Bastioncraft - Newsletter #Data PrivacyBastioncraft - Newsletter #Data Privacyhttps://www.bastioncraft.com/newsletter/tag/data-privacyFri, 03 Apr 2026 05:39:43 +0200http://zoho.com/sites/<![CDATA[2024/12/30 The Looming Cryptography Crisis: Quantum Computing and the Future of Cybersecurity]]>https://www.bastioncraft.com/newsletter/post/2024-12-26-the-looming-cybersecurity-crisis-quantum-computing-and-the-future-of-cryptographyThis first article in a series explores the quantum computing breakthrough, its impact on cryptography, and the global challenges it poses. It introduces the cybersecurity risks and management hurdles of transitioning to quantum-resistant systems, setting the stage for deeper discussions to come.]]>

The Looming Cybersecurity Crisis: Quantum Computing and the Future of Cryptography

Quantum computing is no longer a distant concept; it is becoming a tangible reality with profound implications for industries worldwide. While its potential for innovation is enormous, it

also represents a ticking time bomb for modern cybersecurity systems. Specifically, quantum computing threatens to dismantle the cryptographic protocols that protect sensitive data, authenticate users, and secure critical infrastructure. For organizations, the transition to quantum-resistant cryptography is not just a technical challenge—it’s a strategic imperative. But beware: mismanaging this transition could be as catastrophic as ignoring the threat entirely. Imagine rushing to implement new encryption solutions without understanding your unique needs, only to introduce bottlenecks or vulnerabilities that disrupt your operations. Or worse, poorly communicating the urgency to stakeholders, leaving your customers and partners uncertain and unprepared. Mishandled transitions are the hidden danger of the quantum era, and awareness is the first step to resilience.

This article is part of a series exploring quantum computing and its impact on cybersecurity. Here, we focus on the risks, threats, and the current state of quantum-related cryptography challenges. Whether you're new to this topic or an interested observer, this is your primer to understanding the stakes.

Why Quantum Computing Threatens Cryptography


Traditional encryption systems, such as RSA and ECC (Elliptic Curve Cryptography), rely on the computational difficulty of factoring large numbers or solving discrete logarithms. These tasks are practically impossible for classical computers to perform within a reasonable timeframe. However, quantum computers operate on a fundamentally different principle, leveraging quantum mechanics to process information in ways that are exponentially faster.

For instance, quantum algorithms like Shor’s Algorithm can efficiently solve problems like integer factorization, which RSA encryption depends on, and discrete logarithms, critical to ECC. This means that a sufficiently powerful quantum computer could break these cryptographic systems, rendering sensitive data, such as financial transactions or personal information, vulnerable. Furthermore, attackers may intercept encrypted data today, planning to decrypt it in the future when quantum capabilities mature—a threat known as "store now, decrypt later."

Awareness of the Scope: A Universal Challenge


The breaking change brought by quantum computing is not limited to a single sector or niche application. Instead, it threatens the entire technological backbone of the modern digital world. Cryptography underpins nearly all areas of technology, and its vulnerabilities expose a vast surface of potential exploitation:

  1. Communication Systems: Encrypted email, instant messaging, and secure VoIP calls rely on protocols like TLS and SRTP. Quantum threats could intercept sensitive communications, affecting businesses, governments, and individuals alike.

  2. Data Storage and Cloud Security: Secure cloud storage services and on-premises data encryption use technologies like AES and RSA to protect sensitive information. If these systems are broken, years of stored data could be decrypted and exploited retroactively.

  3. Internet Infrastructure: Secure web browsing (HTTPS), DNS security, and certificate authorities rely on cryptographic principles. A quantum breach could lead to massive disruptions in trust on the internet, enabling widespread phishing and man-in-the-middle attacks.

  4. IoT and Embedded Systems: Devices like smart home systems, industrial IoT sensors, and even medical implants depend on lightweight cryptography for secure operation. These systems often cannot be easily updated, making them particularly vulnerable to quantum-era attacks.

  5. Blockchain and Cryptocurrency: Blockchain technologies use cryptography for transaction security and consensus mechanisms. Quantum threats could undermine the integrity of cryptocurrencies and decentralized systems, potentially rendering them unusable.

