The German Federal Ministry for Research, Technology and Space (BMFTR) published the funding directive for its Quantum Computing Competition on April 7. The program funds industry-led consortia to build error-corrected quantum computers by 2030, with project outlines due May 11. Funding per consortium reaches €20M for R&D and uncapped amounts for pilot fabrication infrastructure. The state aid ceiling under EU rules is €55M per company.
Three hardware platforms are funded: superconductors, neutral atoms, and trapped ions. The ministry states openly that it does not know which platform will dominate by 2030. All three receive parallel investment.
The technical specifications in the directive deserve close reading.
The numbers
Each platform has distinct end-of-project targets. The neutral atom track requires 4,000 addressable physical qubits and 50 logical qubits with a two-qubit gate error rate of 0.01% on logical qubits. Trapped ions must reach 1,000 physical qubits and 50 logical qubits at the same error rate. Superconductors target 300 physical qubits and two logical qubits.
Every project must demonstrate a universal logical gate set and run a quantum Fourier transform benchmark using logical qubits at project end. A midpoint evaluation at month 30 serves as a kill switch: miss the milestones and the funding stops.
The entry bar is already high. Applicants must demonstrate 24 addressable qubits with 99.5% two-qubit gate fidelity before the project starts. This is not a basic research program. The directive’s full title is “Mission-Driven Hardware Competition: Error-Corrected Quantum Computing with Pilot Production Lines.” The “From Lab to Fab” framing is explicit.
Why neutral atoms matter for cryptography
The 4,000 neutral-atom qubit target sits on a trajectory that leads directly to cryptographically relevant quantum computing (CRQC).
The Oratomic/Caltech paper published in January 2025 estimated that approximately 26,000 neutral-atom qubits could break ECC-256 within hours. That estimate assumed error rates and architectures consistent with the trajectory the QCC is now funding. A German-funded consortium hitting 4,000 error-corrected neutral-atom qubits by 2031 puts the hardware roughly one scaling step away from threatening the elliptic curve cryptography that protects most TLS sessions today.
As previously covered on this blog, ECC breaks before RSA under quantum attack. The asymmetry is structural: Shor’s algorithm requires fewer qubits to solve the elliptic curve discrete logarithm problem than to factor RSA keys of equivalent classical security. Organizations that modernized their cryptography most recently, migrating from RSA to ECC for performance and key size advantages, moved toward the vulnerability, not away from it.
What the government is not saying
Federal Research Minister Dorothee Bär’s press statement frames quantum computing as a tool for drug development, traffic optimization, and machine learning. The word “cryptography” does not appear. Neither does “security.”
This is standard for government quantum announcements worldwide. The applications cited are always constructive. The cryptanalytic implications are left unstated. The same hardware that optimizes logistics also runs Shor’s algorithm.
The directive itself is more revealing. It funds “pilot production lines” and requires applicants to build intellectual property portfolios. It mandates that results be exploited only within the EU/EEA and Switzerland. It structures the competition as an industrial capability-building exercise, complete with manufacturing infrastructure. Governments do not build Pilotlinien for science experiments. They build them for technologies they intend to deploy.
The timeline compression
Germany is not alone. Google has set a public 2029 target for a commercially useful quantum computer. The UK-Germany bilateral quantum funding call closes April 15. China’s neutral atom programs continue to advance. Each announcement compresses the timeline that defenders have to complete PQC migration.
The binding constraint is not when a cryptographically relevant quantum computer arrives. The binding constraint is how long migration takes. Large organizations with thousands of endpoints, embedded devices, legacy protocols, and certificate chains measured in years cannot migrate overnight. The false floor series on this blog has documented the gap between what infrastructure claims to support and what it actually negotiates. That gap is the attack surface that harvest-now-decrypt-later exploits today, regardless of when CRQC hardware ships.
What this means
The QCC directive is a primary source document from a G7 government committing public funds to accelerate the exact hardware platform that threatens ECC first. The neutral atom targets align with the Oratomic/Caltech CRQC estimates. The timeline is 2030. The manufacturing infrastructure is being funded alongside the R&D.
Organizations still treating PQC migration as a 2030s problem should note that the governments funding quantum hardware are targeting 2030 as the delivery date, not the start date. By 2030, the funded consortia are expected to have functioning error-corrected machines with demonstrated logical qubit operations.
[PQ]probe captures external cryptographic posture across 20+ protocols. The output shows which endpoints negotiate ECC key exchange, which have migrated to hybrid PQC, and which remain fully classical. That distinction now maps directly to a threat sequencing question: ECC-protected systems sit in the nearer window.