Cloudflare reports that over 50% of human web traffic now uses post-quantum encryption. Behind Cloudflare’s edge, approximately 1% of origin server traffic is post-quantum protected. That gap — between what the edge reports and what the infrastructure actually does — is the most important number in post-quantum cryptography right now, and almost nobody is talking about it.
But first, the geopolitics. Because the edge numbers tell a story that looks alarming until you understand what you’re actually looking at.
The Data
We pulled PQC adoption data from Cloudflare Radar for 18 countries across adversary, allied, and non-aligned categories over the last 12 months. Cloudflare Radar tracks the share of HTTPS request traffic negotiating post-quantum key agreement — specifically X25519MLKEM768 and its draft predecessor X25519Kyber768. Here is what the numbers look like as of February 2026, sorted by current adoption rate:
| Country | Category | 12-Month Avg | Current | Trend |
|---|---|---|---|---|
| China | Adversary | 29.9% | ~30% | Peak & regress |
| North Korea | Adversary | 31.5% | ~38% | Flat/noise |
| Syria | Adversary | 38.4% | ~43% | Slow growth |
| Myanmar | Adversary | 40.5% | ~45% | Steady growth |
| Cuba | Adversary | 41.0% | ~47% | Steady growth |
| Saudi Arabia | Gulf | 23.7% | ~47% | Strong growth, low start |
| UAE | Gulf | 40.6% | ~55% | Strong growth |
| India | BRICS | 48.7% | ~57% | Steady growth |
| Iran | Adversary | 38.8% | ~58% | Strong growth |
| Russia | Adversary | 45.7% | ~58% | Steady growth |
| Israel | Allied | 51.0% | ~60% | Gradual growth |
| South Africa | BRICS | 50.9% | ~62% | Steady growth |
| Belarus | Adversary | 48.3% | ~62% | Steady growth |
| United Kingdom | Allied | 39.8% | ~65% | Strong growth |
| Venezuela | Adversary | 57.2% | ~67% | Gradual growth |
| Brazil | BRICS | 57.5% | ~69% | Steady growth |
| Germany | Allied | 48.6% | ~70% | Strong growth |
| United States | Allied | 41.5% | ~70% | Strong growth |
At first glance this looks alarming. Russia and Iran above Israel? Belarus above the UK? Venezuela above the United States for most of the year?
It shouldn’t be alarming. It should be clarifying.
This Is a Browser Chart, Not a Security Chart
Every curve in this dataset maps to exactly two events in browser release history.
The first inflection point came in April 2024, when Chrome 124 enabled the draft hybrid key exchange (X25519Kyber768) by default on desktop. That is the moment nearly every country jumped from single digits to the 25–40% range. The second acceleration arrived in October–November 2024, when Chrome 131 and Firefox 132 simultaneously shipped standards-compliant X25519MLKEM768 as the default. That is the uptick visible in the late-2024 section of every chart.
The variation between countries is almost entirely explained by one variable: iPhone market share. Safari did not support post-quantum key exchange until Apple shipped macOS Tahoe and iOS 26 in September 2025. Until that date, every iPhone, iPad, and Safari session on macOS was negotiating purely classical cryptography. No exceptions — and no workaround, since Apple requires all iOS browsers to use its TLS stack regardless of the browser brand.
This is why the United States — with its high iPhone penetration — sat at 41.5% average while Venezuela, where Android dominates, averaged 57.2%. It is why Saudi Arabia started at just 10%, among the lowest in the world, while the UAE with similar infrastructure but different device demographics started at 30%. And it is why the US and UK have surged in late 2025 and early 2026 as iOS 26 adoption propagates.
There is no policy story here. No nation-state PQC strategy. Just Chrome update propagation weighted by how many people in each country use iPhones.
Two Anomalies Worth Noting
China is the only country in the dataset that regressed. PQC adoption climbed from roughly 10% to 47% by late 2024, then fell back to 30%. This almost certainly reflects China’s domestic browser ecosystem. QQ Browser, 360 Secure Browser, Sogou Browser, and other Chromium forks collectively hold massive market share within China. These browsers track upstream Chromium on their own schedules. Some picked up the Kyber draft, then either reverted or failed to transition cleanly to the standardized ML-KEM. China is the only major internet market with enough browser sovereignty to decouple from the global Chrome-driven curve.
