France Sets Bold Timeline for Transition to Post-Quantum Cryptography
In a significant move towards enhancing national cybersecurity, France’s national cybersecurity agency, ANSSI, has introduced a stringent timeline for the adoption of post-quantum cryptography. The agency has declared that as of 2027, it will cease certifying security products that do not incorporate quantum-resistant encryption. This announcement was made by ANSSI Chief of Staff Samih Souissi during the France Quantum conference, positioning France as one of the pioneers in establishing regulatory deadlines for the implementation of quantum-safe encryption.
The implications of ANSSI’s certification policy are far-reaching. Certification from ANSSI is a mandatory requirement for security products deployed in French government agencies and critical infrastructure sectors. Consequently, the cessation of certification for non-quantum-safe products signifies a compulsory phase-out of traditional encryption methods utilized in essential services. This regulatory mandate necessitates that organizations operating within French jurisdiction transition from existing cryptographic systems to quantum-resistant alternatives in order to remain compliant.
To facilitate this transition, ANSSI has set 2030 as the deadline by which businesses should only procure quantum-safe products. The allowance of a five-year timeframe between the halt of certification and the full shift towards the adoption of quantum-resistant solutions aims to provide organizations with sufficient time to assess available vendors, test the practicality of implementations, and carry out necessary migrations. This staggered approach recognizes the complexity and challenges associated with overhauling cryptographic infrastructure, particularly in large-scale deployments where potential disruptions can have significant consequences.
The urgency behind this policy is underscored by the looming threat posed by quantum computers, which are anticipated to possess the capability to compromise widely used public-key encryption algorithms, such as RSA and elliptic curve cryptography. Although large-scale quantum computers that could effectively break current encryption standards have not yet emerged, the danger lies in the possibility of adversaries collecting encrypted data now, only to decrypt it later when quantum technology reaches maturation. This vulnerability is commonly referred to as the “store now, decrypt later” threat model, raising significant concerns for data privacy and security.
In light of ANSSI’s new requirements, organizations within its jurisdiction are advised to commence a thorough inventory of their existing cryptographic implementations. This initial step involves identifying systems that are in need of upgrades and evaluating the post-quantum cryptography standards that are expected to be published by the National Institute of Standards and Technology (NIST) in 2024. In particular, organizations are urged to prioritize systems that handle long-lived sensitive data, as these are most susceptible to retrospective decryption should quantum capabilities advance.
The French mandate marks a critical shift in the approach towards cryptography, emphasizing that the transition to quantum-safe solutions is no longer a distant concern relegated to future planning. Instead, it represents an immediate demand for procurement and deployment of robust encryption methods by organizations that are under regulatory frameworks. This proactive stance reinforces France’s commitment to safeguarding its digital infrastructure and mitigating the risks associated with the evolving technological landscape.
As the world increasingly leans on digital solutions, the importance of secure communication becomes paramount. The measures being implemented by ANSSI serve as a clarion call for not only organizations within France but also countries globally to reassess their own cybersecurity policies in light of advancements in quantum computing technology. Collaboration, innovation, and swift adaptation will be key in navigating this new frontier in cybersecurity.

