Trend watch: Privacy-preserving analytics & zero-knowledge proofs in 2026 — signals, winners, and red flags
A forward-looking assessment of trends in privacy-preserving analytics and zero-knowledge proofs in 2026, identifying the signals that matter, emerging winners, and red flags that practitioners should monitor.
Zero-knowledge proofs (ZKPs) were once an obscure branch of cryptographic research. In 2026, they are reshaping how enterprises, regulators, and financial institutions handle sensitive data across Europe and globally. The market for privacy-preserving computation reached approximately $7.2 billion in 2025, with projections exceeding $15 billion by 2028, driven by converging regulatory mandates, growing enterprise distrust of centralized data aggregation, and the maturing of practical ZKP implementations that finally deliver production-grade performance. For investors evaluating this space, understanding which signals indicate genuine traction and which represent speculative noise is essential.
Why It Matters
European regulatory pressure has reached a critical inflection point. The General Data Protection Regulation (GDPR) enforcement fines exceeded EUR 4.2 billion cumulatively through 2025, with data processing violations representing the largest category. The EU Data Act, effective September 2025, established new requirements for fair data sharing across cloud services and IoT ecosystems, creating demand for technologies that enable analytics without exposing raw datasets. Meanwhile, the European Health Data Space (EHDS) regulation, moving toward implementation in 2026, mandates privacy-preserving mechanisms for secondary use of health data across the 27 member states.
Beyond regulation, the commercial imperative is compelling. Financial institutions spend an estimated EUR 12-18 billion annually on anti-money laundering (AML) compliance across Europe, yet false positive rates for transaction monitoring remain stubbornly high at 95-98%. Privacy-preserving analytics can enable collaborative fraud detection across institutions without violating data protection requirements or exposing competitive intelligence. McKinsey estimates that cross-institutional analytics enabled by privacy-preserving technologies could reduce AML compliance costs by 25-40% while improving detection rates by 30-50%.
The carbon accounting ecosystem presents another high-value application. Companies must verify Scope 3 emissions across supply chains without exposing proprietary supplier data. Zero-knowledge proofs allow a supplier to prove their emissions fall within a declared range without revealing exact production volumes, cost structures, or customer lists. As the EU Corporate Sustainability Reporting Directive (CSRD) requires audited sustainability data from approximately 50,000 companies, privacy-preserving verification mechanisms are transitioning from theoretical elegance to operational necessity.
Key Concepts
Zero-Knowledge Proofs are cryptographic protocols that allow one party (the prover) to demonstrate knowledge of a fact to another party (the verifier) without revealing any information beyond the truth of the statement itself. In practice, a ZKP can prove that a financial transaction is compliant with regulatory thresholds without disclosing the transaction amount, counterparties, or underlying data. Modern ZKP systems fall into two primary categories: zk-SNARKs (Succinct Non-interactive Arguments of Knowledge), which require a trusted setup ceremony but produce extremely compact proofs, and zk-STARKs (Scalable Transparent Arguments of Knowledge), which eliminate trusted setup requirements at the cost of larger proof sizes.
Homomorphic Encryption (HE) enables computation on encrypted data without decryption. Fully homomorphic encryption (FHE) allows arbitrary computations, while partially homomorphic schemes support limited operations (addition or multiplication, but not both). Recent breakthroughs by companies including Zama and Duality Technologies have reduced FHE computation overhead from 10,000x to 100-500x relative to plaintext operations, making certain analytics workloads commercially viable for the first time.
Secure Multi-Party Computation (MPC) distributes computation across multiple parties such that no single party can access the complete dataset. MPC protocols enable collaborative analytics, for instance allowing competing banks to jointly analyze fraud patterns without any institution seeing another's transaction data. The technology is most mature in financial services, where institutions like ING, ABN AMRO, and BNP Paribas have deployed MPC for collaborative AML screening.
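The collaborative-screening idea above can be shown with additive secret sharing, the simplest MPC building block. This is an added example, not code from any deployment named on this page; the bank names, account tags, and alert counts are constructed, and it assumes honest-but-curious banks that agree on the list of account tags in advance.

```python
import secrets

# Public prime modulus: every share is a uniform value in [0, MODULUS).
MODULUS = 2**61 - 1

def split_into_shares(value, n_parties):
    """Split value into n additive shares that sum to value mod MODULUS."""
    shares = [secrets.randbelow(MODULUS) for _ in range(n_parties - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares

def joint_alert_totals(private_counts):
    """private_counts maps bank -> {account_tag: alert_count}.

    Returns (totals, inbox): the cross-bank total per tag, and the shares
    each bank received, which is all it ever sees of the others' inputs.
    """
    banks = sorted(private_counts)
    tags = sorted({t for counts in private_counts.values() for t in counts})
    inbox = {b: {t: [] for t in tags} for b in banks}
    for sender in banks:
        for tag in tags:
            # A bank shares 0 for tags it has no alerts on, so the act of
            # sharing does not reveal which accounts it holds.
            value = private_counts[sender].get(tag, 0)
            pieces = split_into_shares(value, len(banks))
            for receiver, piece in zip(banks, pieces):
                inbox[receiver][tag].append(piece)
    # Each bank publishes only the sum of the shares in its inbox.
    partial = {b: {t: sum(inbox[b][t]) % MODULUS for t in tags} for b in banks}
    totals = {t: sum(partial[b][t] for b in banks) % MODULUS for t in tags}
    return totals, inbox

# Constructed sample input: alerts raised per (hashed) account at each bank.
SAMPLE = {
    "bank_a": {"acct-01": 3, "acct-02": 0},
    "bank_b": {"acct-01": 1, "acct-03": 5},
    "bank_c": {"acct-02": 2, "acct-03": 4},
}

if __name__ == "__main__":
    totals, _ = joint_alert_totals(SAMPLE)
    print(totals)
```

The published totals are themselves an output that leaks information (a bank can subtract its own count), and the scheme offers no protection if all other banks collude against one, which is why deployments pair MPC with output controls.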
Differential Privacy adds calibrated statistical noise to query results, providing mathematical guarantees about the maximum information leakage from any individual record. Google and Apple have deployed differential privacy at scale in consumer products, and the US Census Bureau used it for the 2020 census. In enterprise applications, differential privacy enables aggregate analytics on sensitive datasets while bounding re-identification risk.
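As an added illustration (not code from any product named on this page), the Laplace mechanism below answers counting queries with noise of scale 1/epsilon and refuses further queries once a fixed privacy budget is spent, which is what actually bounds cumulative leakage. The class name, the transaction records, and the budget values are constructed for the example.

```python
import random

def laplace_noise(scale, rng):
    """Sample Laplace(0, scale) as the difference of two exponentials."""
    return rng.expovariate(1.0 / scale) - rng.expovariate(1.0 / scale)

class BudgetedDataset:
    """Answers counting queries under a total epsilon budget.

    Sequential composition: answering queries with epsilon_1..epsilon_k on
    the same records costs epsilon_1 + ... + epsilon_k in total.
    """

    def __init__(self, records, total_epsilon, rng=None):
        self._records = list(records)
        self.remaining = float(total_epsilon)
        # OS randomness by default; a seeded rng is for tests only.
        self._rng = rng or random.SystemRandom()

    def count(self, predicate, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self.remaining:
            raise PermissionError("privacy budget exhausted")
        self.remaining -= epsilon
        true_count = sum(1 for r in self._records if predicate(r))
        # Adding or removing one record changes a count by at most 1
        # (sensitivity 1), so the noise scale is 1 / epsilon.
        return true_count + laplace_noise(1.0 / epsilon, self._rng)

# Constructed sample records: transaction amounts in EUR.
SAMPLE_TX = [{"amount": a} for a in (120, 9800, 15000, 43000, 75, 10500)]

def is_large(tx):
    return tx["amount"] > 10000

if __name__ == "__main__":
    ds = BudgetedDataset(SAMPLE_TX, total_epsilon=1.0)
    print(ds.count(is_large, epsilon=0.5), ds.remaining)
```

This is the textbook floating-point sampler; production libraries use discrete or snapping samplers because the low-order bits of floating-point noise can leak information about the true answer.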
Signals That Matter
Signal 1: Enterprise Procurement Cycles Are Shortening
The most significant leading indicator for privacy-preserving analytics adoption is procurement velocity. In 2023, enterprise proof-of-concept cycles for ZKP and MPC solutions averaged 12-18 months. By late 2025, this compressed to 4-8 months for financial services and healthcare organizations in Europe. ING Bank's wholesale banking division moved from initial ZKP evaluation to production deployment for trade finance verification in under six months during 2025. BNP Paribas integrated MPC-based AML screening across three jurisdictions within nine months. Shortening procurement cycles indicate that technical risk perception has declined and that internal champions have succeeded in securing budget commitment.
Signal 2: Regulatory Sandbox Activity Is Accelerating
European regulators are actively facilitating privacy-preserving technology adoption through supervised experimentation. The European Data Protection Board (EDPB) launched its Privacy-Enhancing Technologies (PETs) sandbox in 2025, with 23 projects accepted in the inaugural cohort. The UK Financial Conduct Authority's PETs program, initiated through collaboration with the Bank of England and the Information Commissioner's Office, graduated its first cohort of six projects in late 2025, with three moving to production pilots. The Dutch Authority for the Financial Markets (AFM) approved the first MPC-based collaborative AML platform for operational use in January 2026. Regulatory sandbox activity signals institutional comfort with these technologies and reduces compliance uncertainty for adopters.
Signal 3: ZKP Proving Times Are Reaching Commercial Thresholds
Technical performance improvements are enabling new application categories. ZKP proof generation times for standard compliance attestations (such as verifying that an entity meets Know Your Customer requirements) dropped from minutes in 2023 to under 10 seconds in 2025, with sub-second proving for simple range proofs. Hardware acceleration through dedicated ZKP ASICs from companies like Ingonyama and Cysic is pushing proving times below 100 milliseconds for common patterns. This performance threshold enables real-time applications including point-of-sale compliance verification, instant credit scoring, and live transaction monitoring.
Emerging Winners
Aleo
Aleo has positioned itself as the leading platform for programmable zero-knowledge applications, raising over $300 million in cumulative funding. Their Leo programming language abstracts ZKP circuit design into developer-friendly syntax, reducing the specialized cryptographic expertise required for implementation. Aleo's enterprise solutions division, launched in 2025, has secured partnerships with three of Europe's ten largest banks for regulatory compliance applications. The platform's ability to generate ZKPs for arbitrary computations, rather than fixed-function proofs, provides flexibility that enterprise customers demand.
Zama
Paris-based Zama has emerged as the leading fully homomorphic encryption company globally, with EUR 73 million in Series A funding and growing enterprise traction. Their Concrete framework enables machine learning inference on encrypted data, allowing organizations to deploy AI models that never access plaintext customer information. Zama's collaboration with the French National Health Data System (SNDS) demonstrated that clinical trial matching could be performed on encrypted patient records with 98.5% accuracy compared to plaintext processing, with processing overhead of approximately 200x. For investors, Zama represents the strongest pure-play FHE investment opportunity in Europe.
Partisia Blockchain
Copenhagen-based Partisia combines MPC with blockchain infrastructure to enable auditable, privacy-preserving computation. Their platform has been deployed by the Danish Financial Supervisory Authority for collaborative market surveillance across six Nordic financial institutions. Partisia's approach addresses a key enterprise concern: verifiability. Unlike black-box computation services, their blockchain-anchored MPC produces tamper-evident audit trails that regulators can inspect without accessing underlying data. The company secured EUR 25 million in strategic funding from Nordic institutional investors in 2025.
Red Flags to Monitor
Red Flag 1: Vendor Claims Outpacing Verified Benchmarks
Several privacy-preserving analytics vendors claim "zero overhead" or "no performance impact," assertions that contradict the fundamental computational costs of cryptographic protocols. Even the most optimized ZKP implementations add measurable latency and computational cost. Investors should demand independent benchmark results, not vendor-produced numbers. The NIST Privacy-Enhancing Cryptography program published standardized benchmarks in 2025 that provide reliable comparison baselines. Any vendor unable or unwilling to reproduce NIST benchmark conditions warrants heightened scrutiny.
Red Flag 2: Single-Technology Solutions in a Multi-Tool Problem Space
Privacy-preserving analytics is not a single-technology category. Different use cases demand different tools: ZKPs for attestation and verification, MPC for collaborative computation, FHE for outsourced analytics, and differential privacy for aggregate statistics. Vendors positioning any single primitive as a universal solution are either misunderstanding customer requirements or deliberately oversimplifying. The most credible enterprise solutions combine multiple primitives: for example, MPC for collaborative model training, ZKPs for compliance attestation, and differential privacy for published analytics.
Red Flag 3: Regulatory Compliance as the Only Value Proposition
Companies whose entire pitch centers on regulatory compliance face two risks: regulatory timelines can slip (as GDPR enforcement priorities shift), and compliance requirements can often be met through simpler, cheaper approaches such as data minimization, pseudonymization, or contractual controls. The strongest privacy-preserving analytics companies demonstrate value beyond compliance, including improved analytics accuracy from larger effective datasets, new revenue streams from data monetization, or competitive differentiation in privacy-sensitive markets.
Red Flag 4: Insufficient Attention to Key Management
Cryptographic privacy guarantees are only as strong as key management practices. Several high-profile privacy-preserving analytics implementations have been compromised not through cryptographic weaknesses but through operational failures in key generation, storage, and rotation. Investors should evaluate whether target companies have undergone independent security audits of their key management infrastructure, not just their cryptographic protocols.
Investment Outlook for Europe
The European privacy-preserving analytics market is projected to grow at 35-40% CAGR through 2028, outpacing the global average of 28-32%. Three factors drive European outperformance. First, regulatory intensity: the combination of GDPR, the Data Act, EHDS, and sector-specific requirements creates demand density unmatched in other jurisdictions. Second, public sector adoption: European governments are more willing to adopt and mandate privacy-preserving technologies for healthcare, financial supervision, and census applications. Third, research depth: European institutions including INRIA, ETH Zurich, and the Max Planck Institute maintain world-leading cryptographic research programs that seed commercial innovation.
For investors, the most attractive entry points are Series A and B companies with proven enterprise deployments and at least two production customers. Late-stage privacy-preserving analytics companies face valuation compression as larger cybersecurity and cloud platforms (including Microsoft, Google, and AWS) integrate basic PET capabilities into existing offerings. The differentiation window for pure-play PET companies is approximately 3-5 years before platform integration commoditizes core functionality.
Action Checklist
- Map regulatory exposure across GDPR, Data Act, EHDS, and sector-specific requirements to identify highest-priority privacy-preserving use cases
- Evaluate current data sharing practices for cross-organizational analytics that could benefit from MPC or ZKP-based approaches
- Request independent benchmark data from vendors, specifically NIST PEC-aligned testing results
- Assess key management maturity across existing infrastructure before layering cryptographic privacy solutions
- Engage with regulatory sandbox programs (EDPB, FCA, national DPAs) to reduce compliance uncertainty for pilot deployments
- Prioritize multi-primitive platforms over single-technology vendors for enterprise-scale deployments
- Allocate 2-4% of data infrastructure budget for privacy-preserving technology evaluation and piloting in 2026
FAQ
Q: What is the difference between zero-knowledge proofs and homomorphic encryption in practical applications? A: Zero-knowledge proofs are best suited for verification and attestation, proving that a statement is true without revealing underlying data. Homomorphic encryption is best suited for outsourced computation, performing analytics on data that remains encrypted throughout processing. In practice, a bank might use ZKPs to prove regulatory compliance to a supervisor, while using FHE to run credit scoring models on encrypted customer data in a cloud environment. The two technologies address different points in the data lifecycle and are often deployed together.
Q: How mature are privacy-preserving analytics for production enterprise use? A: Maturity varies significantly by technology and use case. MPC for collaborative AML screening is production-ready, with multiple European deployments processing millions of transactions. ZKPs for compliance attestation are entering early production, with proving times now commercially viable. FHE for general-purpose analytics remains pre-production for most workloads, though specific applications like encrypted search and simple statistical queries are viable. Differential privacy is fully mature and widely deployed by technology companies.
Q: What are realistic implementation timelines and costs for a mid-size European enterprise? A: Budget EUR 200,000-500,000 for initial evaluation and pilot, with 6-9 months from initiation to pilot results. Production deployment typically adds EUR 500,000-2 million depending on integration complexity, data volumes, and regulatory requirements. Ongoing operational costs run 15-25% of initial implementation annually. These figures assume existing data infrastructure; organizations requiring significant data engineering work should add 30-50% to both timelines and budgets.
Q: What skills does an organization need to evaluate and deploy privacy-preserving technologies? A: Core requirements include: applied cryptography expertise (at minimum one engineer with graduate-level cryptographic protocol knowledge), data engineering capacity for pipeline integration, and legal/compliance resources to map regulatory requirements to technical capabilities. Most European enterprises outsource cryptographic expertise during initial evaluation and build internal capability during production deployment. University partnerships with institutions like ETH Zurich, KU Leuven, or INRIA can provide access to research-grade expertise at lower cost than commercial consulting.
Sources
- European Data Protection Board. (2025). Privacy-Enhancing Technologies Sandbox: First Cohort Report. Brussels: EDPB.
- McKinsey & Company. (2025). Privacy-Preserving Technologies in Financial Services: The EUR 18 Billion Opportunity. Frankfurt: McKinsey Financial Services Practice.
- NIST. (2025). Privacy-Enhancing Cryptography: Standardized Benchmark Results. Gaithersburg, MD: National Institute of Standards and Technology.
- UK Financial Conduct Authority. (2025). PETs in Financial Services: Sandbox Outcomes and Regulatory Guidance. London: FCA.
- Zama. (2025). Concrete FHE Framework: Enterprise Performance Benchmarks. Paris: Zama Technologies.
- European Commission. (2026). European Health Data Space Implementation Progress Report. Brussels: DG SANTE.
- ING Group. (2025). Privacy-Preserving Trade Finance: Zero-Knowledge Proof Deployment Report. Amsterdam: ING Wholesale Banking.