  6. Authentication Systems: Password-protected systems, biometric security, and multifactor authentication rely on cryptographic algorithms to ensure user identity. Quantum computing could render these defences ineffective, opening doors to unauthorized access and identity theft.

  7. Code Signing and Software Integrity: Digital signatures used for verifying software updates and code authenticity depend on cryptography. A breach here could lead to malicious software distribution, undermining trust in digital ecosystems.


The State of the Art: Where Do We Stand Today?

Quantum computing is still in its early stages, but progress is accelerating. Several developments underscore the urgency of preparing for its impact:

  1. Quantum Computing Milestones
    - In 2019, Google announced it had achieved “quantum supremacy” by solving a problem a classical supercomputer couldn’t solve within a reasonable timeframe [1].
    - IBM and others continue to develop scalable quantum systems, with IBM recently unveiling its 127-qubit quantum processor, Eagle, and a roadmap for even larger systems (IBM Quantum Roadmap)[2].
  1. Post-Quantum Cryptography (PQC) Development
    - The U.S. National Institute of Standards and Technology (NIST) is leading a global effort to standardize quantum-resistant cryptographic algorithms. Algorithms like Kyber (encryption) and Dilithium (digital signatures) are strong contenders in the PQC race (NIST PQC Project) [3].
  2. Challenges Ahead
    - There is no consensus on when quantum computing will break state-of-the-art cryptography; however, estimations suggest that this breakthrough could occur within the next 5 to 20 years. The uncertainty surrounding the timeline, combined with the “store now, decrypt later” threat, underscores the urgency of immediate preparation.

The Transition: Understanding Mosca’s Inequality


Planning the transition to quantum-safe cryptography requires a careful understanding of timelines and risks. Mosca’s Inequality [4] offers a simple framework to think about this. It essentially states:

The time it takes to break your encryption (B) must be greater than the sum of the time your data needs to remain secure (D) and the time it takes to transition to quantum-safe systems (T).


Let’s break it down with a simpler example:

  1. Data Sensitivity (D): Suppose your organization stores medical records that need to remain confidential for 20 years.
  2. Transition Time (T): It may take your organization 5 years to switch to a post-quantum cryptography system.
  3. Breaking Time (B): If a quantum computer capable of breaking encryption becomes viable in 10 years, you’re in trouble because 10 (B) is less than 20 (D) + 5 (T).

Preparing for the Quantum Era: How to Mitigate Risks

  1. Adopt Post-Quantum Cryptography (PQC)
    Post-quantum cryptography uses algorithms designed to resist attacks from both classical and quantum computers. Start transitioning to quantum-resistant encryption standards now.
  2. Inventory Your Cryptographic Assets
    Assess where and how cryptographic algorithms are used across your systems to identify areas that may be vulnerable to quantum attacks.
  3. Implement Hybrid Cryptographic Solutions
    Until quantum-resistant standards are universally adopted, use hybrid solutions combining traditional encryption with quantum-safe algorithms for added security.
  4. Secure Long-Term Data
    Prioritize securing information with long-term sensitivity, such as medical records or intellectual property, against quantum threats.
  5. Monitor Quantum Advancements
    Stay informed about developments in quantum computing and cryptographic standards. Partner with experts to ensure your organization remains ahead of emerging threats.

What Can You Do Today?


Although quantum computers capable of breaking encryption are not yet here, the steps you take now can protect your organization in the future.

  • Understand the Basics: Educate yourself and your team on how quantum computing differs from classical computing and why it poses unique risks to cryptography.
  • Conduct a Cryptographic Inventory: Identify where cryptographic algorithms are used across your systems and assess which areas are most vulnerable to quantum threats.
  • Focus on Long-Term Data Security: Prioritize securing information that needs to remain confidential for decades, such as medical records or legal documents.
  • Monitor PQC Standards: Stay informed about developments in post-quantum cryptography and align your organization with emerging standards.
  • Engage with Experts: Partner with cybersecurity experts who specialize in quantum readiness. A proactive approach is key to staying ahead of the threat.
References

[1] NIST Announces First Four Quantum-Resistant Cryptographic Algorithms, https://www.nist.gov/news-events/news/2022/07/nist-announces-first-four-quantum-resistant-cryptographic-algorithms
[2] IBM Quantum Roadmap, https://www.ibm.com/quantum/blog/ibm-quantum-roadmap
[3] National Institute of Standards and Technology (NIST) PQC Project, https://csrc.nist.gov/Projects/post-quantum-cryptography
[4] Mosca, M. (2018), ‘Cybersecurity in an Era with Quantum Computers: Will We Be Ready?’ IEEE Security & Privacy, 16(5), 38–41, https://doi.org/10.1109/MSP.2018.3761723.
The Time to Act Is Now

How Bastioncraft Can Help?


