
Digital evidence in cybersecurity: how to ensure its integrity and legal validity
9 de July de 2026When “securely encrypted” stops meaning “secure forever”
For decades, cybersecurity has taken one assumption for granted: if a piece of data is encrypted with a strong algorithm, it stays protected indefinitely. That assumption is cracking. Quantum computing isn’t yet a mass operational threat, but it’s already changing how we need to reason about long-term confidentiality.
This article draws a distinction that matters: on one hand, what institutions such as CCN, ENISA, NIST, and the European Commission have actually and verifiably said about post-quantum cryptography. On the other, the reading Cosmikal makes of what that framework implies for privileged access platforms, our own conclusion, not a quote from those institutions.
Harvest Now, Decrypt Later: the threat that’s already happening
The concept behind this urgency is known as Harvest Now, Decrypt Later (HNDL). An adversary doesn’t need a quantum computer capable of breaking RSA or ECC today to pose a real risk: it’s enough to intercept and store encrypted traffic now, and wait for quantum computing capacity to mature enough to decrypt it later.
The practical consequence is this: any data whose confidentiality needs to survive five, ten, or fifteen years is a candidate to be “harvested” today. Privileged credentials, industrial secrets, government communications, or intellectual property all fall into that category. This is the risk framework backed by NIST and ENISA as the underlying reason not to wait until a quantum computer capable of breaking today’s encryption actually exists.
What the institutional sources actually say
Before applying this framework to any product or technology category, it’s worth being precise about the actual scope of each source:
- ENISA generically recommends building cryptographic inventories, identifying where vulnerable encryption is in use, and planning the post-quantum migration ahead of time. It doesn’t single out any particular product category.
- NIST is advancing the standardization of the post-quantum algorithms that will progressively replace RSA and ECC. It’s foundational work applicable to any encrypted system, not sector-specific guidance.
- The European Cyber Resilience Act, fully applicable from December 11, 2027, requires that the security mechanisms of digital products be able to respond to emerging threats throughout their entire lifecycle, although it doesn’t explicitly mention post-quantum cryptography or any specific product category.
- CCN spoke on July 8 at a breakfast event held by Club Diálogos para la Democracia, alongside INCIBE and the Joint Cyberspace Command, as reported by Infobae. There, Deputy Director General Javier Candau called for sustained investment over a three- to five-year plan, focused mainly on developing offensive artificial intelligence capabilities backed by quantum technology. It’s important to be precise here: this is a request for investment in state offensive capability, not a CCN warning about the vulnerability of the encryption businesses or public administrations use today. We include it here only as context, it confirms that the quantum variable is already on Spain’s institutional agenda, not as direct support for what follows.
In summary: there is a real, verifiable institutional consensus on the need to start planning the post-quantum migration. That consensus is general. None of these sources specifically mentions, prioritizes, or singles out privileged access, virtual desktop, or identity management platforms over other technology categories.
Our reading: why PAM, VDI, and IAM are a logical application of this framework
What follows is Cosmikal’s analysis, not a quote from CCN, ENISA, or NIST. We flag it as such because we think that’s the right way to argue: the reasoning has to stand on its own, not on the authority of whoever states it.
Privileged access management (PAM), virtual desktop (VDI), and identity management (IAM) platforms are, by design, custodians of credentials, session keys, and encrypted channels to critical systems. If you accept the HNDL framework, that an adversary can capture encrypted traffic today to decrypt it once quantum computing allows, then any system whose function is to protect long-lived credentials fits squarely within the definition of a priority target for that kind of capture. That’s the full chain of reasoning; there’s no additional link backed by an external source standing in for it.
Applied to a privileged access platform, post-quantum preparedness comes down to four fronts:
- Cryptographic inventory. Knowing exactly which algorithms protect each session, each credential vault, and each communication channel, instead of assuming “it’s encrypted” means “it’s handled.”
- Cryptographic agility in session encryption. Designing the channels between the user and the work environment with the expectation that algorithms will need to be replaceable without redesigning the whole architecture.
- Short-lived credential rotation. The shorter a credential’s or session key’s useful lifetime, the smaller the window an attacker can exploit even if they “harvested” encrypted traffic today.
