In August 2024, NIST published the first official post-quantum cryptography standards. This event should concern everyone responsible for data security - from CISOs to boards. Not because quantum computers will arrive tomorrow, but because data encrypted today may be decrypted in a few years’ time.
A patient adversary: harvest now, decrypt later
Imagine an attacker intercepting a company’s encrypted communications without attempting to break them - instead, archiving everything and waiting. This is the “harvest now, decrypt later” strategy against which security agencies in the US, UK, EU and Australia have warned. According to them, such activity is likely already being carried out by state actors.
The RSA and elliptic-curve algorithms underpinning most contemporary systems were designed with classical computers in mind. A quantum computer running Shor’s algorithm could break them within minutes. “Q-Day” may arrive around 2035 - this sounds distant, but financial data, intellectual property and medical records often need to remain confidential for decades.
“The quantum threat is not a matter of laboratory futurism, but of genuine strategic planning,” emphasises Jarosław Kamil Zdanowski, Partner at SNOK. “Organisations storing sensitive data should already be treating cryptographic migration as part of their security roadmap.”
New standards: a foundation for resilience
NIST, following a decade of collaboration with the world’s leading cryptographers, approved three quantum-resistant algorithm standards in 2024: ML-KEM, ML-DSA and SLH-DSA. In March 2025, a backup algorithm, HQC, based on different mathematics, was added.
These tools are not, however, a straightforward replacement for current solutions. They require larger keys, generate larger digital signatures, and their deployment means updating protocols and hardware modules. NIST notes that migration will take years and recommends a hybrid approach - using classical and post-quantum algorithms in parallel during the transition period.
Where AI meets cryptography
Organisations are investing heavily in artificial intelligence: automation systems, predictive models, generative solutions. But are they simultaneously securing training data, models and communication channels to a standard resilient against future threats?
AI and post-quantum cryptography create a paradox: machine learning can support the development of new encryption algorithms, but advanced AI systems in the hands of attackers may also accelerate the analysis of intercepted data. Defence must be multi-layered: quantum-resistant encryption, access control, monitoring and the ability to rotate keys quickly.
“In projects combining AI automation with SAP transformation, we are observing growing awareness of long-term data security,” notes Dariusz Kurkiewicz, Team Leader Cybersec & SAP BASIS at SNOK. “ERP systems store sensitive information for many years. The question of encryption resilience over a decade-long horizon is becoming part of audits and risk assessments.”
Critical systems: ERP, finance, customer data
Discussions of post-quantum cryptography often focus on the government and defence sectors. Yet organisations running SAP systems have just as much at stake. SAP HANA databases, S/4HANA environments, BTP solutions - all rely on encryption based on algorithms vulnerable to future quantum attacks.
SAP offers solid mechanisms: AES-256 encryption, secure communication protocols. The problem is that migrating to post-quantum solutions in such complex environments requires an inventory of every point where cryptography is used and a multi-year roadmap. Organisations that start early will gain an advantage.
“Many clients are unaware of how many points in their SAP infrastructure rely on cryptography: from authorisation, through integrations, to backup encryption,” points out Paweł Machowiec, Expert at SNOK. “A cryptographic inventory is the first step towards informed management of quantum risk - and it is something that can begin now.”
The SNOK perspective: from audit to roadmap
Experts at SNOK have been supporting organisations in SAP and cybersecurity for over 25 years. Facing the challenges of post-quantum cryptography, we offer support: from readiness assessment, through the construction of strategic roadmaps, to integrating security into automation projects and AI deployments. We work with partners such as SecurityBridge and bowbridge Software GmbH to provide visibility across the entire SAP landscape.
Will your encryption survive the decade?
This is a question that should be raised at the next board meeting. The answer requires an honest assessment: which algorithms you use, how long your data must remain confidential, and whether you have a plan for transitioning to quantum-resistant solutions.
Waiting for a specific Q-Day date is a risky strategy. Data intercepted today could be decrypted years from now - the consequences of such a breach would be just as severe as an attack occurring in real time. Organisations that treat post-quantum cryptography as part of a long-term security strategy will be better prepared for the future.
Would you like to discuss your organisation’s readiness for a post-quantum world? Contact the SNOK team.