France just drew one of the hardest lines in cybersecurity policy anywhere in the world. The country’s national cybersecurity agency, ANSSI, announced it will stop certifying security products that don’t incorporate quantum-safe encryption, with a 2027 deadline for compliance.
What ANSSI is actually requiring
ANSSI chief of staff Samih Souissi laid out the timeline during the France Quantum conference in Paris on June 16. The core mandate is straightforward: all products used by government entities and critical operators must move away from classical public-key cryptography that quantum computers could theoretically crack.
The phased approach gives organizations until 2030 to exclusively procure quantum-safe products. In English: vendors have until 2027 to get certified under the new rules, and buyers have until 2030 to fully transition their procurement pipelines.
The US National Institute of Standards and Technology finalized its first set of post-quantum cryptography standards back in August 2024, including algorithms designated ML-KEM, ML-DSA, and SLH-DSA. France is aligning with those global benchmarks rather than inventing its own, which makes the transition somewhat less chaotic for multinational vendors already adapting to NIST’s framework.
