A Governed Position on Quantum: What Regulated Businesses Should Decide Now

Within the next two years, the boards of most regulated businesses will be asked to state a position on quantum technology. The request will originate from a supervisor, an auditor, a significant customer's security questionnaire, or a non-executive director responding to the same market signals as everyone else. Boards that have prepared a considered position will treat the question as routine governance. Boards that have not will compose one under pressure, and positions improvised under pressure on frontier technology are expensive to correct.

The purpose of a quantum governance programme is to ensure the answer already exists before the question is asked. This is achievable now, at modest cost. It does not require the organisation to purchase any quantum technology, and it does not require anyone to predict when a capable quantum computer will arrive. It requires three decisions to be taken deliberately rather than by default. Regulated organisations have just completed a full cycle of precisely this discipline with artificial intelligence, and the quantum cycle is following the same path, one stage behind.

The precedent the AI Act established

The European Union's Artificial Intelligence Act provides a precise template, and the lesson it offers concerns sequence rather than surprise.

Regulation of a frontier technology does not arrive as a single event. It proceeds in a predictable order: national strategy and industrial policy, then voluntary principles and the formation of technical standards, then a risk-based legal framework, and finally enforcement. Each stage signals the next. The organisations that ultimately complied with the AI Act at the lowest cost were those that built the foundational capability (an inventory of their systems, clear ownership, and an evidence trail) during the earlier and quieter stages, when the work was inexpensive and discretionary.

Those caught unprepared were not caught because the legislation was unexpected; it was visible for years. They were caught because each pre-enforcement stage was treated as a justification for delay, and because the underlying work (mapping systems, assigning accountability, and assembling evidence) takes considerably longer than the interval between an obligation becoming law and that obligation applying to a given firm. The result was a measurable difference in cost and disruption between the prepared and the unprepared.

Quantum is on the same trajectory

Assessed against that sequence, quantum now occupies the stage the AI Act held several years ago.

The strategy and policy stage is established. The proposed EU Quantum Act indicates a significant jurisdiction moving to combine quantum industrial policy with risk-based regulation, and national quantum strategies are multiplying. The standards stage is under way: bodies are developing terminology, benchmarking, and safety standards, with broad support for a standards-first approach intended to keep the eventual rules interoperable rather than fragmented. The dual-use dimension is already active, as quantum technologies appear on export-control lists in recognition that the same capability which benefits a hospital can benefit an adversary.

The commercial signal is arriving in parallel, and frequently ahead of the legislative one. Customers are introducing quantum-readiness questions into security reviews. Auditors are beginning to enquire. Suppliers are placing quantum claims in their roadmaps, a minority of which withstand scrutiny. None of this depends on the existence of a capable quantum computer. It depends only on the market beginning to price in the expectation of one, which it has begun to do.

The three decisions a board should take now

A governed position on quantum is not a research budget or a technology wager. It is the documented outcome of three decisions, each of which a board is equipped to take today.

Where quantum could create value or disruption for the organisation. This is a question of strategy. For most regulated businesses, the defensible answer at present is that quantum will matter modestly, later, and in specific places. That is an acceptable conclusion, provided it is reached deliberately, assessed against the genuine maturity of the technology rather than supplier enthusiasm, and reviewed on a defined schedule. A position of act, pilot, or wait is a decision the board has made; the absence of one is a decision the organisation has allowed others to make on its behalf.

Which obligations will apply, and in what order. This is a question of regulation and standards: the EU Quantum Act and national strategies, the technical standards now forming, the dual-use and export-control regime, and the existing sectoral rules on cryptographic and operational resilience that quantum-readiness already engages. The organisation is not required to comply with rules that have yet to crystallise. It is required to track them and to establish which will reach the business first.

What quantum exposure belongs on the risk register. This is where cryptography enters the analysis, and it enters as one entry among several. Data with a long confidentiality lifetime can be captured now and decrypted once suitable hardware exists; for certain categories of regulated data, that "harvest now, decrypt later" exposure is already live and warrants assessment. It sits, however, alongside vendor lock-in, supply-chain dependency, and the difficulty of assuring quantum results that cannot be readily verified. Cryptographic exposure is the most time-sensitive entry on the register. It is neither the whole register nor a substitute for the wider governance position.

Two of these three decisions are independent of any decision to adopt quantum technology. Regulatory obligations are forming irrespective of the organisation's posture, and elements of the risk register are already live. The adoption question may remain under a watching brief until circumstances require otherwise; the governance question may not.

The operating model that sustains the position

A position recorded once and filed is of limited value, because the underlying conditions (the regulation, the standards, and the maturity of the technology) will change. The objective is therefore not a document but an operating model, and that model rests on three established governance principles.

The first is a position before a product: the organisation determines its view and its intended actions before external pressure forces the matter, while the options remain open and inexpensive. The second is governance embedded in the architecture rather than appended to it: the quantum position is expressed in how systems, procurement, and supplier relationships are actually structured, and is monitored continuously, rather than captured in a policy that is accurate on the day it is approved and outdated within a quarter. The third is ownership at the appropriate level: a single, named accountability for quantum, reporting to the board, so that the decisions identified above are taken explicitly rather than accumulated by default.

These are the same principles that mature artificial-intelligence governance was ultimately found to require, and the regulatory models now forming around quantum draw on the same risk-based, continuously evidenced approach. For a regulated organisation, quantum and artificial intelligence are converging on the same risk committee, and governing them as two applications of a single discipline is the only approach that scales.

The immediate step

The first action is neither a strategy programme nor a procurement exercise. It is an honest assessment of whether the organisation can, today, answer three questions: whether it knows where quantum might matter to the business and has decided to act, pilot, or wait; whether it knows which emerging rules and standards will reach it first; and whether it knows what quantum exposure belongs on its risk register, including the single entry that is already live.

Where the answer is that no function currently owns these questions, the organisation is not behind on the underlying science. It is at the stage that proved most costly for the unprepared during the introduction of the AI Act: the inexpensive, low-visibility stage at which early preparation is close to free and late preparation is not. The advantage lies in acting before the question is asked rather than after it.

Systima helps regulated organisations govern frontier technology (artificial intelligence today and quantum next) with a single discipline: a governed position, accountable ownership, and governance embedded in the architecture rather than appended to it. To assess your organisation's quantum position, see our quantum governance practice or arrange a discovery call.