iteration times, institutionalizes process control, and anchors supplier learning around common process design kits, an intent stated directly by the JU at Chips JU – Pilot lines.

The transition from academic qubit prototypes to foundry-reproducible devices has already been demonstrated within Europe using 300 mm platforms, providing the process baseline for superconducting and silicon-spin pipelines. On March 25, 2024, a Nature article reported superconducting transmon qubits fabricated in a 300 mm CMOS pilot line at imec, with relaxation and coherence times exceeding 100 microseconds, confirming the feasibility of industrial processes for coherent devices; the paper can be accessed at Nature – Advanced CMOS manufacturing of superconducting qubits. Imec’s April 1, 2025 public technical note reinforced that silicon spin qubits are progressing on the 300 mm line with record-low charge noise (average 0.61 μeV/√Hz) and integration flows tuned for variability control and yield, see imec – Taking a quantum leap from lab to fab and imec – Physical qubits for quantum computing. This lab-to-fab reproducibility is pivotal for SUPREME because superconducting junctions and microwave components that satisfy foundry design rules can be transferred, audited, and improved using standard metrology, enabling die-scale characterization and multi-project wafer runs analogous to traditional semiconductors, a service routinely provided by Fraunhofer IAF in other domains as signposted at Fraunhofer IAF – Multi-Project Wafer Runs. In parallel, CEA-Leti’s February 18, 2025 release documented a FD-SOI CMOS readout chip achieving simultaneous microsecond readouts for tens of quantum devices with a 10× reduction in power and 2× footprint reduction, a critical cryo-CMOS enabler for scaling peripheral electronics; see CEA-Leti – qubit readout solution. A July 15, 2025 CEA-Leti update on niobium superconducting interconnects indicates process modules for higher-density wiring, implying tighter integration between qubit planes and control layers, at CEA-Leti – Niobium Superconducting Interconnects. Such device-adjacent modules enable practical die stacking, control-line routing, and repeatable packaging, lowering the barrier for multi-vendor subassemblies to be qualified within a European process design kit.

Metrology and measurement infrastructure coordinate this industrialization across national institutes through the European Association of National Metrology Institutes (EURAMET) European Metrology Network for Quantum Technologies (EMN-Q). The EMN-Q’s mission is to deliver globally accepted measurement services for quantum devices and systems by aligning national metrology institutes and deploying common research and knowledge-sharing programs; the network’s overview and associated projects are detailed at EURAMET – EMN for Quantum Technologies and EURAMET – Support for EMN-Q. An open June 2023 draft Strategic Research Agenda produced around EMN-Q summarizes a plan to develop sector roadmaps and a systematic engagement model across stakeholder communities, available via INRiM at EMN-Q Draft SRA V1.0. The alignment between pilot lines and metrology networks is not cosmetic; it creates a shared vocabulary for coherence times, noise spectra, loss tangents, cryogenic performance, and microwave chain calibration that equipment suppliers and foundries can verify across sites, thereby anchoring supplier quality plans and acceptance criteria in transnational metrics.

Standards for interfaces, security, and interoperability are organized through a multi-layer structure led by ETSI, CEN-CENELEC, ISO/IEC JTC 1/SC 27, and sectoral fora. In quantum communications, ETSI’s Industry Specification Group on QKD maintains specifications for control and interoperation, and in August 2025 registered a work item to update GS QKD 014 (REST-based Interoperable Key Management System API) to include an OpenAPI description and improve URI structure, response handling, and quality-of-service parameters; the official ETSI work-program entry is at ETSI Work Item – QKD; REST Interoperable KMS API Updates. A broader ETSI entry tracking the QKD API standardization focus is also visible at ETSI Work Item – QKD; Interoperable KMS API (GS QKD 014). CEN-CENELEC’s Focus Group on Quantum Technologies issued a March 16, 2023 European Standardization Roadmap that maps needs across computing, communication, sensing, and enabling technologies, signposting risks of incompatible specifications and redundant efforts unless a matrix approach is applied; the release is public at CEN-CENELEC – Standardization Roadmap on Quantum Technologies and summarized on the Interoperable Europe portal at Interoperable Europe – Quantum Technologies (RP2024). This roadmap is mirrored and contextualized within the StandICT.eu repository at StandICT – FGQT Roadmap entry, demonstrating cross-institutional visibility.

