Challenge
A mid-sized nation with an established national quantum programme had invested heavily in quantum research over several years — funding university labs, attracting international researchers, and launching pilot projects in quantum computing, sensing, and secure communications. The programme was widely regarded as successful: it had produced published research, functioning prototypes, and growing international visibility.
But when senior officials in the ministry responsible for science and industrial strategy began asking harder questions, the answers were uncomfortable. Almost all of the quantum computing hardware being used in national labs had been procured from a single foreign vendor. The software stacks running on those systems were proprietary, maintained by companies headquartered in a jurisdiction whose export control policies were becoming increasingly unpredictable. The cloud-based quantum services used for several national research projects were operated by a hyperscaler whose terms of service included the right to withdraw access with limited notice. And the handful of domestic quantum startups that had emerged from the programme were being courted by foreign investors whose acquisition interest appeared motivated less by commercial logic than by access to the underlying IP and talent.
None of these dependencies had been deliberately chosen. They had accumulated organically — each individual procurement decision was sensible in isolation, each vendor relationship was productive, each cloud service was convenient. But taken together, they meant that significant parts of the national quantum programme could be disrupted or degraded by decisions made in foreign capitals, foreign boardrooms, or foreign regulatory agencies. The ministry’s concern was not abstract: in adjacent technology domains, the country had already experienced supply chain disruptions caused by export control changes, and a major cloud provider had recently withdrawn services from a neighbouring country following a geopolitical dispute.
The government’s question was direct: Where exactly are we vulnerable, how severe are the risks, and what would we do if something actually broke? They needed more than a policy paper — they needed a systematic assessment of every significant dependency in their quantum technology stack, and a concrete test of whether their existing plans and procurement structures would survive a real disruption.
How Applied Quantum Helped
We were engaged to deliver two linked workstreams: a Quantum Sovereignty Assessment covering the full national quantum programme, followed by a facilitated Sovereignty Stress Test exercise with senior stakeholders across government, defence, and the national research community.
Phase 1: Sovereignty Assessment
The assessment began with a comprehensive mapping of the national quantum programme’s technology dependencies, conducted layer by layer across the entire stack. We worked with programme managers, procurement teams, lab directors, and security officials to inventory every significant foreign dependency — not just the obvious hardware purchases, but the less visible ones that often carry more risk.
At the hardware layer, we catalogued QPU sources, control electronics vendors, cryogenic system suppliers, and ancillary components — tracing each to its country of origin, export control classification, and the availability of alternative suppliers. We found that while the programme used hardware from three vendors, all three sourced critical subcomponents from the same upstream manufacturer — creating a hidden single point of failure that no individual procurement review had surfaced.
At the software layer, we mapped SDK dependencies, firmware sources, compiler toolchains, calibration software, and cloud platform APIs. Several of the software components turned out to be maintained by small teams within larger companies, meaning that a corporate reorganisation or product discontinuation — not just a geopolitical event — could disrupt access. We also identified that one widely used open-source quantum library, while nominally community-maintained, had over 80% of its commits coming from employees of a single foreign company.
At the talent layer, we analysed the national quantum workforce by nationality, visa status, security clearance eligibility, and concentration risk. We found that two of the programme’s most critical experimental teams were led by researchers on fixed-term visas, and that a single university department accounted for nearly half of the country’s quantum engineering graduates — a concentration that made the talent pipeline fragile.
At the standards and IP layer, we assessed which cryptographic standards the programme’s security infrastructure relied on, whether those standards were at risk of geopolitical bifurcation, and where IP generated by the programme was legally domiciled. We identified that several joint research agreements with foreign partners included IP assignment clauses that could, under certain circumstances, give the foreign partner control over commercially valuable results.
At the investment layer, we reviewed the ownership structures of the domestic quantum startups that had emerged from the programme. Two of the four most promising companies had received investment from entities with connections to foreign state investment vehicles — not necessarily problematic, but requiring scrutiny under the country’s emerging investment screening framework.
For each dependency, we rated severity (what breaks if this goes away), replaceability (how quickly an alternative could be stood up), and geopolitical exposure (the trajectory of risk in the relevant jurisdiction). The output was a structured dependency map with a colour-coded risk matrix — making it immediately clear to non-technical policymakers which dependencies were routine, which were manageable, and which were unacceptable single points of failure.
We then developed a sovereign optionality report for each high-severity dependency: what alternative sources existed, what domestic or allied capabilities could be developed, what procurement or architectural changes would reduce exposure, and what the estimated cost and timeline of each mitigation would be. Critically, we did not recommend autarky — total self-sufficiency in quantum technology would be prohibitively expensive and counterproductive for a mid-sized nation. Instead, we applied the sovereign optionality framework: for each dependency, the question was whether the country had a credible alternative path if the primary source became unavailable.
