TL;DR: France will require products seeking ANSSI cybersecurity certification to demonstrate adoption of quantum-era standards from 2027, with an expectation that all products could be held to the same standard by 2030, according to Swarmnetics. The practical challenge is now less about abstract quantum risk and more about inventorying cryptography, trust dependencies, and sensitive data exposure before transition windows close.
At a glance
What this is: France is moving quantum-safe requirements into cybersecurity certification, making cryptographic readiness a compliance issue for government and critical infrastructure products.
Why it matters: IAM, PAM, NHI, and platform teams need to understand which secrets, certificates, tokens, and trust paths depend on crypto that may not survive the transition to post-quantum standards.
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
👉 Read Swarmnetics' analysis of France's ANSSI quantum-safe certification requirement
Context
Quantum-safe certification is becoming a governance issue, not just a cryptography refresh. France’s ANSSI direction signals that product assurance is starting to depend on whether vendors can demonstrate a credible path away from algorithms that may fail in a future quantum environment, especially where government and critical infrastructure are involved.
For identity and access programmes, the issue is broader than encryption at rest or in transit. Certificates, API keys, service accounts, and federated trust chains all depend on cryptographic assumptions, so post-quantum planning has to reach into NHI governance, secrets handling, and certificate lifecycle management as well as application and infrastructure teams.
Key questions
Q: What fails when organisations delay post-quantum planning for identity systems?
A: The failure is not only eventual algorithm weakness. Delayed planning leaves certificates, signing keys, and federated trust chains in place long enough that data captured today can be exposed later, and NHI-driven automation may become difficult to migrate without outages or broken access paths.
Q: When should security teams prioritise post-quantum readiness work?
A: Teams should prioritise it now for identities tied to long-lived confidentiality, hard-to-rotate secrets, and externally exposed trust paths. Those are the assets most likely to remain valuable if attackers capture encrypted material today. Waiting shifts the burden to an emergency migration, which is usually slower and more disruptive.
Q: What do security teams get wrong about quantum-safe migration?
A: They often treat it as an encryption-library refresh. In practice, the hard part is remediating the identity and trust dependencies that sit around encryption, including NHI lifecycles, certificate ownership, vendor compatibility, and the systems that must keep working during migration.
Q: Who is accountable when quantum-safe certification becomes mandatory?
A: Accountability sits across security, platform, procurement, and product owners because cryptographic readiness spans policy, implementation, and supplier dependency. For regulated environments, teams should align the work to governance and audit requirements under the NIST Cybersecurity Framework 2.0 and relevant certification rules.
Technical breakdown
What changes when cryptography becomes a certification requirement?
When a regulator ties certification to quantum-safe standards, cryptography stops being a back-end design choice and becomes a compliance control. That shifts the work from isolated algorithm upgrades to a full inventory of where encryption, signing, key exchange, and certificate trust are embedded. In practice, this includes internal and external services, device identities, API authentication, and any workflow that depends on long-lived certificates or signed tokens. The hardest part is rarely the new algorithm itself. It is understanding where legacy dependencies, vendor constraints, and lifecycle gaps make migration incomplete or inconsistent.
Practical implication: build a cryptographic inventory that includes identity dependencies, not just application data flows.
Why certificate and key rotation matter in the quantum transition
Quantum risk changes the time horizon for secrets and certificates. Material that is safe today may become collectible now and breakable later, which means long-lived credentials create future exposure even when current controls look sound. This is especially relevant for NHIs, where certificates, tokens, and API keys are often embedded in automation and rarely reviewed with the same discipline as human access. Rotation, revocation, and expiry become transition controls, not administrative housekeeping. If cryptographic agility is weak, an organisation can end up with a secure design on paper but a brittle deployment in production.
Practical implication: shorten credential lifetimes where feasible and map every long-lived certificate or token to an owner and expiry path.
How zero trust and NHI governance intersect with post-quantum planning
Zero trust depends on continuous verification of identity, device, workload, and session state. Post-quantum planning affects that model because certificate chains, federation paths, and workload identities are often the trust anchors behind the policy decision. If those anchors cannot be updated cleanly, the organisation may keep the zero-trust label while preserving outdated cryptographic trust underneath. For NHI programmes, the key question is whether the organisation can replace signing and authentication mechanisms without breaking automation, third-party integrations, or service-to-service access. That is a governance problem as much as a technical one.
Practical implication: test cryptographic replacement paths inside zero-trust and workload-identity architectures before mandate dates force them.
NHI Mgmt Group analysis
Quantum-safe readiness is now part of identity governance because trust anchors are identity controls. Certificates, signing keys, API tokens, and federation paths define who and what is trusted in modern systems. When certification regimes begin requiring quantum-safe adoption, the governance question is no longer only about cryptographic strength. It is about whether an organisation can trace every identity dependency and replace it without breaking production access.