Cryptographic assurance for control planes and hybrid HPC/QC infrastructures relies on baseline module security and testing standards maintained by ISO/IEC JTC 1/SC 27. The updated ISO/IEC 19790:2025 and ISO/IEC 24759:2025 establish requirements and test procedures for cryptographic modules, furnishing a common evaluation substrate for systems that will carry quantum control, telemetry, and keying traffic in European data centers; the authoritative catalogue pages are ISO – 19790:2025 and ISO – 24759:2025, with public previews at VDE Verlag – 19790:2025 preview and VDE Verlag – 24759:2025 preview and policy cross-reference by NIST’s CMVP at NIST CSRC – FIPS 140-3 related standards. The committee’s mandate and resources are enumerated at ISO – JTC 1/SC 27 committee page and JTC1Info – SC 27 resources hub, while IEC/ISO JTC 1 infographics trace quantum-related standardization on the IEC portal at IEC – Quantum computing taxonomy. The result is a converging standards substrate in which ETSI specifications define quantum-network interoperability, CEN-CENELEC roadmaps align Europe-specific needs, and ISO/IEC JTC 1/SC 27 provides globally recognized cryptographic baselines that suppliers can certify against, a necessary condition for the procurement and audit regimes embedded in sovereign computing infrastructure.

Workforce formation and equipment literacy are formal pillars of sovereignty. The European Chips Skills Academy (ECSA) operates a four-year Erasmus+ consortium to address microelectronics talent gaps with scholarships, apprenticeships, and access to laboratories across member states; organizational details are provided by the official consortium site at chipsacademy.eu – Start page and chipsacademy.eu – Consortium. SEMI’s releases corroborate outputs, including a comprehensive skills strategy published November 5, 2024 and a May 16, 2024 summer school program, at SEMI – ECSA skills strategy and SEMI – ECSA summer school. On April 10, 2025, the European Commission announced four sectoral digital skills academies for 2025–2027 under the Digital Europe Programme, targeting quantum technologies, AI, semiconductors, and virtual worlds, emphasizing technological sovereignty as a policy objective; the official announcement is hosted on the Digital Skills and Jobs platform at EU – Digital skills academies launch. For quantum-specific competence mapping, the Quantum Flagship coordinates the European Competence Framework for Quantum Technologies (CFQT), most recently updated to Version 2.5 in April 2024 and disseminated via the Publications Office of the European Union and Quantum Flagship portals; the official documents are publicly reachable at Publications Office – CFQT record, Quantum Flagship – CFQT v2.5 (April 2024), and Quantum Flagship – Competence Framework v2.5 PDF. A 2025 peer-reviewed article in EPJ Quantum Technology documents the update’s proficiency triangle and qualification profiles that are now used to map curricula and job roles in Europe’s quantum ecosystem, see EPJ Quantum Technology – Extending the CFQT (2025). The Quantum Flagship also centralizes education initiatives and working groups at qt.eu – Education & Training, translating the framework into courses and micro-credentials usable by employers and pilot-line operators.

