As quantum-secure communications become increasingly crucial worldwide, the lack of unified certification standards and trusted governance frameworks risks impairing cross-border information-sharing.
Across the globe, Quantum Key Distribution (QKD) communication networks are being built before the appropriate domestic and international governance frameworks needed to underpin them are in place. The ‘harvest-now, decrypt-later’ threat – in which adversaries intercept and store encrypted communications to decrypt once quantum computers mature – is already active, and the absence of convergent certification standards and trusted-node accountability risks fragmenting quantum-secure communications across incompatible national ecosystems, with direct consequences for allied military inter-operability.
Introduction
Quantum Key Distribution (QKD) has moved from a laboratory curiosity to an infrastructure investment. Governments and critical-infrastructure operators across Europe, China and parts of Asia are deploying or planning QKD-enabled communication networks, driven by concerns over long-term cryptographic vulnerabilities and the strategic appeal of the physics-based security guarantees that QKD offer. The technology, once confined to controlled experimental environments, is now embedded in national quantum strategies and continental infrastructure programmes. As explored in a previous analysis of quantum statecraft, China, Europe and the United States are pursuing distinct models of quantum governance – models whose divergence is now being tested at the infrastructure level, most acutely in the domain of quantum-secure communications.
Yet governance has not kept pace with deployment. As QKD networks expand, three structural gaps are becoming apparent. Firstly, the absence of an agreed framework for adjudicating between QKD and the standard alternative Post-Quantum Cryptography (PQC) is producing divergent national strategies that may prove difficult to reconcile at the infrastructure level. Secondly, the physical architecture of QKD networks introduces structural vulnerabilities in the relay points on which these networks depend, and which current certification regimes are poorly equipped to address. And thirdly, the fragmentation of certification and inter-operability standards across major regulatory jurisdictions risks locking divergent technical architectures into place before convergence becomes possible.
These gaps are not primarily technical. The underlying cryptographic principles of QKD are well understood. What remains unresolved is the institutional question: who certifies QKD systems, under what frameworks and on whose terms? As deployments accelerate, the answers Beijing, Brussels and Washington are giving – or not giving – are beginning to diverge in ways that carry strategic consequences.
The governance choices made in the next few years will shape not only how QKD scales but also whether the infrastructure built around it remains confined to competing regulatory and industrial ecosystems or whether the conditions for meaningful inter-operability can still be established.
The PQC–QKD divide
PQC works by replacing today’s encryption methods – which a powerful quantum computer could eventually break – with new mathematical problems that remain hard to solve even for quantum machines. It runs on existing digital infrastructure. QKD takes a fundamentally different approach: rather than changing the mathematics of encryption, it uses the behaviour of individual light particles to detect whether anyone is eavesdropping on a communication channel. It requires dedicated physical infrastructure. Both address the same threat. The governance problem is that major powers are not choosing between them so much as diverging around them.
The US has effectively settled on PQC as its primary response: the publication of the National Institute of Standards and Technology’s (NIST) first post-quantum cryptographic standards in 2024 marked a significant institutional commitment that extends beyond federal agencies to allied governments, defence contractors and critical-infrastructure operators. The National Security Agency’s (NSA) long-standing scepticism towards QKD for government applications, citing implementation vulnerabilities and the absence of scalable certification frameworks, has reinforced this trajectory, establishing PQC as the practical path to cryptographic resilience within US-aligned security architectures.
China has pursued a different path. Investment in QKD infrastructure has been embedded within broader national strategies for quantum development, with state-directed deployment across government networks, financial systems and critical communications links – pursued, notably, in parallel with an active effort to shape international QKD standards through bodies such as the IEC/ISO joint committee on quantum technologies (JTC 3). For China, QKD is not merely a cryptographic tool but a component of a wider programme of technological self-reliance. China’s own large-scale QKD networks – including the Beijing–Shanghai backbone – rely extensively on trusted nodes, meaning that the structural vulnerability this analysis identifies is not absent from China’s model but embedded within it.
Europe occupies a position between these two trajectories. The European Quantum Communication Infrastructure (EuroQCI) initiative commits European Union member states to deploying QKD-enabled networks across critical government and infrastructure sectors, while European agencies advance PQC standardisation in parallel. Member states vary considerably in the degree to which they have operationalised either approach, producing a strategic posture that is neither fully aligned with Washington nor with Beijing, but which is accumulating institutional commitments in both directions.
What matters here is less the technical merits of each approach than the governance consequences of this divergence. PQC and QKD require different procurement frameworks, certification regimes and assumptions about threat timelines. When major powers embed these differences into national strategies and export their preferred architectures, the risk is the gradual consolidation of incompatible security frameworks – a fragmentation that, if left unaddressed, becomes difficult to reverse.
Certification without convergence
QKD networks carry a structural vulnerability that certification frameworks have yet to adequately address. Unlike PQC, which operates as a software layer on top of existing digital infrastructure, QKD requires dedicated optical channels and – for any deployment beyond short distances – a series of intermediate relay points known as trusted nodes. At these nodes, quantum signals are measured, decrypted and re-encrypted before onward transmission. The security of the entire network, therefore, depends not only on the physics of quantum mechanics, but on the physical security, operational integrity and jurisdictional status of each relay point along the chain.
