Faculty of law blogs / UNIVERSITY OF OXFORD

Quantum Computing as a Service in Finance: Standards and Contracts as Proof of Control

Author(s):

Julien Chaisse
Professor of Law at the School of Law, City University of Hong Kong
Dyuti Pandya
Analyst at the European Centre for International Political Economy (ECIPE)

Introduction: QCaaS makes Quantum a Third-Party Governance Problem

Quantum tools are beginning to move from experiments into ordinary financial workflows—pricing, optimisation, fraud detection, and (in time) trading and risk. But practical access to quantum computing is unlikely to come through infrastructure controlled by banks and market firms. It will come through vendor-controlled, cloud-hosted stacks sold as ‘quantum computing as a service’ (QCaaS), bundled with proprietary toolchains.

The key legal risk is not a gap in ‘quantum law’. It is the difficulty of meeting existing duties when a critical layer of the stack is opaque, non-portable, and hard to audit, reproduce, or independently verify. This is why standards (auditability, interoperability, exit readiness)—and the contracts that make them real—matter more than bespoke new rules.

Existing Duties Already Apply: DORA, Outsourcing Rules, and Operational Resilience

QCaaS raises familiar legal questions: who is accountable for ICT risk, how a firm evidences control over outsourced technology, and whether it can continue delivering important services when a third party fails. In the EU, the starting point is the Digital Operational Resilience Act (DORA) (Regulation (EU) 2022/2554), applicable since 17 January 2025. It requires a governance framework for ICT risk, oversight of ICT third-party service providers (including a register of information on contractual arrangements), and credible exit planning and testing. In the UK, parallel expectations arise under the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) outsourcing and third-party risk regimes (including PRA Supervisory Statement SS2/21) and the operational resilience framework built around mapping dependencies, scenario testing, and impact tolerances. The core requirement of that framework, to be able to remain within impact tolerances, applied in full from 31 March 2025.

If QCaaS affects execution quality, risk controls, or market conduct outcomes, the ‘systems and controls’ logic is not new either. MiFID II already treats algorithmic trading as an area where firms must have robust governance, testing, monitoring, and change controls; RTS 6 is a concrete hook for record-keeping and control expectations in automated workflows. UK regulators have also repeatedly scrutinised algorithmic trading compliance in supervisory work. In sum, the existing legal framework already pushes firms towards demonstrable control over complex, technology-driven processes.

Post-Quantum Cryptography: The Near-Term Compliance Test Case

Cryptography is the fastest path by which ‘quantum’ becomes a day-to-day compliance problem. A sufficiently capable quantum computer running Shor’s algorithm would break the public-key algorithms in widespread use (RSA, Diffie–Hellman and elliptic-curve schemes such as ECDSA), and financial systems depend on them for authentication, transaction integrity, secure communications, and regulatory reporting. Symmetric ciphers and hash functions are affected far less and can generally be retained at larger key and output sizes. Firms do not need quantum hardware to start responding, and they cannot wait for it: encrypted traffic captured today can be stored and decrypted later, and signatures that must remain verifiable for years will eventually become forgeable. Post-quantum cryptography (PQC) is a transition strategy: replacing vulnerable algorithms with quantum-resistant ones while maintaining operational continuity, which in practice means inventorying where and how cryptography is used, building ‘crypto-agility’ so that algorithms can be swapped without redesigning systems, and migrating the most exposed systems first.

Here, standards and timelines are rapidly becoming concrete. In August 2024, the US National Institute of Standards and Technology approved three initial PQC standards: FIPS 203 (ML-KEM, a key-encapsulation mechanism), FIPS 204 (ML-DSA) and FIPS 205 (SLH-DSA), the latter two being digital signature schemes. The UK National Cyber Security Centre has published migration guidance with milestones for 2028 (discovery of cryptographic dependencies and an initial migration plan), 2031 (highest-priority migrations complete) and 2035 (migration complete). And in January 2026, the G7 Cyber Expert Group issued a roadmap for a coordinated transition to PQC in the financial sector. These signals matter legally because they make ‘anticipatory governance’ operational: they create reference points for supervisory planning, procurement requirements, audit programmes, and (eventually) enforcement arguments about what ‘reasonable steps’ looked like at a given time.

The EU’s broader cybersecurity agenda is also beginning to name PQC explicitly. The European Commission’s January 2026 proposal to amend NIS2 (COM(2026) 13 final) would require Member States to adopt national policies for the transition to PQC as part of national cybersecurity strategies. For financial institutions, this does not replace DORA; it reinforces the direction of travel: crypto-agility and migration planning are moving from ‘good practice’ to ‘expected practice’.
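The ‘crypto-agility’ referred to above is a design property rather than an algorithm: each signed artefact carries an identifier of the algorithm that produced it, verifiers dispatch on that identifier, and a dated policy governs which algorithms may still sign and which may still verify, so that a legacy scheme can be retired without invalidating the records signed under it. The following Python example, added here and not taken from the blog post or from any standard, shows that mechanism end to end: it signs a constructed trade report under a legacy algorithm, re-signs it under a successor during the transition window, and demonstrates the legacy signature being refused after the policy cut-off and a tampered payload being rejected. Both algorithms are stand-ins chosen so that the code runs on the standard library alone: HMAC-SHA256 plays the classical scheme being retired, and a Lamport one-time hash-based signature plays a standardised hash-based scheme. The algorithm identifiers, the policy dates and the sample payload are assumptions, not identifiers or deadlines taken from FIPS 203/204/205 or the NCSC guidance.

```python
"""Crypto-agile signature envelope with a dated migration policy (added example).

Every signed artefact records its algorithm, verification dispatches on that
identifier, and a policy table says per date whether an algorithm may still
sign or still verify.  Both algorithms are STAND-INS so this runs on the
standard library alone: "legacy-hmac" (HMAC-SHA256) plays a classical scheme
being retired and "lamport-sha256" (a Lamport one-time hash-based signature)
plays a standardised hash-based scheme.  Names and dates are assumptions.
"""
import datetime as dt
import hashlib
import hmac
import json
import secrets

def _bits(msg):
    # The 256 bits of SHA-256(msg), most significant bit first.
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

# Stand-in 1: HMAC-SHA256 (symmetric, so signing and verifying key coincide).
def hmac_keygen():
    key = secrets.token_bytes(32)
    return key, key
def hmac_sign(sk, msg):
    return hmac.new(sk, msg, "sha256").digest()
def hmac_verify(vk, msg, sig):
    return hmac.compare_digest(hmac.new(vk, msg, "sha256").digest(), sig)

# Stand-in 2: Lamport one-time signature over SHA-256.
def lamport_keygen():
    # 256 pairs of 32-byte secret preimages; the public key is their hashes.
    sk = [[secrets.token_bytes(32), secrets.token_bytes(32)] for _ in range(256)]
    vk = [[hashlib.sha256(x).digest() for x in pair] for pair in sk]
    return sk, vk
def lamport_sign(sk, msg):
    # One preimage per message bit.  A Lamport key may sign ONCE: a second
    # message under the same key reveals preimages an attacker can reuse.
    return b"".join(sk[i][b] for i, b in enumerate(_bits(msg)))
def lamport_verify(vk, msg, sig):
    if len(sig) != 256 * 32:
        return False
    return all(hashlib.sha256(sig[32 * i:32 * i + 32]).digest() == vk[i][b]
               for i, b in enumerate(_bits(msg)))

ALGORITHMS = {  # alg id -> (keygen, sign, verify)
    "legacy-hmac":    (hmac_keygen, hmac_sign, hmac_verify),
    "lamport-sha256": (lamport_keygen, lamport_sign, lamport_verify),
}
POLICY = {  # assumed dates for illustration; None means no end date
    "legacy-hmac": {"sign_until": dt.date(2028, 12, 31), "verify_until": dt.date(2031, 12, 31)},
    "lamport-sha256": {"sign_until": None, "verify_until": None},
}

def policy_allows(alg, action, today):
    """action is 'sign' or 'verify'; unknown algorithms are never allowed."""
    limit = POLICY.get(alg, {}).get(action + "_until", dt.date.min)
    return limit is None or today <= limit

def sign_envelope(alg, sk, payload, today):
    if not policy_allows(alg, "sign", today):
        raise ValueError(f"policy forbids signing with {alg} on {today}")
    sig = ALGORITHMS[alg][1](sk, payload)
    return json.dumps({"alg": alg, "payload": payload.hex(), "sig": sig.hex()})

def verify_envelope(envelope, verifying_keys, today):
    """Return (ok, reason): dispatch on the recorded alg, then apply policy."""
    env = json.loads(envelope)
    alg = env.get("alg")
    if alg not in ALGORITHMS:
        return False, "unknown algorithm"
    if not policy_allows(alg, "verify", today):
        return False, f"{alg} no longer accepted"
    ok = ALGORITHMS[alg][2](verifying_keys[alg], bytes.fromhex(env["payload"]),
                            bytes.fromhex(env["sig"]))
    return ok, "ok" if ok else "bad signature"

def migrate_envelope(envelope, verifying_keys, new_alg, new_sk, today):
    """Re-sign a still-verifiable artefact under the successor algorithm."""
    ok, reason = verify_envelope(envelope, verifying_keys, today)
    if not ok:
        raise ValueError(f"refusing to migrate: {reason}")
    payload = bytes.fromhex(json.loads(envelope)["payload"])
    return sign_envelope(new_alg, new_sk, payload, today)

def demo():
    """Walk one constructed artefact through the assumed transition window."""
    keys = {alg: ALGORITHMS[alg][0]() for alg in ALGORITHMS}
    vks = {alg: keys[alg][1] for alg in ALGORITHMS}
    payload = b"trade-report;ISIN=XX0000000000;qty=100"  # constructed sample
    old = sign_envelope("legacy-hmac", keys["legacy-hmac"][0], payload, dt.date(2027, 3, 1))
    d29, d32 = dt.date(2029, 6, 1), dt.date(2032, 1, 1)
    new = migrate_envelope(old, vks, "lamport-sha256", keys["lamport-sha256"][0], d29)
    tampered = dict(json.loads(new), payload=(payload + b"0").hex())
    return {
        "old_ok_2029": verify_envelope(old, vks, d29)[0],
        "old_ok_2032": verify_envelope(old, vks, d32)[0],
        "new_ok_2032": verify_envelope(new, vks, d32)[0],
        "tampered_ok": verify_envelope(json.dumps(tampered), vks, d32)[0],
        "legacy_may_sign_2029": policy_allows("legacy-hmac", "sign", d29),
    }
```

Two points carry over to a real deployment. First, the registry would map identifiers to implementations of the standardised schemes from a vetted library rather than to stand-ins, and the Lamport key reuse warning in the code illustrates why hash-based schemes need stateful or stateless key management rather than ad hoc handling. Second, the policy table is exactly the kind of dated, reviewable artefact the text calls ‘proof of control’: it records when the firm stopped issuing legacy signatures and when it stopped accepting them, which is what a supervisor or auditor will ask to see.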

Standards as a Legal Mechanism: ‘Proof of Control’ and ‘Reasonable Steps’

Financial regulation is typically technology-neutral and principle-based: it sets obligations (resilience, governance, accountability) without prescribing a single technical implementation. Supervisors, auditors, and courts therefore look for evidence that a firm remained in control and took reasonable steps: documented risk decisions, reproducible testing, audit trails, incident forensics, and credible exit readiness. In practice, standards are the common yardstick used to judge whether those duties have been met. They translate high-level legal obligations into measurable controls and artefacts.

That translation is essential when the quantum layer sits outside the firm. QCaaS offerings can be tightly coupled to proprietary interfaces, versioning, hardware access policies, and vendor-specific ‘black box’ components. Without agreed standards for documentation, benchmarking, and interoperability, firms struggle to contest performance claims, validate outputs, or demonstrate governance over model lifecycle and change management. More importantly, they struggle to prove they can switch providers or fall back to classical alternatives without breaking critical services—a key operational resilience question.

This is also where ‘standards’ should be read broadly. Technical standards can specify formats, performance benchmarks, logging requirements, and cryptographic profiles. Management and assurance standards (and sector guidance) can define what good documentation, validation, monitoring, and change control look like. The legal mechanism is the same: standards create the evidence a firm needs to show (to supervisors and, if necessary, courts) that it exercised effective oversight of a vendor-controlled stack.

Contracting for QCaaS: Clauses that Operationalise Standards

Because QCaaS concentrates control in the provider, a standards-first approach only works if contracts force the production of auditable artefacts. QCaaS pilots should therefore be ‘contractually governable’. A practical minimum checklist reads like clause headings, each tied to the evidence the firm will later need to show:

  • Audit, access, and evidence preservation (retention of job submissions, toolchain and hardware versions, and results, so that an output can be reproduced and examined after the fact)
  • Validation and change governance, including advance notice of changes to the provider’s stack, re-validation rights, PQC migration commitments and ‘crypto-agility’
  • Subcontracting and supply chain transparency (who operates the hardware, the hosting layer and the toolchain, and what the firm is told when that changes)
  • Interoperability and benchmark rights (documented formats for job definitions and results, and the right to benchmark against other providers and classical alternatives)
  • Exit and portability (return of data and artefacts in a usable form, and a tested fallback to classical processing that keeps important services within impact tolerances)

Conclusion: Making QCaaS Governable Under Existing Duties

Quantum finance does not need a bespoke ‘quantum rulebook’ to become governable. It needs standards and contracts that make existing operational resilience, third-party risk, and model governance duties auditable—especially when the quantum stack sits outside the firm. If firms cannot port, reproduce, and evidence control, they will not be able to claim compliance, no matter how promising the technology.

 

Julien Chaisse is a Professor of Law at the School of Law, City University of Hong Kong. 

Dyuti Pandya is an Analyst at the European Centre for International Political Economy (ECIPE).