Full Report
France is accelerating its transition to post-quantum encryption: France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems. Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the agency would halt such certifications from 2027, and that businesses should be buying only quantum-safe products by 2030. ANSSI approval is required for use in French government agencies and critical infrastructure, making the policy a de facto phase-out of older encryption...
Analysis Summary
# Regulation/Compliance: ANSSI Post-Quantum Cryptography (PQC) Transition Mandate
## Overview
This mandate represents an accelerated transition by the French government to protect national security and critical infrastructure against the future threat of quantum computing. By leveraging its certification authority, the French cybersecurity agency is forcing a market shift toward Post-Quantum Cryptography (PQC) by refusing to validate legacy encryption products.
## Key Details
- **Issuing Authority:** Agence nationale de la sécurité des systèmes d'information (ANSSI)
- **Effective Date:** Phased transition beginning 2027
- **Jurisdiction:** France (National)
- **Status:** Final/Announced Policy
## Requirements
### Mandatory Requirements
1. **Quantum Resistance:** All security products submitted for ANSSI certification must incorporate quantum-resistant encryption algorithms.
2. **Certification Compliance:** Government agencies and Operators of Vital Importance (OIVs) must use ANSSI-certified products for regulated systems.
### Recommended Practices
1. **Early Procurement:** Organizations should begin prioritizing "quantum-safe" labels in procurement cycles immediately.
2. **Hybrid Deployment:** (Implied by ANSSI general doctrine) Use of hybrid models—combining classical and post-quantum algorithms—to maintain security during the transition.
## Affected Organizations
- **Industries:** Government, Defense, and "Critical Operators" (Operators of Vital Importance/OIVs).
- **Organization Size:** All sizes within regulated sectors.
- **Geographic Scope:** Vendors wishing to sell into the French public sector and critical infrastructure markets.
## Compliance Timeline
- **July 2026:** Policy announcement and industry notification.
- **2027:** ANSSI officially halts certifications for products featuring only classical (non-quantum-resistant) encryption.
- **2030:** Target deadline for businesses to have transitioned procurement entirely to quantum-safe products.
## Implementation Guidance
### Assessment Phase
- **Inventory Crypto-Assets:** Identify all legacy encryption protocols currently in use across the network.
- **Vendor Audit:** Query current security vendors regarding their roadmap for PQC and ANSSI certification status.
### Implementation Phase
- **Procurement Update:** Update Request for Proposal (RFP) templates to include requirements for PQC certification.
- **Phased Replacement:** Replace non-compliant security appliances as they reach end-of-life or by the 2030 deadline.
### Validation Phase
- **Certification Check:** Verify products against the ANSSI "Liste des produits certifiés" to ensure they meet the new PQC criteria.
## Technical Requirements
- **Algorithm Strength:** Deployment of algorithms resistant to Shors’s and Grover’s algorithms.
- **Product Architecture:** Transition from RSA/ECC-based key exchanges to Lattice-based or other quantum-resistant primitives as specified by ANSSI technical guides.
## Penalties & Enforcement
- **Fines:** Dependent on the specific regulatory framework (e.g., NIS2 or French national law) governing the specific operator.
- **Other Consequences:** **De facto exclusion** from the French public sector and critical infrastructure markets. Products lacking certification cannot be legally deployed in high-security government environments.
- **Enforcement:** Enforced through ANSSI's certification and qualification gates.
## Related Standards
- **NIST PQC Standards:** Alignment with the Finalized NIST Post-Quantum Standards (FIPS 203, 204, 205).
- **ISO/IEC 18033:** International standards for encryption algorithms.
- **NIS2 Directive:** European cybersecurity legislation requiring high levels of technical security for critical entities.
## Resources
- **Official Documentation:** hxxps[://]ssi[.]gouv[.]fr/ (Defanged)
- **Guidance Documents:** ANSSI "Scientific and Technical Reports" on Quantum Risk.
## Practical Recommendations
- **Act Now:** Do not wait until 2027 to adjust procurement; the lifecycle of infrastructure often exceeds three years.
- **Agility:** Favor "crypto-agile" solutions that allow for algorithm updates via software patches rather than hardware replacements.
- **Engagement:** Monitor the ANSSI "Catalogue de produits et services qualifiés" for the first wave of PQC-certified entries.