Secure communication systems are often built with a difficult assumption: that the cryptographic choices made today will remain suitable for many years.
In practice, that assumption is becoming harder to defend.
Algorithms age. Standards change. Implementation weaknesses are discovered. Compliance expectations evolve. New technologies create new attack models. And now, with the transition toward post-quantum cryptography, organisations must prepare for one of the most significant changes in modern digital security.
This is where crypto-agility becomes important.
Crypto-agility is the ability to update, replace or strengthen cryptographic mechanisms without redesigning an entire system. It allows organisations to move from one algorithm, protocol or key-management approach to another in a controlled way, while maintaining service continuity and operational trust.
For secure communication, this is not a theoretical design preference. It is becoming a practical resilience requirement.
Many communication systems depend on cryptography in several places at once. Encryption protects confidentiality. Digital signatures support integrity and authenticity. Certificates help establish trust. Key exchange mechanisms allow secure channels to be created. Software updates rely on cryptographic verification. Identity systems depend on trusted credentials.
When cryptography needs to change, the impact can therefore spread across applications, devices, networks, services and suppliers.
A system that was not designed for cryptographic change may be difficult to update. Algorithms may be embedded deep in software. Certificates may be tied to legacy assumptions. Hardware may have limited flexibility. Vendor dependencies may slow down migration. Documentation may be incomplete. In some cases, organisations may not even have a clear view of where cryptography is being used.
That is a risk.
Crypto-agility addresses this risk by treating cryptography as a managed and adaptable part of the architecture. Instead of hard-coding choices that are difficult to replace, systems should be designed with clear cryptographic boundaries, configurable components and well-governed update paths.
Why this matters for space research
For space research, this matters for several reasons.
First, many systems in the space domain have long lifecycles. Infrastructure, research platforms and communication environments may need to remain operational for years, sometimes decades. A design that is secure at the time of deployment may not remain sufficient throughout the full lifetime of the system.
Second, space research often involves distributed cooperation. Universities, research organisations, technology providers, infrastructure operators and public-sector stakeholders may all need to exchange data securely. That creates a wider trust environment, where changes in one part of the ecosystem can affect others.
Third, the value of the data can be long-lived. Sensitive research outputs, technical designs, operational information and strategic knowledge may need protection well beyond the moment they are transmitted.
In this context, crypto-agility is not simply about replacing algorithms. It is about preserving trust over time.
A crypto-agile communication system should make it possible to introduce new cryptographic standards, update certificates, rotate keys, change protocols and respond to emerging vulnerabilities without unnecessary disruption. It should also allow security teams to understand which systems are affected when a change is required.
That requires good architecture.
It also requires governance.
Organisations need to know who owns cryptographic decisions, how changes are approved, how suppliers are assessed, how compatibility is tested and how migration is prioritised. Without this governance, crypto-agility can remain a technical ambition rather than an operational capability.
The post-quantum dimension
The post-quantum transition makes this even more relevant.
Migration to post-quantum cryptography will not happen in a single step. Organisations will need to assess current systems, prioritise high-risk areas, test new implementations, manage hybrid approaches where needed and coordinate changes across their technology stack. Systems that are already designed for cryptographic flexibility will be easier to migrate. Systems that are not will require more effort, more time and more risk management.
For communication environments connected to space research, the lesson is clear: the ability to adapt must be designed in early.
COSMOS-SECURE is focused on secure communication in space research with this long-term perspective. The project recognises that future-ready security is not only about selecting strong cryptographic mechanisms today. It is also about ensuring that communication systems can evolve as requirements change.
This is particularly important as the cybersecurity landscape becomes more complex. Organisations must defend against current threats while preparing for future ones. They must maintain interoperability while improving resilience. They must protect sensitive information without slowing down research cooperation.
Crypto-agility helps make that balance possible.
It gives organisations a structured way to change security mechanisms without losing control of the systems that depend on them. It supports long-term maintainability. It reduces the risk of being locked into obsolete technologies. And it gives decision-makers a clearer path for managing cryptographic transition.
Practical first steps
For many organisations, the first step is visibility.
Before cryptography can be managed, it must be understood. That means identifying where cryptographic mechanisms are used, which algorithms and protocols are in place, what data they protect, which systems are most exposed and which suppliers are involved.
The next step is prioritisation.
Not every system carries the same level of risk. Communication channels protecting long-lived sensitive data, critical operational processes or multi-partner collaboration should be examined carefully. Systems with long replacement cycles or limited upgrade paths should also receive early attention.
Finally, organisations should build crypto-agility into future procurement and system design. New communication systems should be assessed not only by the strength of their current security, but by their ability to adapt when cryptographic requirements change.
Security that cannot evolve eventually becomes a constraint.
For COSMOS-SECURE, crypto-agility is an essential principle for building communication systems that remain trusted in the years ahead. Space research needs secure communication, but it also needs communication that can keep pace with technological change.
The future of cybersecurity will not be static. Secure systems should not be static either.