AACHEN, Germany, Jan. 20, 2026 /PRNewswire/ -- The course for the future of digital security is currently being reset. The damage caused by cyberattacks on German companies alone has been estimated at around €289 billion over the past twelve months, which is higher than ever before. The threat landscape is continuing to change as a result of new technologies such as artificial intelligence and, in the future, quantum computing, making attacks more complex and difficult to predict. Even confidential data that is currently protected by encryption can be misused in the wrong hands according to the motto "harvest now, decrypt later."
In view of this threat situation, Nils Gerhardt, CTO at Utimaco, emphasises the need for strategic action and names three trends that will significantly determine the resilience of organisations in 2026.
1) Digital sovereignty: The path to cryptographic independence
Recent cyberattacks on critical infrastructure, including several European airports, highlight our dependence on large technology providers. The dominance of a handful of providers in key critical areas such as cryptography poses risks, especially where security-critical core functions are affected. Digital sovereignty must therefore become a technically secure reality. A broad base of trustworthy solutions forms the foundation for this, especially in cryptography, which must not be used as an opaque black box.
Governments and regulatory authorities recognise the urgency of this issue, as demonstrated by international initiatives such as the Cyber Security and Resilience Bill in the UK, the EU's NIS2 directive, the European IPCEI projects, and the Singapore Cybersecurity Act. Companies should incorporate geopolitical realities into their strategic planning as a criterion for security-critical components, particularly in the area of encryption, and anchor this in their procurement guidelines. This means actively moving away from a purely price-oriented approach in favour of transparent and verifiable supply chains. In addition, organisations should view the requirements of regulations such as NIS2 not as a mere compliance obligation, but as an opportunity to increase internal cybersecurity through strategic investments in security technologies and to strengthen the digital resilience of the entire ecosystem.
2) Post-quantum cryptography (PQC): The clock is ticking until 2035
The constant progress in the development of commercial quantum computers poses the risk that current asymmetric cryptography could be cracked in less than a decade; some forecasts put the deadline even earlier. The "harvest now, decrypt later" approach is particularly relevant: digital identities will no longer be secure, and attackers are already collecting sensitive, encrypted data today in order to decrypt it later using quantum computers. This creates an immediate need for action for companies with data that needs to be protected in the long term, such as those in the critical infrastructure or financial sectors. Post-quantum cryptography (PQC) offers the strategic answer here, but time is of the essence: the EU PQC Roadmap requires all member states to develop a comprehensive national plan for implementing PQC by the end of 2026, while at the same time the NIST guideline prohibits support for today's common practices from 2035 onwards. According to Forrester, spending on quantum security is expected to account for more than five percent of total IT security budgets in the coming years.
A key element of any PQC migration is a complete cryptographic inventory that records all procedures, key lengths, and algorithms used. On this basis, the technological transition must take place via a central and tamper-proof cryptographic infrastructure that serves as a trusted anchor (root of trust).
Ideally, companies are already using crypto-agile hardware today: devices that can be updated with the new PQC algorithms as needed without having to replace the entire infrastructure. While PQC and other quantum cryptographic methods are likely to remain limited to highly specialised scenarios, crypto-agile key and lifecycle management enables pragmatic and secure migration in the long term.
3) Gen-AI and the data protection dilemma
The exponential growth of AI models and data sets in connection with generative AI systems creates a new vulnerability and exacerbates existing data protection issues. According to a study by 451 Research (Voice of the Enterprise (VotE): Data & Analytics, Generative AI Adoption 2025), concerns about data protection and security are among the main obstacles to the implementation of GenAI tools. Risks arise both from the unintentional feeding of confidential information into training models and from more sophisticated attacks such as "prompt injection." Since security and privacy are the most important deciding factors when selecting large language models (LLMs), companies urgently need to shift their control mechanisms from perimeter security to the data level.
The priority is consistent encryption of relevant data so that security controls are applied directly to the data itself before it enters LLM environments. In addition, systematic detection and classification of sensitive data is required to ensure that only authorised and cleaned data sets are released for AI applications. Since many attacks address the "human factor," clear guidelines for the use of GenAI tools and ongoing employee training are also essential to prevent "shadow GenAI" and ensure qualified human review of all AI-generated content.
"The digital future will be shaped by a race between new technologies and the necessary security measures. For organisations, it's not just about defending against current threats; it's about strategically investing in an independent, quantum-secure, and AI-resistant future," says Nils Gerhardt, CTO at Utimaco. "For these reasons, we are convinced that digital sovereignty is not a luxury, but a necessity. It is the security anchor in a time of exponential threats. Now is the time for companies to actively integrate these strategic security trends into their business planning for 2026 in order to secure the long-term competitiveness and resilience of their organisation, build crypto agility as a core strategic competence, and create trust through European technology to protect sensitive data and critical systems in the long term."
About Utimaco
Utimaco is a global platform provider of trusted Cybersecurity and Data Protection solutions and services with headquarters in Aachen (Germany) and Campbell, CA (USA). Utimaco develops on-premises and cloud-based hardware security modules, solutions for key management and data protection as well as Public Warning Systems. Utimaco is one of the world's leading manufacturers in its key market segments.
400+ employees around the globe create innovative solutions and services to protect data, identities, citizens and digital assets with responsibility for global customers and citizens. Customers and partners in many different industries value the reliability and long-term investment security of Utimaco's high-security products and solutions. Find out more on www.utimaco.com.
Media contact
Utimaco
Silke Paulussen
+49 241 1696-150
Silke.Paulussen@utimaco.com
pr@utimaco.com