France to stop certifying products without quantum-safe encryption
France will bar security certification for products lacking quantum-safe encryption from 2027, forcing ministries and critical operators to plan procurement around post-quantum rules now.

France has drawn a hard line on the quantum transition: the national cybersecurity agency, ANSSI, will stop certifying security products that do not use quantum-resistant encryption. In practice, that turns post-quantum cryptography from a technical best practice into a gatekeeper for public-sector and critical-infrastructure sales, reshaping what vendors can sell and what government buyers can approve.
ANSSI says the shift will take more than a decade and will touch the entire cybersecurity field. The agency first set out its migration view in 2022, expanded it in 2023, and has consistently pushed hybrid approaches that combine a known pre-quantum public-key algorithm with a post-quantum algorithm. Its public guidance now tells organizations to inventory cryptographic uses immediately, start with the most critical systems, and treat 2030 as the point after which buying products without PQC will no longer be reasonable. From 2027, ANSSI is aiming to require PQC at the entry stage for product qualification.

That timetable matters because it changes procurement before the threat fully matures. France is no longer simply warning about future quantum computers that could break current encryption and expose long-lived state and corporate secrets later. It is telling vendors that certification, market access and purchasing decisions will increasingly depend on products being quantum-safe from the start. For ministries, utilities and other critical operators, that means security upgrades and replacement cycles will need to be planned around post-quantum requirements well ahead of the 2030s.
The policy already has precedents. In 2025, ANSSI issued its first French security certifications for products containing post-quantum cryptography, including Thales’s MultiApp 5.2 Premium PQC smart card and Samsung’s S3SSE2A microcontroller. Those evaluations were carried out by CEA-Leti, described as the first accredited center for the PQC scope. The message to industry is clear: early movers can win a certification advantage, while laggards risk being shut out of a major market.
France is moving in step with a wider international shift. NIST says organizations should begin migrating to quantum-resistant cryptography now, with vulnerable algorithms to be deprecated and removed by 2035, and CISA says its PQC initiative is meant to support government and critical-infrastructure operators through the transition. In June 2025, cybersecurity authorities from 21 European states warned that broken public-key cryptography would be devastating for public digital infrastructure. France is now turning that warning into procurement policy.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
Did this article answer your question?


