How quantum technologies impact due diligence, deal strategy and risk allocation in M&A and strategic investments.
Quantum technologies are moving from research labs into commercially and strategically significant territory, with public and private investors increasingly confident that quantum technology companies will generate measurable value. A recent McKinsey study[1] found that global public and private sector investments in quantum startups totalled $2 billion in 2024, a 50% increase year-on-year. The same study estimates that the three core pillars – quantum computing, quantum communication, and quantum sensing – could generate up to $97 billion in revenue worldwide by 2035 and up to $198 billion by 2040. This growth is likely to drive significant M&A activity over the coming years alongside a pipeline of quantum IPOs.
For dealmakers, quantum creates both compelling opportunities for value creation and a new category of long-tail risk that traditional M&A frameworks are not yet fully designed to address. This is important since quantum-related issues are not limited to “deep tech” deals, but may be relevant in any transaction involving sensitive data, long-term confidentiality obligations, regulated customers, or critical infrastructure.
This blog post addresses four practical issues: (1) how quantum changes cyber risk in deals, (2) what “quantum‑infused” cyber due diligence should cover, and how to allocate quantum cyber risk contractually, (3) what to look out for when diligencing quantum businesses, and (4) key takeaways for dealmakers.
Long-term cyber deal risks and cyber resilience
Alongside opportunity, quantum introduces a new and often underappreciated risk: “Harvest Now, Decrypt Later” (HNDL).
Adversaries can already collect encrypted data today – contracts, IP, trade secrets, personal data – with the expectation that it may be decrypted in the future once sufficiently powerful quantum computers exist. For data with long confidentiality lifespans, this is not a hypothetical concern but a present-day exposure, as highlighted in our first blog post in this series (Quantum | Freshfields).
In an M&A context, this matters because past breaches may become future liabilities or vulnerabilities. Data extracted years before an acquisition may only become readable after the deal has closed, potentially turning an incident that was previously unknown into a legal, regulatory or reputational issue for the buyer. Traditional data due diligence focuses on known vulnerabilities and past incidents. HNDL risk challenges these assumptions because its threat has a delayed impact.
Even where the target company is not a quantum business, diligence should consider quantum-related risks, particularly those relating to cybersecurity that could affect the target’s value. Governments and national cybersecurity centres in the US, UK, Australia and the EU have published post-quantum cryptography (PQC) roadmaps and are urging early migration planning, which affects compliance and integration obligations for target companies’ cyber resilience programmes.
Due diligence should therefore examine how the target protects its data and whether it has begun planning (or executing) a transition to PQC. A company that ignores the quantum threat may soon be seen as not implementing adequate data protection measures, in particular in data-sensitive sectors such as healthcare, finance or defence. Therefore, cybersecurity due diligence must be forward-looking, assessing whether the company’s data would remain secure in a post-quantum scenario. If the value of a target lies heavily in long-term confidential data, the buyer might insist on the target implementing certain cryptographic upgrades pre-closing, or factor in the cost of doing so after closing.
Regulators are also taking a growing interest in quantum technologies. As of today, the EU, the UK and the US classify certain quantum technologies as strategically sensitive given their dual-use potential. As a result, certain foreign investments and exports in quantum technologies are subject to investment and export controls and generally require prior authorisation. You will find details about how government support for “quantum champions” interacts with FDI screening, export controls and sovereignty-sensitive investments in our next blog post in this series.
Quantum-infused due diligence
Against this background, quantum-aware due diligence needs to go beyond standard technology and cyber checklists. All tech M&A deals where value is driven by long-term confidential data, critical infrastructure or strategically sensitive technologies should address four key areas:
- Cryptography and data inventory: Does the target have a complete inventory of cryptographic assets? What categories of data require long-term confidentiality?
- PQC strategy and implementation: Is there a documented plan to migrate to PQC? How is that plan being implemented and monitored?
