October 2024 brought a cluster of regulatory and institutional developments that will shape the quantum policy environment into 2025 and beyond. The Netherlands introduced supplemental export controls covering quantum computing, joining a growing group of EU member states restricting technology transfers outside the bloc. The EU adopted the Cyber Resilience Act, which will require cryptographic agility in digital products from December 2027, creating a de facto compliance deadline for post-quantum cryptography migration. The United Kingdom opened the National Quantum Computing Centre and became the first country to publish a government position on quantum technology regulation. NIST advanced 14 candidates to the second round of its additional post-quantum digital signature evaluation. And the BRICS Kazan Summit formally added quantum technologies to its science and technology cooperation agenda, signaling interest from a group that now spans much of the Global South.
Netherlands: Quantum Computing Added to Expanded Export Control Regime
What happened. On October 18, the Dutch government announced supplemental export controls covering quantum computing, additive manufacturing, and semiconductor technologies. The new regulations, which entered into force on December 1, 2024, require a prior export license for controlled items shipped to all destinations outside the European Union. A National General Export Authorization (NL900) permits most exports to a list of trusted countries including Australia, Canada, Japan, the United Kingdom, and the United States. Spain, France, Germany, and Italy had already introduced comparable national controls.
Why it matters. The Netherlands is now part of a coordinated, if not formally multilateral, alignment among EU member states on quantum export restrictions. This cluster of national measures functions as a de facto European quantum export control regime, operating outside the formal EU dual-use regulation and instead through supplementary national rules. The country-neutral licensing requirement (covering all non-EU destinations by default, with exceptions for trusted partners) mirrors the approach taken by the US Bureau of Industry and Security in its September 2024 interim final rule. For quantum companies operating in Europe, the practical effect is that exports of quantum computing items from several major EU member states now require regulatory clearance unless the destination is on a short list of allied countries.
What remains unclear. Whether remaining EU member states will adopt equivalent controls, or whether the European Commission will move toward a unified EU-level instrument. The interaction between these national controls and the EU’s own dual-use regulation (Regulation 2021/821) also remains unresolved. It is not yet clear how enforcement will work across jurisdictions for companies operating in multiple EU member states.
Who should care. Quantum hardware and component manufacturers in Europe. Export compliance teams at quantum computing companies worldwide. Trade policy analysts tracking the emergence of coordinated technology controls outside traditional multilateral regimes like the Wassenaar Arrangement.
European Union: Cyber Resilience Act Creates PQC Migration Deadline
What happened. On October 23, the EU adopted the Cyber Resilience Act (Regulation (EU) 2024/2847), the first legislation to set mandatory cybersecurity requirements for products with digital elements sold in the EU. The regulation requires manufacturers to ensure that products remain cybersecure throughout their lifecycle, including the ability to update cryptographic mechanisms as threats evolve. Beginning in December 2027, products must be designed with the flexibility to update cryptographic components, and industry analysis indicates the Act will drive PQC migration by requiring products to support cryptographic agility.
Why it matters. The CRA converts what has so far been a standards-driven, voluntary PQC migration process into a regulatory compliance obligation for any company selling digitally connected products in the EU market. The December 2027 application date is tight: manufacturers will need to design products capable of receiving firmware and software updates signed with quantum-safe algorithms. Because the CRA applies to the entire product lifecycle, it effectively requires that products shipped from late 2027 onward are architecturally ready for a cryptographic transition even if post-quantum algorithms are not yet mandated as the sole baseline. The standards work underpinning the CRA is moving toward using the European Cybersecurity Certification Group’s Agreed Cryptographic Mechanisms document to define the accepted cryptographic baseline.
What remains unclear. Which specific post-quantum algorithms will be recognized under the CRA’s conformity assessment framework, and whether the European standards bodies will adopt NIST’s FIPS 203, 204, and 205 directly or develop parallel specifications. The timeline for the Agreed Cryptographic Mechanisms document to formally incorporate post-quantum algorithms is not yet public. Whether small and medium-sized manufacturers will be able to meet the cryptographic agility requirements by 2027 is an open question.
Who should care. Manufacturers of IoT devices, industrial control systems, and any product with digital elements sold in the EU. Chief information security officers at companies managing product security compliance. PQC solution vendors and cryptographic library developers.
United Kingdom: NQCC Opens and Government Publishes First National Position on Quantum Regulation
What happened. On October 25, Science Minister Lord Vallance officially opened the National Quantum Computing Centre at the Harwell Campus in Oxfordshire. The 4,000-square-meter facility will house 12 quantum computers based on different hardware architectures, with open access for industry, academia, and the public sector. More than 70 staff will be based at the site, which also hosts a quantum apprenticeship program, 30 PhD studentships, and industry training courses. Separately, on October 8, DSIT published the government’s response to the Regulatory Horizons Council’s report on quantum technology regulation, accepting 11 of 14 recommendations and the remaining three in principle. The response committed to a regulation-by-application approach led by sectoral regulators and the convening of a Regulatory Forum for Quantum Technologies.
