The divergent approaches to quantum safe networks and their impact on the future of telecommunications security

March 3, 2026

Sheena Jacob, Partner, CMS Singapore

Lisa McClory, Of Counsel, CMS UK

The global telecommunications sector is confronting a “quantum threat” to classical cryptographic algorithms. Up to now, this has generally been thought of as a theoretical problem to be parked and addressed sometime in the 2030s. Now, as we enter 2026, the issue has gained increasing momentum due to the maturing of quantum technology and novel cyber risks. This includes “harvest now, decrypt later” attacks, whereby threat actors stockpile encrypted data to unlock it once future quantum technology is available.

Quantum technology is part of the problem, but also part of the solution. National actors have coalesced around two distinct regional approaches to policy in this area: one focusing on building secure physics-based hardware, and the other on scaling quickly but staying agile by relying principally on quantum-proof software. 

Major markets across the EU and in Asia are increasingly viewing physics-based hardware infrastructure as a vital aspect of sovereignty, supported by public investment. In contrast, the US, UK, and NIST-aligned markets are prioritising algorithmic methods and software scalability as the primary response to combat this threat.

Large network providers are on the front line of this, confronted with the challenge of testing and launching new quantum technology alongside existing networks, and doing that at scale, over distances that challenge the frontiers of quantum science. 

For global carriers, this makes for an increasingly complex digital landscape. Managing the collision of hardware vs software, new algorithms and shifting standards, challenges of interoperability and deciding where and how to invest and build will, however, be absolutely fundamental to market access, with commonly adopted algorithms and hardware implementations likely to emerge as dominant in years to come. The stakes for telcos are high: failure to adapt means obsolescence, and with the added pressure of regulatory compliance deadlines, there is little time to reach important decisions on how to deploy capital and adapt.

The infrastructure-sovereignty approach (hardware-based)

The first strategic grouping encompasses the EU, China, and major Asian economies such as Japan, South Korea, and India. Policy in these regions treats the physical layer of the network as a vital sovereign asset. Markets adopting this approach prioritise the establishment of secure physical networks for Quantum Key Distribution (QKD) – a mechanism for establishing symmetric keys using quantum states of light. Because measuring a quantum particle alters its state, attempts to intercept the exchange are detectable.

While these regions are also standardising new cryptographic algorithms, they operate on the conviction that mathematics alone is just a temporary shield: algorithms thought to be secure today could be broken by a new mathematical discovery tomorrow. Sovereign networks are seen as an important part of national security architecture and this is therefore driving significant public investment into physical infrastructure in regions which adopt this approach.

Infrastructure developments

China’s national programme for secure physical networks includes the Beijing-Shanghai QKD backbone network, the longest QKD network in the world, spanning thousands of kilometres in fibre-optic cables. 

In the EU, the bloc’s physical network strategy is implemented through the EuroQCI (European Quantum Communication Infrastructure), an initiative to establish a secure quantum communication network across all 27 EU Member States, to be used by important EU sectors: government institutions, healthcare systems, financial networks and power grids. The European Commission has framed QKD as an enabler of technological sovereignty, particularly for governmental and defence uses. This initiative is funding a dual network of terrestrial fibre and satellites to secure critical government and utility communications across the EU bloc. 

Across Asia more broadly, South Korea has moved toward commercialising quantum-secured links for public-sector and critical services, Japan has accelerated cryptographic communication pilots and networks for high-value data exchanges, and India, through its National Quantum Mission, is pursuing a “dual-track” approach: developing localised QKD capability for strategic links alongside algorithmic upgrades.

In many of these locations, requirements are emerging through procurement requirements and sectoral guidance, rather than agreed standards and legislative approaches. Operators in critical sectors in these markets will need to meet the expectations to integrate physical-layer security and deal with known risks and technical limitations, such as implementation challenges and system fragility due to degradation in photons transmitted over longer distances.

The technology gap: Trusted nodes and the space domain

The primary technical constraint on the physical infrastructure model is the fragility of the signal. Photons transmitted through fibre degrade over distances, and quantum states cannot be amplified by traditional repeaters without undermining security (the no-cloning theorem).

To bridge long distances without dense terrestrial infrastructure, the industry is looking to space. Satellites in Low Earth Orbit can facilitate key establishment between distant ground stations. In the near term, most space-based systems operate as trusted nodes – intermediate points that momentarily hold key material in classical form. This does, however, also raise governance and sovereignty questions. If a satellite or its ground segment functions as a trusted node, the operator could technically access the key material during transit. Consequently, nations are calling for “sovereign constellations”. The EU’s secure connectivity efforts, for example, emphasise EU control over the quantum space segment and associated ground infrastructure, and EuroQCI expressly envisages both terrestrial and space-based components, with the European Space Agency leading on development of a satellite constellation for continuous, reliable quantum communication across Europe.

The software approach: Scalability and mathematics

A second group – led by the United States and the United Kingdom – advocates a software-based approach focused on post-quantum cryptography (PQC). PQC replaces current public-key primitives with mathematics designed to be secure against quantum attacks.

The rationale is that QKD networks are expensive and rigid, whereas PQC-first approach is faster to operationalise and scale. Software can be updated, but hardware has a much longer lifespan and is slower, more expensive installation process.

