What the New Quantum Executive Orders Mean for Business Leaders

On June 22, 2026, President Donald J. Trump signed two executive orders that aim to accelerate U.S. leadership in quantum computing and secure the nation against advanced cryptographic attacks. These executive orders, which are backed by $2 billion in federal funding, not only accelerate innovation but also reset expectations.

The stated goals — achieving a commercially relevant quantum capability by 2028 and adopting post-quantum cryptography on a compressed timeline — seem straightforward. However, an underlying message emerges: quantum is no longer a distant concern. It is a near-term planning issue for business and technology leaders.

Many organizations, however, are still framing the risk too narrowly.

While much of the conversation focuses on the future possibility of encrypted data being decrypted, the more immediate concern is broader and more disruptive: the potential breakdown of trust across systems, software, and digital infrastructure. This risk may arrive sooner than expected.

A policy shift with real enterprise implications

The recent executive order lays out two key priorities. One aims to speed up the development of quantum computing capabilities, fostering collaboration among government, industry, and research institutions. The other seeks to accelerate the shift to post-quantum cryptographic standards, pushing forward the timeline for securing high-value systems.

These actions collectively represent a concerted effort to both harness the benefits of quantum technology and mitigate its potential risks.

For business leaders, the crucial takeaway isn’t just the technology itself, but the accelerated timeline. The interval between groundbreaking innovation and its real-world impact is rapidly shrinking. What was once considered purely experimental is now moving squarely into the realm of the inevitable.

This transformation will ripple far beyond federal agencies. Much like previous cybersecurity and data protection initiatives, these new expectations will extend into the private sector, driven by regulatory demands, interconnected ecosystem requirements, and evolving customer needs.

Organizations that have not yet begun preparing for this transition should reassess their position. As Protiviti notes in its quantum computing services overview, many leaders still underestimate both the risks to critical business processes and the opportunities tied to quantum-enabled capabilities.

The biggest misconception: focusing on the wrong risk

A common narrative around quantum computing centers on the idea of “harvest now, decrypt later.” This refers to adversaries collecting encrypted data today with the intent to decrypt it once quantum capabilities mature.

That risk is real. However, large-scale data decryption is complex and resource-intensive, making it an unlikely first priority for attackers. Instead, a more immediate concern is the ability to compromise trust mechanisms at scale.

This includes areas such as:

• Code signing
• Digital identities
• Software distribution and update mechanisms

If these controls are undermined, the implications are significant. Malicious code can appear legitimate, evade detection, and propagate quickly across environments. In this scenario, the issue is no longer just protecting data — it is maintaining the integrity of the systems that businesses rely on every day.

That shift — from data risk to trust risk — is where organizations must also focus their attention. What’s more, the executive order on PQC sets a clear deadline: migrating to PQC key establishment by the end of 2030, and to PQC digital signatures by the end of 2031. Since signatures are what make those forgery attacks possible, the executive order grants agencies a bit more time to address what could very well be the initial point of attack.

Why the timeline creates exposure

This executive order certainly speeds things along, but let’s be clear: it doesn’t erase risk. If anything, it might just throw a spotlight on some of the gaps we already have.

The reality is, quantum capabilities could be here sooner than many enterprise roadmaps anticipate. Meanwhile, crucial protections — especially those tied to digital signatures — aren’t even universally mandated until later in the decade.

That leaves us with a definite window of exposure.

If your organization is aligning its response solely with compliance deadlines, you might find yourselves caught off guard should threat capabilities progress faster than expected. The real danger here isn’t just falling behind regulatory requirements; it’s falling behind the attackers themselves.

With that in mind, this executive order isn’t a finish line to cross, but rather a clear signal that it’s time to pick up the pace.

Adoption, not technology, is the real challenge

Post-quantum cryptography is not theoretical. Standards have been established, and many technology platforms have begun incorporating quantum-resistant capabilities.

Yet adoption remains uneven.

Many organizations continue to rely on legacy cryptographic methods. In some cases, this is driven by compatibility constraints. In others, it reflects competing priorities and the perceived complexity of migration.

This creates a persistent gap between what is technically possible and what is operationally implemented.

Protiviti’s post-quantum cryptography assessment highlights the importance of understanding where cryptography is embedded across the enterprise and building “crypto-agility” to adapt as standards evolve.

Closing that gap will require more than incremental change. It will require coordinated action across IT, security, and business teams, along with clear prioritization at the leadership level.

Infrastructure and supply chain risks are closer than they appear

Infrastructure readiness presents another critical challenge. Many enterprise environments contain systems and hardware not built to support post-quantum cryptography. Upgrading these assets can be difficult, leading to persistent vulnerabilities that software adjustments alone cannot fully address.

Simultaneously, organizations rely on intricate supply chains spanning software providers, cloud platforms, and various third-party service providers. Attackers are increasingly likely to target these shared dependencies. A breach within a software update mechanism or a commonly used component could rapidly ripple across numerous organizations.

This elevates the importance of expanding traditional third-party risk management to include:

• Cryptographic dependencies
• Software integrity controls
• Distribution and update processes

In a quantum-enabled threat environment, these areas become central to maintaining trust.

What business leaders should do now

The executive order is not simply a policy directive. It is a market signal. Organizations that respond early will be better positioned to manage both risk and opportunity.

Key actions to consider include:

• Reframe the risk: Move beyond a narrow focus on data confidentiality to the broader perspective of preserving trust. Also prioritize system integrity and trust as core elements of the risk model.
• Inventory exposure: Identify where legacy cryptography is embedded across systems, applications, and third-party dependencies. Focus on long-lived data and high-impact processes.
• Accelerate adoption of post-quantum cryptography: Develop a phased roadmap aligned to emerging standards. Prioritize high-risk areas rather than waiting for enterprise-wide transformation.
• Plan for infrastructure changes: Assess which systems cannot support quantum-resistant approaches and incorporate upgrades or replacements into long-term planning cycles.
• Strengthen supply chain controls: Extend risk management practices to include cryptographic dependencies and software distribution mechanisms.
• Prepare for disruption: The transition to post-quantum security will not be seamless. Organizations should expect forced upgrades, tighter requirements, and potential service impacts as standards evolve.

Looking ahead

Quantum computing is poised to fundamentally reshape both innovation and cybersecurity, and a recent executive order has made that trajectory all the more concrete. Yet, what it doesn’t do is eliminate uncertainty. The precise pace of advancement remains somewhat hazy, and the road to widespread adoption will undoubtedly be uneven. Still, the overall direction is unmistakable.

Organizations that view quantum as a “tomorrow problem” risk being caught entirely off guard. Those that proactively begin addressing trust, infrastructure, and ecosystem dependencies today will find themselves far better positioned to navigate the changes ahead.

The critical question is no longer whether quantum computing will have an impact. Instead, it’s about how swiftly organizations can adapt to this evolving reality — and whether their focus is squarely on the risks that truly matter most.