Quantum Computing and the Rule of Law
On 10 June 2025, the American Bar Association (ABA) hosted a webinar titled “Quantum Computing and Cybersecurity: What is Reasonable Security in the Age of AI and Quantum?” The session, featuring Ryan McKenney, General Counsel of Quantinuum, alongside other legal and cybersecurity experts, focused on a stark yet timely warning: quantum computers are coming, and they will break the cryptographic systems that underpin today’s digital infrastructure
Quantum computing promises transformational advances in many fields of commerce, such as finance and logistics, as well as providing deeper insights into areas like drug discovery, material science, and climate change. But it also introduces a profound threat to the legal and commercial foundations of our digital society. Ryan McKenney didn’t mince his words—he called the looming ability of quantum computers to crack RSA and other public-key encryption schemes “very scary.” In simple terms, within a decade, everything from encrypted personal data to patent files, trade secrets, and corporate emails could be vulnerable to exposure or manipulation. That’s not science fiction; it’s a scenario for which legal and compliance teams should already be preparing.
Building In-House Quantum Resilience
One of the central messages from the ABA webinar was that legal teams—especially in-house counsel—must move beyond theoretical discussions and begin developing practical quantum-readiness plans. These should include internal audits of encryption use, assessments of high-risk data flows, and policies for adopting crypto-agile infrastructures (systems that can be updated to accommodate post-quantum encryption algorithms).
However, internal planning alone is insufficient. The most effective strategies will come from a hybrid model: building in-house competence while relying on specialist external advisors for deep technical and regulatory expertise. This means engaging with patent lawyers who understand quantum technologies, cybersecurity consultants who can evaluate cryptographic risk, and public policy experts who can monitor regulatory shifts. It also means educating boards and executives about what’s at stake—because quantum risk is not just an IT problem; it’s a governance issue.
A Wake-Up Call for Europe
This is not only a challenge for the U.S. market. European companies—especially those operating in regulated sectors such as banking, telecoms, healthcare, and defence—face equally urgent pressure to prepare. The European Union has already taken steps through its Quantum Flagship and digital sovereignty initiatives. Agencies like ENISA (the EU Agency for Cybersecurity) are issuing guidance, and the EU’s post-quantum cryptography standards will soon follow the NIST model from the United States.
Yet many European businesses remain underprepared. That’s a risk, particularly given the strict data protection regime (GDPR) and Europe’s ambitions for digital autonomy. Without planning, European companies could find themselves caught between outdated encryption standards and evolving legal liabilities. The risk is compounded by the global nature of quantum threats—a malicious actor with a quantum computer in one country can decrypt stolen data from anywhere.
Now is the time for European boards, GCs, and compliance officers to act. Quantum resilience requires investment—and the cost of inaction could be catastrophic.
Turning Risk Into Opportunity
There is, however, a positive vision here. Businesses that prepare early can not only avoid disaster—they can also gain a strategic edge. It’s likely that post-quantum readiness will increasingly be seen as a mark of trustworthiness, much like GDPR compliance or ISO certification. Companies that can prove they are securing customer and corporate data against emerging threats will differentiate themselves, especially in security-conscious markets like SaaS, health tech, and financial services.
We are on the threshold of a technological shift as profound as the move to the internet in the 1990s or cloud computing in the 2000s. Legal teams must start leading, rather than merely waiting for regulators to tell them what to do.
If you’re working on this challenge—whether as in-house counsel, a policymaker, or a technologist—I’d love to hear your perspective. And if your organisation is seeking guidance on how to prepare, from legal audits to quantum-resilient IP strategies, feel free to get in touch.
#QuantumComputing #Cybersecurity #BusinessLaw #Technology #RiskManagement
Image used under royalty-free from Pixabay