Why it matters. The NQCC’s open-access, multi-architecture model is distinct from most national quantum computing facilities, which tend to be restricted to government use or limited to a single hardware platform. By hosting 12 systems across different architectures, the centre positions itself as an applications testbed rather than a research instrument for a single team. The regulatory response is equally notable: the UK is the first country to formally set out a government position on how quantum technologies should be regulated. The decision that it is too early for legislation, combined with active investment in regulatory capability building and a dedicated quantum regulators’ forum, amounts to a deliberate bet on structured preparation over premature prescription.
What remains unclear. How industry access to the NQCC’s 12 systems will be prioritized and priced, and whether demand will exceed capacity. On regulation, the timeline for the Regulatory Forum for Quantum Technologies to produce actionable guidance is not specified. The extent to which this regulatory approach will be coordinated with international partners, particularly the EU, remains to be seen.
Who should care. Quantum computing hardware and software companies seeking testbed access. UK-based firms developing quantum applications for regulated sectors (financial services, healthcare, defense). International policymakers looking at regulatory models for emerging quantum technologies.
NIST: 14 Candidates Advance in Additional Post-Quantum Signature Standardization
What happened. On October 24, NIST announced the 14 candidate algorithms advancing to the second round of its additional digital signature standardization process. The candidates were selected from 40 first-round submissions received following a September 2022 call for proposals. The evaluation criteria and reasoning were detailed in NIST Internal Report 8528. The second phase is estimated to last 12 to 18 months, and includes code-based, multivariate, isogeny-based, and MPC-in-the-head signature schemes.
Why it matters. This track exists to diversify the post-quantum signature portfolio beyond structured lattices. Both ML-DSA (already standardized as FIPS 204) and the forthcoming FN-DSA rely on lattice-based assumptions. If a future advance were to compromise lattice-based cryptography, the entire post-quantum signature infrastructure would be at risk without alternatives. The 14 second-round candidates span multiple mathematical foundations, which is precisely the point: NIST is building redundancy into the post-quantum toolkit. Organizations planning their PQC migration will need to track which of these candidates reaches standardization, as the eventual selections could affect long-term certificate and code-signing architectures.
What remains unclear. Which candidates will ultimately reach standardization and on what timeline. NIST’s estimate of 12 to 18 months for the second round suggests final selections no earlier than late 2025, with standards potentially years further out. Whether any of these additional signatures will achieve the performance characteristics needed for constrained environments (embedded systems, IoT) is a central evaluation question.
Who should care. Cryptographic engineers and protocol designers. PKI operators and certificate authorities. Standards bodies incorporating PQC into their frameworks, including those working under the EU Cyber Resilience Act.
BRICS Kazan Summit Adds Quantum Technologies to Science Cooperation Agenda
What happened. At the 16th BRICS Summit held in Kazan, Russia, from October 22 to 24, the Russian presidency introduced quantum technologies as a new theme for science, technology, and innovation cooperation, grouped with artificial intelligence under a single heading. The 134-point Kazan Declaration addressed technological cooperation and endorsed new institutional mechanisms. The summit was attended by 36 countries, including newly admitted members Egypt, Ethiopia, Iran, and the United Arab Emirates, and 13 additional nations were added as BRICS partner countries.
Why it matters. The inclusion of quantum technologies in BRICS STI cooperation is a political signal rather than an operational commitment: the Kazan Declaration did not announce funding, joint laboratories, or specific programs. But the framing matters. BRICS now encompasses countries with active quantum programs (China, India, Russia) alongside nations with limited quantum capacity but growing digital infrastructure needs. The grouping creates a potential channel for quantum technology transfer and capacity building outside the orbit of Western-aligned multilateral institutions. For countries navigating the emerging quantum export control regimes being built by the US, EU, and allied nations, BRICS-led cooperation could become an alternative pathway, though one that raises questions about alignment with the security-driven restrictions now being imposed by those same allied blocs.
What remains unclear. Whether the quantum theme will produce concrete programs under the Brazilian presidency in 2025 or remain at the level of political language. The relationship between BRICS quantum cooperation and the export control regimes being built by the US, Netherlands, and other allied states is an emerging tension with no resolution in sight. How China’s role in BRICS quantum initiatives will interact with its own national quantum strategy is also unspecified.
Who should care. Foreign ministries and science diplomacy offices in BRICS member and partner states. Export control policymakers in the US and EU monitoring alternative technology cooperation channels. International organizations working on quantum capacity building, including CERN’s Open Quantum Institute.
Also in October 2024
Norway committed NOK 70 million annually (approximately $6.6 million) for quantum technology research, marking the first dedicated budget line for quantum in the country’s state budget. Three government ministers announced the initiative at OsloMet’s Quantum Hub.
Canada’s Innovation, Science and Economic Development department published the membership and mandate of the Quantum Advisory Council established to advise on the National Quantum Strategy, co-chaired by Raymond Laflamme and Stephanie Simmons.
Chile’s Science Minister presented a report containing 15 recommendations for strengthening the quantum ecosystem, prepared by an expert commission convened by the Ministries of Science and the Interior, with priority applications identified in mining, renewable energy, and cybersecurity.
The United States and South Korea established a vice minister-level Defense Science and Technology Executive Committee to oversee advances in quantum technologies, autonomous systems, and AI within the alliance, announced at the 56th Security Consultative Meeting.
Sector-by-sector analysis of each development covered in this briefing, with cross-jurisdictional comparisons and implementation timelines, is available on the Quantum Policy Radar.