By 2027, ANSSI will no longer accept, at the qualification entry stage, security products that do not include post-quantum cryptography.
Its director-general Vincent Strubel announced this at the Security Conference in early October. His statement echoed a FAQ the agency had published the day before, which carried the same information.
Against this backdrop, the agency has expanded its corpus on the topic. And in parallel, it has hit several milestones. Among others, the issuance of its first security visas for solutions that include post-quantum cryptography. More precisely, CC (Common Criteria) certifications for Thales’ MultiApp 5.2 Premium PQC smart card (September 29) and for Samsung’s S3SSE2A microcontroller (October 1st), which implement the ML-DSA signature scheme.
The assessments were carried out by CEA-Leti, the first accredited center “for the PQC scope.” Other centers are in the process of accreditation: Amossys (Almond group), EDSI (NAGRA Kudelski group), Quarkslab, Serma Safety & Security, Synacktiv, and Thales/CNES.
Guides and reference frameworks to be updated
Beyond 2027, the FAQ mentions the 2030 deadline. With a note: at that point, it “will no longer be reasonable” to purchase products that do not incorporate post-quantum cryptography.
ANSSI invites conducting an inventory now: identify the data and use cases at risk, then the equipment that will need updating, and contact suppliers to learn about their roadmaps.
For now, the agency focuses its guidance mainly on vendors. In this logic, it plans to publish technical recommendations (integration into protocols, crypto agility, certificate management…). And also to update, in 2026, its IPsec DR reference framework to incorporate post-quantum algorithms*. In the meantime, it invites consulting a transition guide signed by Dutch intelligence and two national research institutes (in English; 2nd edition, December 2024).
ANSSI has also been involved in the SGPI’s call for projects “Development of Critical Innovative Technologies.” The application window ran from November 2024 to April 2025. Objective: finance cybersecurity building blocks. One axis focuses on tools to aid the post-quantum transition:
- Automation of the inventory of cryptographic assets (network probes, application/binaries analysis, certificate lifecycle management)
- Identification of vulnerable assets and prioritization of migration actions
- Innovations in risk analysis tools
Other updates are planned in the near term, such as the guide to selecting cryptographic algorithms (update planned for this year).
In the EU, the prospect of a “minimum level of preparedness” by end-2026
In the agency’s corpus, the “founding document” remains a 2022 position paper on migrating to post-quantum cryptography (updated at the end of 2023). It already promoted hybridization, i.e., combining with pre-quantum asymmetric cryptographic algorithms in the short to medium term to avoid regressions**.
ANSSI also co-chairs, alongside its German and Dutch counterparts, the working group tasked with drafting the EU’s roadmap “for the coordinated implementation of the transition to post-quantum cryptography.”
While awaiting the final deliverable, a first document was published in June 2025. It is intended to help achieve a minimal level of preparedness among the member states by the end of 2026. This includes identifying and engaging stakeholders. France is cited as an example for the surveys ANSSI orchestrated among three populations (vendors, users, and consulting providers).
There will also need to be pilots by end-2026 for transitioning high-risk and intermediate-risk use cases. By “high,” for example, is meant, for data protected with public-key cryptography, cases where a confidentiality breach after 10 years or more would still cause significant damage.
A transition expected by 2030 for high-risk use cases
The risk categorization depends more broadly on a score calculated from a model described in the Dutch guide mentioned above. Three factors influence it:
- Weakness of the cryptography used
- Estimated impact in case of a breach
- Time and effort required to migrate to post-quantum (for elements under the organization’s control)
The idea is that high-risk use cases have migrated by 2030 at the latest (and by that horizon, software and firmware updates will use quantum-resistant signatures). The 2035 deadline is targeted for intermediate-risk use cases.
This agenda is backed in particular by a study from the German ANSSI (The Status of Quantum Computer Development; the latest version published January 2025). It estimates that a computer capable of breaking current cryptography could be available by 2040.
The document addressed to the member states cites another report, signed by the Global Risk Institute. In particular, an estimate: there is a 19% to 34% chance that within the next decade, a quantum computer will be able to break RSA-2048 in 24 hours.
* For now, quantum-safe products cannot be DR-certified if they must comply with a framework that does not allow the use of such algorithms.
** The only post-quantum algorithms for which ANSSI does not recommend a systematic use of hybridization are hash-based signature algorithms: SLH-DSA, XMSS, and LMS.
