The European regulatory ecosystem has undergone a radical transformation in recent years. GDPR, DORA, NIS2, and the AI Act do not merely represent an increase in compliance requirements, but rather define a new landscape in which the cryptographic protection of data is no longer an optional best practice, but a binding legal prerequisite.
However, this evolution is making it increasingly clear that traditional cryptographic models, however sophisticated, present structural limitations that cannot be resolved through incremental optimizations. They instead require a deeper reassessment, particularly in light of the advances in quantum computing on the horizon.
Traditional methodologies such as role-based access controls, encryption at rest and in transit, pseudonymization, database segregation, and audit trails encounter a fundamental problem: in order to validate personal data, it must be exposed in clear text. Every KYC verification, every compliance check, and every onboarding process entails the exposure of data that, if compromised, generates liabilities extending beyond direct economic damage.
This paradox has a dual impact. From an economic perspective, compliance management absorbs resources for technical implementation, continuous audits, legal consulting, and staff training. The risk of fines can reach up to 4% of global turnover, accompanied by reputational damage that is often more severe than the penalty itself. IBM’s “Cost of a Data Breach 2024” report highlights that the global average cost of a data breach has reached a historic record of $4.88 million, with a sharp increase in the healthcare and financial sectors, where the exposure of data in clear text represents one of the most costly risk vectors.
The most critical limitation, however, lies elsewhere: these methodologies open the door to a concrete risk of system intrusion. Being compliant does not mean being secure; authorized personnel remain a potential attack vector, and every access constitutes a possible point of compromise. Procedural compliance, in other words, does not guarantee security.
Zero-Knowledge Proof (ZKP) cryptographic protocols promise to eliminate this weakness by allowing a party to prove possession of a requirement without revealing the underlying data. Take the example of a financial institution that must verify that a client’s income exceeds €30,000 in order to grant a loan. Traditionally, the client provides payslips and tax documents—materials that disclose exact salary, employer, and financial details—exposed to anyone who handles them. With ZKPs, the employer digitally signs the client’s income and, through an application, the client generates a cryptographic proof that the income exceeds €30,000 to present to the bank. In this way, no sensitive data is transmitted, no database acquires it, and no operator accesses it. The verification takes place, but the risk of compromise is eliminated at its root.
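The income check described above, written out as an added example that is not part of the original article: the client's income is held in a Pedersen commitment (the value the employer would sign), the client proves with a bit-decomposition range proof that income minus the threshold is a non-negative number of at most 20 bits, and the bank verifies using only the commitment and the proof. The 64-bit toy group, the Fermat primality test and all function names are assumptions made for the demo; a production system would use an elliptic-curve group and an optimised range proof.

```python
import hashlib, secrets

def probably_prime(n):
    # Fermat test on a few bases: adequate for a demo group (production: a vetted curve library)
    return all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7, 11, 13))

# Toy 64-bit safe-prime group p = 2q + 1, built at import time (demo assumption, not the page's)
q = (1 << 63) | 1
while not (probably_prime(q) and probably_prime(2 * q + 1)): q += 2
p, g = 2 * q + 1, 4                                  # g = 2^2 generates the order-q subgroup
h = pow(int.from_bytes(hashlib.sha256(b"second generator").digest(), "big"), 2, p)  # log_g(h) unknown
NBITS, THRESHOLD = 20, 30_000                        # statement: income - THRESHOLD in [0, 2^NBITS)
def rnd(): return secrets.randbelow(q)
def H(*vals): return int.from_bytes(hashlib.sha256(repr(vals).encode()).digest(), "big") % q
def commit(v, r): return pow(g, v, p) * pow(h, r, p) % p   # Pedersen commitment g^v * h^r mod p

def prove_bit(C, b, r):
    # Schnorr OR-proof (Fiat-Shamir): C opens to 0 or to 1, without revealing which
    y = (C, C * pow(g, q - 1, p) % p)                # y[b] == h^r on the true branch
    t, c, z, f = [0, 0], [0, 0], [0, 0], 1 - b       # f = the simulated (false) branch
    c[f], z[f], w = rnd(), rnd(), rnd()
    t[f] = pow(h, z[f], p) * pow(y[f], q - c[f], p) % p
    t[b] = pow(h, w, p)
    c[b] = (H(C, t[0], t[1]) - c[f]) % q            # challenge split: only one branch can be faked
    z[b] = (w + c[b] * r) % q
    return (t[0], t[1], c[0], z[0], z[1])

def verify_bit(C, pr):
    t0, t1, c0, z0, z1 = pr
    c1, y1 = (H(C, t0, t1) - c0) % q, C * pow(g, q - 1, p) % p
    return pow(h, z0, p) == t0 * pow(C, c0, p) % p and pow(h, z1, p) == t1 * pow(y1, c1, p) % p

def prove_income_above(income, r):
    # Client side. C = commit(income, r) is what the employer signed; the bit blinding factors
    # are chosen so that prod C_i^(2^i) == C * g^-THRESHOLD, which ties the bits to C
    diff = income - THRESHOLD
    assert 0 <= diff < (1 << NBITS), "cannot prove a false statement"
    rs = [rnd() for _ in range(NBITS - 1)]
    rs.append((r - sum(ri << i for i, ri in enumerate(rs))) * pow(1 << (NBITS - 1), q - 2, q) % q)
    bits = [(diff >> i) & 1 for i in range(NBITS)]
    return [(commit(b, ri), prove_bit(commit(b, ri), b, ri)) for b, ri in zip(bits, rs)]

def verify_income_above(C, proof):
    # Bank side: sees only the signed commitment C and the proof, never the income itself
    prod = 1
    for i, (Ci, pr) in enumerate(proof):
        if not verify_bit(Ci, pr): return False
        prod = prod * pow(Ci, 1 << i, p) % p
    return len(proof) == NBITS and prod == C * pow(g, q - THRESHOLD, p) % p
```

The bank learns only that the committed income clears the threshold; a proof built for one commitment does not verify against another, and a truncated proof is rejected.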
Pilot projects in the banking sector show significant reductions in onboarding times and containment of compliance costs, thanks to the decreased need for personnel to handle sensitive data, lower secure storage expenses, and reduced insurance costs. However, the most relevant value lies in risk reduction: less sensitive data exposed in clear text means a smaller attack surface and lower liability in the event of an incident.
Advances in the development of ZKPs are real and rapid: Microsoft, Google, and academic institutions are actively investing in these protocols, with a clear goal—to transform them from an academic tool into a mainstream technology for sectors such as banking, public administration, and healthcare.
While attention focuses on immediate vulnerabilities, an additional threat is taking shape. Malicious actors are already applying the “harvest now, decrypt later” tactic—collecting encrypted data today with the intent to decrypt it once quantum computers reach the necessary capability. For infrastructures with 15–20 year lifecycles, such as 5G networks, or for data that retains value over time (healthcare, financial, governmental), this is far from a theoretical or negligible threat.
The public-key cryptographic algorithms currently in use—RSA, ECC, and their variants—are vulnerable to quantum algorithms. The question is no longer if these systems will become obsolete, but when: the scientific community places the most likely horizon between 10 and 15 years. According to the World Economic Forum (WEF), over $20 trillion of global economic value within digital infrastructures is currently exposed to the risk of quantum decryption. For organizations handling data with multi-decade sensitivity, waiting for quantum computing to mature means being a vulnerable target today.
For a medium-sized financial institution, the compromise of encrypted data translates into estimated exposures between €50 and €250 million. For critical sectors such as energy providers or telecom operators, it means putting core infrastructures worth tens of billions at risk. For companies whose capital largely consists of proprietary projects, research data, and mission-critical industrial designs (e.g., pharma, aerospace, defense), this exposure becomes not only economic but can also jeopardize the security of entire industrial sectors or even nations.
In 2024, the U.S. National Institute of Standards and Technology (NIST) published the first post-quantum cryptography standards: no longer laboratory prototypes, but algorithms ready for implementation. Organizations no longer have the excuse of technology; this migration is already technically feasible, and the window to manage it in an orderly manner is shrinking month by month.
This migration requires a complete inventory of where cryptography is used, which algorithms are in place, what dependencies exist, and a risk assessment specific to each asset: which data has long-term value, which systems have extended lifecycles, and which compromises would have critical impact. These steps are essential, especially since organizations very rarely have visibility in this area. Market research on “Crypto Agility” confirms this gap: fewer than 25% of large companies maintain a list—and therefore a clear view—of their cryptographic assets.
In this context, a last-minute or emergency migration—planned only when it becomes inevitable—is a risky option, with high costs and a significant margin for error.
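An asset-by-asset risk assessment of the kind described above, added here as an illustration rather than as anything from the article: the decision rule (data shelf life plus migration time compared with the quantum horizon, usually called Mosca's inequality), the 10-year horizon taken from the pessimistic end of the range given above, the set of Shor-vulnerable algorithms and the sample inventory are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed parameters (assumptions): plan against the pessimistic end of the 10-15 year
# horizon; these public-key schemes are the ones Shor's algorithm breaks
QUANTUM_HORIZON_YEARS = 10
SHOR_VULNERABLE = {"RSA", "ECDSA", "ECDH", "DSA", "DH"}

@dataclass
class CryptoAsset:
    name: str
    algorithm: str
    shelf_life_years: float   # how long the protected data keeps value (healthcare, finance, 5G)
    migration_years: float    # realistic time to move this system to a NIST PQC algorithm

def assess(asset):
    # Mosca-style rule: data is exposed when shelf life + migration time exceed the quantum
    # horizon, because traffic harvested today is still valuable once it can be decrypted
    if asset.algorithm not in SHOR_VULNERABLE:
        return "ok"
    exposure = asset.shelf_life_years + asset.migration_years
    return "at-risk" if exposure > QUANTUM_HORIZON_YEARS else "migrate-on-schedule"

def prioritised(inventory):
    # Names of at-risk assets, largest exposure first: the migration order the inventory exists to give
    at_risk = [a for a in inventory if assess(a) == "at-risk"]
    at_risk.sort(key=lambda a: a.shelf_life_years + a.migration_years, reverse=True)
    return [a.name for a in at_risk]

# Constructed sample inventory (not real systems)
INVENTORY = [
    CryptoAsset("5G core signalling TLS", "ECDH", shelf_life_years=15, migration_years=5),
    CryptoAsset("patient record archive keys", "RSA", shelf_life_years=30, migration_years=3),
    CryptoAsset("internal dashboard TLS", "ECDSA", shelf_life_years=1, migration_years=1),
    CryptoAsset("backup encryption at rest (symmetric)", "AES-256", shelf_life_years=30, migration_years=0),
]
```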
By Sergio Ajani, Services & Solutions Design Director at Innovaway