France has drawn a hard line in cybersecurity policy. The national agency, ANSSI, announced it will cease certifying security products that lack quantum-safe encryption, setting a 2027 compliance deadline.
ANSSI chief of staff Samih Souissi detailed the mandate in Paris. All products serving government entities and critical operators must abandon classical public-key cryptography vulnerable to future quantum computer attacks.
The phased timeline requires vendors to achieve certification under the new rules by 2027, while buyers have until 2030 to transition procurement completely. France aligns with the US NIST post-quantum cryptography standards finalized in August 2024, easing pressure on multinational vendors.
Systems with long lifespans face immediate impact: VPNs, public key infrastructure, and digital certificates. These are prime targets for 'harvest now, decrypt later' strategies.
The immediate winners are post-quantum cryptography firms facing a surge in compliance demand from defense, energy, and financial services sectors. For the digital asset ecosystem, the mandate reinforces that blockchain foundations must eventually undergo the same quantum-resistant upgrades, as most still rely on vulnerable elliptic curve cryptography.