
Do you find this conversation relevant to your current challenges or interests? Then dive deeper with our whitepaper “Getting a Grip on Cryptography Before It Becomes a Risk.” Discover how to take ownership of your cryptographic landscape, align it with business priorities and compliance requirements, and prepare your organization for the future. You’ll find more details in the closing section of this article. Enjoy reading!
First collaboration
Andreas: “Admir, we’ve known each other for many years in the world of cryptography and PKI. It’s great to finally highlight our collaboration — especially now, when applied cryptography is evolving faster than ever.
Together, Keyfactor delivers the technology — from certificate lifecycle automation to machine identity management — while SITS | Traxion brings integration expertise and advisory services to make it operational in complex environments. That combination is what makes us successful. Technology alone is not enough — it needs the right guidance and local context.”
Looking 2–4 years ahead
Andreas: “Admir, we’ve both been active in PKI and crypto for ages. What do you see as the most important trends for the next two to four years?”
Admir: “If we exclude artificial intelligence — because that’s not a trend but a disruption — we see a set of technologies and conditions that become highly relevant. One is the geopolitical situation: global, widely spread supply chains are forcing organizations to think differently about resilience than a few years ago. We see more inward-looking approaches, especially in Europe, where data sovereignty and having cryptography under European control is becoming more important. You see something similar in North America.
So, before we even talk about algorithms, the playing field itself is changing: Organizations want to know where their cryptography runs, who controls the keys-material and how fast they can adapt.”
Post-quantum cryptography: the foundations are there, but the work is big
Admir: “If we zoom in on applied cryptography, the dominant theme is clearly post-quantum cryptography (PQC) and the transition to quantum-resilient services. The good news: in the last two to three years we’ve made solid progress — algorithms are being standardized, relevant protocols are being updated, and HSM manufacturers already have pretty good implementations.
But it’s not all simple. PQC based protocols behave differently than classical crypto-protocols — for example in key negotiation — and that means implementers need to learn how to do it right. We have the foundations, but protocols and applications will keep evolving over the coming years.”
Andreas: “Exactly. And PQC is not just ‘switch the algorithm’. The whole protocol layer and even the application behavior needs to change. So yes, everyone talks about ‘Q-day’, but the real work is in software, stacks, and integrations.”
Admir: “That’s right. That’s why some verticals are already experimenting now — banks, financial services, governments — because they need to protect data for 10–20 years. Others, like traditional manufacturing, are more focused on ‘it has to work today’ and are less affected by ‘harvest now, decrypt later’.”
Shorter certificate lifetimes → forced automation
Admir: “There’s another trend that’s a bit more down-to-earth but very impactful: for public-facing certificates we see drastically shorter lifetimes. That trend started years ago, but it’s accelerating. Part of it is to raise the security level, part of it is to get away from always-on OCSP/CRL dependencies.
But… once certificates are short-lived, you must automate. Large enterprises and governments often have workflows already. But for medium and even smaller organizations, this will now become necessary — otherwise a certificate owner is on holiday and suddenly a service is down.”
Andreas: “We often see this in critical environments — for example, when a single expired certificate can take down an application or block user access. Automating lifecycle management avoids that risk and gives IT and security teams peace of mind.”
Regulations: NIS2, DORA, CRA – don’t pay twice
Admir: “In Europe we have, for the better I would say, several regulations that push the industry: NIS2, DORA, and also CRA. All of these push both vendors and implementers to build more resilience.
My concern is this: if organizations treat PQC on one track and compliance on another, they may end up paying twice — once for compliance, once for the quantum transition. It’s better to interconnect those efforts: modernize crypto while you’re meeting NIS2/DORA requirements.”
Andreas: “For many clients, compliance isn’t just a burden — it’s also the perfect moment to modernize. If you’re revising policies or preparing for NIS2, it’s the right time to align your cryptography strategy and build agility in from the start.”
Crypto-agility and “modernization of cryptography”
Admir: “I hear the term cryptographic agility much more often now — sometimes also called ‘modernization of cryptography’. The idea is simple: today we think certain post-quantum algorithms are safe, but we don’t know what we’ll discover in two, five, or ten years. So while we move from classical to PQC, we should at the same time build solutions that can switch to another algorithm without major pain.”
