Speaking at the France Quantum conference, Samih Souissi, ANSSI’s chief of staff, announced it will stop certifying security products that do not incorporate quantum-resistant encryption beginning in 2027.
ANSSI said organizations should be purchasing only quantum-safe products by 2030 as part of a broader national transition strategy.
The policy is intended to address concerns over “harvest now, decrypt later” attacks. ANSSI officials said the transition is not solely a technical challenge but also involves governance, regulation, industrial planning, and national sovereignty considerations.
France’s announcement aligns with broader European efforts to prepare for post-quantum cybersecurity. The European Union has called on member states to begin transitioning to post-quantum cryptography by the end of 2026 and to secure critical infrastructure with quantum-resistant protections by 2030.
Josh Marpet, Senior Product Security Consultant, Finite State:
“Considering that certificate lifespans are down to 47 days as per 2029, and Google’s timeline for post quantum cryptography is 2029, and every single cipher suite used currently is deprecated by NIST in 2030, this actually sounds about right. In the next 12 months, if you don’t have a plan to inventory all Asymetric cryptography in your environment and start prioritizing and phasing out all non-post-quantum-cryptography, then you’ve got a problem!
“The priority, of course, is all sensitive (restricted/confidential/your choice) information sent over the open internet. This is where it will get harvested from. Internal data transfers from a data storage location to a data processing location, are, of course, important and need to be protected, but it’s much harder for someone to harvest it trivially. Also, internal data movement should be covered under your zero-trust initiative. You’ve got that running now, right? Just checking.”
John Strand, Owner, Black Hills Information Security, Inc. has this commentary:
“Quantum computing deserves attention, but it shouldn’t become a distraction. Organizations should be aware of the long-term implications and monitor developments closely, especially as we move toward 2030. However, the heavy lifting around post-quantum cryptography belongs primarily to the vendors building the hardware, software, and security products that the rest of us rely on. For most enterprises, the biggest risks today still come from weak identities, poor visibility, unpatched systems, and basic security failures. Focus on getting the fundamentals right while keeping an eye on where quantum technology is headed.”
Steven Swift, Managing Director, Suzu Labs provided this:
“Encryption standards improve over time to keep up with compute. It used to be that once an encryption algorithm was broken, it was time to replace it. These days, we’ve had enough examples of what happens when previously adequate algorithms are defeated by ever more compute. So we plan for the future. This is a double-edged sword.
“On one hand, bulk data collection of encrypted traffic has been well documented to exist. Theory is that if/when we get enough compute to break the encryption, that even if the data is old, some of it will have value. Quantum computing is the technology most commonly discussed as having the potential to allow bulk decryption of such data to happen.
“And on the other hand, we already have robust quantum-resistant encryption algorithms available. These haven’t been widely adopted, because for the most part they’re overkill. Today. But planning for the future makes sense.
“Improving our encryption standards now, well ahead of the time when they may be broken in the future seems like a rational thing to do. Industry adoption is always slow, especially without a mandate. And even once adopted, there are always huge numbers of unsupported devices well past their end-of-life dates.”
Sharon Hagi, CSO, Finite State adds this:
“ANSSI’s direction is correct in principle. Harvest-now-decrypt-later is a threat vector, and waiting until quantum-capable adversaries are operational to begin transitioning is not a strategy… more like prayer. The policy signal matters.
“That said, the framing deserves a bit of refinement.
“Data has a sensitivity half-life. Confidentiality, integrity, and availability requirements are not static properties, they decay at rates determined by the nature of the data and its operational context. A company’s quarterly earnings figures are crown jewels until the 8-K hits the wire, at which point they’re public record. Acute medical telemetry from a connected device is operationally critical for minutes to hours; its clinical relevance, and therefore its confidentiality exposure, decays rapidly. Blanket government and institutional risk assessments that treat all encrypted traffic as equivalently sensitive over decade-long windows are analytically imprecise.
“The risk model needs to incorporate:
- “Data classification over time, not just at point of creation or encryption
- “Threat actor targeting probability — most adversaries harvesting traffic today are after high-value, long-lived secrets (state intelligence, PII, financial infrastructure), not device telemetry or operational status pings
- “Actual attack surfaces specific to device class and deployment context
“The quantum threat is not uniformly distributed across the cryptographic stack. Shor’s algorithm breaks RSA and ECC. It does not break AES-256 or SHA-3 in any operationally practical sense — Grover’s provides at most a quadratic speedup, and the effective security margins of properly sized symmetric primitives still holds for most uses. Architectures that rely on symmetric encryption with out-of-band or pre-provisioned key distribution remain meaningful options for resource-constrained embedded devices where NIST PQC algorithms (e.g. ML-KEM, ML-DSA) impose non-trivial compute, bandwidth and memory costs.
“This doesn’t mean symmetric-only designs are the answer — key management at scale without quantum safe equivalent asymmetric crypto is a real operational burden. But it means the engineering solution space is alot bigger and richer than “migrate everything to PQC or you’re exposed.”
“What’s missing from the policy conversation is a differentiated threat and risk assessment framework — one that accounts for data lifetime and sensitivity decay rate, device class, computational constraints, and realistic adversary capability timelines. The mandate to transition is right. The precision of the planning and execution model needs work. The regulatory momentum is valuable for Finite State as having these conversations with customers about incorporating quantum crypto standards into their product security designs is exactly why we’re here.”
