France's cybersecurity agency will stop certifying products that lack quantum-resistant encryption starting in 2027, with a full shift to post-quantum standards targeted for 2030. The move sets a hard deadline for manufacturers to upgrade their security before quantum computers become a real threat to current encryption methods.
Why the deadline matters now
Today's encryption, like RSA and ECC, relies on mathematical problems that a sufficiently powerful quantum computer could solve in minutes. While such machines don't exist at scale yet, the agency argues that data encrypted now could be stored and decrypted later — a risk known as "harvest now, decrypt later." By forcing products to adopt quantum-resistant algorithms before certification, France aims to make sure devices sold from 2027 onward are ready for the post-quantum era.
What the certification covers
The agency's certification program covers a wide range of products, including hardware security modules, smart cards, VPNs, and software libraries used in critical infrastructure. Without certification, those products can't be sold into government or regulated markets in France. The 2027 cutoff applies to new certifications; existing certificates will be phased out over the following three years, with full compliance required by 2030.
How manufacturers can prepare
Companies that want to keep selling certified products in France after 2026 need to start integrating post-quantum algorithms now. The U.S. National Institute of Standards and Technology has already finalized several quantum-resistant algorithms, such as CRYSTALS-Kyber for key exchange and CRYSTALS-Dilithium for signatures. French authorities are expected to align with those standards, though they may add their own requirements. Testing and redesign cycles for hardware can take 18 to 24 months, so waiting until 2025 would be risky.
Broader implications for the tech industry
France is the first European country to issue a concrete ban on non-quantum-safe encryption for certification. Other nations and the European Union are watching closely. If France's approach proves workable, similar mandates could spread across the bloc, forcing a global shift in how hardware and software vendors handle long-term data security. The agency has not yet published a detailed timeline for algorithm selection or testing criteria, but officials say they will release guidance later this year.
The 2027 deadline means manufacturers have roughly three years to adapt. For those that miss it, the French market — and potentially others — will be closed to their products.
