
When the future violates the data of the past: who is responsible for security in the quantum era?

Giovanni Piccirillo

May 5, 2026

12 min read


A hospital retaining patient records for thirty years, an insurance company archiving policyholder medical files, a bank preserving transaction histories under regulatory mandate: each of these organisations is today creating an archive that a quantum-equipped adversary may be able to read in full before the retention window closes. The breach, in formal legal terms, has not yet occurred. The harm, in practical and strategic terms, may already be in motion. NIST, ENISA, Germany's Federal Office for Information Security (BSI), and the NSA have each placed credible operational quantum computing, sufficient to break the asymmetric cryptography protecting those archives, somewhere between 2030 and 2040. That range is not a reassurance. For any organisation holding sensitive data with a secrecy lifespan beyond a decade, it is a deadline.

Data protection law was built around a fundamentally present-tense assumption: that a breach happens now, causes harm now, and can be traced, notified, and sanctioned now. The GDPR's seventy-two-hour notification obligation, its incident-centred enforcement architecture, its concept of a "personal data breach" as an event with a discernible moment of occurrence, all reflect this assumption. The quantum threat, and the "harvest now, decrypt later" strategy it enables, collapses it. The act of collection and the moment of exposure are separated by a decade or more. The controller may never know interception occurred. The seventy-two-hour clock never starts. No supervisory authority is ever notified. The entire enforcement apparatus is bypassed, not because it failed, but because the threat operates on a temporal plane the law did not anticipate. That gap, between the legal architecture we have and the risk profile we face, is the central problem this article addresses.

The mathematics of the problem

Modern digital security rests on two dominant families of asymmetric cryptography: RSA and elliptic curve cryptography. Both derive their strength from the computational intractability of specific mathematical problems. RSA relies on the difficulty of factoring the product of two large prime numbers; ECC exploits the hardness of the elliptic curve discrete logarithm problem. In classical computing terms, these problems scale exponentially with key size. A 2048-bit RSA key would require more computational effort to break than the current global computing capacity could deliver across the age of the universe. This is not a minor safety margin. It is the foundation on which TLS, SSH, digital signatures, public key infrastructure, and virtually every secure communication protocol in commercial and governmental use is built.

Peter Shor's 1994 algorithm changed this calculus entirely. Running on a sufficiently large, error-corrected quantum computer, Shor's algorithm reduces integer factoring and discrete logarithm computation from exponential to polynomial time (Shor, P.W., "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer", SIAM Journal on Computing, 1997). The threshold for breaking a 2048-bit RSA key is estimated at approximately 4,000 logical, error-corrected qubits. That threshold has not yet been reached, but it is the target of serious, well-funded research programmes in the United States, China, the European Union, and the United Kingdom, with aggregate national investment running to tens of billions of dollars (McKinsey Global Institute, "Quantum Technology Monitor", 2023). A second algorithm, Grover's, reduces the effective security of symmetric encryption by half, cutting a 256-bit AES key to the equivalent of 128-bit security against a quantum adversary. This does not break symmetric cryptography outright, but it substantially raises the recommended key-length parameters for any organisation that takes the quantum timeline seriously.

The implication is not that all cryptography is broken today. It is that the security guarantees of asymmetric cryptography are conditional, not absolute: they hold as long as no adversary possesses a cryptographically relevant quantum computer. The moment that condition fails, every communication ever encrypted under RSA or ECC becomes potentially readable, including communications stored years earlier. The mathematical vulnerability is not a future event. It is a present structural characteristic of the entire classical cryptographic stack, one that becomes exploitable when, not if, quantum hardware reaches threshold scale.

Article 32 GDPR and the dynamic standard of care

The legal framework for data security in the European Union does not require perfection. Article 32 GDPR requires controllers and processors to implement technical and organisational measures appropriate to the risk, taking into account "the state of the art." That phrase is the critical hinge. The state of the art is not a fixed reference point; it is a dynamic standard that moves with the frontier of available technology and the reasonable expectations of informed professional practice. What constituted adequate security in 2015 is not necessarily adequate in 2025, and what is adequate in 2025 will not automatically remain so through 2035. The accountability principle under Article 5(2) reinforces this: ongoing compliance must be demonstrated and measures adjusted as the risk landscape evolves.

The question of technological foreseeability is therefore central to any assessment of quantum-era security obligations. In regulatory theory and tort doctrine, liability does not typically attach to risks that were genuinely unforeseeable at the time of the relevant decision. The quantum threat does not qualify for that exemption. The NSA issued its first public advisory on post-quantum migration in 2015. NIST launched its post-quantum cryptography standardisation process in 2016, concluding with the publication of final standards, ML-KEM, ML-DSA, and SLH-DSA, in August 2024 (NIST, "Post-Quantum Cryptography Standards", 2024). ENISA has published multiple reports on quantum-safe cryptography. Germany's BSI has issued concrete migration recommendations with timelines and algorithm preferences. Any organisation with a functioning security team that argues the quantum risk was unforeseeable as of 2025 is advancing a position that supervisory authorities and courts will find increasingly difficult to accept. Foreseeability in regulatory law does not require certainty. It requires that a reasonable and informed actor in the relevant sector would have recognised the risk as material. That threshold, for most sectors handling sensitive long-lived data, has already been crossed.

A prospective reading of Article 32 thus produces a concrete obligation for organisations processing data with extended retention requirements: the security assessment must span the full lifecycle of the data, not merely the moment of collection. If health records will be retained for thirty years, and quantum decryption is a credible threat within that window, then the measures implemented today must be evaluated against the security requirements that will prevail throughout that window. This is not a reinterpretation of the GDPR; it is a faithful application of a standard the regulation already contains. What is missing is not legal capacity, but the regulatory will to apply it.

Who is liable when the breach is deferred a decade

Consider the hypothetical that the source article poses: an insurance company encrypts policyholder medical data using RSA-2048 in 2025; a state actor harvests and archives that ciphertext the same year; in 2034, when a cryptographically relevant quantum computer is operational, the data is decrypted and exploited for discriminatory purposes. Who bears responsibility? The answer is not simple, but it is not unanswerable.

The data controller carries primary ex ante responsibility. Article 32 required the insurance company to assess the risk at the time of processing and to implement measures adequate to that risk. Post-quantum algorithms are available and deployable as of 2024; a failure to migrate to, or at minimum to plan migration toward, quantum-resilient cryptography constitutes a deficiency in the technical measures implemented. The ex post question, whether the controller can be sanctioned after the delayed breach is discovered years later, turns on whether a supervisory authority can establish a causal link between the 2025 security decision and the 2034 harm. That causal chain is temporally extended but structurally direct. The controller's choice not to implement available quantum-resilient measures is the proximate cause of the exposure, even if the adversary's decryption is the proximate mechanism of the harm. The distinction between cause and mechanism is familiar to courts from environmental and product liability cases involving latent, long-deferred harm.

Cloud providers, software vendors, and key management infrastructure operators occupy a complex secondary position. Processors under Article 28 GDPR must implement security measures at least equivalent to those required of the controller. A cloud provider that continues to offer only classical-cryptography-based encryption services after post-quantum alternatives have become standard practice may be in breach of its processor obligations. Cryptographic vendors, whose software libraries and services underpin the security architecture of entire industry sectors, bear a distinct responsibility as systemic enablers. Their inaction on post-quantum migration creates exposure across their entire customer base simultaneously, a form of cascading liability that existing enforcement frameworks have not yet had to address. Standard-setting bodies and industry compliance frameworks that promulgate security baselines lagging behind the foreseeable threat horizon create what amounts to a systemic negligence problem: collective inertia that regulators may eventually be compelled to address as an industry-wide failure rather than a series of individual ones.

GDPR sanctions under Article 83 are calibrated to the seriousness of the infringement, the categories of data affected, and the degree of negligence. A delayed confidentiality breach affecting health data or financial records could attract fines at the upper tier, up to four percent of global annual turnover. The civil liability exposure under Article 82, for non-material damage including discrimination, identity compromise, or competitive harm unfolding years after the original security failure, could significantly exceed the regulatory sanction. National courts adjudicating such claims will face the additional challenge of quantifying harm whose full extent may not be apparent for years after the decryption event itself.

NIS2, DORA, decree 231, and the emerging compliance architecture

The GDPR does not govern in isolation. The EU's broader regulatory architecture for cybersecurity and operational resilience provides additional instruments through which quantum risk can and should be addressed. The NIS2 Directive, which entered into force in January 2023 and whose transposition deadline passed in October 2024, explicitly lists the use of cryptography among the required security measures for essential and important entities across a broad range of sectors. Read in conjunction with the documented quantum threat, this provision creates a regulatory basis for supervisory authorities to expect quantum-readiness planning from covered entities. NIS2's supply chain security requirements are equally relevant: an adversary harvesting encrypted communications in transit may be capturing data passing through multiple service providers, and the cryptographic posture of every intermediary in that chain is part of the security picture.

DORA, the Digital Operational Resilience Act for financial services (Regulation EU 2022/2554), introduces ICT risk management and resilience testing requirements for banks, insurance undertakings, investment firms, and crypto-asset service providers. Its requirements for identifying, classifying, and managing ICT risks, and for testing digital resilience against foreseeable threat scenarios, provide a framework within which quantum risk can be integrated today, without waiting for dedicated legislative intervention. The European Banking Authority and the European Central Bank have both flagged quantum risk in their long-term supervisory outlooks, signalling that sector-specific quantum-readiness standards for financial entities are a question of when, not whether.

In the Italian context, Legislative Decree 231/2001, which establishes the framework for organisational liability of legal entities for certain categories of offence, provides a further vehicle for integrating quantum risk into enterprise governance. The management and control models required by Decree 231 typically include protocols for IT system management and data security. An updated 231 model that fails to account for quantum-era risks in a sector where the threat is material (financial services, healthcare, or defence contracting) may be considered inadequate by a supervising court, potentially exposing the entity to administrative liability. The integration of quantum risk into 231 risk mapping and control protocols is therefore not merely sound governance practice; for organisations in exposed sectors, it is increasingly a legal imperative.

What the evidence means, taken together

The technical reality of the "harvest now, decrypt later" threat and the dynamic quality of the GDPR's security standard converge on a single conclusion: the burden of anticipatory responsibility is already accruing. The mathematical vulnerability of classical asymmetric cryptography is a present structural fact, not a future contingency. The collection of encrypted ciphertext by sophisticated adversaries is, by credible assessments, already underway. The post-quantum cryptographic standards necessary to address this risk have been published by NIST and are deployable today. The regulatory frameworks, GDPR Article 32, NIS2, DORA, and national instruments including Decree 231, already contain the legal capacity to impose quantum-readiness obligations; what they lack is authoritative guidance translating that capacity into concrete expectations.

The concept of crypto-agility, the architectural capacity to swap cryptographic primitives without redesigning entire systems, has emerged from this context as a governance imperative rather than a technical nicety. Organisations that have hardcoded cryptographic assumptions into their systems face the highest migration costs and the longest exposure windows. Those that have built for agility can respond to evolving standards rapidly and at significantly lower operational cost. Embedding crypto-agility into procurement requirements, system design reviews, and vendor contracts is one of the most concrete and immediately actionable steps available to compliance officers and technology governance teams. It is also one of the clearest signals a controller can send to a supervisory authority that it has taken the foreseeable risk seriously.

The position that emerges from this analysis is not neutral. Organisations that are today processing sensitive, long-lived data using exclusively classical asymmetric cryptography, and that have not yet conducted a cryptographic inventory, begun migration planning, or engaged with post-quantum hybrid schemes, are accumulating a foreseeable compliance liability. The quantum breach, when it comes, will not be classified as an unforeseeable act of nature. It will be classified as the predictable consequence of a known risk that was publicly documented, technically addressable, and legally required to be managed.
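The crypto-agility and hybrid-scheme points above can be made concrete in code. The following is an added illustration, not code from the article or from Mood Global Services: a suite registry plus a hybrid key combiner in the style of the IETF hybrid-KEM drafts, where the suite identifier and both ciphertexts are bound into an HKDF context. The KEM shared secrets and ciphertexts are constructed stand-ins; a real system would obtain them from an X25519 exchange and an ML-KEM decapsulation.

```python
# Added example (not from the article): crypto-agile hybrid key combiner.
# Shared secrets passed in are constructed stand-ins for real KEM outputs.
import hashlib
import hmac
from typing import Optional

# Suite registry: a stored record or protocol header only needs to carry the
# suite id; migrating to a new primitive means adding a row, not redesigning.
SUITES = {
    0x0001: ("X25519", None),          # classical only (legacy, HNDL-exposed)
    0x0002: ("X25519", "ML-KEM-768"),  # hybrid: classical + post-quantum
    0x0003: ("X25519", "ML-KEM-1024"),
}

def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (Extract then Expand) over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
    return okm[:length]

def combine(suite_id: int, ss_classical: bytes, ss_pq: Optional[bytes],
            ct_classical: bytes, ct_pq: bytes) -> bytes:
    """Derive one session key from the classical and post-quantum secrets.

    Both shared secrets feed the KDF and the suite id plus both ciphertexts
    are bound into its context, so recovering the X25519 secret alone (the
    harvest-now, decrypt-later case) does not yield the session key as long
    as the ML-KEM secret stays unknown.
    """
    if suite_id not in SUITES:
        raise ValueError(f"unknown suite 0x{suite_id:04x}")
    classical_name, pq_name = SUITES[suite_id]
    if (pq_name is None) != (ss_pq is None):
        raise ValueError("shared secrets do not match the registered suite")
    ikm = ss_classical + (ss_pq or b"")
    info = (b"hybrid-kem-v1" + suite_id.to_bytes(2, "big")
            + classical_name.encode() + (pq_name or "").encode()
            + ct_classical + ct_pq)
    return hkdf(ikm, salt=b"", info=info)
```

Retiring a suite is a registry change plus a re-wrap of stored keys, which is the operational meaning of crypto-agility in the text.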

From future risk to present responsibility

The shift from static to predictive security is not a technical challenge alone. It is an organisational, legal, and cultural one. It requires governance structures that look beyond the next audit cycle, legal frameworks that assign liability across temporal distances, and a compliance culture that treats emerging but foreseeable risks as present obligations rather than future contingencies. The data already being harvested today will not wait for regulatory guidance to catch up, and the organisations that understand this earliest, those that map their cryptographic inventories now, that begin hybrid migration now, that embed quantum risk into their 231 models and DORA ICT frameworks now, are the ones that will be able to demonstrate, when the question is eventually asked in front of a supervisory authority or a civil court, that they saw the breach coming and chose to prevent it.

