France Says It Won’t Certify Security Products That Aren’t Quantum-Resistant Starting in 2027

Insider Brief
- France’s cybersecurity agency ANSSI will stop certifying security products that lack quantum-resistant encryption starting in 2027, effectively accelerating the country’s transition to post-quantum cryptography.
- ANSSI Chief of Staff Samih Souissi said businesses should purchase only quantum-safe security products by 2030, citing concerns that attackers could store encrypted data today and decrypt it with future quantum computers.
- Industry participants at the France Quantum conference said demand for quantum-safe security solutions is growing, while some experts warned that widely used cryptographic standards such as ECDSA could be among the first vulnerable to future quantum attacks.
France’s national cybersecurity agency, ANSSI, will stop certifying security products that do not include quantum-resistant encryption beginning in 2027, a policy that will effectively require government agencies and operators of critical infrastructure to move away from traditional cryptographic systems, according to comments made at the France Quantum conference and reported by Reuters.
The move places France among the most aggressive governments in Europe on quantum security and reflects growing concern that sensitive information encrypted today could be vulnerable in the future as quantum computing advances.
Under the timeline outlined by ANSSI Chief of Staff Samih Souissi, products seeking ANSSI certification after 2027 will need to incorporate quantum-safe cryptography. Souissi also said businesses should be purchasing only quantum-resistant products by 2030, Reuters reported.
Because ANSSI certification is required for deployment in French government organizations and critical infrastructure sectors, the policy amounts to a gradual phase-out of security products that rely solely on conventional encryption methods.
“It’s not only a technical issue,” Souissi said, according to Reuters. “It’s a matter of governance, industrial planning, regulation, and sovereignty.”
Industry participants at the conference also offered differing views on when the threat from cryptographically relevant quantum computers could emerge, Reuters reported.
The decision is also driven in part by concerns over so-called “harvest now, decrypt later” attacks. In that scenario, adversaries collect and store encrypted data today with the expectation that future quantum computers may eventually be capable of breaking the cryptographic algorithms protecting it.
Quantum computers capable of defeating widely used public-key encryption systems do not yet exist. However, governments and cybersecurity agencies increasingly argue that organizations with long-lived sensitive data must begin migrating now because cryptographic transitions can take years to complete.
The policy is expected to create new demand for post-quantum security technologies across Europe.
Pascal Brier, chief innovation officer at consulting and technology services firm Capgemini, told Reuters that interest is increasing as banks, public-sector organizations and other institutions evaluate their exposure to future quantum threats.
“That market is becoming big. It’s going to be very substantial,” Brier said, according to Reuters.
The announcement comes as France continues to invest heavily in quantum technologies through a national plan valued at approximately 3 billion euros (about $3.5 billion USD). The country is seeking to strengthen its position in a global quantum race that includes significant investments from China, the United States and other nations.