At Bastioncraft, we understand the implications of quantum computing on cybersecurity. Our expertise includes:
  • Conducting risk assessments to identify cryptographic vulnerabilities.
  • Implementing quantum-resilient solutions tailored to your needs.
By preparing for the quantum era now, your organization can protect its digital assets and maintain trust in an increasingly uncertain cybersecurity landscape.

Secure your future with Bastioncraft’s expert guidance.
Contact Me
]]>Fri, 27 Dec 2024 12:54:12 +0100<![CDATA[2025/01/30 The European AI Act Explained]]>https://www.bastioncraft.com/newsletter/post/2025-01-30-the-european-ai-act-explainedThe EU's AI Act creates a framework classifying AI by risk: unacceptable, high, limited, minimal. High-risk AI must meet strict rules on risk management & oversight. Voluntary codes apply to lower risks. Bastioncraft helps align AI systems with these rules for compliance & ethics.]]>

The European AI Act Explained

The European Union's Artificial Intelligence Act (AI Act) establishes a comprehensive regulatory framework to ensure the safe and ethical development and use of AI within the EU. For companies currently developing AI without adhering to these regulations, significant adjustments are necessary to achieve compliance.

1. Subject Matter, Scope, and Definitions


Title I of the Artificial Intelligence Act (AI Act) establishes the foundational aspects of the regulation, detailing its subject matter, scope, and definitions.


Subject Matter:

The AI Act aims to enhance the functioning of the internal market by setting a uniform legal framework for the development, placement on the market, and use of artificial intelligence systems within the European Union. This framework is designed to ensure that AI systems are safe, respect existing laws on fundamental rights and Union values, and promote trust in AI technologies.


Scope:
The regulation applies to:

  • Providers placing AI systems on the market or putting them into service within the EU, regardless of whether these providers are established within the Union.
  • Users of AI systems located within the EU.
  • Providers and users of AI systems that are established in a third country, where the output produced by the system is used within the Union.


Certain exceptions are outlined, such as AI systems developed or used exclusively for military purposes.


Definitions:
Title I provides precise definitions for key terms used throughout the regulation, including:

  • Artificial Intelligence System (AI System): Software developed with one or more techniques and approaches listed in Annex I, capable of generating outputs such as content, predictions, recommendations, or decisions influencing environments they interact with.

  • Provider: A natural or legal person, public authority, agency, or other body that develops an AI system or has an AI system developed and places it on the market or puts it into service under their own name or trademark, whether for payment or free of charge.

  • User: Any natural or legal person, public authority, agency, or other body using an AI system under their authority, except where the AI system is used in the course of a personal non-professional activity.

  • Placing on the Market: The first making available of an AI system on the Union market.

  • Putting into Service: The supply of an AI system for first use directly to the user or for own use within the Union for its intended purpose.

These definitions are crafted to be technology-neutral and future-proof, accommodating the rapid evolution of AI technologies.

By establishing clear subject matter, scope, and definitions, Title I lays the groundwork for the subsequent provisions of the AI Act, ensuring a consistent and comprehensive approach to AI regulation within the EU.



2. Prohibited Artificial Intelligence Practices

Title II of the Artificial Intelligence Act (AI Act) delineates specific AI practices that are strictly prohibited within the European Union due to their unacceptable risk to safety, fundamental rights, and Union values. These prohibitions are designed to prevent the deployment of AI systems that could lead to significant harm or ethical violations.


Prohibited AI Practices:

  1. Subliminal Manipulation: AI systems that deploy subliminal techniques beyond a person's consciousness to materially distort their behavior in a manner that causes or is likely to cause physical or psychological harm are prohibited.

