Blog

The White House Just Signaled Now Is the Time to Act On Quantum: What the Executive Orders on Quantum Innovation and Quantum Security Mean for Market Participants

Pillars of court building

    Introduction

    On June 22, 2026, the White House signaled a meaningful shift in U.S. quantum policy with its publication of two executive orders: “Ushering in the Next Frontier of Quantum Innovation (the “Innovation Order”) and “Securing the Nation Against Advanced Cryptographic Attacks” (the “Security Order” and together with the Innovation Order, the “June 2026 Quantum Orders”). Taken together, the June 2026 Quantum Orders convey that, for quantum readiness, the time to act is now.

    The June 2026 Quantum Orders frame quantum information science and technology (QIST) as both a race for U.S. strategic technological dominance and a defensive contest to prevent adversaries from using quantum capabilities against U.S. economic and national security interests. That dual opportunity-and-risk approach echoes recent U.S. federal policy treatment of other frontier technologies, including generative AI. display: inline !important;">

    See Our Primer: For a sector-specific discussion of what quantum risk and post-quantum cryptography migration may mean for financial services firms, fintech companies, digital asset projects, custodians, exchanges, payment providers and market infrastructure providers, see our companion primer, “Quantum Readiness: A Practical Primer for Financial Services and Digital Assets Companies and Projects.

    Intent of the orders

    The Innovation Order is growth-oriented (think “race to the moon”) and designed to secure U.S. advantage in quantum. It seeks to support U.S. leadership across QIST research, manufacturing, commercialization and application and emphasizes quantum computing, sensing, networking, supply chains, workforce development, private-sector partnerships and international coordination.

    The Security Order is risk-oriented. It focuses on transitioning federal information systems to National Institute of Standards and Technology (NIST)-approved Federal Information Processing Standards (FIPS) for post-quantum cryptography (PQC), as well as on assisting critical infrastructure owners and operators with their own transitions.

    For federal contractors, critical infrastructure owners and operators, technology companies, cloud and software vendors and other organizations with material cryptographic dependencies, the practical message is clear: quantum is no longer simply a research and development issue. It is a board- and senior management-level strategic, cybersecurity, procurement, vendor-management, national security and governance issue.

    That does not mean that every organization must replace its systems tomorrow. It does mean, however, that market participants should begin the work now of understanding where and how they depend on cryptography, which data and systems may be most exposed, which vendors and counterparties may drive quantum resilience timetables and where emerging QIST-related opportunities may be material to their strategies.

    Bottom line

    The White House has placed aspects of U.S. quantum innovation and PQC migration on a defined federal timetable. Beyond the U.S. federal government, that timetable is likely to influence private-sector market developments, including procurement expectations, vendor diligence, cybersecurity standards, customer requirements, internal practices and policies, regulatory attention and board oversight.

    For private-sector organizations, this suggests at least three priorities:

    • Mapping cryptographic exposure. Organizations cannot migrate what they cannot identify.
    • Building PQC readiness. PQC migration will require planning across legal, cybersecurity, engineering, procurement, product, compliance, finance and communications teams. Establishing an internal quantum task force will be critical to manage these complex workstreams.
    • Evaluating business opportunities. QIST-related policy support may create new markets, partnerships, investment pathways and supply-chain needs.

    Organizations and teams that move early with respect to quantum preparedness are likely to be better positioned to respond to customers, counterparties, bad actors, regulators, government procurement requirements and broader market expectations. Those that delay may find that quantum readiness becomes a contract requirement, diligence issue, or board-level risk before they have developed the internal capabilities or credible roadmap needed to respond. And failure to properly prepare for PQC migration now could present significant security risks and liability in light of the rapid development of QIST.

    The June 2026 Quantum Orders work together

    The Innovation Order directs the U.S. federal government to update the National Quantum Strategy within 180 days, with policies intended to support the maturing QIST ecosystem. Those policies are to include promoting commercialization and deployment of QIST, supporting the quantum-enabling technology ecosystem and encouraging partnerships with U.S. industry.

    The Innovation Order also establishes the Quantum Computer for Application Development and Discovery Science (QC-ADDS) effort. QC-ADDS is intended to pursue development of a quantum computer at a scale intended to initiate the era of quantum-enabled scientific discovery, with the intent to deliver at least one such computer to a Department of Energy facility and, to the extent possible, make it available to the scientific community.

