Author: Marcin Bała, MSc Eng., Chief Technology Officer
Published: May 2026 | Updated: May 2026 | Reading time: 9 minutes
You already know why the quantum threat is real. Now one question: what to do in practice? Whether your organization needs QKD, when to start, and what to check before signing a contract with a vendor.
Your Decision in 3 Minutes
One question puts everything in order: how long must your data remain confidential, and how sensitive is it today?
Deploy QKD immediately
Defence, intelligence, diplomacy — confidentiality horizon measured in decades, the longest history of production QKD deployments.
Strategically sensitive data with a 10+ year horizon — intellectual property, patient data, legal documentation.
Critical SCADA infrastructure — energy, water, transport. An attack aided by historical data can have physical consequences.
Regulations require quantum-safe — DORA, NIS2, national mandates for public administration.
Plan deployment within 12–24 months
Banks and financial institutions — transactions with a long legal liability horizon.
Telecom operators — infrastructure built for 10+ years.
Regulations are coming — DORA and NIS2 require quantum risk assessment and a quantum-safe migration plan.
Assess and plan
Start with an inventory: which links carry data with a confidentiality horizon above 10 years?
Deploy PQC (NIST FIPS 203/204/205) immediately as layer one. Plan QKD as layer two for the most critical links.
Questions Before Signing a Contract with a Vendor
This is the most important part of the article. Wrong questions before purchase = a project that stalls halfway through.
01
What is the guaranteed range without a repeater on your fiber?
Vendors quote range under laboratory conditions. Ask for range on real fiber with attenuation of 0.2 dB/km and existing connectors. An OTDR audit before installation is mandatory.
Critical
02
What QBER do you guarantee on my link and what happens when the threshold is exceeded?
QBER above ~11% indicates a potential eavesdropper. Ask: what QBER does the system guarantee on your link? What happens to traffic when QBER exceeds the threshold — fallback to PQC keys or transmission interruption?
Critical
03
What is the key rate at my distance?
Key rate drops exponentially with distance. At 50 km: hundreds of kbps. At 100 km: tens of kbps. Ask for the key rate at your specific distance, not the paper maximum.
04
Does the system multiplex the Q-channel with production traffic or does it require dedicated fiber?
Newer systems multiplex the quantum channel together with DWDM traffic. Older ones require dedicated fiber. Check which model applies and whether your DWDM infrastructure supports the spectral separation required for the Q-channel.
Infrastructure
05
How does integration with the existing KMS work?
Ask: does the vendor support ETSI QKD 004/014 API? Is integration with the existing KMS included in the project price or billed separately? No API support = an additional integration project costing tens of thousands of EUR.
Critical
06
Does the system support hybridisation with PQC?
The best architecture is QKD + PQC together. Ask whether the vendor supports NIST FIPS 203/204/205 as a PQC layer alongside QKD.
07
What does the SLA cover?
The SLA must cover: fault response time (max 4h for critical infrastructure), RTO, minimum 99.9% availability, procedure for QBER degradation. Check whether the SLA covers replacement of quantum modules.
Critical
08
What certifications does the system hold?
For government and financial sectors: ETSI GS QKD standards, compliance with ISO/IEC QKD Security Evaluation, FIPS certifications for cryptographic components.
Compliance
09
Does the vendor perform a fiber audit before installation?
OTDR on every segment, attenuation measurement, identification of connectors with high point attenuation. A good vendor does this before signing the final agreement.
10
What is the firmware and quantum protocol update policy?
How long does the vendor guarantee security updates? Does a protocol update require hardware replacement or only firmware?
11
What is the licensing model and what happens after 5 years?
Some vendors use a subscription-based software key model — without an active licence, the system stops generating keys. Ask about the licensing model after the warranty period and the procedure for migrating to another vendor.
Critical
12
Does the vendor have references from a sector similar to yours in Poland or CEE?
A vendor with references under Polish regulatory and infrastructure conditions is less risky. Request a reference contact before signing.
Three Mistakes That Most Often Cost Money or Block Deployment
01
Buying QKD without a fiber infrastructure audit
The QKD system arrived. The fiber between locations turned out to have too high attenuation. The system does not reach the guaranteed range. The project stalled for 8 weeks while fiber segments were replaced.
OTDR audit before signing the agreement — not after installation.
Most common mistake
02
No KMS integration plan at the purchasing stage
QKD generates keys — but the client had no plan for how those keys would reach the existing encryption system. The QKD vendor did not support the API required by the client’s KMS. Additional integration project: 6 weeks and 80,000 EUR over budget.
Verify API before purchase.
Costly mistake
03
Buying QKD instead of QKD + PQC
QKD operates point-to-point — it does not protect the entire infrastructure. The client secured the data centre link but left cloud connections and VPNs unprotected. QKD without PQC as a base layer is a gap in the security architecture.
PQC for the entire infrastructure, QKD for critical links.
Architectural mistake
Ready for the Next Step? We Start with an Audit, Not a Quote.
If you already know your organization needs QKD, or you want to evaluate it together with us, contact us. We will analyse your links, infrastructure, and regulatory requirements. We will tell you straight what to order and in what order.
FAQ — QKD in Optical Networks
The most widely deployed QKD protocol is BB84, proposed by Bennett and Brassard in 1984. The sending side randomly encodes key bits in one of two photon polarization bases: rectilinear or diagonal. The receiver randomly chooses a measurement basis for each photon. After transmission, both sides compare only which bases they chose — not the values themselves. Photons measured in matching bases form the raw key; mismatched ones are discarded. Any eavesdropping attempt introduces errors detectable via QBER (Quantum Bit Error Rate). A QBER above approximately 11% signals the presence of an eavesdropper — the key is discarded and regenerated. QKD security does not rely on computational difficulty. It relies on the fact that measuring a photon's quantum state irreversibly changes it. No algorithm or quantum computer will ever change this law of physics.
DV-QKD (Discrete-Variable) works with single photons or very weak coherent light pulses. It's the most mature protocol — the basis of most commercial systems today. It requires SPAD or SNSPD detectors; the latter operate at cryogenic temperatures (~4 K), adding OPEX complexity. CV-QKD (Continuous-Variable) encodes quantum information in continuous electromagnetic field variables — amplitude and phase. Its key advantage: it uses standard off-the-shelf telecom detectors with no cryogenics required, significantly lowering CAPEX and OPEX. It's the fastest-growing choice for first commercial deployments. TF-QKD (Twin-Field) is a 2018 protocol that breaks the fundamental range limitation of traditional protocols. Both parties send phase pulses to a central node that performs an interference measurement. In 2025, TF-QKD was demonstrated over 254 km of commercial fiber in Germany — without cryogenics, using standard semiconductor components, in real data centers.
That was true 10 years ago. It isn't today. QKD and classical data can share the same fiber through WDM multiplexing, provided signals occupy different wavelength ranges with adequate isolation between them. The main challenge is Raman noise — scattering of photons by the strong classical laser signal creates background noise that interferes with weak quantum signals. The solution: band separation. QKD on the O-band (1260–1360 nm) with classical traffic on the C-band (1530–1565 nm). Natural physical separation — Raman noise does not propagate effectively across such a large frequency gap. Alternatively: a dedicated C-band channel with filtering at minimum 30 dB isolation from adjacent classical channels.
The telco industry is looking for energy savings. Manufacturers of optical modules respond with miniaturization of processors and the use of the “O” band