  2. Exploitation of Vulnerabilities: The use of AI systems that exploit vulnerabilities of specific groups, such as children or individuals with disabilities, to materially distort their behavior resulting in or likely to result in harm is forbidden.

  3. Social Scoring by Public Authorities: AI systems used by public authorities for social scoring, which involves evaluating or classifying individuals based on their social behavior, known or predicted personal or personality characteristics, leading to detrimental or unfavorable treatment, are banned.

  4. Real-Time Remote Biometric Identification in Public Spaces for Law Enforcement: The use of AI systems for real-time remote biometric identification of individuals in publicly accessible spaces by law enforcement authorities is prohibited, with certain exceptions strictly defined by law.


These prohibitions reflect the EU's commitment to ensuring that AI development and deployment uphold ethical standards and protect individuals' rights and freedoms. Companies developing AI systems must ensure that their technologies do not engage in these prohibited practices to remain compliant with the AI Act.


3. High-Risk AI Systems

Title III of the Artificial Intelligence Act (AI Act) focuses on high-risk AI systems, establishing specific requirements and obligations to ensure their safe and ethical deployment within the European Union. This title is structured into three chapters:


3.1. Classification of High-Risk AI Systems


This chapter outlines the criteria for identifying AI systems as high-risk. An AI system is classified as high-risk if it meets one of the following conditions:

  1. Safety Component of a Regulated Product:

    • The AI system is intended to be used as a safety component of a product, or is itself a product, covered by specific Union harmonization legislation that requires third-party conformity assessment.

  2. Standalone High-Risk AI Systems:

    • The AI system is listed in Annex III of the AI Act, which includes systems used in critical areas such as:
      • Biometric identification and categorization
      • Management and operation of critical infrastructure
      • Education and vocational training
      • Employment, worker management, and access to self-employment
      • Access to and enjoyment of essential private and public services
      • Law enforcement
      • Migration, asylum, and border control management
      • Administration of justice and democratic processes

3.2. Requirements for High-Risk AI Systems


This chapter specifies mandatory requirements that high-risk AI systems must fulfil to ensure their safety and compliance with fundamental rights:

  1. Risk Management System:

    • Implement a continuous risk management process to identify, analyse, estimate, and evaluate risks associated with the AI system.

  2. Data Governance:

    • Utilize training, validation, and testing data sets that are relevant, representative, free of errors, and complete to minimize risks and discriminatory outcomes.

  3. Technical Documentation:

    • Maintain comprehensive technical documentation that provides all necessary information for assessing the system's compliance with the AI Act.

  4. Record-Keeping:

    • Ensure automatic recording of events (logging) during the AI system's operation to facilitate traceability and post-market monitoring.

  5. Transparency and Provision of Information:

    • Design and develop the AI system to ensure that its operation is transparent to users, providing them with clear instructions for use.

  6. Human Oversight:

    • Implement appropriate human oversight measures to prevent or minimize risks to health, safety, or fundamental rights.

  7. Accuracy, Robustness, and Cybersecurity:

    • Ensure that the AI system achieves an appropriate level of accuracy, robustness, and cybersecurity, and performs consistently as intended.


3.3. Obligations of Providers and Users of High-Risk AI Systems

This chapter delineates the responsibilities of providers and users concerning high-risk AI systems:

  1. Obligations of Providers:

    • Ensure compliance with the mandatory requirements outlined in Chapter 2.
    • Conduct conformity assessments before placing the AI system on the market or putting it into service.
    • Implement quality management systems to ensure consistent compliance.
    • Register the high-risk AI system in the EU database established by the Commission.

  2. Obligations of Users:

    • Use the AI system in accordance with the provider's instructions.
    • Monitor the system's operation and inform the provider or distributors of any serious incidents or malfunctions.
    • Keep logs generated by the AI system, where appropriate.

By adhering to the provisions set forth in Title III, stakeholders can ensure that high-risk AI systems are developed, deployed, and utilized in a manner that upholds safety standards and fundamental rights within the European Union.