France to phase out certification of products lacking quantum-safe encryption
Posted in Commentary with tags France on June 18, 2026 by itnerdSpeaking at the France Quantum conference, Samih Souissi, ANSSI’s chief of staff, announced it will stop certifying security products that do not incorporate quantum-resistant encryption beginning in 2027.
ANSSI said organizations should be purchasing only quantum-safe products by 2030 as part of a broader national transition strategy.
The policy is intended to address concerns over “harvest now, decrypt later” attacks. ANSSI officials said the transition is not solely a technical challenge but also involves governance, regulation, industrial planning, and national sovereignty considerations.
France’s announcement aligns with broader European efforts to prepare for post-quantum cybersecurity. The European Union has called on member states to begin transitioning to post-quantum cryptography by the end of 2026 and to secure critical infrastructure with quantum-resistant protections by 2030.
Josh Marpet, Senior Product Security Consultant, Finite State:
“Considering that certificate lifespans are down to 47 days as per 2029, and Google’s timeline for post quantum cryptography is 2029, and every single cipher suite used currently is deprecated by NIST in 2030, this actually sounds about right. In the next 12 months, if you don’t have a plan to inventory all Asymetric cryptography in your environment and start prioritizing and phasing out all non-post-quantum-cryptography, then you’ve got a problem!
“The priority, of course, is all sensitive (restricted/confidential/your choice) information sent over the open internet. This is where it will get harvested from. Internal data transfers from a data storage location to a data processing location, are, of course, important and need to be protected, but it’s much harder for someone to harvest it trivially. Also, internal data movement should be covered under your zero-trust initiative. You’ve got that running now, right? Just checking.”
John Strand, Owner, Black Hills Information Security, Inc. has this commentary:
“Quantum computing deserves attention, but it shouldn’t become a distraction. Organizations should be aware of the long-term implications and monitor developments closely, especially as we move toward 2030. However, the heavy lifting around post-quantum cryptography belongs primarily to the vendors building the hardware, software, and security products that the rest of us rely on. For most enterprises, the biggest risks today still come from weak identities, poor visibility, unpatched systems, and basic security failures. Focus on getting the fundamentals right while keeping an eye on where quantum technology is headed.”
Steven Swift, Managing Director, Suzu Labs provided this:
“Encryption standards improve over time to keep up with compute. It used to be that once an encryption algorithm was broken, it was time to replace it. These days, we’ve had enough examples of what happens when previously adequate algorithms are defeated by ever more compute. So we plan for the future. This is a double-edged sword.
“On one hand, bulk data collection of encrypted traffic has been well documented to exist. Theory is that if/when we get enough compute to break the encryption, that even if the data is old, some of it will have value. Quantum computing is the technology most commonly discussed as having the potential to allow bulk decryption of such data to happen.
“And on the other hand, we already have robust quantum-resistant encryption algorithms available. These haven’t been widely adopted, because for the most part they’re overkill. Today. But planning for the future makes sense.
“Improving our encryption standards now, well ahead of the time when they may be broken in the future seems like a rational thing to do. Industry adoption is always slow, especially without a mandate. And even once adopted, there are always huge numbers of unsupported devices well past their end-of-life dates.”
Sharon Hagi, CSO, Finite State adds this:
“ANSSI’s direction is correct in principle. Harvest-now-decrypt-later is a threat vector, and waiting until quantum-capable adversaries are operational to begin transitioning is not a strategy… more like prayer. The policy signal matters.
“That said, the framing deserves a bit of refinement.
“Data has a sensitivity half-life. Confidentiality, integrity, and availability requirements are not static properties, they decay at rates determined by the nature of the data and its operational context. A company’s quarterly earnings figures are crown jewels until the 8-K hits the wire, at which point they’re public record. Acute medical telemetry from a connected device is operationally critical for minutes to hours; its clinical relevance, and therefore its confidentiality exposure, decays rapidly. Blanket government and institutional risk assessments that treat all encrypted traffic as equivalently sensitive over decade-long windows are analytically imprecise.
“The risk model needs to incorporate:
“The quantum threat is not uniformly distributed across the cryptographic stack. Shor’s algorithm breaks RSA and ECC. It does not break AES-256 or SHA-3 in any operationally practical sense — Grover’s provides at most a quadratic speedup, and the effective security margins of properly sized symmetric primitives still holds for most uses. Architectures that rely on symmetric encryption with out-of-band or pre-provisioned key distribution remain meaningful options for resource-constrained embedded devices where NIST PQC algorithms (e.g. ML-KEM, ML-DSA) impose non-trivial compute, bandwidth and memory costs.
“This doesn’t mean symmetric-only designs are the answer — key management at scale without quantum safe equivalent asymmetric crypto is a real operational burden. But it means the engineering solution space is alot bigger and richer than “migrate everything to PQC or you’re exposed.”
“What’s missing from the policy conversation is a differentiated threat and risk assessment framework — one that accounts for data lifetime and sensitivity decay rate, device class, computational constraints, and realistic adversary capability timelines. The mandate to transition is right. The precision of the planning and execution model needs work. The regulatory momentum is valuable for Finite State as having these conversations with customers about incorporating quantum crypto standards into their product security designs is exactly why we’re here.”
Leave a comment »