In recent years, quantum computing has made the leap from laboratory research to a technology which has genuine commercial potential. With the UK positioning itself as a world leader in quantum computing innovation, policymakers have pledged to support this emerging field with a so‑called “responsible innovation” regulatory framework[1]. In contrast to the EU’s prescriptive rules, such as the AI Act and the Digital Operational Resilience Act, the UK’s approach is guided by flexible principles as part of a broader “pro-innovation” agenda, intentionally avoiding strict regulatory requirements at this stage.
But the core question remains: given escalating risks in cyber threats, cryptography, and data protection, is this soft-touch regulatory model sufficient for businesses? The answer is complex. Policy makers and regulators must weigh whether adapting existing legal frameworks with enhanced guidance and oversight can effectively address quantum risks or whether new, dedicated regulation is necessary. This article examines the critical risks, evaluates the adequacy of the UK’s current regulatory approach, and considers whether a shift toward stronger regulatory intervention is ultimately unavoidable.
The UK’s ‘Responsible Innovation’ stance
The UK Government’s quantum computing strategy, set out in the National Quantum Strategy 2023, operates on three pillars: investment in research and development, fostering industrial applications, and international collaboration. The strategy outlines a broad 10-year vision to position the UK as a leading quantum-enabled economy by 2033, and emphasises flexible frameworks, industry collaboration, ethical commercialisation, and the role of regulators and standards bodies in supporting innovation and safety without imposing prescriptive rules at this stage.
Although the strategy does acknowledge responsible innovation as a key principle to drive benefits for the UK’s economy and quantum sector while protecting national capabilities and security, the strategy’s regulatory component is notable for what it does not prescribe: no standalone “Quantum Act”, no statutory regulator dedicated solely to quantum technologies, and no fresh mandating of compliance obligations for firms experimenting with or deploying quantum computing systems. Instead, the Government has chosen to extend its “pro-innovation” AI and digital regulation strategy to quantum computing.
In this context, “responsible innovation” is intended to deliver a balanced approach, navigating between the dangers of overregulation - which could stifle innovation in a globally contested scientific and industrial arena - and regulatory inaction, which risks allowing systemic threats to grow unchecked. The current toolkit relies on guidance, voluntary standards, codes of practice, and regulatory sandboxes. Authorities like the National Cyber Security Centre (NCSC) and the Information Commissioner’s Office (ICO) serve primarily as advisors, fostering safe experimentation rather than imposing strict regulatory controls.
The question is whether this “light-but-watchful” approach remains sustainable as quantum computing begins to affect national and corporate infrastructure. Unlike AI or cloud computing, quantum computing collides directly with the foundations of cybersecurity (cryptography), fuelling what some see as a Y2K‑scale security crisis waiting to happen.
Cyber threats in the quantum era
The cyber risk landscape is already complex, with ransomware, state-sponsored attacks, and supply chain compromises front of mind. Quantum computing multiplies the threat level by introducing adversaries equipped with vastly greater computational power. In particular:
- Breaking classical encryption: Algorithms such as Shor’s[2] expose the vulnerability of widely-used public-key systems (RSA, ECC). Stored data, even if not immediately decryptable, may be harvested today in anticipation of “Q‑Day” - the hypothetical moment when a sufficiently powerful quantum computer becomes capable of breaking widely-used classical encryption schemes, such as RSA, by efficiently running Shor’s Algorithm.
- AI-quantum synergies: Hybridisation of quantum computing and AI can enhance cyber offence capabilities, from faster password cracking to more effective intrusion detection evasion. Quantum-enhanced AI can process massive datasets with unparalleled speed and precision, potentially allowing attackers to automate the discovery of vulnerabilities, craft ultra-realistic deepfake phishing schemes, and adapt attack strategies in real time.
- Infrastructure targeting: Critical national infrastructure - already a major UK policy focus under frameworks like NIS2 - faces a growing quantum threat. If quantum computing-powered cyber-attacks become weaponised, they could exponentially increase vulnerabilities in essential services such as energy grids, healthcare systems, and transport networks.
Although UK regulatory bodies like the NCSC, the Financial Conduct Authority (FCA), and the Bank of England have taken important steps through issuing guidance, launching migration roadmaps, and encouraging quantum risk assessments, there is currently no statutory requirement for businesses to conduct quantum computing-specific cyber risk assessments. The NCSC’s post-quantum preparedness roadmap[3] highlights the urgency for sectors such as finance and critical infrastructure to begin transitioning to quantum-safe cryptography now, and the financial regulators are increasingly emphasising the importance of incorporating quantum computing threats into governance, operational resilience and risk management frameworks, for example in the 2024 collaborative report produced by the FCA with the World Economic Forum.
