Live · build 2026-07-04 · Tyche Institute

What the world's governments buy to build digital trust

A live, provenance-verified dataset of public-sector procurement across four trust-technology domains: artificial intelligence, post-quantum cryptography, public-key infrastructure, and eIDAS / digital identity. Every record traces to a live government or inter-governmental procurement API. A record with no verifiable source cannot exist here.

4,401
unique records
106
countries
4
domains
4
public sources

Headline finding

The post-quantum procurement gap

Governments have finalized post-quantum standards and set 2030 to 2033 migration deadlines, yet PQC appears in just 50 of 4,401 procurement records (1.14 percent overall, 3.03 percent in the US, 1.0 percent in the EU), the clearest quantum-readiness demand gap in the dataset.

AIPKIeIDASPQCdomain share of 4,401 tagged records

Governments have finalized post-quantum standards (NIST FIPS 203, 204, 205 in 2024) and set migration deadlines running 2030–2033 (NSA CNSA 2.0), yet quantum-safe cryptography is the smallest domain in the dataset by a wide margin: 17 of 561 US records (3.03%), 33 of 3290 EU records (1.0%), and 0 of 547 World Bank records (0.0%). The mandate exists; the procurement signal is, so far, almost invisible.

At a glance

Coverage across domains, regions, time and place

Every figure is computed at build time from the committed dataset. Cross-region comparisons are comparisons of visible procurement, not of total national spend.

Records by domain

All sources combined

PKI1,727AI1,505eIDAS1,119PQC50

Region × domain

Cell = record count; colour by domain, intensity by volume

AIPKIeIDASPQC
EU1,2001,09496333
US73471017
Global2301621550
UK2010
AIPKIeIDASPQC

Records by year

2026 is year-to-date; totals shaped by source publication windows

3763444961,19188620222023202420252026

Top countries

EU dominance reflects TED's near-complete above-threshold coverage, not that these countries buy the most

DEU886POL324FRA267NOR207HRV187CZE181BEL137ROU136NLD118ESP116Bangladesh82IRL74

Explore

Browse the records

Filter by domain and region, or search titles and buyers. Every row links to its live source notice. This runs entirely in your browser over the published dataset.

AIPKIeIDASPQCEUUSGlobalUK

DateDomainTitleBuyer / countrySource

Findings

What the data says

We publish the Trust-Tech Procurement Observatory, a live, provenance-verified dataset of what governments actually buy across artificial intelligence, post-quantum cryptography (PQC), public-key infrastructure (PKI), and eIDAS or digital-identity systems. The current release holds 4,401 unique procurement records spanning 106 countries, drawn from four public tender and award sources. The findings below report demand signals, meaning what buyers put out to tender or awarded, and should be read as a curated coverage sample rather than a complete population census.

Post-quantum cryptography is almost absent from procurement

PQC is the smallest domain in the dataset by a wide margin. Of 4,401 unique records, only 50 (1.14 percent) name post-quantum cryptography. The share is 3.03 percent in the United States (17 of 561 records) and 1.0 percent in the European Union (33 of 3,290 records), and 0 records in the World Bank global set (0 of 547). As policy context, NIST finalized the ML-KEM, ML-DSA and SLH-DSA standards (FIPS 203, 204 and 205) in August 2024, and the US NSA CNSA 2.0 suite sets migration deadlines across 2030 to 2033. The gap between that standards-and-mandate context and the observed procurement share is the single strongest signal in the dataset.

Buyers spend on security infrastructure far more than on AI

Across the whole dataset, AI accounts for 1,505 records while security-oriented procurement (PKI, PQC and eIDAS combined) accounts for 2,896. PKI alone is the largest single domain at 1,727 records, ahead of AI at 1,505 and eIDAS at 1,119. On the US award side, where dollar values are available, PKI-related procurement totals 566,664,128 USD against 154,331,410 USD for AI and 6,269,846 USD for PQC. The pattern that emerges is one of continued, heavy investment in identity and trust infrastructure alongside, and often exceeding, the newer AI spend.

Coverage is real but uneven, and the EU dominates it

The dataset is concentrated in the European Union, which supplies 3,290 of the 4,401 records, followed by the United States at 561 and the World Bank global set at 547, with the United Kingdom contributing 3. By source, TED provides 3,290 records, USAspending 561, World Bank 547 and UK Contracts Finder 3. Germany leads all countries with 886 records, ahead of Poland at 324 and France at 267. This concentration reflects source depth rather than a claim that these countries buy the most; the EU above-threshold tender data is the deepest and most complete lane, while the US and UK lanes are keyword-sparse.

Activity is recent and rising

Records cluster in the most recent years. The dataset holds 376 records dated 2022, 344 for 2023, 496 for 2024, 1,191 for 2025 and 886 for 2026 to date. The 2025 count is the largest in the series. We caution that year totals are shaped by when sources publish and by our collection window, so the rise should be read as a coverage-and-activity signal rather than a precise growth rate.

Narrative drafted by analyst agents and adversarially verified: every figure re-checked against data/consolidated/analysis.json and re-computed against dataset.json (all reproduced exactly).

Method · why you can trust these numbers

Anti-fabrication by construction

This observatory's predecessor was compromised by an automated pipeline that fabricated sources. This one is built so that fabrication is structurally impossible.

Live-fetch-or-dropA record exists only if a harvest script received an HTTP 200 from a listed source this run. No manual insertion, no language model in the harvest loop.
Provenance-requiredEvery record carries its source URL, fetch timestamp, HTTP status, and a sha256 hash of the raw upstream payload. Missing any of these, it is rejected at write time.
ValidatedA validator hard-fails on future dates, placeholder hosts, invented classification codes, and any count that cannot be re-derived from the committed records.
ReproducibleThe full harvest, validation, consolidation and analysis pipeline is open, with no third-party dependencies. Re-run it and reproduce every number.

Data & citation

Open data, openly licensed

Cite this dataset

CC-BY-4.0 · versioned on Zenodo

Sokolov, A. (2026). The Trust-Tech Procurement Observatory. Zenodo. 10.5281/zenodo.21192405

Zenodo record Download dataset.json

Code & descriptor

Full pipeline + data descriptor

Harvesters, validator, consolidation and analysis code, plus the data descriptor, are public on GitHub.

GitHub repository Data descriptor (PDF)

Source attribution: EU TED (EU Publications Office reuse) · US USAspending (public domain) · UK Contracts Finder / Find-a-Tender (OGL v3.0) · World Bank procurement notices (open).