Industrial policy instruments beyond the Chips Act augment quantum-adjacent capabilities. The Important Project of Common European Interest on Microelectronics and Communication Technologies (IPCEI ME/CT) was approved on June 8, 2023 to mobilize state-aid-backed investments across 14 member states covering 68 projects from 56 companies in the microelectronics value chain, as summarized by the European Commission’s competition policy page at EC – Approved IPCEIs in the Microelectronics value chain and the Commission’s press note at Press release – IPCEI ME/CT. Country-level strategies connect these programs with quantum manufacturing clusters: Belgium’s support for imec, Finland’s semiconductor strategy emphasizing quantum and the Espoo ecosystem, and other national actions are referenced in Council documentation consolidating 2023 digital policy state-of-play, such as ST-13558-2023-ADD-1, while a sector strategy example is Finland’s April 23, 2024 “Chips from the North” report at Technology Industries of Finland – Chips Strategy. The policy architecture thus couples EU-level instruments (Chips Act, Chips JU, IPCEI ME/CT) with national platforms and corporate R&D pipelines to carry quantum manufacturing work from process modules to system subassemblies within Europe.

Supply-chain sovereignty also depends on export-control compliance for high-end instrumentation, quantum-grade materials, cryogenics, and microwave subsystems. The European Union recast its dual-use regime under Regulation (EU) 2021/821, in force after September 2021, consolidating licensing for exports, brokering, technical assistance, and transit of dual-use items; the consolidated text is published by EUR-Lex at Consolidated 2024 version – 2021/821 and the EUR-Lex explanatory summary is at EUR-Lex – Dual-use export controls. The Commission’s January 30, 2025 implementation report reflects 2022–2023 data and key developments in 2024, available at EU Monitor – Implementation of Regulation (EU) 2021/821. Because quantum pilot lines will source dilution refrigerators, RF sources, photonics components, cryo-wiring, and superconducting films with potential dual-use categorizations, harmonized licensing processes reduce uncertainty for suppliers operating across Member States, making Europe’s public pilot platforms more predictable partners for global equipment vendors.

Industrial uplift can be tracked in the formulation of public strategies and the consolidation of industry positions. The Quantum Flagship published the Quantum Europe Strategy on July 2, 2025, prioritizing five action areas that converge on defragmentation, industrial deployment, and strategic autonomy; the official pdf articulates pilot platforms as places where SMEs, researchers, and large firms co-develop, see qt.eu – Quantum Europe Strategy (July 2025). The European Quantum Industry Consortium (QuIC) aligned its industry roadmap with these policy arcs, posting a January 2024 Strategic Industry Roadmap and a 2025 update page that frames 2035 milestones, accessible at QuIC – Strategic Industry Roadmap (2024) and QuIC – SIR 2025. The Quantum Flagship SRIA 2030 of February 2024 integrates the Chips Act’s pilot-line objective directly into quantum roadmaps, emphasizing interoperability with EuroHPC and EuroQCI infrastructures; the document is at qt.eu – SRIA 2030. These coordinated documents signal to equipment makers and suppliers that standardizable modules—superconducting junction stacks, cryo-CMOS readout ASICs, integrated photonics for control and interconnect, and certified crypto modules—will find consistent specifications and demand across multiple EU hosts.

Procurement-ready examples illustrate how national platforms feed into continental capacity. Finland’s VTT and IQM Quantum Computers announced a 50-qubit system on March 4, 2025, built over four years and made available for research and business use, reinforcing the Espoo cluster’s readiness for larger systems and integration into HPC environments, as noted at IQM – VTT 50-qubit announcement. Subsequent May 13, 2025 IQM releases indicate tenders toward 150 and 300 superconducting qubit systems by 2026–2027 with VTT, aligning hardware scale with the SUPREME pilot timeline, documented at IQM – press releases. In parallel, Netherlands public investment through the National Growth Fund supplied €615 million to Quantum Delta NL for the quantum ecosystem, connecting device development, networks, and sensing programs that can consume pilot-line output; the program references and documents are at Quantum Delta NL – Overview and documents and Quantum Delta NL – Programme overview. These national pipelines absorb and validate process outputs (e.g., gate dielectrics, resist stacks, low-loss metals, TLS mitigation layers) while graduating suppliers into certified catalogs for EU buyers.

