Split Across the Atlantic: Navigating the EU–US PQC Gap 

How contrasting EU and US accounting and regulatory models are shaping two very different PQC roadmaps for global financial institutions.

It’s the big headache no one wants to admit publicly right now: the EU and the US are approaching post-quantum cryptography (PQC) on different terms – and it’s opening a growing strategic gap. 

In Europe, PQC upgrades can be treated as CapEx thanks to DORA and IFRS. In the US, the same upgrades hit the P&L immediately as OpEx. Same threat. Same technology. Completely different financial reality. 

No surprise this leaves CISOs, CIOs and CEOs stuck between what security teams know needs to happen – and what finance teams feel they can approve. 

So how do you build a viable PQC roadmap when the money works for you in one jurisdiction and against you in another? 

To cut through the noise, we turned to Tim D Williams a leading expert in cryptography, risk and regulatory strategy.  

Here, Tim helps make sense of the EU–US PQC divide — and what leaders can actually do next. 

EU vs US in Banking 

Financial institutions worldwide are preparing for the era of post-quantum cryptography (PQC) — upgrading encryption to resist future quantum attacks. But banks in the EU and the US face very different regulatory and accounting environments for funding these critical upgrades. That disparity is already shaping how fast they move – and how these costs show up on their balance sheets. 

Below, we break down the key differences and why they matter for CISOs and CEOs today. 

EU Advantage: DORA + CapEx Treatment for PQC 

European banks benefit from supportive regulation and accounting standards. The EU’s Digital Operational Resilience Act (DORA) explicitly requires financial institutions to strengthen ICT and cryptography management. To comply with this mandate — including transitioning to quantum-safe algorithms — EU banks can use International Financial Reporting Standards (IFRS) to capitalise PQC investments

Under IFRS, development spending for new technology (like PQC migration) can be classified as an intangible asset, provided it meets certain criteria. In practice, this means EU banks can treat PQC implementation as capital expenditure (CapEx) — recorded on the balance sheet and depreciated over time. 

Why does this matter? 
Capitalising costs avoids a major one-time hit to profit and loss (P&L) statements. Instead, PQC becomes a long-term investment in resilience — strengthening the balance sheet and aligning with EU regulation. 

US Challenge: No Mandate, GAAP = OpEx 

In the US, things look very different. There’s no regulation equivalent to DORA, and Generally Accepted Accounting Principles (GAAP) require most upgrade costs to be expensed immediately — as operating expenditure (OpEx)

As a result, PQC migrations in the US must be recognised in the current period, directly reducing earnings with no future asset recorded. This accounting treatment can discourage early action: security teams know what’s needed, but finance teams see short-term cost spikes. 

As Finance Alliance explains, CapEx builds assets; OpEx cuts straight into operating profits. And when it comes to quantum risk, those delays may prove costly. 

International Banks Can Trial in the EU. US-Only Banks Lag 

For multinational banks, there’s an obvious strategy: start PQC upgrades in EU subsidiaries. EU accounting and compliance incentives make it easier to run early pilots, build internal capability, and refine the roadmap before expanding to US operations. 

That early experience reduces risk and cost when it’s time to scale. But US-only banks miss this opportunity. Without EU operations or a regulatory nudge, they’re more likely to delay — and risk falling behind both technologically and strategically. 

What the US Government Is Doing: Smoothing the Budget Curve 

Even the US government is aware of the challenge. A White House report estimates it will cost $7.1 billion for civilian federal agencies to complete PQC migration by 2035. 

To ease the financial impact, the Office of Management and Budget (OMB) is encouraging multi-year cost smoothing — allowing agencies to spread the expense over four years or more. 

According to R Street Institute, this approach avoids the typical “use it or lose it” mindset in annual budgets. It also sends a signal to the private sector: the cost of inaction will be greater than the accounting discomfort of doing it right. 

Takeaways for CISOs and CEOs 

  • Don’t let accounting rules delay readiness. 
  • Use the EU as a testbed. 
  • Lobby for change. 
  • Think in multi-year phases. 
  • Act before regulators force your hand. 

More reading:

Ready to transform your security approach?

PQC Explained: Read Our Guide Discover Our Platform Free PQC Readiness Assessment