Phase 2: Sovereignty Stress Test
With the dependency map established, we designed and facilitated a full-day Sovereignty Stress Test exercise. Participants included senior officials from the science ministry, the defence ministry, the national cyber security agency, the national research council, university lab directors, and representatives from the domestic quantum industry.
We ran four scenario modules, each customised to the country’s actual dependency map:
The first scenario simulated a supplier cutoff: the country’s primary QPU vendor announced it would no longer ship to the region, effective in 90 days, following a change in its home country’s export control regulations. Participants had to determine which labs and projects were immediately affected, what stockpiles of spare components existed, whether alternative QPU suppliers could deliver compatible hardware, and how long a transition would take. The exercise revealed that no one in the room had a complete inventory of installed QPU models and their remaining useful life — a basic operational gap.
The second scenario simulated a cloud access revocation: the hyperscaler hosting the programme’s quantum cloud workloads withdrew service following a diplomatic dispute. Participants had to assess which research projects would lose access to quantum compute, what data was stored on the platform, and whether on-premises alternatives existed. This scenario surfaced the discovery that several research groups had been running workloads on the cloud platform that were nominally classified as non-sensitive but in practice contained data that, in aggregate, would be considered nationally significant.
The third scenario simulated a talent mobility shock: visa policy changes in two allied countries simultaneously made it difficult for foreign quantum researchers to remain in the country. Participants had to assess which teams would lose critical personnel, what knowledge was documented versus held in individual researchers’ heads, and how long it would take to recruit or train replacements. The discussion became heated when it emerged that the programme’s most advanced experimental capability depended on three individuals, none of whom were citizens.
The fourth scenario simulated a standards bifurcation: a major trading partner mandated a PQC standard that differed from the one the national programme had adopted, affecting interoperability for cross-border financial and communications infrastructure. Participants had to assess the cost of maintaining dual compliance and the architectural prerequisites for cryptographic agility.
Each scenario was run through three phases — inject, response, and debrief — with structured scoring so participants could rate their own preparedness consistently across scenarios. A dependency mapping exercise ran in parallel, with participants collaboratively updating the map based on vulnerabilities surfaced during play.
Outcome
The combined assessment and stress test produced a set of findings that fundamentally reshaped the national programme’s approach to procurement, partnership, and risk management.
The most immediate impact was a set of procurement policy changes. The ministry issued updated procurement guidance requiring that all quantum technology acquisitions above a certain threshold include a sovereignty impact assessment — covering supply chain origin, export control exposure, software dependency analysis, and alternative sourcing options. New contracts were required to include source code escrow provisions for critical software components and contractual protections against unilateral service withdrawal.
The programme also initiated a deliberate diversification of its QPU supply chain. Based on our assessment of the hidden single-point-of-failure in upstream components, the national research council funded an evaluation of alternative QPU platforms from different manufacturing lineages — including an open-architecture approach using QOA-compliant components that would give the programme the ability to swap processors without rebuilding the entire control stack.
At the software layer, the programme commissioned the development of a sovereign middleware capability — a nationally controlled integration layer that could abstract over different vendors’ hardware, reducing dependence on any single vendor’s proprietary software stack. This initiative drew directly on our assessment finding that the software layer was the least visible but most strategically consequential dependency.
The talent concentration risk led to two actions: the programme funded additional quantum engineering positions at three universities (rather than concentrating all hiring at one), and the ministry worked with immigration authorities to create a dedicated quantum technology visa category, reducing the processing uncertainty that had been identified as a retention risk.
The investment screening findings were referred to the national investment screening authority, which used our analysis to develop sector-specific guidance for quantum technology acquisitions — distinguishing between commercially interesting and strategically critical capabilities, and setting conditions for foreign investment that preserved domestic control over sensitive IP.
Perhaps most importantly, the stress test changed the institutional culture around sovereignty risk. Before the exercise, quantum sovereignty had been an abstract policy concept discussed in strategy documents. After spending a day watching their plans fail under simulated pressure — and realising that basic operational information like component inventories and data residency records was missing — senior officials treated sovereignty as a concrete operational requirement. The stress test after-action report was circulated to the cabinet-level committee overseeing the national quantum programme, and several of its recommendations were adopted as standing requirements for the programme’s next funding cycle.
The country continues to participate actively in international quantum research and maintains productive relationships with foreign vendors and partners. But it now does so from a position of informed optionality — understanding exactly where its dependencies sit, what its alternatives are, and how quickly it could pivot if circumstances demanded it. That shift — from unconscious dependence to deliberate, managed engagement — was the core outcome of the engagement.