Sovereign control further depends on ensuring that multi-vendor subsystems interconnect and can be audited end-to-end. The ETSI QKD API (GS QKD 014) modernization cited above is one pillar; a complementary pillar is the maturation of broader information-security controls that govern modules used in quantum control stacks and key-management backends. The public catalogue entries for ISO/IEC 19790:2025 and ISO/IEC 24759:2025 form globally accepted references for cryptographic module design and testing—even when the cryptography is post-quantum—ensuring that modules embedded in quantum system control planes can be validated against the same assurance levels as traditional hardware security modules, with the authoritative entries at ISO – 19790:2025 and ISO – 24759:2025. The NIST CMVP explainer clarifies their relationship to FIPS 140-3 validations and to vendor/laboratory procedures, an interoperability bridge for EU buyers that source global modules, see NIST CSRC – FIPS 140-3 related references. When combined with CEN-CENELEC’s roadmap and ETSI profiles, these instruments permit European integrators to specify tender documents that require compliance across quantum interfaces and conventional security boundaries, decreasing vendor lock-in and ensuring replacement options for any critical subcomponent.

Standardization intersects with metrology at the device and system levels, making the EMN-Q role central. Calibration of qubit frequency noise, dielectric losses, amplifier noise figures, and detector timing jitter requires reference methods and transfer standards, precisely what the EMN-Q proposes to harmonize through sector roadmaps and a measurement-services framework; see EURAMET – EMN for Quantum Technologies and EMN-Q project description. Convergence here reduces variability in SUPREME’s wafer characterization across sites and shortens feedback cycles between design kits and process corners, a precondition for translating yield improvements into system-level QPU availability metrics that end users can plan around.

The sovereign-skills dimension binds suppliers and operators to shared curricula and proficiency levels. The CFQT’s Version 2.5 enumerates 8 domains and 42 subdomains with proficiency levels, instruments that have already been used to map course content and design programs across universities and RTOs, documented at EPJ Quantum Technology – Extending the CFQT (2025) and operationalized on the Quantum Flagship education hub at qt.eu – Education & Training. Because pilot-line operations require technicians who can, for example, deposit superconducting films with specified Q loss at milliKelvin temperatures, calibrate RF up/downconversion chains at cryogenic stages, and interpret qubit spectroscopy for on-wafer variability screens, the proficiency-triangle framing allows consortia to write job descriptions and apprenticeships with standardized competencies. The European Chips Skills Academy and the Digital Europe sectoral academies then implement these profiles at scale, as referenced above at chipsacademy.eu and EU – digital academies news (April 10, 2025), yielding a pipeline of lab technicians, process engineers, and systems integrators versed in quantum-specific safety, cleanroom, and cryogenic operations.

A final axis of sovereignty concerns interoperability between pilot-line outputs and Europe’s HPC and secure-communications infrastructures. The Quantum Flagship SRIA 2030 and Quantum Europe Strategy emphasize harmonization with EuroHPC accelerators and EuroQCI as Europe deploys quantum accelerators into data centers and quantum keying into networks, with the primary sources at qt.eu – SRIA 2030 and qt.eu – Quantum Europe Strategy (July 2025). Interoperability at this layer presumes device-level standardization (e.g., QKD API endpoints), module assurance (ISO/IEC 19790:2025/24759:2025), and metrology transfer standards (EMN-Q). The Chips JU pilot-line doctrine creates the institutional mechanisms to embed these standards in process flows and acceptance tests; its mandate is public at chips-ju.europa.eu – Pilot lines. ETSI’s ongoing QKD work items sustain the communications interface side, as shown at ETSI – QKD Work Item updates, while ISO/IEC JTC 1/SC 27 and NIST CMVP codify cryptographic baselines that are already used in European procurements, documented at ISO – SC 27 committee and NIST CSRC – CMVP standards. This integration ensures that European quantum systems can be swapped, audited, and upgraded without violating the sovereign security model that the European Commission articulated on July 2, 2025, see eur-lex.europa.eu – COM(2025) 363.