This trusted-node dependency is well understood in technical literature, but its governance implications remain largely unaddressed in policy frameworks. A QKD link is only as secure as its least trustworthy node. Who operates those nodes, under whose legal jurisdiction they fall, and which audit and verification mechanisms apply are questions that existing certification regimes – including standards developed by the European Telecommunications Standards Institute (ETSI) and the national frameworks being developed in China – do not consistently answer. In practice, state actors deploying QKD infrastructure have handled trusted-node security through administrative and physical controls rather than through transparent, internationally recognised certification. This may be adequate for closed national networks, but it creates significant problems for any cross-border or alliance-level deployment.
The broader certification landscape compounds this problem. ETSI has developed QKD equipment standards, and China operates its own national certification framework. The US, having largely declined to endorse QKD for government use, has no equivalent domestic regime. The result is a fragmented certification environment in which QKD systems developed and deployed under different national frameworks cannot be straightforwardly assessed for mutual trustworthiness. International standardisation has yet to bridge the gap: the IEC/ISO JTC 3 liaises with adjacent committees on information technology and fibre optics, a jurisdictional division that leaves cross-domain QKD certification without a unified authority and reproduces national-level fragmentation internationally. For critical infrastructure operators or alliance partners seeking to integrate QKD into shared security architectures, the absence of convergent certification standards is not merely a technical inconvenience. It is a structural barrier to the kind of trusted inter-operability that cross-border quantum-secure communications would require.
This stands in notable contrast to the trajectory of PQC standardisation. The NIST process, whatever its limitations, produced publicly documented, internationally scrutinised standards that other governments can adopt or formally recognise. The absence of an equivalent process for QKD certification leaves deployment decisions to be made against incompatible and opaque benchmarks.
Nowhere are these governance gaps more consequential than in defence. Armed forces increasingly depend on secure communications networks for command and control, intelligence-sharing and joint operations across coalition partners. NATO’s 2024 Quantum Technologies Strategy commits the Alliance to developing frameworks, policies and standards to enhance quantum inter-operability and to transitioning its cryptographic systems to quantum-safe cryptography. It does not, however, specify certification pathways for quantum-secure communications equipment – a gap that becomes consequential as member states deploy QKD infrastructure under divergent national frameworks. Trusted-node dependencies introduce additional points of potential compromise in forward-deployed or expeditionary contexts where physical security of relay infrastructure cannot be guaranteed. Military-procurement cycles, which typically span decades, are already locking in infrastructure choices made under the current governance vacuum, thereby creating costly and operationally disruptive migration requirements at precisely the moment when quantum-resilient communications become strategically critical.
Looking ahead
Over the coming months and years, several developments will indicate whether the governance gaps identified here are narrowing or hardening into lasting structural features of the quantum-security landscape.
The first indicator will be the trajectory of QKD certification frameworks, with Europe as the critical test case. The upcoming EU Quantum Act offers an opportunity to establish a more coherent European framework that links QKD certification to broader quantum infrastructure governance. Whether it does so – or whether it defers the hard questions of trusted-node accountability and cross-border inter-operability – will signal whether the EU can translate its regulatory capacity into meaningful governance leadership in this domain. The convergence of two processes in mid-2026 makes this indicator particularly acute: the EU Quantum Act is expected in Q2 2026, while IEC/ISO JTC 3 is scheduled to meet in Jinan, China, in late May 2026. Whether these two processes reinforce each other or consolidate divergent frameworks in parallel will be an early signal of whether international coordination on QKD governance is gaining traction or losing ground.
A second indicator will be the choices made by third countries, particularly across the Indo-Pacific. Japan has pursued a hybrid approach, advancing both PQC adoption and QKD trials within its national-security and critical-infrastructure frameworks. Singapore has explored linkages with European quantum-communication initiatives, while South Korea’s emerging quantum partnerships – including collaboration with EU-linked research programmes – reflect an effort to maintain strategic flexibility. These countries are not yet locked in, but as certification regimes consolidate and infrastructure investments accumulate, the space for hybrid or non-aligned postures will narrow. How these middle-ground actors navigate the divide between competing quantum-governance ecosystems will itself shape the broader trajectory of QKD deployment globally.
The governance gaps identified here are narrowing but not yet closed; the window for corrective action, while shrinking, remains open. The underlying security challenge that motivates both PQC and QKD investment is shared, and concrete steps are available: mutual-recognition arrangements between ETSI and ISO/IEC for QKD equipment certification would reduce fragmentation without requiring full harmonisation, and a multilateral framework for trusted-node auditing would address the most acute governance gap in cross-border deployments. The decisions taken in the next 12 months – in Brussels as the EU Quantum Act takes shape, and in Jinan as IEC/ISO JTC 3 convenes – will determine whether 2026 becomes the year that QKD governance begins to converge, or the year that fragmentation becomes structural.