Governance — sovereign control, EU compliance, security clearance

Why governance is an engineering problem, not a policy afterthought

A 100-qubit superconducting transmon machine sitting on Irish soil is not a piece of cloud infrastructure with a flag painted on it. It is a physical artefact: a dilution refrigerator pulled to roughly 10–15 mK, a chip carrier with fixed-frequency or tunable transmons coupled in a heavy-hex lattice, microwave control electronics in the 4–8 GHz range, and a software stack that compiles user circuits down through pulse-level OpenPulse instructions to AWG hardware. Every one of those layers is a governance surface. Who can read the calibration data? Who can submit a circuit? Who can change the readout discriminators? Who can take a snapshot of the qubit Hamiltonian parameters and walk out the door with it?

Sovereign quantum policy is the discipline of answering those questions in writing, and then enforcing the answers in silicon, in firmware, and in the access-control plane. For Ireland Quantum 100 the answer starts with the basic premise: the machine is owned, operated, and physically located in Co. Tipperary, under Irish law, with EU regulatory alignment on top. That premise is what makes everything below tractable.

Sovereign control: what it actually means at the cryostat

Sovereign control is not a marketing word. It is a set of concrete properties that have to hold simultaneously:

• Physical custody. The dilution unit, the magnetic shielding, the room-temperature electronics rack and the qubit packaging all live inside an access-controlled hall in Tipperary. No remote hardware reset path exists outside the building.
• Calibration sovereignty. Daily calibration produces a large body of derived data — qubit frequencies, T1/T2 distributions, single-qubit gate fidelities, two-qubit CR or iSWAP gate fidelities, readout assignment matrices. This data is a fingerprint of the chip and stays inside the Irish boundary.
• Compilation sovereignty. The transpiler stack — Qiskit, PennyLane, Cirq frontends mapped through our pulse-level backend — runs on Irish-hosted infrastructure. User circuits are not round-tripped through a foreign cloud to get scheduled.
• Key sovereignty. Identity, signing keys, and audit logs sit in HSMs under Irish jurisdiction. There is no offshore root of trust.

The reason these have to hold together is that breaking any single one collapses the others. If your calibration telemetry leaks, an adversary can reconstruct your gate set and your error model, which is half of the work needed to forge a job result. If your transpiler is foreign-hosted, your circuit IP is foreign-hosted. Sovereign quantum is a system property, not a checkbox.

EU compliance: GDPR, NIS2, AI Act, and the Dual-Use Regulation

Quantum EU policy is still being written, but the surrounding regulatory frame is already binding. The relevant instruments for a machine like this are:

• GDPR. Climate-relevant protein folding and any biomedical-adjacent chemistry workload can pull in data that touches Article 9 special categories. Workload intake has to classify and segregate.
• NIS2. A sovereign compute facility serving research and industrial users falls inside the essential-services scope. That drives 24-hour incident reporting, supply-chain due diligence on the cryogenic and microwave vendors, and board-level accountability for cyber risk.
• EU AI Act. Variational quantum algorithms that train classical surrogate models for, say, grid optimisation can become components inside high-risk AI systems. The compute provider has obligations to the system integrator on logging and traceability.
• Regulation (EU) 2021/821 — Dual-Use. Quantum computing hardware and certain cryogenic components are listed. Export, re-export, and even some forms of remote technical assistance are controlled.

The engineering response is to bake compliance into the job-submission API, not to bolt it on at the contracts desk. Every submitted circuit gets a workload class, a data-classification tag, a residency tag, and a signed user identity. Every shot returned carries a provenance record that survives downstream re-use. If a researcher publishes a paper using results from the machine, the provenance chain back to the calibration snapshot of that day is reproducible.

Quantum security clearance: tiering users and workloads

Not all users need the same access, and not all qubits need the same isolation. We are operating a tiered clearance model that maps cleanly to the underlying hardware reality.

Tier 0 — Open research

Academic users running standard benchmarks, VQE on small molecules, QAOA on toy graphs. Shared queue, public calibration data, results published by default. This is the bulk of the early-access cohort.

Tier 1 — Industrial climate workloads

Chemistry workloads on carbon-capture amines, perovskite photovoltaic candidates, solid-state electrolyte screening for batteries. Reserved time slots, NDA-bound results, but shared physical hardware. Logical isolation is enforced at the scheduler.

Tier 2 — Sensitive workloads

Vetted users only, background-checked operators on shift, dedicated calibration windows so that the chip parameters during the job are not co-observed by Tier 0 users. The clearance process here is real Garda vetting plus EU-level checks where the user is non-Irish.

Tier 3 — Reserved

State or critical-infrastructure workloads. Air-gapped submission path, no internet-facing endpoint, results couriered. We do not expect heavy Tier 3 traffic in the first year of operation, but the path exists.

The point of tiering is that it lets us run an open scientific facility and a credible secure facility on the same physical machine without the two contaminating each other. The cost is scheduler complexity and a stricter calibration discipline.

Auditability and the provenance chain

A quantum result without provenance is folklore. For every job we retain: the OpenQASM 3 source, the transpiled pulse schedule, the calibration snapshot ID, the chip ID, the firmware version of the control electronics, the shot-by-shot raw readout (where storage allows) or the aggregated counts, and the signed hash chain linking all of the above. That record is what lets a journalist, a regulator, or a peer-reviewer verify that a published result actually came off this machine on the day cla