Summary
- France’s cyber agency is moving post-quantum cryptography from guidance into product-certification pressure.
- Government bodies, critical infrastructure operators, banks, and suppliers will face earlier procurement consequences than many expected.
- Cryptographic migration is a governance, inventory, supplier, and budget problem, not only a technical one.
ANSSI, France’s national cybersecurity agency, is set to stop certifying security products that do not include quantum-resistant encryption from 2027, putting a date on a cryptographic migration that many organisations still treat as a distant technical exercise.
The change gives France one of Europe’s clearest public-sector signals on post-quantum security. ANSSI certification is required for technology used across French government agencies and critical infrastructure, so the decision will reach beyond public administration into the vendors, integrators, managed service providers, and regulated businesses that supply sensitive markets.
The underlying risk is often described as “harvest now, decrypt later”. Attackers may copy encrypted data today and store it until quantum computers become capable of breaking current public-key cryptography. That threat is not confined to defence or intelligence agencies. Banks, healthcare providers, telecoms operators, cloud companies, manufacturers, and energy groups all hold data whose value may outlast the encryption protecting it.
ANSSI has already urged organisations to begin preparing for post-quantum cryptography through hybrid mechanisms that combine existing algorithms with quantum-resistant alternatives. Certification policy now gives that advice commercial weight, because suppliers that cannot show credible quantum-safe capability risk being locked out of sensitive French procurement.
Security vendors will need to prove more than theoretical readiness. Buyers will expect product roadmaps, standards alignment, migration support, performance evidence, and assurances that new cryptographic implementations do not introduce fresh operational weaknesses. The same pressure will spread through identity platforms, VPN providers, hardware vendors, cloud services, secure messaging systems, embedded devices, and operational technology suppliers.
Many organisations will struggle before they reach the procurement stage. Cryptography is often hidden inside applications, certificates, protocols, backups, industrial systems, payment infrastructure, and third-party software. Without a clear inventory, migration becomes reactive and expensive, with security teams forced to prioritise systems whose cryptographic dependencies are poorly documented.
France’s move also widens the European sovereignty debate. Control over cloud hosting, data residency, AI models, and supplier ownership often receives more political attention, but encryption is just as central to operational control. If an organisation cannot migrate cryptography on its own timetable, its resilience depends on vendor roadmaps, emergency patches, and the willingness of suppliers to support old systems properly.
The standards landscape will add another layer of work. European organisations will have to follow ANSSI’s position, the direction of EU cyber policy, and international standards, including those emerging from the US National Institute of Standards and Technology. Fragmented requirements would raise costs for suppliers, although stronger alignment could accelerate market confidence in quantum-safe products.
Early movers may gain an advantage in public-sector and critical-infrastructure markets where security certification shapes procurement. The burden will fall hardest on organisations that treat encryption as background plumbing rather than as a managed asset with ownership, budget, and board visibility.
France has made post-quantum security harder to ignore. From 2027, quantum-safe encryption will begin to look less like future-proofing and more like a condition of market access.