North Korea is statistical noise. At 31.5% average with a perfectly flat line, the data reflects negligible traffic volumes passing through Cloudflare. There is no trend because there is no meaningful sample.
PQC Passivity Is Not Preparedness
Everything above measures whether clients — browsers on consumer devices — negotiate PQC key exchange with Cloudflare’s edge servers. Cloudflare has supported PQC on its server side since October 2022. So what this data actually shows is: when a person in Iran opens Chrome and visits a site behind Cloudflare, that connection uses post-quantum key agreement. When a person in the United States does the same thing, so does theirs.
This tells us exactly nothing about what matters for national security.
The concern that makes PQC urgent is harvest-now-decrypt-later: the assumption that adversaries are capturing encrypted traffic today and storing it for future decryption once sufficiently powerful quantum computers exist. If that threat model is real — and most intelligence agencies behave as though it is — then the question is not whether Iranian citizens’ browsers negotiate ML-KEM with Cloudflare. The question is whether Iranian government services, military command systems, intelligence networks, and critical infrastructure are running post-quantum cryptography on their servers. Whether Russian state systems have migrated. Whether Chinese military communications are PQC-ready.
Cloudflare Radar cannot answer that question. It was never designed to. And yet the data gets cited as if it measures PQC readiness, when it actually measures PQC passivity — the degree to which a country’s population happens to use browsers that auto-updated.
What Would Real Measurement Look Like?
A meaningful PQC readiness assessment for any country or organization would need to answer a different set of questions entirely. Not “what percentage of inbound browser traffic uses ML-KEM?” but rather: What share of your externally-facing services support post-quantum key agreement? Are you getting better or worse over time? Which protocols and ports are still classical-only? Where are you in the migration, and what is your trajectory?
That requires scanning infrastructure from the outside, tracking results over time, and comparing against baselines — not measuring passive browser behavior through a CDN.
The Edge Is a False Floor
The gap between the Cloudflare Radar headline (“52% of human web traffic is post-quantum encrypted!”) and the infrastructure reality is where the actual risk lives. Cloudflare’s own data, presented at the Fraunhofer PQC Conference, revealed that while over 50% of client-to-edge traffic now uses PQC, approximately 1% of origin-server-to-Cloudflare traffic is PQC-protected. The connection between your browser and the CDN edge is quantum-safe. The connection between the CDN and the actual server hosting the application is classical. The encryption terminates at the edge. Behind it, the traffic is still classically encrypted. The edge is a false floor. Stand on it and you fall through.
The broader server-side picture is no better. F5 Labs found that among the top one million websites, only 8.6% support hybrid PQC key exchange, and a quarter of those sites do not even support TLS 1.3 — the prerequisite for PQC. Forescout’s internet-wide scanning found that only 6% of SSH servers support PQC at all. Cloudflare’s own scan of the top 100,000 domains showed server-side PQC support rising from 28% to 39% over the course of 2025 — encouraging movement among the internet’s most visible properties, but still a minority even at that tier.
The Clock
The consumer browser side is effectively solved. Chrome, Firefox, and now Safari all default to PQC key exchange. Client adoption will converge toward 90%+ globally within the next 12–18 months as device upgrade cycles complete and iOS 26 saturates. Embedded systems, IoT devices, and older enterprise applications using non-browser TLS libraries are a different story — but for the web traffic that Cloudflare measures, the client side is done.
The server side is where the gap yawns open — and where most organizations haven’t started. Every month of delay is another month of traffic vulnerable to adversaries stockpiling encrypted sessions. The countries in the table above aren’t racing each other on PQC adoption. Their browsers are auto-updating at roughly the same pace. The race that matters is happening behind the edge, in the origin infrastructure, and it is largely invisible to public measurement tools.
That is where you should be looking.