The cryptography challenge
The most visible regulatory flashpoint is cryptography. Put simply, today’s public-key cryptography is not quantum safe. The US National Institute of Standards and Technology (NIST) is working towards issuing global standards for post‑quantum cryptographic algorithms, a process expected to conclude with stable recommendations in 2027. Businesses and governments worldwide are already investing in PQC (post‑quantum cryptography) migration strategies. But regulatory uncertainty arises here:
- Timing of migration obligations: When will UK regulators require firms to be post‑quantum secure? Early? At “Q‑Day”? Or on a voluntary timeline?
- Cost allocation: Migrating entire ICT estates is costly and complex. Most is outsourced to specialist providers. Outsourcing transactions will increasingly see suppliers and customers negotiating who bears financial responsibility for upgrades to maintain compliance once PQC standards mature. The absence of statutory direction leaves the parties exposed to contractual disputes.
- Cross‑border divergence: If UK regulators continue with light-touch guidance but US or EU regimes mandate PQC adoption by law, multinationals could face a fragmented compliance landscape.
In legal practice, this is already emerging as a live issue in high‑value IT outsourcing contracts. Parties increasingly draft “technology evolution” and “change of law and regulation” clauses to anticipate PQC migration, yet these clauses operate in a vacuum of national legal certainty.
Data Protection implications
Quantum computing also challenges established UK data protection laws. Key elements include:
- Lawful processing and security obligations: Articles 5 and 32 UK GDPR require personal data to be processed securely. Post‑quantum vulnerabilities arguably place controllers on notice that classical encryption may no longer be “appropriate.” Yet, in the absence of ICO enforcement or clear regulation, businesses face uncertainty about the threshold for non‑compliance.
- Risk of retrospective compromise: A unique quantum computing risk is that even if personal data is today processed in compliance with GDPR standards, retention over the medium to long term may result in catastrophic breaches once quantum computing decryption becomes available. For sensitive datasets (e.g. medical or financial data retained for statutory purposes), this could mean compliance today is non‑compliance tomorrow.
- Cross‑regulatory tension: The various regulators have responsibilities which overlap imperfectly. In particular, the ICO, NCSC, and the Department for Culture, Media and Sport (DCMS) all issue guidance covering different aspects of data protection, cybersecurity, and digital innovation, leaving businesses unclear about which authority sets definitive standards for acceptable encryption and quantum transition readiness.
The limits of ‘Responsible Innovation’
Although the UK Government’s flexible approach promises to enable innovation in an experimental field while avoiding premature constraints, its limits become clear when dealing with risks that are foreseeable, globally recognised, and systemic. Unlike AI, where potential harms are diffuse and situational, the cryptographic threat of quantum computing is precise. No responsible government disputes that existing public‑key infrastructure will be insecure post‑Q‑Day. The question is only when. The “responsible innovation” model arguably conflates regulatory uncertainty with scientific uncertainty. The latter may persist (timing and feasibility of quantum computing), but the former need not. And by avoiding statutory direction, the Government effectively transfers risk to businesses, compelling them to manage existential threats through contracts, voluntary sector adoption, and fragmented best practice. In areas like cyber resilience and data protection, this may be inadequate relative to the systemic security threat.
Ultimately, the pressing question is not whether “responsible innovation” is sufficient today - given the absence of operational quantum machines capable of breaking encryption, it arguably is - but whether it will remain sufficient in the years leading to Q‑Day. On current trajectory, the answer leans towards no. The Government will need to pivot to legal compulsion, bringing the UK into line with international migration to PQC and ensuring businesses are protected against both regulatory uncertainty and catastrophic quantum‑era cybersecurity collapse.
[1] See, for example, the Model for Responsible Innovation, a practical toolkit released in November 2024 by the Department for Science, Innovation and Technology’s Responsible Technology Adoption Unit.
[2] Shor’s Algorithm is a quantum computing method developed by mathematician Peter Shor that can efficiently factor large composite numbers into their prime factors - something classical algorithms struggle to do in a reasonable time for very large numbers. This efficiency stems from using quantum principles like the Quantum Fourier Transform, enabling it to solve the factoring problem in polynomial time instead of exponential time on classical computers.
[3] The NCSC’s post-quantum preparedness roadmap is found in its publication titled “Timelines for Migration to Post-Quantum Cryptography” and related guidance materials published in early 2025. This roadmap outlines a structured, three-phase plan for organizations to transition to quantum-resistant encryption by 2035.