How do I know which category applies to me?

Five categories cover the range of applicants: Category A, Technology Vendor (organisations that build and sell a quantum or AI security product); Category B, Systems Integrator/Consultancy (organisations that deploy or advise on technology built by others); Category C, Academic/Research Institution (universities, national laboratories, publicly funded research bodies); Category D, End-User Organisation (organisations that have deployed quantum security technology and have a practitioner perspective to contribute); and Category E, Independent Expert (individuals operating in a personal capacity, not under an institutional banner).

Choose the category that best describes your primary relationship to the field. If you sit across two categories, the form includes a hybrid note field. Select your primary category, describe the secondary role there, and you will be assessed against the question set for the primary. The secondary role may open complementary formats if the primary assessment is not a fit.

Ready to apply? Start at the application form. The programme team issues a tailored proposal within one working day, with the full qualification outcome confirmed within ten working days.

What if I hold more than one role — for example, I am a vendor founder who also holds an academic post?

This is common in quantum security, where academic roles frequently predates the commercial entity. Select your primary category and note the secondary role in the form's hybrid field. You are scored on the primary category question set.

The secondary role is not discounted. If you apply as a Technology Vendor and your academic co-authorship of the underlying security proof is described in the external scrutiny question, it directly strengthens that part of the application. A researcher wanting recognition for their academic body of work should apply as Category C; the commercial product is not a detriment, it simply does not form part of the assessment in that category. The question to ask is: what relationship do you want with QSECDEF?

Do you accept AI security applications as well as quantum security?

Yes. The programme covers both disciplines equally. A PQC library, a QKD system, an AI model assurance tool, and an adversarial defence system are all in scope. The vetting question set asks you to name the specific mechanism your technology relies on: ML-KEM (NIST FIPS 203) and BB84 QKD are as valid as a formal verification approach for neural network robustness. If your product carries a high-risk classification under the EU AI Act, you are expected to disclose it at application. Non-disclosure is a more significant concern than the classification itself.

What does the application process actually involve?

A foundational section covers identity verification, a sanctions and export-control self-declaration, and seven attestations covering the absence of technically fraudulent claims and a minimum requirement for an external verification pathway. These apply before any category-specific question. After that, you answer four or five questions calibrated to your category: the mechanism your product relies on, published standards alignment, external scrutiny received, and honest technology limits for a vendor; certifications, deployment references, methodology, and conflict-of-interest disclosure for an integrator; and equivalents for academic, end-user, and independent expert applicants.

The programme team issues a tailored proposal within one working day of submission, with the full qualification outcome confirmed within ten working days.

What happens if my application is placed on the Development Pathway?

Where an application is substantively sound but falls short on one or two specific criteria, QSECDEF assigns it to a development pathway rather than a decline. This is not a lesser outcome. It means the application passed the foundational filter — no fraudulent claims, no auto-reject triggers — and the gaps identified are ones that can, with time and ordinary professional activity, be closed. The applicant is told precisely which criteria were not met and what evidence would satisfy them. A formal reassessment window opens at 12 months, or earlier if the applicant provides documented evidence that the gap has been addressed. There is no fee for reassessment. The standard applied at reassessment is identical to the standard applied at first application. Development pathway status is not published and is not visible to other members or to the QSECDEF audience. It is a working designation, held between QSECDEF and the applicant, for as long as it is useful.

The gaps that produce a Development Pathway outcome are, in every category, resolvable through normal professional activity: commissioning an independent audit, publishing a preprint, securing a missing referee, obtaining an employer's written approval to participate. None require changes to the underlying technology or research approach.

If you have questions about the process before applying, or are unsure which category fits your situation, the programme team is reachable at info@qsecdef.com. To begin an application, go to the application form.

Can I reapply if my application is declined?

A declined application (Tier E, Declined) means the submission triggered an auto-reject condition: a technically fraudulent claim, or failure to meet the foundational criteria applied before any category-specific question is reached. Reapplication is possible after 24 months if the programme team agrees there has been material change in the applicant's circumstances or programme of work.

A decline (Tier E) and a Development Pathway assignment (Tier D) are structurally different: a decline reflects disqualifying signals; a Development Pathway means no such signals were present. If you receive a Development Pathway outcome, reapplication is not the route forward. The programme team communicates a direct reassessment path.

What does membership cost, and is the application itself refundable?

Vetting and the commercial participation tiers are separate acts. Vetting determines whether you meet the standard. The commercial tier — Vetted Profile, Featured Listing, Member Organisation, or Headline Sponsor — determines the level of participation for those who do. Every commercial tier clears the same vetting gate. A higher tier is a participation decision, not a quality ranking.

Pricing, renewal conditions, and cancellation rights are set out in the Membership Agreement issued as part of your proposal. There is no commitment until you receive and accept the agreement.

What information will I be asked to provide?

All applicants provide their full legal name, professional role, employer, a professional-domain email, and a verifiable profile. Category-specific questions are free-text: technology vendors describe their core mechanism, standards alignment, external scrutiny, and technology limits; integrators provide certifications, deployment references, methodology, and disclosed commercial relationships; academic institutions provide affiliation, publications, funding, and a principal investigator contact; end-user organisations describe their role, scope, deployment, and an internal sponsor; independent experts provide credentials, employment history, recent outputs, two named referees, and advisory conflicts.

How is my personal data handled, and what choices do I have?

QSECDEF processes your application under legitimate interests: receiving, assessing, and recording it are necessary to operate the programme. That basis applies regardless of any optional data choices you make on the form.

Beyond that core processing, the form gives you five independently selectable opt-in choices: listing your organisation in the public member directory (if accepted); including your name and job title alongside that listing; receiving QSECDEF event invitations, news, and programme updates by email; sharing your application with programme advisers and review panel members involved in the assessment process; and including your organisation's technology area in anonymised sector research. All five default to off. Submitting with all five unchecked is entirely valid, and each can be withdrawn at any time. For full details, see our privacy policy.

Who reviews my application, and are unsuccessful outcomes published?

Applications without flagged answers are scored against the documented tier rubric by the programme team. Flagged applications go to technical review within five working days. Unsuccessful outcomes are not published. A declined application produces a standard rejection notice. A Development Pathway outcome is communicated directly and privately to the applicant; it does not appear in the directory or in any member-facing communication. The only outcome visible externally is an accepted listing, and only then if the applicant has consented to directory inclusion.

A listing is a technical legitimacy check, not a guarantee of product quality or commercial viability. QSECDEF does not accept responsibility for commercial decisions made on the basis of listing status alone. For the full explanation of what listing signals to procurement leads and CISOs, read How Expert Membership Works. To apply, go to the application form.