The structural effect of these instruments is to reduce Europe’s dependency on non-European suppliers for critical quantum components and interfaces by building domestic capacity at each layer: device fabrication (SUPREME and foundry integration at imec and CEA-Leti), metrology (EMN-Q), interface interoperability (ETSI QKD work items), cryptographic assurance (ISO/IEC 19790:2025/24759:2025), and workforce formation (ECSA, CFQT, Digital Europe academies). The institutional architecture is sufficiently explicit and recent to support procurement-grade requirements without speculative claims, with primary sources above. As SUPREME transitions from setup to early 2026 operations and prepares 2027 external access, and as Chips JU extended pilot lines broaden to more quantum-relevant modules, Europe’s sovereign computing stack consolidates around verifiable, standardizable, and skill-sustained capabilities that can be audited and reproduced at multiple sites within the European Union, closing critical dependence loops across finance, health, and defense data-processing layers envisioned in Quantum Europe Strategy 2025, with the reference at qt.eu – Strategy (July 2025).

Benchmarks and Risk Scenarios 2025–2030: Dependency Reduction, Security Outcomes, and Governance for Sustained Quantum Independence

A policy architecture centered on shared targets and measurable outcomes is formalized in the European Commission communication COM(2025) 363, which states that over €11 billion have been invested by the European Union and Member States in quantum technologies in the preceding five years and establishes a lifecycle implementation framework that links research, pilot lines, infrastructure, and early market creation under a single strategic loop, including the piloting of at least two Grand Challenges between 2025 and 2027 alongside a high-level governance board and dedicated skills actions, as set out in EUR-Lex — COM(2025) 363 and the accompanying policy library page at European Commission — Quantum Europe Strategy. A structural benchmark for 2025–2030 emerges directly from that framework: funding streams and governance must converge on infrastructure readiness, cryptographic migration, and industry scale-up, with transparent indicators tied to open institutional evidence rather than proprietary vendor claims.

A continental compute and networking layer is explicitly expanded through the proposed amendment to the European High-Performance Computing Joint Undertaking to create a dedicated Quantum Pillar, a step that binds accelerators, control stacks, and access policies to common procurement and service frameworks under EuroHPC JU; the July 16, 2025 press release confirms the new pillar and links it to ultra-scale AI Gigafactories, which cements a unified resource model for hybrid HPC and quantum services, as documented at EuroHPC JU — Commission proposes amendment and the Directorate-General CONNECT news item at European Commission — EuroHPC amendment and Quantum Pillar. The resulting benchmark for dependency reduction is operational rather than symbolic: the number of quantum accelerators integrated behind EuroHPC access points and the availability of standardized software stacks that allow workload portability across hosts become the testable signs that sovereign compute capacity is moving from prototype to service.

A cryptographic-security benchmark with legal relevance is articulated on June 23, 2025 when the Member States, supported by the European Commission, issued a coordinated implementation roadmap for post-quantum cryptography, providing a timeline and governance structure for algorithm migration in public administrations and critical sectors; the official library entry is available at European Commission — Roadmap for the Transition to Post-Quantum Cryptography, with the policy announcement captured at European Commission — EU reinforces its cybersecurity with post-quantum cryptography. A complementary interoperability benchmark appears in the United Kingdom’s guidance that sets phased milestones to identify services for upgrade by 2028, complete priority overhauls by 2031, and finish migration by 2035, providing a cross-jurisdictional anchor for European planners who must coordinate supply chains across borders; the institutional sources are NCSC — PQC migration timelines and NCSC — setting direction for the UK migration to PQC. A defensible governance indicator for 2025–2030 is thus the share of high-value systems in finance, health, customs, and energy whose key-establishment and digital-signature paths have moved to post-quantum standards with dual-stack fallbacks validated under operational testing.

