Brief № 025 · Strategy
Quantum security is now a procurement issue
The EuroQCI consultation closes on 24 June. SMEs do not need quantum kit yet, but they do need crypto migration evidence.
On this page
Quantum security has moved from research language into the procurement file. That does not mean a small manufacturer, agency or logistics firm should start buying quantum hardware. It means the next renewal of a cloud contract, identity system, payment gateway or managed security service needs one extra question: how does this supplier plan to survive the cryptographic migration?
The date is not theoretical. The Commission’s dedicated EuroQCI consultation opened on 26 May 2026 and closes on 24 June 2026. It asks for input on future quantum communication activities to be supported from 2027 onwards, because Europe still has bottlenecks to solve before it can deliver certified secure end-to-end quantum communication infrastructure.
EuroQCI is infrastructure, not a shopping cart
EuroQCI is the European Quantum Communication Infrastructure initiative. All 27 Member States signed its declaration in 2019, and the Commission describes the objective as a quantum communication infrastructure covering the whole EU. The current work includes terrestrial infrastructure, space-linked activity and testing infrastructure for quantum key distribution technologies.
That matters for policy, defence, critical infrastructure and telecoms. It is not a normal SME implementation route. A business with 80 employees does not need to decide whether to deploy QKD links next quarter. It needs to understand why European public bodies are suddenly talking about quantum communication in the same breath as certification, IRIS2, secure connectivity and future funding.
The useful reading is operational: Europe is trying to harden the communications layer before quantum capability becomes a mainstream security problem. The SME version of that sentence is simpler. Do not wait for the science to become a product catalogue before asking vendors about the cryptography under the services you already use.
The first job is inventory
Most smaller firms have no map of where cryptography sits. It is inside TLS certificates, VPNs, SSO, backup software, ERP connectors, payment flows, signed documents, email security, IoT devices and archived data. The owner is rarely one person. IT sees the certificates, finance sees payment providers, operations sees equipment vendors, and legal sees retention duties.
That is why quantum security belongs in procurement before it belongs in architecture. The buying team can ask repeatable questions without pretending to be a cryptography lab:
| Procurement area | Question to ask in 2026 | Evidence to request |
|---|---|---|
| Managed IT and security | Which managed services depend on public-key cryptography that will need migration? | Supplier roadmap or security white paper |
| Cloud and SaaS | How will certificates, key exchange and signing algorithms be updated? | Trust centre note or contract annex |
| Hardware and IoT | Can firmware and certificates be updated during the device lifetime? | Support lifecycle and update policy |
| Long-retention data | Which encrypted archives must remain confidential beyond 2030? | Data retention map and encryption policy |
Source: European Commission EuroQCI and post-quantum cryptography materials. Last verified 2026-06-23.
The point is not to score every supplier. It is to find the dangerous blanks. A vendor that can say “we follow the NIS Cooperation Group roadmap and will publish migration milestones” is in a different category from a vendor that treats post-quantum cryptography as a marketing topic.
The 2026 marker is closer than it looks
The Commission’s 2025 post-quantum cryptography release says Member States should start transitioning to post-quantum cryptography by the end of 2026. It also says critical infrastructures should transition as soon as possible, and no later than 2030.
That does not automatically impose a 2026 deadline on every SME system. It does change the procurement baseline. When public infrastructure, telecoms and regulated suppliers begin their transition planning, smaller firms connected to those systems will inherit new questions in due diligence, cyber insurance, public tenders and enterprise sales.
The awkward cases are the systems bought for long life. A three-year SaaS contract can absorb platform updates. A ten-year industrial device, document archive or sector-specific appliance is different. If it cannot receive cryptographic updates, its buyer is accepting a security assumption that may age badly.
Quantum strategy is becoming supply-chain strategy
The wider Quantum Europe Strategy is not only about computing. The Commission frames quantum across computing and simulation, communication, sensing and metrology, with separate work on infrastructures, supply chains, industrialisation, dual-use technologies and skills. That is a supply-chain agenda as much as a research agenda.
For an SME, the sane response is modest. Do not create a quantum committee. Do not buy consultancy theatre. Add a clause, an inventory column and a review date.
Start with the suppliers that protect identity, money, confidential documents and long-lived customer data. Ask whether they have a post-quantum cryptography plan, whether updates are included in the contract, and which parts of the product cannot be migrated without replacement. If the answer is vague, mark the renewal as security-sensitive.
EuroQCI may stay mostly invisible to ordinary companies. The procurement habit it signals should not.
Frequently asked questions
Should an SME buy quantum communication technology now?
Usually no. EuroQCI is infrastructure policy, not a normal SME buying list. Most SMEs should first inventory critical encrypted services and ask vendors for post-quantum migration plans.
What is the practical deadline to watch?
The EU post-quantum roadmap says Member States should start transitioning by the end of 2026, with critical infrastructures moved as soon as possible and no later than 2030.
Sources
- Official Future EuroQCI activities to be supported by the European Commission European Commission accessed
- Official European Quantum Communication Infrastructure - EuroQCI European Commission accessed
- Official Quantum European Commission accessed
- Official EU reinforces its cybersecurity with post-quantum cryptography European Commission accessed
Image credit: Photo: detailed view of fiber optic cables and ports by Brett Sayles, Pexels License (Pexels)
Iris Van Loon covers SME operational reality and advisors for Flint Brief.
Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).