
Regulating uncertainty: The challenge of Quantum Computing

Giovanni Piccirillo

Apr 17, 2026

21 min read


This article explores quantum computing as a testbed for European Union law's ability to govern a technological inevitability that has not yet fully materialized, but is already capable of retroactively destabilizing the existing digital architecture. From this perspective, the paper considers quantum computing as a conceptual “stress test” for the anticipatory regulation of uncertainty, questioning the resilience of the prescriptive core of the European legal system in the face of systemic threats that exceed traditional ex post liability frameworks. The research questions are three: how can Union law today regulate future quantum effects, certain in scope but uncertain in timing and form? What transformations does the shift from probabilistic uncertainty to radical epistemic uncertainty impose on the categories of legality, liability, and the protection of fundamental rights? To what extent is the governance of the inevitable compatible with proportionality, legal certainty, and the democratic legitimacy of decisions regarding technological security? Methodologically, the article adopts a theoretical and reconstructive approach that combines dogmatic analysis and a systemic reading of the most recent European regulatory architectures. After framing technological inevitability as a general legal problem and outlining the transition beyond the precautionary paradigm towards forms of anticipatory regulation of uncertainty, the paper delves into the temporal dimension of regulation, focusing on the imperative to logically precede the facts and the role of quantum computing as a conceptual stress test of European law. On this basis, it examines the transition from ex post regulation to the governance of the inevitable and the emerging common regulatory rationale in instruments such as the AI Act, DORA, NIS2, and MiCA. It then isolates anticipation as an autonomous legal technique and discusses its systemic implications for security understood as a process, rather than a state, within the European digital ecosystem.

Technological inevitability as a legal problem

Within the framework of the fracture between the time of technology and the time of the norm, quantum computing presents itself as a limiting case of technological inevitability: a computational capacity whose full realization is still in the future, but whose systemic effects—particularly on public-key cryptography—are already conceptually determined today. Once quantum supremacy is achieved, the possibility of breaking current cryptographic schemes would transform what appears secure today into a retrospective vulnerability, giving rise to a “delayed” risk that affects entire layers of the digital order. Consider, for example, an electronic health record encrypted with pre-quantum algorithms: today's collection of sensitive, formally protected data could translate tomorrow into mass decryption, capable of retrospectively reopening ownership and the scope of protection obligations, as well as the very configuration of damages.

In such a scenario, the traditional sequence of fact, wrongdoing, and sanction reveals its inadequacy: the “fact” no longer presents itself as a one-off event, but as a diffusive process that erodes trust in encryption mechanisms over time; the wrongdoing is not attributable to a single act, but rather to regulatory and organizational choices developed years earlier; the ex post sanction risks being imposed only when the systemic damage is irreversible. Quantum computing, precisely because it makes a retrospective, structural risk legally relevant, thus forces a rethinking of the liability paradigm in EU law, requiring a shift from a logic of ex post reparation to a logic of ex ante configuration of the conditions of security and trust.

The birth and function of anticipatory regulation of technological uncertainty

In the traditional paradigm, legal liability is organized according to the linear sequence of fact, wrongdoing, and sanction: a definable harmful event, an attributable violation, and an ex post response tailored to the proven damage. Quantum disruptions undermine this framework at its roots, because the “fact” does not manifest itself as a specific episode, but as a process of progressive erosion of regulatory trust; the wrongdoing is not attributable to a single act, but rather to design choices and failures to comply spread over time; the “sanction” intervenes when the damage is already systemic and, to a large extent, irreversible.

In the presence of retrospective risks such as cryptographic failure and mass decryption, waiting for full empirical verifiability of the damage essentially means forgoing the very possibility of protection; it is this gap that makes purely reactive regulation structurally insufficient.

Anticipatory regulation of technological uncertainty is therefore built on four fundamental pillars. The first is systemic vulnerability, understood as the guiding criterion for regulation: the focus is no longer on the single damaging event, but on the overall fragility of digital infrastructures and the domino effect that a quantum disruption can have on the entire procurement ecosystem. The second is ongoing responsibility, or accountability over time, which reframes legal obligation as a duty to organize and maintain suitable risk management structures over the long term, rather than mere instantaneous compliance with static requirements. The third is the use of open standards—performative, dynamic, anchored to the “state of the art”—which allow for progressive regulatory adaptation as technical knowledge and threat scenarios evolve. The fourth pillar is periodic review, which institutionalizes regular cycles of evaluation and update of measures, transforming impact assessments and recurring audits into qualified forums for the exercise of constitutionally oriented discretion.

In this framework, uncertainty is no longer treated as a simple information gap to be filled, but as a structural fact that requires shifting the focus from ex post proof of damage to ex ante justifiability of regulatory and organizational choices.

The temporal dimension of regulation

Quantum computing's development trajectories compress the time between theoretical maturation and practical weaponization: the interval between an algorithm's conceptual proof of concept and its offensive applicability on cryptographic infrastructures can shrink to the point of making any timely regulatory response impractical. In this context, the obsolescence of pre-quantum infrastructures is not a remote eventuality, but a deferred temporal certainty, projecting an implicit expiration date onto all current encryption schemes.

The window of opportunity within which the law can intervene is, therefore, closely linked to the gap that still exists between theoretical capacity and operational capacity. It is within this interval that the imperative of a post-quantum migration must emerge, not as a technical option, but as a prospective legal obligation of regulatory continuity. Anticipatory temporal regulation here takes on the task of transforming a period of suspension—in which the risk is certain but not yet realized—into a time of decision, compelling public and private actors to plan and implement the transition to resilient architectures before quantum disruption makes the losses of confidentiality and integrity irreversible.

If quantum risk manifests itself as a retrospective threat to guarantees of secrecy and authenticity, the primary focus of anticipatory temporal regulation becomes regulatory trust, that is, individuals' confidence in the stability and reliability of the rules governing the European digital space. This is not simply individual trust in the security of a single service, but a European public good that underpins the functioning of the digital single market, the cross-border flow of data, and the credibility of institutions in guaranteeing fundamental rights in the digital environment.

In the presence of quantum threats, preserving this trust means internalizing the temporality of risk within the framework of legal obligations: mandating cryptographic migration plans, providing for periodic stress tests on quantum scenarios, and mandating structured horizon scanning practices are not extraordinary measures, but rather ordinary tools through which the legal system ensures that the promise of protection embedded in digital rules remains valid over time. The temporal dimension of regulation thus allows trust to be treated not as a given, but as the result of ongoing regulatory maintenance.

As seen above, a purely ex post approach presupposes damage that is recognizable, circumscribable, and accountable in a sufficiently linear manner to activate liability and reparation mechanisms. In the case of quantum disruptions, these conditions are lacking: the cryptographic breach manifests itself as a gradual and often opaque process, the damage spreads across time and space, and the causal chain is dispersed among standardization choices, failures to update, and layered technical decisions. In such scenarios, postponing intervention until the risk has already materialized means accepting that the legal system is intervening on a fabric of trust that is now irremediably compromised. Anticipatory temporal regulation arises precisely from these structural limitations, not as an exceptional derogation from the principles of legality and proportionality, but as their evolution in a context where effective protection requires that the law be, to the extent possible, one step ahead of the facts it is called upon to govern.

Quantum computing as a conceptual stress test of European law

The disruptive role of quantum computing emerges first and foremost in its ability to compromise the cryptographic architectures upon which European digital trust is based, transforming pre-quantum encryption into a structural vulnerability. The ability to retroactively decrypt sensitive data archives—such as the aforementioned electronic health records, but also financial databases or digitized land registers—means that harm is not confined to a single breach, but extends to a pervasive process that reopens, years later, the scope of protection obligations and the very configuration of the harm. Under these conditions, cybersecurity ceases to be a “point-in-time” property of systems and becomes a temporal variable, dependent on the legal system's ability to anticipate quantum disruption and promptly enforce the migration to post-quantum frameworks.

Quantum computing also makes tangible the triple disruption already outlined theoretically. The temporal disruption manifests itself in the gap between the moment data is collected and encrypted and the moment, even much later, when it becomes vulnerable to quantum decryption: what was compliant and “secure” today may prove radically inadequate tomorrow, without any change in the behavior of the parties involved. The systemic disruption affects the entire digital trust ecosystem, since it touches not only the individual controller or service provider, but the overall credibility of the infrastructures underpinning the digital single market and the protection of fundamental rights online. Finally, the disruption of legitimacy emerges when traditional liability and evidentiary models are no longer able to capture damages that unfold as cumulative and retrospective processes: it becomes difficult to identify a single “perpetrator” of the damage and a precise moment in which the offense occurred, while the quality of regulatory and organizational choices made ex ante becomes increasingly important.

Faced with this quantum stress test, EU law is being pushed towards solutions based on adaptive standards and experimental spaces that transcend the logic of static prescriptions. The notion of crypto-agility becomes a central regulatory criterion: it is not enough to adopt a given encryption scheme once and for all; it is necessary to demonstrate the ability to replace and update it promptly in light of evolving quantum capabilities. From this perspective, structured horizon scanning practices and stress testing on quantum scenarios are not optional tools, but essential components of a governance system that aims to test hybrid post-quantum solutions in high-impact contexts, before threats materialize on a large scale. These experiments—which will be explored more fully in the following sections in terms of governance of the inevitable and common regulatory rationality—allow the legal system to move from “downstream” protection of harm to ex ante co-design of resilience conditions, placing quantum computing at the center of a broader reflection on the future forms of European technological standardization.

From ex post regulation to the governance of the inevitable

The unique nature of quantum disruptions requires, first and foremost, rethinking the ontology of harm on which legal liability has historically been built. In the classical model, harm is conceived as a singular event, circumscribed in time and space, attributable to a specific conduct, and susceptible to subsequent assessment and repair. In the quantum context, however, harm takes the form of a diffusive process: the progressive compromise of cryptographic architectures, the retroactive decryption of archives, and the slow erosion of digital trust do not erupt in a single moment, but rather accrue over time as the result of design choices, inertia in updating, and delays in post-quantum migration. Quantum computing thus makes it clear that the object of protection is no longer simply the “point” at which harm occurs, but the overall trajectory of exposure to risk, which the legal system must learn to govern before the damage becomes irreversible.

Governance of the inevitable is structured around tools that aim to organize risk over time, rather than react to damage already done. Among these, the following are of systematic importance:

Together, these tools mark the shift from accountability focused on “what happened” to accountability focused on “what was done – or omitted – to prevent and manage risk throughout the entire technology lifecycle”.

From a constitutional perspective, the governance of the inevitable represents the completion of the transition from reactivity and mere precaution to true systemic anticipation. It is no longer simply a matter of suspending or limiting certain developments in the face of uncertainty, but of integrating anticipation into the core principles that govern the European legal system, redefining how legality, proportionality, and the protection of fundamental rights are expressed in the face of quantum risks. Systemic anticipation implies that the law adopts temporality as an explicit parameter of legitimacy: an intervention is lawful when it not only respects formalities but also establishes transparent and verifiable procedures for updating; it is proportionate when it takes into account not only the present impact but also plausible future damage scenarios; and the protection of rights is effective when the legal system commits to preserving the conditions for their exercise over time, and not merely to compensating for their violation ex post. The following sections show how this systemic anticipation is embodied, on the one hand, in new regulatory architectures (AI Act, DORA, NIS2, MiCA) and, on the other, in the construction of anticipation as an autonomous legal technique, capable of combining digital sovereignty, legal certainty, and democratic legitimacy.

The common thread between AI Act, DORA, NIS2, and MiCA

The most recent European regulatory measures regarding artificial intelligence, digital operational resilience, network and service security, and crypto-asset markets outline, beyond their specificities, a common regulatory framework: risk management, resilience, and temporal accountability become the structural lexicon of EU law. The AI Act, DORA, NIS2, and MiCA do not simply introduce sector-specific obligations, but rather construct a cross-cutting category for managing uncertainty, in which operators are required to demonstrate not only timely compliance, but also the ability to identify, assess, and mitigate technological risks that cannot be fully modeled over time. Within this framework, the temporal dimension is embedded in the very content of the obligations: risk management is not a one-off obligation, but rather an ongoing process, punctuated by periodic reviews, recurring audits, and state-of-the-art updates.

This shared rationale is expressed through an increasingly close hybridization of hard law and soft governance. On the one hand, texts such as DORA and NIS2 impose legally binding obligations regarding the governance of operational risk and the security of networks and information systems, for example, by establishing risk management requirements along the entire ICT supply chain or business continuity plans for essential entities. On the other hand, these obligations explicitly refer to technical standards, guidelines, and certification schemes developed in hybrid contexts or by standardization bodies, as is the case for risk classification and mitigation measures under the AI Act or the technical requirements applicable to crypto-asset market infrastructures in the MiCA. The regulatory mandate is thus defined by a dynamic interplay between binding provisions and flexible guidance tools, which allows the level of protection to be updated over time without having to continually modify the legislative text.

This hybrid architecture, however, generates significant systemic tensions. The outsourcing of significant parts of safety standard definition to technical bodies and private actors fuels the risk of substantial privatization of regulatory production, with repercussions on the transparency and democratic nature of decisions regarding acceptable risk levels. At the same time, the use of open standards and flexible concepts—such as “adequate measures”, “operational resilience”, or “state of the art”—introduces an inherent degree of uncertainty, raising questions about their compatibility with legal certainty and the prohibition of substantial retroactivity. The challenge, therefore, is to maintain a solid foundation in the principles of legality, predictability, and protection of trust, while accepting that the concrete content of the obligations must be able to evolve rapidly as the technological context changes.

The interaction between these tools is not neutral with respect to the future governance of quantum risk, but it paves the way for a regulation of quantum computing that can build on already proven risk management, resilience, and continuous updating mechanisms. The risk management requirements imposed by DORA and NIS2, for example, can be extended to quantum scenarios, including the threat of cryptographic failures in risk registers and requiring migration plans to post-quantum solutions for critical infrastructure. Similarly, the risk classification and impact assessment mechanisms envisaged by the AI Act offer a conceptual framework for treating systems incorporating quantum capabilities as high-impact areas, subject to enhanced governance and transparency requirements.

From this perspective, common regulatory rationality is not just a product of the present, but a platform on which to build, tomorrow, specific obligations of crypto-agility and post-quantum migration, preventing the regulation of quantum computing from having to be invented from scratch and instead allowing it to be placed within a governance of the inevitable that is already being consolidated.

Anticipation as a legal technique: models, tools and systemic implications

Anticipation is an autonomous legal technique that reorganizes the way obligations are constructed in EU law, shifting the focus from control over individual conduct to the overall design of risk structures over time.

Dynamic standards.

Dynamic standards are regulatory parameters that refer to a mobile “state of the art”, making technical and scientific evolution an integral element of the structure of the obligation. They do not definitively establish the content of the measures to be adopted, but require that they be constantly adapted to the level of protection required at a given time, as reflected in technical standards, best practices, and guidelines. In this way, the relationship between legality and reference to sub-statutory sources is redefined: determinacy no longer depends solely on the text, but on the quality and controllability of the procedures through which the “state of the art” is identified, updated, and made accessible to operators and recipients.

Organizational obligations.

Organizational obligations shift the focus from the specific case to the structure: what is required is not only the abstention from certain behaviors, but the establishment and long-term maintenance of internal structures capable of identifying, assessing, and managing risk. This requires a rethinking of culpability, which no longer consists solely in the violation of a specific rule, but in the failure to establish adequate procedures, skills, and controls for known or knowable risks. Diligence is measured from an organizational and prospective perspective (diligence in planning and updating), and strict liability itself tends to incorporate structural aspects: the entity is held accountable not only for individual incidents, but for the choices made in configuring and maintaining its risk management system.

Adaptive regulation.

Adaptive regulation institutionalizes regulatory experimentation and public-private co-regulation as stable components of the regulatory framework. Regulatory sandboxes, regulatory pilots, and experimental regimes allow for the testing of new technical or organizational solutions—including post-quantum ones—under controlled conditions before their generalization. At the same time, the intertwining of legislative acts, delegated acts, and technical implementation through standards developed by standardization bodies makes the updating of regulatory content a continuous, rather than episodic, function. The result is a legal system in which the boundary between formal sources and technical standards becomes more porous, but in which the task of political direction and assurance remains with public institutions.

Impact on principles.

Anticipation profoundly impacts European constitutional principles. Legality takes the form of a “dynamic procedural legality”: it is guaranteed not only by the clarity of the legislative text, but also by the transparency, participation, and accountability of the processes through which standards and organizational obligations are updated. Proportionality carries a strong temporal dimension, since assessing the proportionality of an anticipatory intervention means measuring the interference not only with respect to the current state of the art, but also in light of reasonably foreseeable future risk scenarios. Finally, the protection of legitimate trust and fundamental rights must address a framework in which the technical prerequisites for their implementation can change rapidly: it becomes essential to ensure that regulatory updates are predictable, communicated, and progressive, and that effective remedies exist against arbitrary or retroactive deviations.

From this perspective, the idea – already emerging in narrative terms – of the transition from a law that “chases” technological trajectories to a law that co-designs them translates, on a dogmatic level, into a set of procedures and tools that allow the legal system to actively participate in the configuration of risk conditions, rather than simply recording their outcomes ex post.

Security as a process, not a state: overcoming the illusion of technological stability

Security, in the context of quantum technologies, can no longer be understood as a state of compliance fixed at a given point in time, but as an iterative process that spans the entire lifecycle of digital infrastructures. First, this translates into structured requirements for resilience testing, business continuity plans, and state-of-the-art updates. Resilience testing serves to periodically verify the ability of systems and services—including cryptographic ones—to withstand increasingly sophisticated attack scenarios, including scenarios that require quantum decryption capabilities. Business continuity plans require the preparation of ex ante response strategies that allow essential services to be maintained or restored in the event of a shock, preventing a sudden failure of cryptographic defenses from paralyzing critical infrastructures. Finally, state-of-the-art updates require monitoring the evolution of available post-quantum solutions and promptly integrating appropriate innovations into systems, preventing technical inertia from transforming theoretical vulnerabilities into concrete risks.

Connecting this approach to quantum case studies means recognizing that the threat concerns not only future attacks, but also the possible retroactive decryption of data already collected. From a post-quantum perspective, security as a process therefore implies the adoption of gradual cryptographic migration paths for healthcare archives, financial records, or public databases, accompanied by impact assessments that estimate the effects of possible delays or omissions. Resilience tests must integrate scenarios in which a quantum-capable adversary exploits data already intercepted (“harvest now, decrypt later”), while continuity plans must include strategies for managing a loss of confidentiality that is not isolated, but widespread over time.
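As an added illustration (not part of the article), the following Python model applies the widely used post-quantum migration-planning inequality X + Y > Z (Mosca's inequality) to a constructed cryptographic inventory: an entry is exposed to “harvest now, decrypt later” when the time its data must stay confidential (X) plus the time needed to migrate it (Y) exceeds the assumed horizon to a cryptographically relevant quantum computer (Z). The positive margin Z - (X + Y) is the “window of opportunity” discussed above, and the delay function estimates which entries a slip in migration would push into the exposed set, the “effects of possible delays or omissions” the text asks impact assessments to capture. All horizons, algorithm labels and inventory rows are constructed assumptions.

```python
"""Harvest-now-decrypt-later exposure model for a cryptographic inventory.

Added example, not the article's own material. Applies Mosca's inequality:
data is exposed when its required confidentiality lifetime (X) plus the
migration time (Y) exceeds the assumed horizon to a cryptographically
relevant quantum computer (Z). Every value below is a constructed assumption.
"""
from dataclasses import dataclass, replace

# Key-establishment primitives broken by Shor's algorithm versus symmetric and
# post-quantum primitives that are not. Classification is by family name only;
# anything not listed is an inventory gap and is treated as exposed.
QUANTUM_VULNERABLE = {"RSA-2048", "RSA-4096", "ECDH-P256", "ECDSA-P256", "DH-2048"}
QUANTUM_RESISTANT = {"AES-256-GCM", "ML-KEM-768", "ML-DSA-65"}


@dataclass(frozen=True)
class Record:
    name: str
    key_exchange: str             # primitive that protected the data or session key
    confidentiality_years: float  # X: how long the data must remain secret
    migration_years: float        # Y: estimated time to re-key / re-encrypt


@dataclass(frozen=True)
class Finding:
    name: str
    exposed: bool
    margin_years: float  # Z - (X + Y); negative means the exposure window is already open
    reason: str


def classify(algorithm: str) -> str:
    if algorithm in QUANTUM_VULNERABLE:
        return "vulnerable"
    if algorithm in QUANTUM_RESISTANT:
        return "resistant"
    return "unknown"


def assess(record: Record, crqc_horizon_years: float) -> Finding:
    """Apply X + Y > Z to one inventory entry; Z is the assumed CRQC horizon."""
    cls = classify(record.key_exchange)
    margin = crqc_horizon_years - (record.confidentiality_years + record.migration_years)
    if cls == "resistant":
        return Finding(record.name, False, float("inf"), "quantum-resistant key establishment")
    if cls == "unknown":
        return Finding(record.name, True, margin, "unclassified primitive: treated as exposed")
    if margin < 0:
        return Finding(record.name, True, margin,
                       f"{record.key_exchange}: X+Y exceeds Z by {-margin:.1f} years")
    return Finding(record.name, False, margin,
                   f"{record.key_exchange}: {margin:.1f} years before X+Y reaches Z")


def risk_register(records, crqc_horizon_years):
    """Findings sorted worst-first, usable as an ex ante entry in a risk register."""
    findings = [assess(r, crqc_horizon_years) for r in records]
    return sorted(findings, key=lambda f: (not f.exposed, f.margin_years))


def impact_of_delay(records, crqc_horizon_years, delay_years):
    """Names of entries that are safe today but become exposed if migration
    completion slips by delay_years (the effect of a delay or omission)."""
    newly_exposed = []
    for r in records:
        before = assess(r, crqc_horizon_years)
        after = assess(replace(r, migration_years=r.migration_years + delay_years),
                       crqc_horizon_years)
        if after.exposed and not before.exposed:
            newly_exposed.append(r.name)
    return newly_exposed


# Constructed inventory: a long-lived health archive, a financial ledger,
# an already-migrated telemetry feed and an undocumented legacy VPN.
INVENTORY = [
    Record("ehr-archive", "RSA-2048", confidentiality_years=30, migration_years=4),
    Record("payments-ledger", "ECDH-P256", confidentiality_years=7, migration_years=2),
    Record("telemetry-feed", "ML-KEM-768", confidentiality_years=1, migration_years=0),
    Record("legacy-vpn", "proprietary-kex", confidentiality_years=2, migration_years=1),
]

if __name__ == "__main__":
    Z = 12  # assumed years until a cryptographically relevant quantum computer
    for f in risk_register(INVENTORY, Z):
        print(f"{f.name:16} exposed={f.exposed!s:5} margin={f.margin_years:6.1f}  {f.reason}")
    print("newly exposed by a 4-year slip:", impact_of_delay(INVENTORY, Z, 4))
```

With Z = 12 the health archive is already inside the exposure window regardless of when migration starts, which is the retrospective risk the article describes; the ledger has three years of slack that a four-year slip consumes.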

In terms of liability categories, security as a process establishes the shift from the centrality of ex post traceability to the obligation of resilience by design. It is no longer sufficient to be able to reconstruct “who did what” after an incident: the legal system requires operators to demonstrate that they have integrated resilience—including crypto-agility in light of quantum risk—into their design, management, and update processes. This is directly linked to ongoing responsibility and the organizational obligations already outlined: fault lies not only in failing to respond correctly to an event, but also in failing to implement the structures and review cycles that could reasonably have prevented or mitigated the effects of a quantum disruption. In this sense, overcoming the illusion of permanent technological stability becomes the starting point for a paradigm in which operational continuity, upgradeability, and accountability over time are not exceptional remedies, but essential components of the new notion of security in EU law.

Conclusions

Quantum computing represents the legal problem of our time because it condenses, in an extreme form, the paradox of having to regulate systemic effects that are certain but not yet materialized, revealing the structural inadequacy of ex post paradigms and requiring an ontological leap toward a form of standardization that logically precedes the facts.

On an operational level, this framework suggests several takeaways for the EU legislator. First, the urgency of defining and enforcing coordinated post-quantum cryptographic standards at the EU level, avoiding national fragmentation that would weaken regulatory confidence and the overall resilience of the European digital space. Second, the need to assign standardization bodies a key but politically driven role in defining quantum technical standards, ensuring that the translation of anticipation into technical specifications does not escape public control. Third, the need to strengthen democratic controls over technical co-regulation—through transparency, participation, and effective judicial review—so that the definition of acceptable risk thresholds is not effectively privatized. Finally, the importance of promoting global regulatory convergence on post-quantum security, to prevent a fragmentation of standards from amplifying the very technical discontinuities that the governance of the inevitable aims to absorb, and to place the Union in a credible leadership position in defining the rules of the future quantum digital order.

