France just drew one of the hardest lines in cybersecurity policy anywhere in the world. The country’s national cybersecurity agency, ANSSI, announced it will stop certifying security products that don’t incorporate quantum-safe encryption, with a 2027 deadline for compliance.

What ANSSI is actually requiring

ANSSI chief of staff Samih Souissi laid out the timeline during the France Quantum conference in Paris on June 16. The core mandate is straightforward: all products used by government entities and critical operators must move away from classical public-key cryptography that quantum computers could theoretically crack.

The phased approach gives organizations until 2030 to exclusively procure quantum-safe products. In English: vendors have until 2027 to get certified under the new rules, and buyers have until 2030 to fully transition their procurement pipelines.

The US National Institute of Standards and Technology finalized its first set of post-quantum cryptography standards back in August 2024, including algorithms designated ML-KEM, ML-DSA, and SLH-DSA. France is aligning with those global benchmarks rather than inventing its own, which makes the transition somewhat less chaotic for multinational vendors already adapting to NIST’s framework.

The systems most directly affected are the ones with long operational lifespans. Think VPNs, public key infrastructure, and digital certificates. These are exactly the kind of systems that could be vulnerable to a “harvest now, decrypt later” attack strategy, where adversaries collect encrypted data today and wait for quantum computers powerful enough to break it tomorrow.

Why this matters beyond France

France’s decision represents arguably the most aggressive government mandate on post-quantum cryptography adoption in Europe to date. ANSSI has been publishing position papers on this topic for years and has been actively engaged in European standardization efforts. But moving from “we recommend this” to “we won’t certify you without it” is a meaningful escalation.

What this means for investors

The immediate winners here are firms specializing in post-quantum cryptography solutions. Companies like CryptoNext Security, which focus specifically on this technology, stand to see a meaningful surge in demand as organizations race to comply with the 2027 certification deadline. Highly regulated sectors, including defense, energy, telecommunications, and financial services, will likely be the first movers.

For the broader crypto and digital asset ecosystem, France’s mandate reinforces a point that’s been quietly building for years: the cryptographic foundations underlying blockchain technology, digital wallets, and decentralized protocols will eventually need the same quantum-resistant upgrades. Most major blockchains still rely on elliptic curve cryptography, which falls squarely in the category of classical public-key cryptography that quantum computers could theoretically defeat.

The 2027 deadline gives the market roughly 12 months to prepare. In cybersecurity procurement cycles, that’s not a lot of runway.