A communications-layer benchmark is provided by the European Quantum Communication Infrastructure program, where the Health and Digital Executive Agency reported on March 31, 2025 that the first CEF-Digital call for EuroQCI closed with twenty-four proposals, demonstrating immediate absorptive capacity among national operators and consortia; the institutional record is at HaDEA — EuroQCI call completed with 24 proposals. The European Space Agency complements the terrestrial expansion with the Eagle-1 space segment, scheduled for launch in late 2025 or early 2026 with three years of in-orbit validation to test quantum key distribution services supported by the European Commission, with primary sources at ESA — Eagle-1 overview and European Commission/DEFIS — Quantum technologies for space factsheet. A risk-adjusted benchmark for 2025–2030 should therefore track coverage of trusted nodes across cross-border corridors, mean time to key refresh on inter-authority links, and the proportion of endpoints that pass conformance tests under recognized standards rather than counting raw fiber kilometers or satellite passes.

A standards-based assurance benchmark binds interoperability, certification, and migration sequencing. The International Organization for Standardization and the International Electrotechnical Commission publish the ISO/IEC 23837 series specifying security requirements and evaluation methods for quantum key distribution, making objective conformance testing practicable for procurement and audit; the authoritative entry for test and evaluation methods can be consulted via the ISO online browsing platform at ISO/IEC 23837-2 — Information security — Security evaluation of QKD. A separate indicator tracks the uptake of quantum-safe hybrid key-establishment profiles coordinated through ETSI technical work and ecosystem convenings, with the June 3–5, 2025 ETSI/IQC Quantum-Safe Cryptography Conference in Madrid supplying state-of-practice guidance from standards bodies and implementers, as archived at ETSI — IQC Quantum-Safe Cryptography Conference 2025. A governance-ready metric is the number of procurements that reference ISO/IEC 23837 evaluation activities and ETSI quantum-safe specifications for key exchange and signatures in their mandatory requirements, since such clauses directly constrain vendor lock-in and ensure testable compliance.

A finance and investment benchmark indicates whether scale-up capital is available at the cadence required by pilot-line outputs and infrastructure procurement. The European Investment Bank confirmed on January 30, 2025 record €100 billion in new investments supporting energy security in 2024, a planned €95 billion target for 2025, and a doubling of financing for security and defence projects to €1 billion in 2024 with a further doubling in 2025, signaling institutional risk appetite for strategic-technology infrastructure that includes cyber-resilience and dual-use capabilities; the official press release is EIB — Record results in 2024; €95 billion target for 2025. A complementary indicator for dedicated quantum industrialization is the EIB venture financing that has supported European quantum-computing firms in growth phases, as exemplified by the public project entry for IQM under the Pan-European Guarantee Fund, at EIB — IQM Quantum Computing (EGF VD). A credible benchmark through 2030 is whether European quantum suppliers can repeatedly close later-stage rounds and project finance for manufacturing equipment and service deployment without resorting to non-European control stakes that would reintroduce dependency vectors.

A governance-relevant workforce benchmark is embedded in COM(2025) 363, which notes that the European Union graduates over 110,000 students annually in physics, ICT, engineering, and related disciplines relevant to quantum technologies and sets actions for a European Quantum Skills Academy by 2026, a pilot for researchers-in-residence in 2025, and mobility programs thereafter; the institutional text appears at EUR-Lex — COM(2025) 363. An evidence-based indicator is the proportion of those graduates who are absorbed into pilot lines, HPC centers, critical-infrastructure operators, and certified trust-service providers, rather than exclusively academic placements, because sovereign compute requires operator-level skills for cryogenic engineering, quantum control, and cryptographic assurance. A policy-tracking benchmark should therefore follow the number of degree programs and apprenticeships that adopt the competence profiles referenced by COM(2025) 363 and align them with procurement and accreditation.

