Post-Quantum Security Spurs National Sovereignty Thinking

Encryption & Key Management , Government , Industry Specific Post-Quantum Security Spurs National Sovereignty Thinking AI Export Controls Expose Hidden Risks to Post-Quantum Cryptography Migrations Suparna Goswami (gsuparna) • June 26, 2026     Credit Eligible Get Permission Security leaders warn that post-quantum cryptography migration is creating new dependencies on foreign vendors, hyperscalers and supply chains. (Image: Shutterstock) The U.S. government directive on June 12 that suspended access to some of the world's most advanced artificial intelligence models by foreign nationals has forced governments and CISOs worldwide to reassess their plans for sourcing cyber defense technologies. For organizations on the journey to post-quantum computing cryptography, the AI sovereignty issue couldn't have come at a worse time. See Also: Securing AI Workloads With Ubuntu Pro For quantum-readiness specialists in security, the directive exposed the structural dependencies in cryptographic infrastructure that governments and enterprises will be racing to build. Post-quantum cryptography migration is underway through individual government-led initiatives in every major economy, but the tools driving that migration run through a concentrated set of vendors. For most governments and enterprises, even the architecture of the quantum-safe future relies on external sources such as the U.S. National Institute of Standards and Technology's Post-Quantum Cryptography Standards. These dependencies are core to what a growing number of policymakers, defence strategists and technology leaders now call "quantum sovereignty," the question of who builds, hosts and controls quantum infrastructure, and what happens when that control is exercised against your country? Reliance on out-of-country quantum computing capabilities, or a technical supply chain that is concentrated in a single out-of-country jurisdiction, creates the same sovereignty risks as the United States sees in Anthropic's Mythos and Fable models, said Louise Davey, a quantum risk adviser to the Canadian government and financial institutions, told ISMG. Davey says the question no one in the boardroom is asking is: If our post-quantum cryptography vendor goes dark, what are our options and our recovery time? Some countries understand this risk. Many have not. There is a lot of talk that "quantum computing threatens our encryption," Davey said, adding that there's seldom any discussion about the risks that cascade from being part of greater connected network. "Our entire PQC migration capability sits inside one hyperscaler's toolchain, and that hyperscaler is incorporated in a jurisdiction that has demonstrated willingness to flip switches overnight," Davey said. If cryptographic agility depends on a vendor that can be directed by a foreign government, in reality there is not crypto agility. It is "outsourced dependency dressed up as peace of mind". Sovereignty is not a binary condition; it is a spectrum, Marin Ivezic, CEO of Applied Quantum, a Singapore-based quantum systems integration firm, and author of the book Quantum Sovereignty, said. "Most nations will never manufacture their own quantum processors. That doesn't mean they can't achieve meaningful independence. What matters is whether you understand your dependencies, whether you can survive the loss of any single one, and whether your architecture gives you the option to switch." The awareness gap is not uniform. In some countries the regulatory landscape is moving fast. The U.S., for example, signed an executive order setting a 2030 deadline for federal agencies to transition their most sensitive systems to post-quantum encryption, and directing federal contractors to comply with NIST post-quantum standards by the same date. A separate piece of legislation called the Remote Access Security Act, which passed in January 2026, would extend export controls to cloud access to quantum computers, closing the loophole through which foreign users have continued accessing quantum platforms remotely. The European Union's Quantum Europe Strategy, adopted in July 2025, lists "technological sovereignty" as a primary goal, with a European Quantum Act expected to follow with binding supply-chain security and investment screening rules. Canada has identified quantum as a sovereign capability area in its Defence Industrial Strategy, though Davey acknowledges the country has "the intent, but not yet the clear and widely communicated definition and industrial policy to match." In Asia, India aims to develop indigenous capabilities across the entire quantum stack comprising of quantum computing, quantum communications, quantum sensing and metrology and quantum materials and devices. "The basic philosophy is similar to what India pursued in the nuclear and space domains: avoiding dependence on foreign controlled critical technologies," said Lt. Gen. Madhavan Unnikrishnan Nair, strategic defence advisor to Synergy Quantum. Quantum sovereignty isn't just about possessing a QKD system or a PQC algorithm, said Rajkumar Upadhyay, CEO of C-DOT and chair of the DST taskforce on quantum safe ecosystem implementation. "It is about owning the critical intellectual property, hardware building blocks, manufacturing capabilities, standards participation and deployment ecosystem required to sustain these technologies independently over the long term." This should not be confused with complete isolation or technological self-sufficiency in every component, which may neither be practical nor desirable. "It is to ensure that no single external entity can unilaterally disrupt India's access to critical technologies," Upadhyay told ISMG. Singapore's answer to the same risk is a regulatory one. Rather than building its own quantum stack, the Monetary Authority of Singapore is requiring financial institutions to manage the dependencies they already have. A MAS spokesperson told ISMG that its quantum advisory clarifies supervisory expectations for financial institutions on crypto-agility. "This involves identifying and maintaining an accurate inventory of cryptographic assets that can be swiftly replaced with quantum-safe cryptographic components, as well as proactively addressing IT vendor supply-chain risk." MAS expects financial institutions to maintain accountability for risks arising from their use of third parties, including IT vendors which provide security products and services. "It is important that FIs consider the unavailability of their vendors and have in place viable alternatives," the spokesperson said. China does not take part in the NIST standards process and is developing its own suite of PQC algorithms amid concerns that U.S.-designed standards could have vulnerabilities. Its response to successive rounds of U.S. export restrictions has been to ramp up domestic production of previously imported components like cryogenic systems, control electronics and specialized materials. A review by the Royal United Services Institute concluded the controls may be accelerating the very domestic capability they were meant to stymie. The 15th Five-Year Plan was approved in March 2026 and lists quantum among seven future industries to be prioritized. For security leaders, quantum sovereignty is ultimately an availability problem. The question is not only whether encryption is quantum-resistant, but whether the vendor implementing that encryption will be accessible when you need it, Iveciz said. The complexity of that task becomes clear when you examine what quantum supply chains actually look like. Joe Spencer, director of Global Quantum Intelligence, breaks the dependency risk into three distinct layers that most risk registers have never separately assessed. Materials such as rare earth elements and purified silicon that quantum systems require at the atomic level; components including lasers, cryogenics and control electronics where export controls already govern trade; and talent, where the pipeline of engineers and technicians capable of operating these systems remains thin across every jurisdiction. "The nations that control those capabilities and their enabling ecosystems are the ones most likely to capture the economic, security and geopolitical advantages," Spencer said. Organizations best positioned to manage that risk are the ones asking the dependency questions now like which vendors supply their cryptographic implementations, where those vendors are headquartered, and how quickly they could switch if access were restricted. The ones that wait will discover their dependencies only when those dependencies are tested by events outside their control. The Anthropic export restrictions were one such event. As Davey puts it, the architecture is already being built and choices being made today will determine what options remain.