France sets 2030 as the limit to shield its public data from the quantum threat

The French National Information Systems Security Agency (ANSSI) published on April 9 the French State’s cybersecurity roadmap for 2026-2027, which includes a chapter dedicated to the transition to post-quantum cryptography with specific deadlines for all ministries.

According to the document, information systems that process classified data must operate with post-quantum cryptography before the end of 2030and from that year onwards only encryption products that incorporate this protection can be deployed.

The roadmap establishes three stages prior to that final deadline:

• Before the end of 2026each ministry will need to inventory its durable and sensitive data to identify which ones require priority post-quantum protection.

• Before the end of 2027must identify the affected technical components, such as encryption and digital signature systems.

• And before the end of 2030must complete the deployment of post-quantum cryptography in all systems that process classified information.

Why is France acting now?

The ANSSI document cites two reasons for acting before quantum hardware exists. The first is the time required for a migration of that scale. Updating the cryptography of a State’s entire infrastructure is a process that, according to the document, “must be anticipated and started now.”

The second is the risk known as “harvest now, decrypt later” (store now, decrypt later): The practice whereby malicious actors capture encrypted data today with the intention of decrypting it when they have sufficient quantum hardware. That risk exists regardless of when Q-Day arrives.

With this roadmap, France joins institutions such as Google, which announced that it is targeting 2029 to migrate its own infrastructure, and the United States National Institute of Standards and Technology (NIST), which set post-quantum migration deadlines for 2030 and 2035, as reported by CriptoNoticias.