- Incident history and monitoring: Have there been incidents involving large-scale data exfiltration, even if the data is believed to remain encrypted? How does the target monitor for, and respond to, potential HNDL‑type activity?
- Regulatory and export control aspects, especially for quantum businesses: Does the target business rely on export-controlled technology?
Deal strategy and risk allocation
Quantum risk will often be difficult to fully predict or insure, so a layered set of contractual tools can help to allocate risks.
- Representations and warranties
Even with rigorous due diligence, it can be challenging to confirm that a target is free from incidents compromising data security. Buyers should therefore seek protection through comprehensive cybersecurity representations and warranties confirming, at minimum, that the target has implemented reasonable security measures and maintains up-to-date security policies and procedures. In quantum-exposed deals, this can be extended to include quantum readiness, such as following PQC roadmaps, especially in data-sensitive areas. Given the long-tail nature of quantum cyber risk and the potential delay in detecting HNDL-related exposures, buyers should also consider negotiating longer survival periods for key cybersecurity warranties, where appropriate.
Buyers may in addition seek knowledge-qualified representations that the target is not aware of data leaks or other indicators suggesting that its data is likely to have been an HNDL target, recognising that definitive proof may not be available until quantum-enabled decryption becomes feasible (expected by some sources around 2035).
- MAC / material adverse change
A cyberattack occurring between signing and closing – especially one exposing long-term confidential data – could represent a material adverse change (MAC) in the target’s business. Parties may want to consider whether quantum-relevant cyber incidents should be expressly addressed in MAC definitions or carve-outs.
- Additional covenants
If due diligence reveals shortcomings in the PQC migration process, the target could be obliged by a covenant to implement and monitor further PQC measures, both before and after the closing date.
- W&I / R&W insurance
Representations and warranties (R&W) insurance may ultimately expand to cover quantum-related risks, much as cyber insurance coverage has evolved over the past few years. In practice, insurers typically condition coverage for cyber-related warranties on dedicated cyber due diligence. A similar development may emerge for quantum risks, with coverage depending on targeted technical due diligence around HNDL risks, cryptographic inventories and PQC migration plans. If so, “quantum diligence” could become a distinct workstream alongside the buyer’s traditional tech review.
Taken together, these tools enable buyer and seller to allocate quantum-related risks – including HNDL, PQC transition risk and IP deficiencies – in a more predictable way.
In addition, businesses investing in the quantum sector itself should pay particular attention to:
- IP and freedom to operate
When acquiring a quantum business, robust IP representations regarding ownership, sufficiency, completeness and freedom to operate are essential. This is important in all tech M&A deals, but even more so for quantum businesses given the surge in patent registrations relating to quantum computing, particularly in the US, China and Europe. These filings have been led by a relatively small number of leading global quantum technology companies, resulting in a rapidly evolving and concentrated patent landscape.
- Key employees
Retaining key employees and their knowledge is particularly important since quantum know-how is specialised, and key roles may be difficult to replace. Buyers need to identify critical employees early in the process and focus on ensuring retention, e.g. by revising employment agreements and offering attractive incentivisation packages.
Conclusion
As quantum innovations move forward, dealmakers must develop a quantum-informed approach to identify and allocate risks in M&A deals and investments. In practice, this means:
- Early regulatory analysis for quantum-focused businesses: Start FDI and export control assessments early and flag any quantum or data-sensitive exposures.
- General cyber due diligence upgrade: Update diligence checklists to include HNDL risk, PQC migration, cryptographic inventories and compliance with national and international quantum cyber guidelines.
- Contractual protections: Discuss targeted representations and warranties (with longer-tail survival periods, where appropriate), specific MAC wording, covenants and, where relevant, indemnities dealing specifically with quantum and cyber risks.
- Integration planning: Make PQC readiness, export compliance, and retention of employees with quantum know-how integration priorities.
By embedding these priorities into their deal strategy, buyers and investors can position themselves to capture the opportunities while minimising risks created by quantum technologies.
