The Netherlands Leads in Quantum Technology but Lags on Quantum Security

The Netherlands has positioned itself as a European quantum powerhouse, channeling roughly $670 million through the Quantum Delta NL initiative to build networks, sensor labs, and startup ecosystems. Yet the recent Court of Audit report reveals a glaring security blind spot: the majority of central government entities have not started the arduous transition to post‑quantum cryptography (PQC). With the intelligence community flagging a possible Q‑Day by 2030, the window for a systematic migration—auditing cryptographic assets, renegotiating supplier contracts, and retraining staff—is rapidly closing. The risk is compounded by "harvest‑now, decrypt‑later" attacks, where adversaries already collect encrypted traffic for future decryption once quantum computers mature.

Three interlocking obstacles impede progress. First, a shortage of technical expertise leaves agencies ill‑equipped to assess and replace legacy encryption. Second, governance gaps—most ministries lack a senior executive accountable for quantum readiness—mean initiatives remain unowned and low‑priority. Third, the current legal framework is deliberately technology‑neutral, expecting organisations to adopt the "state of the art" on their own. As ICT lawyer Victor de Pous notes, this self‑regulation model has repeatedly failed to keep pace with fast‑evolving threats, suggesting that dedicated quantum‑security legislation will soon become inevitable.

The broader European context adds urgency. The European Commission’s forthcoming Quantum Act, expected in 2026, will set binding migration deadlines and funding mechanisms for member states. The Netherlands’ pending national quantum strategy must therefore align with EU requirements while leveraging its substantial quantum R&D investments. Accelerating PQC adoption not only safeguards critical services like DigiD and flood‑defence controls but also preserves the country’s reputation as a quantum leader. Other EU nations face similar gaps, making the Dutch experience a cautionary benchmark for coordinated, well‑funded quantum‑security rollouts across the continent.