4. Transparency Obligations for Certain AI Systems

Title IV of the Artificial Intelligence Act (AI Act) establishes transparency obligations for specific AI systems to mitigate risks associated with manipulation and to uphold individuals' rights to be informed when interacting with AI. These obligations apply to AI systems that:

  1. Interact with Humans:

    • AI systems designed to interact with individuals must inform users that they are engaging with an AI system. This disclosure ensures that individuals are aware they are not interacting with another human, allowing them to make informed decisions during the interaction.

  2. Detect Emotions or Determine Biometric Data-Based Categories:

    • AI systems that detect emotions or categorize individuals based on biometric data are required to inform the individuals affected. This transparency measure ensures that people are aware of such processing, allowing them to understand and, if necessary, contest the use of their biometric information.

  3. Generate or Manipulate Content ('Deep Fakes'):

    • AI systems that generate or manipulate content to resemble authentic images, audio, or video ('deep fakes') must disclose that the content is artificially generated or manipulated. This obligation is subject to exceptions for legitimate purposes, such as law enforcement or the exercise of fundamental rights like freedom of expression. The disclosure enables individuals to identify and critically assess synthetic content, thereby reducing the risk of deception.

These transparency obligations are designed to empower individuals by providing them with essential information about their interactions with AI systems. By ensuring that users are informed, the AI Act promotes trust and accountability in the deployment of AI technologies within the European Union.

5. Measures in Support of Innovation

Title V of the Artificial Intelligence Act (AI Act) introduces measures designed to foster innovation while ensuring the development and deployment of AI systems align with safety and ethical standards within the European Union. This title emphasizes support for Small and Medium-Sized Enterprises (SMEs) and start-ups, recognizing their pivotal role in driving technological advancement.


Key Provisions of Title V:

  1. AI Regulatory Sandboxes:

    • Member States are encouraged to establish AI regulatory sandboxes—controlled environments where innovators can test AI systems for a limited time based on a testing plan agreed upon with competent authorities. These sandboxes aim to:
      • Foster AI innovation by providing a space to experiment with new technologies during the development and pre-marketing phases.
      • Ensure compliance of innovative AI systems with the AI Act and other relevant Union and Member State legislation.
      • Enhance legal certainty for innovators and improve competent authorities' oversight and understanding of AI's opportunities, emerging risks, and impacts.
      • Accelerate market access by removing barriers for SMEs and start-ups.

  2. Support for SMEs and Start-ups:

    • Title V contains measures to reduce the regulatory burden on SMEs and start-ups, acknowledging their limited resources compared to larger organizations. These measures include:
      • Simplified compliance procedures to make adherence to the AI Act more accessible.
      • Guidance and support initiatives to assist SMEs and start-ups in navigating regulatory requirements.
      • Facilitated access to high-quality data necessary for training and testing AI systems.

By implementing these provisions, Title V aims to create a legal framework that is innovation-friendly, future-proof, and resilient to disruption. It seeks to balance the promotion of technological advancement with the imperative of ensuring that AI systems are safe, ethical, and aligned with Union values.

6. Governance


Title VI of the Artificial Intelligence Act (AI Act) establishes the governance framework for the regulation's implementation and oversight within the European Union. This title delineates the roles and responsibilities at both the Union and national levels to ensure a cohesive and effective application of the AI Act.


Key Components of Title VI:

  1. European Artificial Intelligence Board (EAIB):

    • Establishment: The AI Act proposes the creation of the European Artificial Intelligence Board, comprising representatives from Member States and the European Commission.
    • Functions: The EAIB is tasked with facilitating the harmonized implementation of the AI Act across the EU. Its responsibilities include:
      • Providing guidance and expertise to the European Commission and national authorities on AI-related matters.
      • Promoting cooperation among Member States to ensure consistent enforcement of the regulation.
      • Assisting in the development of standards and best practices for AI systems.

  2. National Competent Authorities:

    • Designation: Each Member State is required to designate one or more national competent authorities responsible for the supervision and enforcement of the AI Act within their jurisdiction.
    • Responsibilities: These authorities are entrusted with:
      • Monitoring compliance of AI systems with the regulation's requirements.
      • Conducting investigations and audits of AI providers and users as necessary.
      • Imposing penalties or corrective measures in cases of non-compliance.
      • Collaborating with other national authorities and the EAIB to ensure a unified approach to AI regulation across the EU.

