France introduces strict requirements: from 2027, certification only for quantum-resistant products
The French National Agency for Information Systems Security (ANSSI) has announced a radical change in its cybersecurity certification policy. Starting in 2027, the agency will cease issuing certificates for products not equipped with encryption resistant to quantum attacks. This statement was made at the France Quantum conference on behalf of the agency's chief of staff, Samih Souissi.
ANSSI certification is a mandatory requirement for using solutions in French government structures and critical infrastructure facilities. Thus, the country is effectively introducing a mandatory standard for post-quantum protection for all sensitive systems. According to Souissi, by 2030, all procurement must be exclusively for quantum-resistant products.
The main motivation for this decision is the "harvest now, decrypt later" strategy. Attackers can already intercept and store encrypted data today, waiting for sufficiently powerful quantum computers capable of breaking traditional algorithms. This creates a long-term threat to information confidentiality, especially for state secrets and critical infrastructure data.
This move by France is not just a local decision but a signal for the entire industry. Major players seeking to enter the French government procurement market will be forced to invest resources in developing post-quantum solutions now. As an analyst, I believe we are witnessing the beginning of a global trend: other EU countries and possibly the US will follow this example within the next 2-3 years. Quantum-resistant cryptography is no longer an option—it is becoming a necessity.