Alignment around standards

The policy direction for the “software-first” approach was established in 2024 when the US National Institute of Standards and Technology (NIST) finalised its first set of PQC standards, including FIPS 203 (ML-KEM), intended as the primary standard for general encryption. Signature standards are also being finalised and are progressing through ISO/IEC, aiming to establish a global baseline. The goal is to reach global consensus around the building blocks of algorithmic security and so to enable ‘crypto-agility’: the ability to change cryptographic components within systems without disruption.

In markets looking at software and standards, there is also a growing focus on implementation, which reflects the emphasis on pace and scalability. The US National Security Agency’s Commercial National Security Algorithm Suite 2.0 (CNSA 2.0) has set timelines for National Security systems to complete transition to quantum resistant algorithms by 2035. In its white paper of August 2025 on quantum networking technologies, the UK National Cyber Security Centre (NCSC) has also set out PQC migration pathway aligned with NIST standards, based around phased milestones. NCSC has expressly stated it does not support the use of QKD for government or military applications, citing scalability concerns and difficulty integrating specialised hardware with existing networking infrastructure, as well as additional cyber risks arising from increased complexity.

The compliance landscape: Navigating the divergence

For a multinational network operator, this difference in approach creates a challenging compliance landscape.

In markets that prioritise sovereignty (EU and parts of Asia), operators serving critical infrastructure (such as utilities, finance, and government) may need to build around or integrate with physical-layer security. This can entail adopting hardware and interfaces governed by regional requirements, and also ensuring integration with classical key management systems. Profiles for multi-vendor interoperability and key-management integration are not yet mature, which can introduce change and uncertainty into deployment plans.

PQC nonetheless remains a baseline and a more universal requirement, even for regions where hardware networks are seen as essential: QKD networks are only part of the solution and also need compatible software. The means of interconnection and standards may, however, change regionally. Operators should be prepared to build systems that can accommodate this change, i.e. to build for ‘crypto-agility’ and prepare to migrate to standardised algorithms. NIST will be the minimum standard for interconnecting with US and UK markets and is likely to be influential across all global markets, so is likely a key baseline to build around.

Future developments

The migration to future quantum-resilient networks is a massively important change for networks, which could be seen as similar in scale to the internet’s transition from IPv4 to IPv6. The need for QKD hardware will continue to represent a point of difference across jurisdictions for network providers, with divergence driven by national security concerns, but also by jostling for commercial advantage. Private initiatives will probably be well placed to find innovative solutions, potentially on a sectoral basis, and potentially as part of public-private collaborations. This means that network providers will need to gear up and be ready to meet rigorous demands of public procurement processes.

There are big differences in public capital allocation across regions which accelerate the technical divergence, with US and UK activity based more around private sector innovation and compliance, while major economies in the EU and Asia are tending to treat quantum security as a public utility, allocating direct state capital to build push initiatives ahead. Economic opportunities for telcos will therefore differ accordingly in regions where networks are operational.

Overall, however, a main takeaway is that the future of network security will require network providers to be innovative and adaptable. Leading businesses have the opportunity to embrace and commercialise exciting new technologies, moving far beyond security into providing commercial-grade networks with extended quantum functionality, leveraging new opportunities involving space and sensors, AI enablement and smart infrastructure. Whilst the world might currently be divided on the ‘how’, there is consensus on the when: the next decade of market leadership essentially belongs to businesses who stop waiting for standards to settle and get building. The winner will be the operator who first solves the ultimate challenge: engineering a sovereign network that is also frictionlessly global. 

Sheena is a leading Asian regional technology lawyer with  strong cybersecurity, media, privacy and technology. Holding US, England & Wales and Singapore qualifications as well as double international privacy certifications from the IAPP, Sheena has been active in technology in Asia for more than 25 years.  She represents a significant number of industry players in the media industry including several of the leading streaming platforms and has strong experience with cybersecurity and data protection issues across Asia. She also acts for some of the top technology global players on issues across Asia. Sheena advises on regulatory issues in the media, telecoms and tech sectors in Asia and is consistently ranked as a top 50 TMT lawyer in Asia. She is known for her sound, commercial and practical advice. She has also handled a number of high profile data cyber incidents and ransomware attacks and works closely with clients to resolve issues with customers and regulators. She is one of only a few women lawyers active in the cybersecurity and AI space in Asia and has advised clients on complex legal issues involving AI, quantum safe networks and digital infrastructure. 

Sheena has been on the Global Board of iTechlaw, the first Singaporean to hold this post as well as the IAPP Asia Advisory Board and the Board of AmCham Singapore. She was also the only lawyer in Singapore listed as one of the Top Women in Cybersecurity and has written numerous articles on privacy, cybersecurity and the regulation of AI.  She currently sits on a number of industry committees including BritCham and AmCham Singapore. 

Lisa is Of Counsel in the emerging technology team at CMS UK, specialising in global projects involving the application of new technology and advanced data-driven systems, including crypto, digital assets, DeFi, AI, trade finance and digitalisation, quantum, robotics and space ventures, sustainable business and green investment.

She works on corporate finance, venture capital, regulatory, data and commercial projects, assisting clients with a strategic overview of new regulatory challenges and creating bespoke legal approaches that blend a practical and nuanced understanding of law, data systems and technology.

Lisa is Honorary Professor of Law in the Queen Mary University of London School of Law, a member of the Law Society of England and Wales Technology and Law Committee and of the Design Board of the open source legal standards and metadata project, noslegal.org. She is a LawtechUK tech mentor and has the Open Data Institute Data Ethics Professional qualification. Lisa represents the UK Law Society on the UK Civil Justice Council AI Working Group.