Quantum computing will not break tax laws — it will break the architecture that sustains them
The global tax system does not operate on paper. For at least two decades, it has operated on digital signatures, device certificates, hash chains, and encrypted transmissions to tax authorities. That infrastructure, invisible to the vast majority of retail executives, is the one that is today technically exposed to a pressure that does not come from regulators or competitors: it comes from a transformation in computing power that could render useless the cryptographic foundations upon which the fiscal trust of the entire system rests.
This is not an abstract threat or the stuff of science fiction. It is a material transition with a time structure that technology teams can no longer ignore. And retail, due to its scale, its transactional speed, and its simultaneous regulatory exposure across dozens of jurisdictions, is the sector where that pressure is going to be felt with the greatest operational brutality.
Fiscal compliance is a cryptography problem before it is a policy problem
Fiscal compliance, in its technical and regulatory sense, is the set of electronic controls that oblige retailers to record transactions in a complete, verifiable, and unaltered manner, generally in real time or with periodic transmission to the tax authority. It works this way in markets as different as Brazil, Serbia, Italy, Poland, Morocco, or Kenya. The underlying mechanism is always the same: a digital signature that certifies that what was recorded was not altered, a certificate that validates that the device that issued it is authorised by the State, and an encrypted channel that protects the transmission to the tax authority.
What makes that architecture possible are public-key algorithms: RSA, ECDSA, Diffie-Hellman. These are the same algorithms that protect e-commerce, banking, and global corporate communications. And they are exactly the ones that Shor's algorithm, executed on a quantum computer of sufficient scale, can break with an efficiency that classical systems cannot match.
The problem is not that quantum computing is powerful in the abstract. The problem is that the curve of progress has accelerated in a measurable way. Google reduced the estimate of physical qubits needed to compromise elliptic curve cryptography — which protects assets like Bitcoin and Ethereum — from approximately ten million to fewer than five hundred thousand. D-Wave announced architectures of more than seven thousand qubits. Google's CEO placed the practical utility of these machines within a window of five to ten years. That, in terms of technology renewal cycles for large retailers with terminal fleets across multiple countries, is not "the future." It is the next investment cycle.
What changes structurally is not that a machine arrives that "hacks everything." What changes is that the trust foundation upon which fiscal evidence rests ceases to be technically sound. A compromised digital signature does not only imply a security vulnerability: it implies that the receipt a tax auditor takes as legal evidence could have been forged without leaving any verifiable trace. And that is not an IT problem. It is a problem of tax law, corporate liability, and exposure to sanctions that in many markets are cumulative per transaction.
Five breaking points that retail does not have on its risk map
There is a difference between knowing that quantum computing exists and understanding exactly where it breaks the logic of a fiscal system. The technical literature identifies at least five zones of exposure, and none of them yet appear in the standard risk reports of large retail operators.
The first is transaction integrity. The most sophisticated fiscal regimes require that every receipt, every accounting entry, and every invoice carries a digital signature certifying its authenticity. If the public-key cryptography underpinning that signature becomes vulnerable, the system loses its ability to distinguish between an authentic document and a fabricated one. This is not a scenario of immediate mass attack: it is a gradual degradation of the reliability of the standard that auditors and courts use as a reference.
The second is device identity. Many fiscal compliance systems validate not only the document, but also its origin: the terminal that issued it must be certified by the tax authority through a device certificate. If that chain of certification can be compromised, the issue is no longer just forging a receipt — it is impersonating an authorised device. An unregistered terminal could operate as if it were fiscally compliant. That opens the door to systemic tax fraud that the current architecture is simply not designed to detect.
The third is transmission to the tax authority. Real-time clearance systems, which represent the direction in which global fiscal compliance is moving, depend on encrypted channels and API authentication. A quantum computer capable of breaking the key-exchange algorithms currently in use could intercept or manipulate that transmission. The roadmap of the United Kingdom's National Cyber Security Centre already sets as an objective the completion of migration to post-quantum cryptography before 2035, with a discovery process beginning in 2028.