A macro-risk benchmark for the innovation environment is supplied by the Organisation for Economic Co-operation and Development, which in January 2025 published a policy primer identifying supply-chain constraints, talent competition, and dual-use governance as decisive determinants of national outcomes in quantum technologies; the analytic baseline is the official report at OECD — A quantum technologies policy primer (2025) and its full PDF at OECD — Policy primer PDF. The World Economic Forum’s Global Risks Report 2025 adds a cross-sector risk contour that includes technology security, geopolitical fragmentation, and supply shocks, which sharpen the argument for domestic pilot lines and harmonized standards; the institutional document is WEF — Global Risks Report 2025. A governance-useful indicator is therefore the fraction of European tenders that require domestic maintenance, spares, and metrology services for quantum-relevant equipment, since this reveals whether supply-chain constraints are being mitigated through design rather than merely subsidized.

A pragmatic benchmark for communications security connects terrestrial and space segments into a single resilience picture. The EuroQCI funding stream under CEF-Digital demonstrates demand with twenty-four proposals at the first call, while the ESA Eagle-1 program provides a testbed for satellite-assisted key distribution over multi-year validation. The public pages at HaDEA — EuroQCI call completed and ESA — Eagle-1 support a benchmark that tracks the number of cross-border authorities onboarded to quantum-secured links and the proportion of those links that run hybrid cryptographic regimes in line with European Commission guidance on post-quantum algorithms. A complementary indicator is the volume of operational-technology telemetry and administrative data carried on paths anchored by qualified trust-service providers so that identity assertions and signatures achieve legal robustness in the European Union when quantum-generated keys are introduced.

A regulatory-operational benchmark that limits systemic security regressions during rapid deployment is the consolidation of incident-reporting regimes across sectors. In financial services, the European Banking Authority publishes timelines for major-incident reporting under the Digital Operational Resilience Act, indicating four hours after classification and twenty-four hours after detection for the initial report, seventy-two hours for an intermediate report, and one month for the final report, a harmonization set out on the supervisory portal at EBA — Joint technical standards on major incident reporting. A second indicator is the transition from payment-specific guidance to consolidated DORA regimes, with the practical implementation captured in EBA materials on registers of information and dry-run tooling dated March 31, 2025, at EBA — DORA registers of information FAQ. The governance outcome is observable: reduced reporting friction enables live oversight while post-quantum deployments are introduced into payment gateways, custody systems, and market infrastructures, minimizing blind spots during algorithm transitions.

A governance benchmark for infrastructure integration is established by the Quantum Pillar under EuroHPC JU, which delineates responsibility for hybrid scheduling, interconnect management, and secure access. The institutional confirmation in July 2025 at EuroHPC JU — Quantum Pillar proposal implies that workload orchestration, resource accounting, and compliance logging must meet uniform standards across hosts. The European Commission news explainer at Commission — EuroHPC amendment and Quantum Pillar provides the policy foundation for a benchmark that counts the number of quantum accelerators accessible through EuroHPC entry points and the share of user projects that can redeploy between facilities without code rewrites tied to vendor-specific toolchains.

A cross-reference benchmark for algorithm adoption and certification ties European migration plans to globally recognized standards. The National Institute of Standards and Technology finalized the first tranche of post-quantum standards for key establishment and digital signatures through FIPS 203, FIPS 204, and FIPS 205, providing the algorithmic anchors that European procurements can reference for interoperability with international partners; the authoritative pages are NIST — FIPS 203, NIST — FIPS 204, and NIST — FIPS 205, with the full texts available at NIST FIPS 203 PDF, NIST FIPS 204 PDF, and NIST FIPS 205 PDF. An outcome-oriented European benchmark is the proportion of new public tenders that require conformity to those standards or to EN equivalents where they exist, combined with test vectors and implementation-security guidance to avoid decapsulation failures, side channels, and downgrade paths.