    The Security Order focuses on the cryptographic risk created by large-scale quantum computers, emphasizing that adversaries may collect U.S. information now and decrypt it later once large-scale quantum computers are operational. The Security Order also establishes federal milestones for PQC migration, including deadlines for high value assets and high impact systems to transition to PQC for key establishment and digital signatures.

     

    Together, the June 2026 Quantum Orders reflect a two-prong federal strategy:

    • Accelerate QIST capability through research, commercialization, procurement, supply-chain development, workforce initiatives and international coordination.
    • Reduce quantum-enabled cryptographic risk by moving federal systems toward PQC and by using guidance, procurement and critical infrastructure engagement to shape broader market behavior.

    Key U.S. federal milestones to watch

    Selected milestones from the June 2026 Quantum Orders

     

    Timing

    Action under the June 2026 Quantum Orders

    Market relevance

    30 days

    Under the Security Order, each federal agency head identifies a PQC migration lead and provides contact details to the Director of the Office of Management and Budget (OMB) and the National Cyber Director.

    Creates agency-level accountability and may lead to faster vendor engagement.

    60 days

    Under the Innovation Order, at least three next-generation quantum sensor projects are identified for prioritization, with fielding targeted by September 30, 2028. The Director of the FBI, in coordination with certain agency heads, must propose staffing requirements to expand the QIST Counterintelligence Protection Team.

    Signals federal priorities in quantum sensing and QIST technology protection.

    90 days

    Under the Security Order, OMB guidance must require agencies to review inventories of high value assets and high impact systems, excluding National Security Systems, and to develop and submit PQC migration plans.

    Under the Innovation Order, the Department of Energy (DOE) must publicly release, as appropriate, a summary of QC-ADDS technical specifications; OPM must develop a governmentwide QIST recruitment and retention strategy; and a QIST supply-chain report is due.

    Likely to shape federal expectations for vendors, cloud providers, software suppliers and cybersecurity providers.

    120 days

    Under the Innovation Order, a plan is due to encourage and partner with the private sector on quantum-enabling component technologies in the United States. Reports are due on quantum sensing and networking plans. Labor and National Science Foundation actions are due on QIST workforce training and labor-statistics tracking. State Department recommendations are due on aligning international engagements.

    Potentially important for workforce planning, component supply chains, standards and international collaboration.

    180 days

    Under the Innovation Order, the National Quantum Strategy must be updated within 180 days after the Order and relevant agencies must submit summaries of steps taken to align their processes, policies and programs with the Strategy within 30 days after its publication. In addition, under the Innovation Order, the DOE must explore private-sector partnership models for QC-ADDS; the Department of Commerce must develop a related plan; and a national center must be established to assess quantum computing performance.

    Under the Security Order, NIST must initiate a PQC migration pilot; the National Security Agency must submit the first of an annually recurring National Security Systems PQC migration report; Cryptographic Module Validation Program processes must be revised, as appropriate; and the Federal Acquisition Regulatory Council (FAR Council) must publish a proposed rule requiring covered contractors to comply by December 31, 2030, with applicable FIPS incorporating PQC-compliant algorithms.

    A key inflection point for federal contractors, software providers, cloud vendors and regulated entities.

    210 days

    Under the Innovation Order, the Assistant to the President for Science and Technology must recommend a revised National Quantum Initiative Advisory Committee membership list and task the committee with recommendations for stimulating quantum-enabling technologies in the United States.

    May influence future industry engagement and QIST policy direction.

    270 days

    Under the Security Order, the Cybersecurity and Infrastructure Security Agency (CISA), in coordination with NIST, must release public guidance on minimum elements for a cryptographic bill of materials. The FAR Council must publish a proposed rule amending the Federal Acquisition Regulation (FAR) vulnerability disclosure requirements and contract clauses for covered contractors.

    May affect vendor diligence, software inventory, contracting, incident response and vulnerability disclosure programs.

    One year and annually thereafter

    Under the Innovation Order, a report is due on the national security implications of increasing scale and performance of commercial quantum computers, including implications for PQC migration.

    May shape future controls, guidance and national security expectations.

    December 31, 2027

    Under the Security Order, NIST’s PQC migration pilot project must be completed.

    May provide practical implementation lessons for government and industry.

    September 30, 2028

    Under the Innovation Order, the federal government targets fielding at least three prioritized next-generation quantum sensor projects.

    Relevant to defense, national security, sensing, infrastructure and advanced technology companies.

    December 31, 2030

    Under the Security Order, federal high value assets and high impact systems must transition to PQC for key establishment. The FAR Council is directed to propose rules requiring covered contractors to comply by this date with applicable FIPS incorporating PQC-compliant algorithms.