- Active monitoring of the standardization roadmap. Tracking the algorithms that NIST and other bodies are consolidating as standards, so as not to migrate twice or adopt a premature implementation that becomes obsolete.
Classic security versus post-quantum readiness: the contrast
The starting point of a traditional PAM and that of an architecture prepared for the post-quantum transition differ on one key point. A classic approach takes current cryptography for granted and treats its renewal as a one-off, distant event. An approach prepared for the post-quantum era treats cryptography as a living component of the system, subject to inventory, rotation, and replacement just like any other element of the attack surface.
That difference isn’t cosmetic. A PAM that doesn’t know which algorithms protect each session can’t plan its own migration: it’s left exposed to a full redesign once the post-quantum standard is finalized, instead of adopting it incrementally.
A concrete example: what HNDL means for a privileged session today
Picture a routine remote session: an administrator connects today to a critical system through an encrypted channel to perform maintenance tasks. Under the classic paradigm, that session is considered secure as long as the encryption used is considered strong at the moment of connection.
Under the HNDL paradigm, an adversary capable of intercepting traffic doesn’t need to break that encryption today: storing it is enough. If that session contained credentials, configurations, or information that needs to stay confidential for five or ten years, “today’s” security isn’t what matters. What matters is whether the organization knows which algorithm protected that session, and whether there’s a plan to replace it before it stops being reliable.
The post-quantum transition isn’t a race, it’s a roadmap
No serious vendor should promise a closed, universal post-quantum certification today: that standard is still being finalized. What is a reasonable responsibility for any vendor is architectural readiness: building on a foundation of cryptographic agility, maintaining an inventory of where and how each session is encrypted, and closely tracking the evolution of the standards so they can be incorporated as soon as they mature, without having to redesign the product from scratch.
How Cosmikal approaches this transition in Endurance
Today, no certification body has a closed “post-quantum certification” standard for privileged access platforms: NIST has finalized the first post-quantum algorithms, but the product certification schemes that will incorporate them are still being built. No vendor can seriously offer that kind of certification today.
Endurance protects connections today with end-to-end encryption, and the credential vault it manages is likewise encrypted. The move toward post-quantum cryptography is part of the product roadmap, in line with the standardization process that various bodies are still finalizing.
That level of rigor connects directly with the defense sector: in June 2026, Endurance was added to the NATO Information Assurance Product Catalogue (NIAPC), NATO’s reference catalogue for information security products intended for defense, critical assets and infrastructure, and other high-sensitivity contexts, becoming the only Spanish solution included in NIAPC’s Access Control category, and the second of European origin in that category.
Frequently asked questions
What is post-quantum cryptography?
It’s the set of cryptographic algorithms designed to withstand attacks carried out with quantum computers, meant to progressively replace schemes like RSA or ECC, which are vulnerable to that kind of computation.
What does Harvest Now, Decrypt Later (HNDL) mean?
It’s the practice of intercepting and storing encrypted traffic today in order to decrypt it in the future, once quantum computing is capable of breaking today’s encryption. It doesn’t require the quantum computer to exist yet: it’s enough for the data captured today to remain sensitive years from now.
Have CCN, ENISA, or NIST specifically flagged a priority category in the face of the quantum threat?
Not explicitly. These institutions set out a general risk framework and recommend inventory and cryptographic migration for any encrypted system. That privileged access platforms are a particularly relevant application of that framework is a reasoned reading based on what they manage, long-lived credentials and sessions, not a literal statement from those sources.
Does an official post-quantum certification already exist for cybersecurity products?
No. NIST has finalized the first post-quantum algorithms, but the product certification schemes that will incorporate them are still under development. No vendor can seriously offer a closed post-quantum certification today.
Sources cited in this article
- Infobae: “El Mando del Ciberespacio advierte de que faltan medios para garantizar la ciberseguridad” (July 8, 2026)
- Official Cosmikal statement: Endurance’s addition to NIAPC (June 2026)
- ENISA: “Post-Quantum Cryptography: Current state and quantum mitigation”
- NIST: “NIST Releases First 3 Finalized Post-Quantum Encryption Standards” (FIPS 203/204/205)
- EUR-Lex: Regulation (EU) 2024/2847, Cyber Resilience Act (official text)