A risk-scenario benchmark for supply chains is articulated in OECD work that highlights constraints in specialized equipment and materials, including cryogenic systems, quantum-grade microwave components, and photonics; the January 2025 policy primer at OECD — Quantum technologies policy primer and the related brief at OECD — Quantum technologies as a new paradigm provide a structured risk inventory. A governance-relevant indicator here is the ratio of European to non-European sources for critical subsystems in funded projects, verified at contract award and at acceptance testing, thus converting strategic autonomy into measurable procurement outcomes rather than aspirational claims.

A resilience-planning benchmark evaluates whether sectoral authorities organize exercises and stress tests that simulate quantum-era threats and migration errors. The ETSI/IQC forum in Madrid during June 2025 demonstrates community best practice for hybrid cryptography and key-management transitions at scale, as visible at ETSI — Quantum-Safe Cryptography Conference 2025. A complementary benchmark monitors whether EuroHPC facilities run red-team assessments on quantum-accelerator management planes and KMS back-ends during post-quantum integration, documenting impacts on job scheduling, telemetry, and certificate validation to ensure that algorithm changes do not impair availability or forensic traceability.

A transparency benchmark for strategy execution is embedded in COM(2025) 363 through the creation of a high-level advisory board, skills programs, and cross-pillar linkages to defense and space roadmaps, which together require public reporting against milestones rather than purely ex-ante commitments; the institutional basis appears at EUR-Lex — COM(2025) 363. A practical indicator is the publication cadence of board recommendations, uptake by Member States, and adjustments to calls and tenders reflecting those recommendations, thereby exposing governance quality to external scrutiny.

A near-term risk scenario for 2025–2027 concerns divergence in migration timetables across sectors that share infrastructure, such as health networks using MyHealth@EU gateways connected to hospital systems that also rely on national payments and identity stacks. The European Commission post-quantum roadmap at Roadmap for the Transition to Post-Quantum Cryptography provides the foundation for synchronized planning; a governance-grade benchmark is the proportion of cross-sector gateways that publish algorithm rollout roadmaps and test windows aligned to the roadmap, reducing the probability that unsynchronized updates will break authentication, revocation, or logging flows across administrative domains.

A medium-term risk scenario for 2028–2030 is over-reliance on a narrow set of vendors for post-quantum toolchains, which would reintroduce strategic dependence even if hardware is domestically produced. The OECD policy primer at A quantum technologies policy primer points to ecosystem concentration as a recurring risk in emerging technologies. A governance-relevant benchmark is the presence of at least two independently maintained, standards-conformant stacks for compilers, control, and cryptography in each national program funded under COM(2025) 363, verifiable through open documentation and conformance testing that guards against monocultures.

A financial-stability risk scenario reflects hybrid HPC/AI/quantum infrastructure used for model training, simulations, and cryptographic services in market infrastructures. The institutional signal that such convergence is imminent is the EuroHPC amendment proposal introducing a Quantum Pillar, at EuroHPC JU — Commission proposes amendment. A governance-useful benchmark is a requirement for all EuroHPC-hosted quantum services to pass threat-led exercises and continuity drills that include cryptographic-downgrade scenarios and faulty certificate chains during urgent patch cycles, with results and corrective actions recorded for supervisory review.

A final benchmark for sustained quantum independence centers on the alignment of industrial scale-up with public-interest safeguards. The EIB’s capital-deployment profile in 2024–2025 at EIB — Record results 2024; €95 billion target 2025 and the European Commission’s coordinated strategy at EUR-Lex — COM(2025) 363 frame a policy environment where capital support, standards conformance, skills programs, and infrastructure integration are all publicly verifiable. A governance-grade indicator through 2030 is the fraction of funded projects that publish conformance reports referencing ISO/IEC 23837, NIST FIPS standards, and ETSI quantum-safe specifications, plus independently auditable results from migration drills aligned with the European Commission roadmap for post-quantum cryptography. The absence of such disclosures would be a measurable early warning that strategic autonomy has stalled at the level of claims rather than execution.

---

Copyright of debugliesintel.com
Even partial reproduction of the contents is not permitted without prior authorization – Reproduction reserved