France's cybersecurity agency ANSSI has said it would stop certifying security products that lack quantum-resistant encryption, a move that will ​force government bodies and critical operators to shift away from older ‌systems.

For years, post-quantum security has been treated as a future problem.

Something for standards bodies, cryptographers and long-range technology teams to worry about. Useful, important, but not urgent enough to reshape buying decisions today.

That position is now collapsing.

France’s cybersecurity agency, ANSSI, has said it will stop certifying security products that do not include quantum-resistant encryption from 2027. It has also indicated that businesses should be buying only quantum-safe products by 2030.

That matters because ANSSI certification is not just a badge. For French government agencies and critical operators, it is part of the trust framework that determines what can be bought, deployed and relied on. In practical terms, France is turning quantum safety from a technical roadmap into a procurement gate.

This is the real story.

Not that quantum computers are arriving tomorrow. Not that every classical system suddenly fails overnight. The point is sharper than that: governments are beginning to decide that products without a credible quantum-safe path are no longer acceptable for critical use.

The compliance wall is moving forward

The post-quantum transition has always had a strange timing problem.

The threat is future-facing, but the exposure starts now. Sensitive traffic can be intercepted today, stored, and decrypted later if future quantum capability breaks the public-key systems used to protect it. This is the “harvest now, decrypt later” problem.

That changes how buyers have to think.

A system procured in 2026 may still be in service in 2030, 2035 or beyond. That is especially true in defence, aviation, critical infrastructure and autonomous systems, where platforms are expensive, certification cycles are slow and fielded assets do not get replaced every few years.

So the question is no longer: “Is a cryptographically relevant quantum computer available today?”

The better question is: “Will this product still be trusted through the lifetime of the mission, the contract and the asset?”

France has effectively answered that question from a procurement perspective. If a security product does not have quantum-resistant encryption, it is on the wrong side of the direction of travel.

This is not just an enterprise IT problem

Most public discussion around post-quantum migration focuses on enterprise systems: VPNs, browsers, cloud services, identity platforms, payment infrastructure and data centres.

Those systems matter. But they are not the only systems at risk.

The harder problem is at the edge.

Uncrewed vehicles, tactical radios, autonomous platforms, satellite links, maritime systems, airspace infrastructure and critical telemetry all depend on communications that must remain secure under poor conditions. These systems operate in environments where bandwidth is limited, links are intermittent, jamming is expected and latency can become a mission issue.

That is where a simple “swap the algorithm” mindset starts to break down.

A post-quantum handshake may be acceptable inside a clean enterprise network. It is a different question entirely when the platform is airborne, the RF environment is contested, the link is dropping packets and command authority must be maintained without creating a new operational burden.

For defence and autonomy, quantum safety cannot be treated separately from resilience.

A secure link that fails under jamming is not secure enough. A quantum-safe protocol that requires fragile handshakes may still be operationally weak. A system that protects the data but cannot authenticate command authority under degraded conditions does not solve the real problem.

Certification will shape the market

The French move should be read as a market signal.

Vendors that cannot explain their post-quantum roadmap will increasingly be pushed out of sensitive procurement conversations. Buyers will not want vague promises. They will want clear answers:

How is the link secured?

What happens when the channel degrades?

What happens if a message is intercepted?

What happens if a device is captured?

What happens if the link drops mid-mission?

What happens when legacy RSA and ECC-based assumptions are no longer acceptable?

The companies that can answer those questions clearly will move faster through procurement. The companies that cannot will face retrofits, delays, requalification work and a loss of confidence.

This is especially important for OEMs and integrators building long-life platforms. Waiting until the deadline is not a strategy. By the time certification requirements are formalised, the architecture has usually already been chosen. Retrofitting cryptography into a platform after the fact is more expensive, more disruptive and more politically painful than designing it in early.

Delatr’s view: quantum-safe communications must be built for the field, not just the lab

At Delatr, we believe the post-quantum transition is not just about replacing old algorithms with new ones.

That is part of the job, but it is not the whole job.

For uncrewed systems and autonomous platforms, the bigger requirement is secure command and control that survives the real operating environment. That means authentication, confidentiality, replay protection, resilience under jamming, graceful degradation and containment if a platform is lost or captured.

Lineage is being developed for that world.

It is designed as a communications security layer for uncrewed and autonomous systems, sitting between the control stack and the communications bearer. The aim is to secure the command path without forcing platform owners to redesign the aircraft, radio or operator workflow around a new cryptographic architecture.

The problem we are focused on is simple: the command link is becoming one of the most important trust boundaries in modern autonomy.

If an adversary can intercept, replay, spoof, corrupt or store mission traffic for later decryption, the platform becomes a liability. If one captured node can expose wider fleet communications, the risk compounds. If security adds too much latency, radio overhead or power draw, operators will avoid using it where it matters most.

That is why quantum-safe communications need to be practical at the edge.

They need to work across constrained platforms, degraded links and mixed fleets. They need to preserve mission tempo. They need to support existing systems instead of demanding a clean-sheet rebuild. And they need to give procurement teams a defensible answer before quantum-safe compliance becomes a blocker.

The uncomfortable truth for vendors

The uncomfortable truth is that “we use AES” or “we will add PQC later” will not be enough for much longer.

AES may remain strong as a symmetric cipher, but many systems depend on public-key infrastructure for key exchange, identity, signatures and session establishment. Those are the areas being pulled into the post-quantum transition.

Likewise, bolting post-quantum cryptography onto an existing architecture does not automatically make a system operationally fit for defence, autonomy or critical infrastructure. It may address one class of future cryptographic threat while leaving unresolved problems around link resilience, authentication under noise, command integrity and field deployment.

Buyers are getting sharper. Regulators are getting earlier. Certification bodies are moving from guidance to enforcement.

That is the shift France has just made visible.

What happens next

The next few years will separate serious vendors from vendors with a slide.

Serious vendors will map where cryptography exists in their products. They will understand which systems depend on RSA, ECC, Diffie-Hellman, ECDSA and other quantum-vulnerable foundations. They will design migration paths. They will test performance under operational conditions. They will document their assumptions. They will be able to show how their products behave when the link is degraded, not just when the lab network is clean.

Defence and critical-infrastructure buyers should start asking those questions now.

Not in 2030.

Not when a certification deadline forces a rushed retrofit.

Now.

France’s decision is not the end of the post-quantum transition. It is one of the first clear signs that the transition is becoming enforceable. Other governments and allied procurement frameworks will not ignore it. Once one major state starts tying quantum safety to certification, the direction of travel becomes obvious.

Quantum-safe communications are moving from “future-proofing” to “permission to operate.”

For autonomous systems, that shift is even more urgent.

The platforms being designed, bought and deployed today will still be operating deep into the post-quantum transition window. The winners will be the teams that treat secure communications as core infrastructure, not as a late-stage compliance patch.

France has drawn the line.

The rest of the market now has to decide which side of it they want to be on.