France's national cybersecurity agency ANSSI has announced an aggressive timeline for transitioning to post-quantum cryptography, declaring it will cease certifying security products that lack quantum-resistant encryption beginning in 2027. The policy was unveiled by ANSSI Chief of Staff Samih Souissi at the France Quantum conference, establishing France as one of the first nations to set firm regulatory deadlines for quantum-safe encryption adoption.
ANSSI certification is mandatory for security products deployed in French government agencies and critical infrastructure sectors. This regulatory requirement transforms the certification halt into a binding phase-out of traditional encryption methods across essential services. Organizations operating under French jurisdiction will need to replace existing cryptographic systems with quantum-resistant alternatives to maintain compliance.
The agency has set 2030 as the target date by which businesses should exclusively purchase quantum-safe products. This five-year implementation window between the certification halt and the full procurement transition provides organizations time to assess vendors, test implementations, and complete migrations. The staggered approach acknowledges the complexity of replacing cryptographic infrastructure across large-scale deployments.
The policy addresses the emerging threat from quantum computers, which are expected to break widely used public-key encryption algorithms like RSA and elliptic curve cryptography once sufficiently powerful systems become available. While large-scale quantum computers capable of breaking current encryption do not yet exist, adversaries can harvest encrypted data today and decrypt it later when quantum technology matures, a threat model known as "store now, decrypt later."
Organizations affected by ANSSI requirements should begin inventorying cryptographic implementations, identifying systems requiring upgrades, and evaluating post-quantum cryptography standards published by NIST in 2024. Priority should focus on systems handling long-lived sensitive data most vulnerable to retrospective decryption. The French mandate signals that quantum-safe cryptography is transitioning from future planning to immediate procurement and deployment requirements for regulated entities.
Source: https://www.schneier.com/blog/archives/2026/07/france-to-stop-certifying-non-quantum-safe-encryption.html