    Important procurement and compliance date for federal vendors and contractors.

    December 31, 2031

    Under the Security Order, federal high value assets and high impact systems must transition to PQC for digital signatures.

    Important for identity, authentication, code signing, transaction authorization and document integrity.

     

    Why private-sector organizations should monitor implementation

    The Security Order does not impose new PQC migration obligations directly onto every private-sector organization. That said, its practical effects may spread through federal procurement requirements, critical infrastructure guidance, vendor contracts, cyber insurance underwriting, customer diligence, rating agency analysis, transaction diligence and board reporting.

    Organizations with material cryptographic dependencies should monitor how agencies implement the June 2026 Quantum Orders, including through NIST guidance, CISA guidance, OMB directives, FAR rulemaking, validation processes and sector-specific engagement.

    For some organizations, implementation of the June 2026 Quantum Orders may also inform governance processes, customer commitments, transaction diligence and risk-factor analysis.

    Selected potential cross-border and investment implications

    The Innovation Order expressly addresses topics like international coordination, strategic markets, capital from like-minded countries, trusted supply chains, investment restrictions, research security, export controls, trade barriers and technology protection. That language should draw attention from investors, startups, universities, multinational companies, strategic acquirers and quantum-enabling technology suppliers.

    QIST and quantum-enabling technologies may increasingly raise issues involving:

    • Committee on Foreign Investment in the United States and foreign investment review, particularly where investors from countries of concern may gain access to sensitive technology, technical information, or governance rights.
    • Export controls, including controls on hardware, software, components, technical data and know-how.
    • Research security, including university collaborations, lab access, personnel screening and data-sharing arrangements.
    • Supply-chain integrity, especially for quantum-enabling components and specialized manufacturing.
    • Sanctions and restricted-party screening, including in cross-border collaborations and sales.
    • Outbound investment restrictions, depending on future regulatory developments and the technologies involved.
    • Critical infrastructure, including the electrical grid, oil and gas facilities and pipelines, transportation systems, and communication systems.

    Practical takeaways for market participants

    1. Brief the board or relevant committee. Provide a balanced overview of quantum risk, QIST-related business opportunity and planned next steps.
    2. Create a cryptographic inventory. Identify where cryptography exists across systems, products, vendors and data flows.
    3. Prioritize long-term sensitive data. Focus first on data that must remain confidential or valuable for years, including customer records, financial data, source code, trade secrets, strategic plans, M&A information and regulated data.
    4. Build flexibility into contracts and technology. Address the ability to update algorithms, replace libraries, rotate keys, update certificates and maintain interoperability.
    5. Update vendor diligence. Add questions about PQC and cryptographic bill of materials to reviews for cloud, cybersecurity, identity, software and critical infrastructure providers.
    6. Monitor FAR rulemaking. Companies that contract with the federal government, or sell to companies that do, should track proposed procurement rules under the Security Order and assess how they may affect product design, pricing, compliance and representations.
    7. Review solicitations and contract terms carefully. Companies that contract with the federal government or fall within the government supply chain should closely review solicitation provisions, contract clauses and government guidance incorporated by reference into binding agreements that may comport with the directives in the June 2026 Quantum Orders. Procuring agencies often include specific terms in solicitations or issue an agency deviation to include requirements prior to promulgation of final FAR rules.
    8. Treat PQC as a multiyear migration program. Assign clear senior-level owners, milestones, budgets and escalation paths.
    9. Include QIST and PQC in M&A and investment diligence. Assess cryptographic inventories, PQC roadmaps, export control exposure, foreign investor rights and dependencies on inflexible cryptographic systems.
    10. Follow NIST, CISA, OMB, the National Cyber Director and the FAR Council. Practical obligations for market participants are likely to develop via guidance, pilots, procurement rules, validation processes and sector-specific engagement.

    What’s next

    Quantum may still feel like the future. But the compliance, procurement, cybersecurity and governance work should begin now. The end goal is not to predict the exact date on which a quantum attack becomes possible. Rather, organizations should build enough visibility, flexibility and governance to respond when customers, regulators, counterparties, or markets ask the tough quantum-related questions.

    For a more detailed discussion of practical implications for financial services firms, fintech companies, digital asset projects, custodians, exchanges, payment providers and market infrastructure providers, see our companion primer, “Quantum Readiness: A Practical Primer for Financial Services and Digital Assets Companies and Projects.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts