Open navigation
Search
Search
All expertise
Explore our breadth of expertise.
Sectors View all
Practice Areas View all
Offices
Discover the scope of our presence in the jurisdiction.
Global Reach
Learn about our capabilities beyond borders.
CMS Portugal
All insights
Leverage our expert analysis, intelligence and thought leadership for your strategic advantage.
Personalised updates
Receive tailored insights and intelligence that apply directly to your business.
Insights by type
CMS News
Stay up to date with our growth, evolution and our many successes.
Contact us
For all general enquiries.
About CMS
CMS Careers

Select your region

International Europe Africa Asia-Pacific The Americas Middle East
English Português
Legal Update

Quantum Computing in Financial Services: Opportunity, Risk and Readiness

24 Mar 2026 International 9 min read

The financial services industry has always been at the forefront of technological adoption, from the early days of electronic trading to the current wave of artificial intelligence. Now, a new technological shift is emerging that promises to fundamentally reshape how financial institutions operate: quantum computing. 

Although commercially viable quantum systems remain some years from widespread deployment (with the so-called “Q-Day” expected in the mid-2030s), quantum computing presents both extraordinary opportunities and significant challenges for firms navigating an increasingly complex regulatory and commercial landscape.

What is Quantum Computing?

At its core, quantum computing represents a fundamentally different approach to processing information. Traditional computers process tasks sequentially and often struggle with problems involving vast numbers of variables. Quantum computers, however, leverage the principles of quantum mechanics to evaluate multiple possibilities simultaneously.

The significance of this capability for financial services cannot be overstated. Financial markets are characterised by extraordinary complexity, with countless interdependent variables shifting in real time. Classical computers, when faced with this complexity, often resort to simplification and assumptions that lead to inaccuracies in modelling and prediction. Quantum computing, by contrast, can better represent the complexity of financial systems, tackling intricate problems in entirely new ways.

Quantum computers are not general-purpose replacements for existing infrastructure. They will work alongside classical systems, deployed selectively for tasks where they offer a material advantage. The strategic question for firms is not whether to adopt quantum wholesale, but where it may deliver genuine value and how to be ready when the technology matures.

Key Opportunities for Financial Services

Three use cases stand out as particularly promising for quantum computing adoption in financial services.

  • Portfolio optimisation: Quantum algorithms offer the potential to evaluate far greater numbers of portfolio combinations simultaneously, potentially delivering better risk-adjusted returns and more dynamic rebalancing – a material advantage for asset managers and the treasury functions of banks and insurers.
  • Fraud detection: Quantum machine learning could enable pattern recognition across vast transaction datasets in near real time, identifying anomalous behaviour more rapidly and accurately than current systems permit.
  • Risk modelling and derivatives pricing: Quantum approaches to Monte Carlo simulation offer efficiency gains for stress testing and derivatives pricing. Models that currently require extensive processing time could run faster and more accurately.

The message for financial institutions is that early engagement matters. Firms that delay risk being poorly positioned to make timely investment decisions. Even those that engage early, however, are likely to find themselves dependent on a small number of dominant technology providers - a concentration risk the sector has already encountered with cloud and AI infrastructure.

Regulatory Stance: Technology Agnosticism Under Pressure

Regulators have historically adopted a technology-neutral approach to financial supervision, focusing on outcomes and risk management rather than the tools used to achieve them. That posture has not been abandoned, but the market is seeing increasingly direct engagement with emerging technologies such as artificial intelligence and quantum computing specifically.

In October 2025, the FCA published a dedicated Research Note examining the potential applications of quantum computing across UK financial services, the first substantive publication of its kind from the regulator. The note is clear that new regulations are unlikely to be required in the near term, given that potential quantum applications intersect with established regulatory themes, including explainability, fairness, operational resilience. It does, however, signal that the FCA intends to be a proactive rather than reactive participant in this transition, and that the Consumer Duty's requirements around explainability and sound decision-making will apply to quantum-powered models just as they do to AI.

In the same month, the Bank of England published its approach to innovation in AI, distributed ledger technology, and quantum computing. The BoE described the three as the cross-cutting technologies it is prioritising for further action, and identified quantum computing as requiring immediate strategic attention, notwithstanding the uncertainty around deployment timelines. Its message to firms is unambiguous: the time to start planning for a post-quantum future is now.

Most recently, in January 2026, the G7 Cyber Expert Group (co-chaired by the Bank of England and the US Treasury) published a coordinated roadmap for the financial sector's transition to post-quantum cryptography. While explicitly non-prescriptive and not constituting formal regulatory guidance, this is a significant document. It represents the collective view of financial authorities across all G7 economies and the EU, and it establishes a shared planning horizon of 2035 for the completion of post-quantum cryptography migration across governmental and private sector financial systems, with critical systems targeted for completion between 2030 and 2032. Firms should expect this non-prescriptive framing to harden over time.

The "Harvest Now, Decrypt Later" Threat

Of all the implications of quantum computing for financial services, the cybersecurity dimension is the most urgent. And the most immediately relevant to firms' operational resilience obligations.

The entire financial ecosystem relies on cryptographic protections that, while robust against classical computing attacks, could be rendered obsolete by a sufficiently powerful quantum computer. Current encryption standards depend on mathematical problems that are computationally infeasible for classical machines. A quantum computer of sufficient capability could break these protections, compromising the confidentiality of everything from interbank messaging to client account access.

Bad faith actors are acutely aware of quantum computing's potential to compromise existing cryptography. The "harvest now, decrypt later" threat, which refers to the practice of intercepting and storing encrypted data today with the intention of decrypting it once quantum capability arrives, is a current-day operational concern. For financial institutions, this means that data compromised today could become readable in the future, with potentially severe consequences for client confidentiality and institutional reputation. The window for orderly transition is finite, and the risk is already in play.

Outsourcing and Third-Party Dimension

CMORG's Guidance for Post-Quantum Cryptography, published in April 2025, highlights the relevance of quantum to third-party reliance in the financial services sector. Financial institutions are heavily dependent on third-party technology providers, and the pace of post-quantum cryptography (“PQC”) readiness among vendors varies significantly. CMORG advises firms to assess vendors' cryptographic protocols, review their PQC migration roadmaps, and consider incorporating quantum-safe requirements into new contracts and service-level agreements.

From a legal perspective, this is not optional. The FCA and PRA outsourcing frameworks require firms to maintain appropriate oversight of third-party arrangements supporting important business services, including the ability to assess and manage operational risk arising from those arrangements. In the EU, DORA imposes specific contractual requirements around ICT third-party risk management, and the ICT Risk Management RTS note the necessity for firms to adopt a flexible approach to deal with emerging cryptographic threats, including quantum. A firm that cannot demonstrate it has assessed its critical vendors' quantum readiness, and taken steps to address gaps, will struggle to satisfy those obligations as supervisory expectations evolve.

The contractual implications are practical and immediate. Existing outsourcing agreements may not require vendors to maintain current cryptographic standards, let alone future quantum-safe ones. Change-in-law and change-in-standards clauses may or may not capture PQC migration obligations depending on how they are drafted. Exit provisions may not adequately protect the firm if a critical vendor fails to migrate within regulatory timelines. These are questions that legal and procurement teams should be working through now in new contracts, in renewals, and in vendor oversight management. 

What Should Firms Be Doing Now?

Helpfully, there is guidance to help financial firms understand what needs to be done now. The National Cyber Security Centre's (“NCSC”) March 2025 guidance on migration timelines sets out a three-phase roadmap for UK organisations: completing a cryptographic inventory and migration plan by 2028; executing high-priority upgrades between 2028 and 2031; and completing migration across all systems by 2035. Regulated sectors, including banking and financial services, are expected to migrate earlier than the general economy, and the scale of the effort means preparatory work is a priority now. The CMORG guidance translates these timelines into practical steps for financial institutions.

Some practical steps for firms to take now are:

  • Cryptographic inventory: Map all cryptographic systems, protocols, and data assets across the enterprise including third-party and legacy systems. This is the foundational step in every piece of authoritative guidance, and the 2028 deadline is closer than it appears.
  • Vendor assessment and contract review: Audit critical technology providers' PQC readiness. Where gaps exist, engage vendors on their migration roadmaps and review whether existing contractual protections are adequate. Incorporate PQC requirements into new contracts, renewals, and SLAs as a matter of course.
  • Governance: The harvest-now-decrypt-later threat should be incorporated into enterprise risk frameworks and reported at board level. Operational resilience scenario testing should consider whether quantum cyber scenarios warrant inclusion in important business services mapping and stress exercises.
  • Regulatory monitoring: Track the evolution of the applications landscape building on the FCA Research Note and the BoE's innovation approach and the cryptography migration guidance from the NCSC, CMORG, and the G7 Cyber Expert Group. The current non-prescriptive framing is likely to harden.

Looking Ahead

The weight of authoritative guidance is now growing, aligned, and increasingly specific. The FCA, the Bank of England, the G7 Cyber Expert Group, CMORG, and the NCSC have all reached the same conclusion: the quantum transition is a present operational and governance responsibility, not a future technology problem.

For financial services firms, the message from an outsourcing and operational resilience perspective is clear: your third-party contracts, your vendor oversight frameworks, and your resilience testing all need to reflect the quantum threat. And they need to start doing so now. The firms best placed to navigate the quantum horizon will be those that have treated it not as a question for the IT department, but as a legal and governance question for the whole organisation.

More insights
Banking & Finance

Explore more

Event Portugal

IP Insights webinar series 2026

28 Apr 2026
Expert Guide International

Real estate finance law in Portugal

22 min read
Publication Portugal

New Legal Framework for the Securitization of Credits

18 Mar 2026 3 min read
Back to top Back to top
Law-Now, RegZone, LEXplicite and Blogtt have moved to CMS.law. Law-Now has moved to CMS.law. RegZone has moved to CMS.law. LEXplicite has moved to CMS.law. Blogtt has moved to CMS.law.
Learn more Learn more Learn more Learn more
If you want to use third party tools, please enable personalisation cookies as part of your cookie preferences. You can change this setting at any time via the button below or in our Cookie Notice.