Andreas: “So: Do the homework now — visibility, automation, shorter lifecycles — and then you’re ready for PQC later.”
Admir: “Exactly. And longer term you can even imagine higher-abstraction approaches: instead of coding ‘use algorithm X’, you code ‘sign this’ or ‘protect this document’, and the policy layer chooses the right algorithm. That sounds nice, but it’s hard to do right — people tried 15 years ago and it didn’t really take off. But with the quantum transition and multiple new algorithms, it becomes more relevant again.”
Different industries, different urgency
Admir: “We already see banks, financial services and governments doing PoCs with PQC because they must keep data confidential for decades. Industries that are less exposed to long-term data confidentiality — like some manufacturing — look more at availability and ‘it must run today’. But if they have a lot of intellectual property, they will also need to move.
In all cases: automation + crypto-agility + IT modernization will be the winning combination.
Crypto modernization is not just a cost — it reduces outage risks, eliminates manual renewals, and ensures compliance audits can be passed smoothly. That’s tangible ROI.”
Where Keyfactor and SITS | Traxion meet
Andreas: “And that’s exactly where Keyfactor and SITS | Traxion fit together. Keyfactor delivers the technology to manage, view and automate everything — certificates, keys, machine identities — and we come in with consultancy to assess the infrastructure, implement the right tools and make it workable for the customer. It’s technology + guidance.”
Admir: “I agree. As vendors in applied cryptography we are, frankly, already well prepared. The challenge now is to deploy this at the scale of an entire society. That’s where partners like SITS | Traxion are crucial: you help customers decide what to do now and what to postpone, because acting too early is costly and acting too late can be a regulatory problem.”
Andreas: “And let’s not forget: it’s not only the big companies. Mid-sized and smaller organizations will be most affected if they don’t get help — simply because they don’t have in-house crypto experts.”
Admir: “That’s why I even see a role for regulation to say: by 2028, off-the-shelf software should support cryptographic agility. Customers are willing to pay, but not three times for three different transitions. We need a mindset shift in how crypto is used across the whole software stack — databases, web servers, applications.
Ultimately, strong cryptography is about trust — between users, systems, and organizations. It’s the invisible foundation of digital society.”
Andreas: “Exactly. Our mission is to make that trust tangible and manageable. With partners like Keyfactor, we turn complex cryptography into practical security that empowers innovation.”
Future-proof your cryptography today — through automation, agility, and trusted collaboration.
Andreas: “Admir, thank you for the great conversation. Looking back at what we’ve discussed, I would summarize it like this: organizations can’t wait for the perfect moment to modernize their cryptography — they need to start with visibility and automation today. Once that foundation is there, they’re ready to adapt, whether it’s for post-quantum readiness, new regulations, or future innovations.”
Admir: “Exactly. The change is already happening — not next decade, but now. The good news is that the tools and knowledge exist, and partnerships like ours make it possible for any organization to take control of its cryptography with confidence. Let’s use this momentum to build the trust and resilience that the next digital era demands.”
Want to continue the conversation?
The topics we’ve discussed — from automation and post-quantum readiness to crypto-agility and compliance — are shaping how every organization will secure its digital future. If this resonates with your challenges or ambitions, we’d love to continue the exchange.
Do you find this conversation relevant to your current challenges or interests? Then dive deeper with our whitepaper “Getting a Grip on Cryptography Before It Becomes a Risk.” Discover how to take ownership of your cryptographic landscape, align it with business priorities and compliance requirements, and prepare your organization for the future. You’ll learn:
Download the whitepaper and take the next step toward a future-ready cryptographic strategy.
Ready to take the next step? Let’s talk with our experts. sales.nl@traxion.com | +31 418 653 883
Identity & Access Management can be perceived as complex – from access challenges to securing sensitive data. While this article highlights the partnership between SITS | Traxion and Keyfactor, we’re here to support you with your specific needs. We’re happy to help!
Ready to take the next step? Let’s talk with our experts.
Nederland: BeLux:
📧 sales.nl@traxion.com 📧 sales.be@traxion.com
📞 +31 418 653 883 📞 +32 15 28 50 70