France’s cybersecurity agency ANSSI said that it will no longer certify security products that lack post-quantum cryptography, creating a new procurement standard for government and critical-sector deployments. The decision puts quantum-resistant security controls into the center of public-sector technology approval.
The policy matters beyond traditional cybersecurity vendors. Custodians, exchanges and wallet providers also rely on elliptic-curve signatures used across Bitcoin and other digital assets, meaning crypto key management now faces a sharper institutional due-diligence test.
ANSSI Turns Quantum Readiness Into a Market Gate
ANSSI framed the measure as a certification requirement rather than a blanket ban. From 2027, the agency will refuse certification for products that do not integrate approved post-quantum cryptography primitives, making PQC adoption a commercial requirement for suppliers seeking French public-sector approval.
The agency’s approach uses certification standards to accelerate vendor migration. By naming quantum-resistant algorithms such as ML-DSA and FN-DSA in the announcement, ANSSI is steering the market toward approved cryptographic primitives rather than open-ended future planning.
The urgency reflects a changing technical assessment of quantum risk. Researchers, including work cited from Google, have revised down the quantum resources needed to threaten current signature schemes, reinforcing the harvest-now, decrypt-later threat model.
That model assumes adversaries can collect encrypted or cryptographically sensitive data today and exploit it later once quantum hardware becomes powerful enough. For institutions managing long-lived secrets or transaction records, future decryption risk becomes a present-day governance issue.
Crypto Custody Faces a Signature-Level Risk
The main technical concern is asymmetric cryptography. Bitcoin’s proof-of-work function, SHA-256, is considered more resilient against known quantum attacks, but the elliptic-curve cryptography used to derive public keys and sign transactions is exposed to Shor’s algorithm and future key-recovery attacks.
That distinction is critical for digital assets. Once public keys or signatures are visible on-chain, a sufficiently capable quantum computer could theoretically derive private keys or forge signatures, turning public-ledger transparency into a future attack surface.
The certification deadline will reshape vendor roadmaps. Security companies serving French government and critical infrastructure will need to retool products for PQC compliance, while failure to certify could effectively block them from a meaningful public-sector and critical-infrastructure market.
The indirect impact extends to exchanges, custodians and DeFi platforms. Institutional clients are likely to ask whether key-management systems, signing stacks and custody workflows can demonstrate credible quantum-hardening plans and migration pathways.
Financial-sector authorities are already moving in the same direction. Banque de France experiments with regulatory transfers and collaborative work with the Monetary Authority of Singapore point to a broader supervisory push to test PQC in real financial workflows.
For crypto firms, the operational implications are immediate. Custodians and asset managers need to evaluate quantum-resistant key formats, address reuse practices, wallet upgrade paths and protocol-level dependencies, because today’s exposed transaction data may become tomorrow’s exploitable material.
The market response is likely to include higher development spending on PQC integration and stronger demand for accredited quantum-resistant security stacks. International workstreams across the G7, alongside CNSA 2.0 in the U.S. and parallel strategies in the UK and Canada, suggest France’s certification move is part of a wider regulatory convergence.
The 2027 cutoff now gives suppliers a hard planning horizon. For institutional crypto and cybersecurity providers, ANSSI’s policy turns quantum risk from a distant theoretical concern into a near-term procurement, compliance and operational resilience requirement.
