France has stopped certifying products that don't use quantum-safe encryption, a move that's pushing entire industries to rethink their security roadmaps. The decision, effective immediately, applies to all new and renewed certifications under French cybersecurity standards.
Why the certification freeze matters
Quantum computers, once they reach sufficient power, can crack today's public-key cryptography — the stuff that protects everything from banking apps to government databases. France's certification agency is now saying: if a product can't withstand that future threat, it won't get a seal of approval today. That's a hard deadline for manufacturers who've been treating quantum readiness as a someday problem.
The move doesn't just affect French companies. Any firm that wants to sell certified hardware or software in France — or that relies on French-certified components in global supply chains — now has to show it's using post-quantum cryptographic algorithms. The shift puts pressure on chipmakers, cloud providers, and IoT device builders to adopt new standards quickly.
Accelerating a global trend
France isn't the first to act, but its move is the most direct certification-linked requirement so far. The U.S. National Institute of Standards and Technology has been standardizing quantum-safe algorithms for years, and several European countries have issued guidance. France, however, has turned guidance into a hard block. Other nations are expected to follow — some may tighten import rules or demand similar certifications from foreign vendors.
Industry groups warn that the timeline is tight. The dominant encryption methods — RSA and ECC — are still safe from today's quantum machines, but experts estimate a large-scale quantum computer capable of breaking them could arrive within a decade. Upgrading entire systems takes years of design, testing, and deployment. France's freeze means companies can't wait until the last minute.
What's at stake for businesses
For companies that rely on long certification cycles — think medical devices, automotive electronics, industrial control systems — the new requirement creates an immediate hurdle. A product that was designed for a three-year certification cycle might already be obsolete under French rules. Retrofitting quantum-safe encryption into existing designs isn't trivial. It often requires new hardware, larger key sizes, and changes to firmware that have to be re-tested and re-certified from scratch.
Smaller firms without dedicated crypto teams are especially vulnerable. They may lack the resources to evaluate post-quantum algorithms or to replace legacy cryptographic libraries. Some may lose access to the French market entirely unless they scramble to comply.
On the other hand, cybersecurity vendors that already offer quantum-safe solutions see a sudden opening. The certification requirement creates a clear buying signal: if your product can't get a French stamp, it's going to be harder to sell anywhere in Europe.
What happens next
French authorities haven't released a grace period or transitional measures. Companies with pending certification applications are now being told their submissions won't be processed unless they include quantum-safe encryption. The agency is expected to publish a detailed list of accepted post-quantum algorithms in the coming weeks. Until then, manufacturers are left guessing which standards to implement — and whether their choice will hold up when the final list arrives.