By establishing this governance structure, Title VI aims to promote a coordinated and effective regulatory environment for AI within the European Union, ensuring that AI systems are developed and utilized in a manner that aligns with Union values and fundamental rights.

7. Codes of Conduct


Title VII of the Artificial Intelligence Act (AI Act) focuses on the development and implementation of codes of conduct to promote the voluntary adherence of AI system providers to the regulation's principles, especially for AI systems classified as minimal or limited risk. These codes are designed to encourage best practices and ensure that AI technologies are developed and utilized in a manner consistent with Union values and fundamental rights.


Key Aspects of Title VII:

  1. Voluntary Codes of Conduct:

    • Providers of non-high-risk AI systems are encouraged to create and adopt codes of conduct that outline voluntary commitments extending beyond the mandatory requirements of the AI Act.
    • These codes should aim to foster the responsible development and deployment of AI systems, emphasizing ethical considerations, transparency, and respect for fundamental rights.

  2. Content of the Codes:

    • Guidelines for ensuring transparency and providing adequate information to users.
    • Measures to prevent and mitigate biases and discrimination in AI systems.
    • Strategies to enhance the accuracy, robustness, and cybersecurity of AI applications.
    • Procedures for voluntary reporting of AI-related incidents and sharing best practices.

  3. Development and Implementation:

    • The European Commission, in collaboration with the European Artificial Intelligence Board and relevant stakeholders, will facilitate the development of these codes.
    • Providers are encouraged to participate actively in the formulation and adoption of codes relevant to their sector or technology.
    • Adherence to these codes remains voluntary but is strongly recommended to promote trust and accountability in AI systems.

By promoting the establishment of codes of conduct, Title VII aims to create a culture of responsibility and ethical awareness among AI developers and users, complementing the regulatory framework with industry-led initiatives that uphold the Union's commitment to trustworthy and human-centric AI.


8. Final Provisions


Title VIII of the Artificial Intelligence Act (AI Act) encompasses the final provisions that ensure the effective implementation and enforcement of the regulation across the European Union. These provisions address aspects such as penalties, amendments to existing legislation, transitional measures, and the regulation's entry into force.


Key Components of Title VIII:

  1. Penalties:

    • Member States are required to establish rules on penalties applicable to infringements of the AI Act. These penalties must be effective, proportionate, and dissuasive to ensure compliance.

  2. Amendments to Existing Legislation:

    • The AI Act includes provisions to amend certain existing Union legislative acts to ensure coherence and alignment with the new AI regulatory framework.

  3. Transitional Measures:

    • Transitional provisions are outlined to facilitate a smooth transition for stakeholders adapting to the new requirements imposed by the AI Act.

  4. Entry into Force and Application:

    • The regulation specifies the date of its entry into force and the timeline for its application, providing stakeholders with a clear schedule for compliance.

By detailing these final provisions, Title VIII ensures that the AI Act is implemented uniformly across the EU, providing legal certainty and a structured framework for the development and use of artificial intelligence systems.

The Time to Act Is Now

How Bastioncraft Can Help?


Navigating the regulatory landscape of AI, particularly in light of the European Union's Artificial Intelligence Act (AI Act), can be complex. Bastioncraft offers comprehensive solutions to help organizations ensure their AI systems comply with these evolving regulations.

  • Comprehensive Compliance Solutions
    Navigating the regulatory landscape of AI, particularly in light of the European Union's Artificial Intelligence Act (AI Act), can be complex. Bastioncraft offers comprehensive solutions to help organizations ensure their AI systems comply with these evolving regulations.
  • Expert Guidance and Support
    With a team of experts well-versed in cybersecurity and compliance, Bastioncraft offers hands-on guidance throughout your compliance journey. This support ensures that your AI systems adhere to the necessary regulations, mitigating potential risks associated with non-compliance.

By partnering with Bastioncraft, your organization can confidently develop and deploy AI systems that comply with the AI Act, ensuring ethical practices and regulatory adherence.

Secure your future with Bastioncraft’s expert guidance.
Contact Me
]]>Wed, 25 Dec 2024 12:00:00 +0100