France To Stop Certifying Security Products Without Quantum-Safe Encryption

France’s cybersecurity agency will stop certifying security products that do not include quantum-resistant encryption, in a move expected to accelerate the shift away from older cryptographic systems across government and critical infrastructure.

ANSSI, France’s national cybersecurity agency, said the change will begin in 2027. The policy means security products that lack quantum-safe encryption will no longer receive the agency’s approval, which is required for use across French government bodies and critical operators.

The decision effectively creates a phase-out pathway for older encryption technologies in some of the country’s most sensitive systems. Businesses are also being urged to buy only quantum-safe products by 2030, giving technology suppliers and large organisations a clear deadline for preparing their systems.

The move reflects growing concern about the long-term security risks posed by quantum computing. While today’s quantum computers are not yet powerful enough to break widely used encryption at scale, security agencies are increasingly focused on the threat of future machines that could undermine current protections.

One of the key concerns is known as harvest now, decrypt later. In this scenario, attackers steal and store encrypted data today, then wait until quantum computers are capable of breaking the encryption used to protect it. This is especially concerning for government records, health data, defence material, financial information and other sensitive data that may need to remain confidential for many years.

Post-quantum cryptography is designed to protect systems against that future risk. Instead of relying on mathematical problems that could become vulnerable to powerful quantum computers, quantum-safe encryption uses algorithms believed to be resistant to both classical and quantum attacks.

The French policy is likely to have a significant impact on vendors selling into the government, defence, public service, banking, telecommunications and critical infrastructure markets. Suppliers seeking ANSSI certification will need to show that their products are ready for the post-quantum era or risk being locked out of sensitive deployments.

It also puts pressure on organisations to begin mapping where encryption is used across their systems. For large businesses and government agencies, the challenge is not simply replacing one technology with another. Encryption is embedded across networks, identity systems, software products, databases, payment platforms, cloud services, connected devices and internal applications.

That means the transition to quantum-safe systems could take years. Organisations will need to identify sensitive long-term data, review cryptographic dependencies, update procurement policies, test new standards and ensure that new systems can adapt as post-quantum technology matures.

The market for quantum-safe security products is already growing. Banks, public services and large enterprises are beginning to assess what needs to change, creating new demand for consulting, software, hardware security modules, cloud services and cryptographic migration tools.

France is also positioning the shift as a matter of sovereignty and industrial planning, not just technical security. By setting certification requirements, the country is using cybersecurity regulation to shape the market and encourage suppliers to build quantum-resistant systems before the threat becomes urgent.

The policy sits within a wider European push to prepare for post-quantum cryptography. EU member states have already been urged to begin the transition by the end of 2026 and to ensure critical infrastructure moves to post-quantum protections by 2030. Internationally, the United States has also moved forward with post-quantum standards, giving organisations clearer options for deployment.

For businesses, the message is increasingly direct. Waiting until quantum computers can break existing encryption would be too late, especially for data that has already been stolen and stored. The transition needs to begin before the threat fully arrives.

France’s decision is likely to be watched closely by other governments and regulators. If more countries follow with similar certification rules, quantum-safe encryption could quickly move from a specialist cybersecurity concern to a standard requirement for doing business with governments and critical industries.

The immediate impact will be felt by security vendors, public agencies and critical operators in France. The longer-term effect may be much broader. By tying certification to quantum readiness, ANSSI has sent a clear signal that the post-quantum transition is no longer a distant research problem. It is becoming a procurement, compliance and national security priority.

Photo Credit: DepositPhotos.com