Mon. May 11th, 2026

The Netherlands leads in quantum technology but lags on quantum security


The Netherlands Court of Audit recently published a blunt assessment of the Dutch central government’s readiness for quantum technology. The verdict was uncomfortable reading for a country that presents itself as a European frontrunner in the field.

While the Netherlands has built a thriving quantum research ecosystem and secured an academic leading position, the majority of government organisations have yet to take a single concrete step towards protecting their systems against the cryptographic threat that quantum computers will eventually pose.

The report, Focus on quantum technology in central government, surveyed 63 government organisations. It found that 71% had not begun preparations to defend against the quantum threat. Only four organisations (6%) had incorporated the quantum threat into their risk management frameworks. Just 15 had opened any dialogue with their suppliers about quantum-safe products. At most institutions, no designated executive is responsible for the issue.

The timing matters. The Dutch intelligence service AIVD has warned that Q-Day, the point at which a sufficiently powerful quantum computer could crack current asymmetric encryption, could arrive as early as 2030. That leaves fewer than four years for organisations to complete what experts describe as a complex, organisation-wide migration.

The threat is real

To understand why the Court of Audit is concerned, it helps to understand what the Dutch government uses encryption for. The list is not short: protecting confidential information held on citizens and businesses, controlling access to vital infrastructure such as flood defences and bridges, authenticating logins via DigiD (the national digital identity system used by millions), and verifying the integrity of passports and official documents.

If quantum computers render current encryption obsolete, all of these applications are at risk. The consequences range from identity fraud and disrupted benefit payments to compromised infrastructure and exposed state secrets.

There is a further complication that makes the 2030 timeline more urgent than it might first appear. Security researchers and the Court of Audit itself have flagged the risk of so-called “harvest now, decrypt later” attacks, in which malicious actors, including state-level adversaries, are already intercepting and stockpiling encrypted data. They cannot read it today, but they are betting they will be able to once quantum computing matures. That means sensitive Dutch government data being transmitted now may already be at risk of future exposure. The threat is not waiting for Q-Day to begin.

The Court of Audit identifies three main obstacles to progress: a lack of technical capacity, a shortage of expertise, and, perhaps most critically, an absence of urgency within organisations. Because the precise timing of Q-Day remains uncertain, many institutions have simply not prioritised the issue.

That reasoning has a flaw. Migrating to post-quantum cryptography (PQC) is not a quick fix. It requires organisations to first audit where cryptography is embedded across their systems, negotiate with suppliers, update infrastructure and retrain staff. The Court of Audit warns that organisations risk not starting in time.

Even the adoption of a government‑wide cryptography framework has not yet translated into concrete action in most organisations. In March 2025, the Dutch CIO Council formally adopted the Framework cryptography policy for the Central Government, which makes a cryptography policy mandatory for all central government bodies, but the Court of Audit finds that many organisations have not yet aligned their own policies with this framework.

The governance picture compounds the problem. Most organisations have not designated an executive responsible for quantum readiness. Without clear ownership, the migration tends to remain an unassigned task – acknowledged in principle, actioned by no one.

Legal frameworks lag behind

The security gap has a legal dimension that adds further complexity. Victor de Pous, an Amsterdam-based ICT lawyer who has tracked Dutch digital policy for decades, points to a structural paradox in how information security law is currently constructed.

Existing legislation, including the General Data Protection Regulation, the NIS2 Directive and the Cyber Resilience Act, is deliberately written to be technology-neutral. The intention is that organisations should be able to identify and apply appropriate security measures themselves, following what regulators describe as “the state of the art”.

“At the regulation of post‑quantum cryptography, a paradox arises,” De Pous wrote in his Newsware newsletter, noting that information security legislation is designed to be technology‑neutral, yet the quantum threat is so profound and complex that organisations “apparently cannot independently keep up with the ‘state of the art’ in this area”.

In practice, De Pous argued, this approach is not working. His conclusion that further regulation is all but inevitable does not rest on the claim that it is the only conceivable solution. It rests, rather, on a historical lesson from information security law: open norms and self-regulation have repeatedly proved insufficient to deliver timely and adequately high levels of security.

The evolution from NIS1 to NIS2 illustrates how legislators gradually give such open norms more concrete shape, not only through judicial interpretation, but through additional legislation, guidance and implementing rules. The quantum threat, in his view, will follow the same pattern.

De Pous pointed to several recent examples, including the modernisation of the 1995 Archives Act, the adaptation of competition law for government open source releases, and the transposition of the NIS2 Directive, as “telling examples of digital-domain legislative processes with long delays”, reinforcing his view that this is a structural feature of the Dutch regulatory landscape rather than an exception. He sees no reason to assume quantum-specific regulation will move faster.

Investment without implementation

The contrast with the investment side of the quantum picture is stark. Since 2021, the Netherlands has channelled €615m from its National Growth Fund into Quantum Delta NL, a public-private programme designed to develop the country’s quantum ecosystem across five regional hubs in Delft, Eindhoven, Leiden, Twente and Amsterdam. The programme has delivered tangible results: a quantum network connecting The Hague and Delft, three operational quantum sensor test facilities, and a fund for quantum startups. The National Growth Fund’s advisory committee has praised the programme’s progress.

Quantum Delta NL projects that quantum technology could create between 8,000 and 18,000 jobs in the Netherlands by 2040, with the Quantum Delta programme alone potentially generating between €1.5bn and €2.5bn in economic value. Quantum technology has been designated as one of 10 priority technology areas in the country’s National Technology Strategy, and in March 2026, the Netherlands and Germany jointly launched the TechBridge initiative – a collaborative research and development programme targeting quantum applications in the aerospace sector, developed in partnership with Quantum Delta NL and Airbus Tech Hub Netherlands.

The investment in the opportunity side of quantum is real, sustained and internationally recognised. The readiness for the threat side is not.

In its formal response to the Court of Audit, the government described the migration to post‑quantum cryptography as “not optional, but necessary”, while noting that the migration is complex given the range of dependencies involved.

A government-wide Quantum Strategy is currently being developed by the Ministry of Economic Affairs in collaboration with other ministries. It was expected to be presented to parliament in the second quarter of 2026. At the time of writing, neither its concrete targets nor its budget had been made public.

That timing is not coincidental. The European Commission is expected to publish its proposed Quantum Act in the same period, which will set binding requirements and investment frameworks across member states. The Netherlands has stated it welcomes the European strategy, while seeking to preserve room for national choices and ecosystems. How those two timelines interact, and whether Dutch policy will be shaped proactively or reactively by the EU framework, remains to be seen.

EU-wide challenge

The Netherlands is not alone in facing this challenge. No European Union member state has fully completed the transition to post-quantum cryptography, and the European Commission has acknowledged that migrations will be difficult and time-consuming across the board.

But the Court of Audit’s findings place the Dutch government in an uncomfortable position. As a country that has invested heavily in quantum technology and positioned itself as a European leader, the gap between its ambitions and its internal security preparations is unusually visible.

The 71% figure carries weight precisely because it comes not from a commercial supplier or a lobbying body, but from the independent institution tasked with auditing the Dutch state’s financial management and policy effectiveness. When the Court of Audit says most government organisations have not started, that assessment has not been publicly contested.

The government has acknowledged the scale of the problem and the need to accelerate preparations for post‑quantum cryptography, but it has not yet presented a funded, time‑bound plan to fix it. For organisations now weighing up their own PQC migration, and for any entity that exchanges sensitive data with Dutch government systems, that gap is the most important number in the report.

By uttu
