French government cybersecurity researchers will stop certifying security products that lack quantum-resistant encryption, starting in 2025. The move gives vendors a clear deadline to upgrade their encryption or lose the government's seal of approval.
What the certification change means
Beginning next year, any product submitted for certification by French cybersecurity authorities must include encryption that can resist attacks from quantum computers. If it doesn't, it won't get certified. That could be a problem for companies selling to French government agencies, defense contractors, or critical infrastructure operators that often require such certification.
The decision doesn't ban the sale of non-quantum-resistant products outright, but without certification they lose a key trust signal in the French market. For now, the requirement only applies to new certification submissions. Products already certified before 2025 may still be sold, but their status could change over time.
Why quantum-resistant encryption is suddenly urgent
Today's encryption standards—like RSA and ECC—keep data safe from conventional computers. But a sufficiently powerful quantum computer could break them in seconds. While no such machine exists yet, governments and tech companies have been racing to develop and standardize post-quantum cryptography (PQC). The French researchers' move is one of the first concrete regulatory steps that force the market to adopt PQC on a fixed timeline.
The U.S. National Institute of Standards and Technology has already selected several PQC algorithms for standardization, and other countries are watching. France's deadline could push vendors to accelerate their migration plans, especially those that sell across Europe.
What vendors need to do by 2025
Security product makers have less than two years to add quantum-resistant encryption to their software and hardware. That means rewriting cryptographic libraries, updating firmware, and testing compatibility with existing systems. For some products, like VPNs, secure messaging apps, or hardware security modules, the change may be more straightforward. For others, like legacy systems embedded in long-cycle industrial equipment, it could be costly and slow.
The French researchers have not yet published detailed technical requirements, but they are expected to align with international PQC standards. Vendors that fail to adapt risk losing access to a significant government market.
The certification change officially takes effect in 2025. Companies that serve French clients should start planning now—or risk being locked out.
