AN ACT establishing the North Carolina Cybersecurity and quantum resilience study commission and appropriating funds for that purpose.

The General Assembly of North Carolina enacts:

SECTION 1.(a)  This act shall be known and may be cited as the North Carolina Cybersecurity and Quantum Resilience Study Act.

SECTION 1.(b)  The North Carolina Cybersecurity and Quantum Resilience Study Commission (Commission) is established to investigate the potential impacts of emerging quantum computing technologies on the security of State systems, legacy encryption methods, and critical infrastructure—including the Internet of Things (IoT) and smart city initiatives. The Commission shall review vulnerabilities and provide recommendations on necessary future measures to enhance the state's cybersecurity posture. To help guide the Commission work, the General Assembly finds that:

(1)        Advances in quantum computing pose potential risks to traditional encryption methods, such as Rivest–Shamir–Adleman (RSA) and Elliptic Curve Cryptography (CC), that many State and local systems rely on.

(2)        Emerging technologies and IoT integrations, common in smart city initiatives, could be at risk if quantum computing breakthroughs compromise existing security protocols.

(3)        North Carolina is home to a robust academic and technological ecosystem which can contribute significantly to understanding and mitigating these risks.

(4)        A proactive study is necessary to understand the scope of these vulnerabilities and to inform potential legislative or administrative actions in the future.

SECTION 1.(c)  The Commission shall be composed of twenty‑one (21) members, with seven members appointed by the Governor, seven members appointed by the President Pro Tempore of the Senate, and seven members appointed by the Speaker of the House of Representatives, as follows:

(1)        Five representatives from cabinet agencies appointed by the Governor.

(2)        Three cybersecurity experts from both the public and private sectors appointed by the President Pro Tempore.

(3)        Two academic experts in quantum computing and cybersecurity from North Carolina institutions appointed by the President Pro Tempore

(4)        Three industry representatives involved in IoT, smart infrastructure, and cryptographic technologies appointed by the Speaker.

(5)        Two public policy experts with experience in technology and cybersecurity appointed by the Speaker.

(6)        Six members of the general public knowledgeable about State government or information technology.

SECTION 1.(d)  The Commission is charged with the following duties:

(1)        Conducting a comprehensive review of state IT systems and critical infrastructure to identify vulnerabilities associated with legacy encryption methods.

(2)        Evaluating the potential impact of quantum computing on these systems.

(3)        Analyzing current and emerging quantum‑resistant cryptographic standards.

(4)        Assessing risks in IoT and smart city implementations.

(5)        Providing a roadmap and recommendations for necessary legislative, regulatory, or administrative measures to bolster cybersecurity against future quantum threats.

SECTION 1.(e)  The Commission's tasks and deliverables include:

(1)        Risk assessment to identify and document systems and sectors most vulnerable to quantum‑related cyber threats and evaluate the state's current cybersecurity measures and determine gaps in protection.

(2)        Research collaboration to engage with local universities and industry experts to gather insights on quantum‑resistant cryptographic techniques.

(3)        Develop a recommendation roadmap to propose a timeline for transitioning to quantum‑safe encryption methods where needed and outline potential policies or incentives for upgrading critical infrastructure security.

SECTION 1.(f)  The Commission shall submit a comprehensive report with findings, a detailed risk assessment, and recommended actions to the General Assembly by July 1, 2026.

SECTION 2.(a)  Effective July 1, 2025, there is appropriated from the General Fund to the General Assembly the sum of two hundred fifty thousand dollars ($250,000) to fund the work of the Commission, including research initiatives, public hearings, stakeholder meetings, and report development. The Commission may explore potential partnerships or federal grant opportunities to supplement research and study efforts.

SECTION 2.(b)   The Commission shall be convened within 30 days of this act's enactment. The Commission members shall elect a chair and vice‑chair. Members of the Commission shall receive reimbursement as provided by Chapter 138 of the General Statutes.

SECTION 2.(c)   Sensitive information received by the Commission shall remain confidential and does not constitute a public record as defined by G.S. 132‑1. For the purposes of this subsection, the chair and vice‑chair of the Commission may designate jointly information as sensitive after balancing the need for public access against security concerns and confidentiality requirements.

SECTION 2.(d)  The Joint Legislative Committee on Information Technology shall monitor the commission's progress. The Commission's report and recommendations will be reviewed by the General Assembly to determine any further legislative or administrative actions necessary during the 2026 Regular Session of the 2025 General Assembly, with provisions for subsequent studies or actions as needed.

SECTION 3.  Except as otherwise provided, this act is effective when it becomes law.