The fourth is long-term archiving. Fiscal data in most jurisdictions must be retained for between five and ten years. This activates the problem that specialists call "harvest now, decrypt later": malicious actors who today lack the capacity to decrypt the files they have captured, but who store them knowing that at some point in the coming years they will have that capacity. This is not a future threat: it is an active practice documented by intelligence agencies and cybersecurity bodies. The fiscal records being generated today are already susceptible to this type of attack.
The fifth is QR code verification. Several fiscal compliance systems, especially in emerging markets, expose the chain of trust directly to the consumer or the auditor through a QR code that links to a verifiable signature. If that signature rests on a compromised algorithm, the QR code loses its legal value — not its physical existence. The code remains readable, but the verification it produces is no longer reliable.
None of these five points implies that the fiscal system will collapse tomorrow. What they do imply is that the architecture currently sustaining the legal validity of millions of daily transactions has a technical expiration date that shortens as quantum hardware advances.
The migration that nobody is planning yet
The United States National Institute of Standards and Technology published in 2024 its first three finalised standards for post-quantum cryptography. That means that replacement algorithms exist, are ready, and can be implemented. The question is no longer whether technical alternatives exist: they do. The question is who is going to absorb the cost, the complexity, and the time of a migration that for global retail means something very specific.
Large retail operators do not face one migration. They face many. Every jurisdiction in which they operate has its own fiscal compliance regulatory framework, its own device certification requirements, its own validation bodies, and its own transition timelines — timelines that do not yet exist because no government has issued a mandate for post-quantum migration in fiscal systems. That means that when the mandate arrives, it will not arrive synchronised. It will arrive in stages, with different deadlines in Brazil, in Italy, in Serbia, in Mexico, in Nigeria. And terminal manufacturers, fiscal software vendors, and systems integrators will have to respond to all of those requirements in parallel.
The operational burden of that situation is disproportionate for operators with presence across many markets simultaneously. A retailer with operations in twenty countries will need to coordinate the renewal of device certificates, the updating of cryptographic libraries, validation with local tax authorities, and the migration of historical archives — all within regulatory windows that will not be aligned with one another.
What is technically called "cryptographic agility" — the capacity of a system to change algorithms without replacing the entire underlying infrastructure — ceases to be an advanced architecture concept and becomes a basic operational necessity. Fiscal systems that today are built as monolithic blocks, where business logic and the cryptographic trust layer are tightly coupled, are going to be significantly more difficult and costly to migrate. Those that have a clean separation between the two layers will have a structural advantage that does not appear in any current KPI, but that over an eight-to-twelve-year horizon could represent the difference between a manageable migration and a compliance crisis.
There is an additional factor that worsens the situation for retail in particular: post-quantum algorithms generate signatures and certificates of a larger size than their current equivalents. In high-volume transactional systems, this is not a minor technical detail. It can affect terminal latency, the bandwidth of transmissions to the tax authority, and the storage capacity of long-term archives. The cost of migration is not measured only in engineering hours: it is also measured in infrastructure redesign and possibly in next-generation hardware for certified terminals.
What breaks before the tax law does
The most precise observation that emerges from this analysis is not that quantum computing is going to change tax laws. Laws do not operate at the level of algorithms. What operates at that level is the technical architecture that makes laws executable and verifiable.
And that architecture has a characteristic that makes it particularly fragile in the face of this transition: it was designed under the implicit assumption that the public-key cryptography underpinning it is practically inviolable within relevant time horizons. That assumption is being revised. Not due to regulatory whim or product innovation, but because quantum physics is advancing along a curve that fiscal certification systems did not anticipate and for which they have no established adaptation mechanisms.
The inflection point will not be the moment when a quantum computer breaks a fiscal signature in a spectacular attack. It will be the moment when a regulatory body, a court, or an auditing agency decides that the cryptographic standards currently in use are no longer sufficient to guarantee the integrity of fiscal evidence. That moment could arrive before the technology that justifies it does, because regulation frequently anticipates risks when the costs of failing to do so become politically unsustainable.
For retail executives with fiscal exposure across multiple markets, the strategic question is not when a sufficiently powerful quantum computer will arrive. The question is whether their fiscal compliance architecture can change its cryptographic layer without operationally collapsing. That answer, today, the majority of them do not have.