Long-lived secrets create a quantum exposure window that most programmes still undercount. The article’s warning about data that can be stolen now and cracked later applies directly to secrets management and NHI lifecycles. A service account certificate or signing key with multi-year utility is a future liability if the cryptographic path behind it cannot be reissued, rotated, or retired on schedule. Practitioners should treat this as a lifecycle problem, not a one-time migration.
Cryptographic agility is the named capability organisations are missing. The practical bottleneck is not just selecting a post-quantum algorithm. It is the ability to swap algorithms, certificates, libraries, and trust chains without halting automation or third-party connectivity. That makes this a governance and dependency-mapping issue across IAM, PAM, NHI, and application teams.
Vendor readiness will determine whether certification becomes a control or a delay. The article makes clear that organisations depend heavily on vendors and software developers to move first. That means procurement, contract language, and upgrade roadmaps are now part of security architecture. Teams should assume that some dependencies will lag and plan compensating controls accordingly.
Post-quantum planning should be folded into zero-trust and workload identity roadmaps now. Zero trust assumes continuous verification, but the trust chain itself must be replaceable for that model to survive the transition. For identity programmes, the right conclusion is to inventory cryptographic dependencies alongside access paths, then prioritise the systems where identity credentials, certificates, and signatures have the longest exposure horizon.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- From our research: Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs , Key Challenges and Risks.
- For the next step: Review Ultimate Guide to NHIs , Regulatory and Audit Perspectives to connect cryptographic readiness with audit evidence and control ownership.
What this signals
Cryptographic agility is becoming a programme dependency, not a specialist project. If identity, certificate, and secrets ownership are not mapped now, post-quantum migration will surface as a hidden dependency problem across IAM, application, and infrastructure teams. The organisations that move earliest will be the ones that can inventory trust anchors, not just algorithms.
The strongest indicator of readiness is whether the team can rotate or replace trust material without breaking service-to-service authentication. If that is impossible, the organisation still has a standing trust problem even if its architecture is labelled zero trust. The practical benchmark is whether secrets and certificates can be reissued as part of normal lifecycle management, not emergency remediation.
For practitioners
- Inventory cryptographic dependencies across identity systems Map every certificate, token, signing key, and authentication dependency used by workloads, service accounts, federation, and third parties. Include where it lives, who owns it, how long it lasts, and whether it can be replaced without breaking access.
- Classify long-lived secrets by future exposure risk Separate credentials that authenticate runtime access from those that also protect data or trust chains over multiple years. Prioritise the ones that could expose archived data or enable replay if current algorithms are later weakened.
- Test cryptographic agility in NHI workflows Run controlled replacement tests for certificates, libraries, and trust anchors in service-to-service authentication paths, especially where automation, CI/CD, and federated access depend on fixed cryptographic assumptions.
- Update vendor and procurement requirements Require suppliers to disclose post-quantum roadmap status, dependency on legacy algorithms, and support for certificate and signature migration. Tie renewal decisions to replacement timelines for products used in government or critical infrastructure.
- Fold quantum-safe planning into zero-trust roadmaps Review whether identity verification, workload identity, and session trust can be reissued or rotated without breaking policy enforcement. Use the NIST Cybersecurity Framework 2.0 to structure governance, change management, and recovery planning.
Key takeaways
- Quantum-safe certification is turning cryptography into a governance and assurance issue, not just an engineering upgrade.
- The main exposure is long-lived trust material, especially where certificates and NHI secrets outlast the systems that depend on them.
- Identity teams should inventory trust anchors now, because cryptographic agility will determine whether migration is controlled or disruptive.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207), NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Quantum-safe transition depends on identity verification and trust path integrity. |
| NIST SP 800-53 Rev 5 | SC-12 | Key establishment and management are central to post-quantum migration planning. |
| NIST Zero Trust (SP 800-207) | Zero trust depends on replaceable trust anchors and continuous verification. | |
| NIST SP 800-63 | SP 800-63C | Federation and assertion trust are directly affected by cryptographic migration. |
| NIST AI RMF | GOVERN | Governance is needed to assign ownership for cryptographic migration across teams and suppliers. |
Use SC-12 to inventory key lifecycle dependencies and plan replacement of vulnerable cryptographic mechanisms.
Key terms
- Cryptographic agility: The ability to change cryptographic algorithms, key lengths, or trust models without reworking every application. For machine identities, it reduces the risk that long-lived services will fail when standards shift or when post-quantum migration becomes necessary.
- Quantum-Safe Standards: Quantum-safe standards are cryptographic methods designed to remain resistant when practical quantum computing becomes capable of breaking today’s widely used public-key schemes. In governance terms, they are a transition target for systems that need to protect data, signatures, and authentication over long time horizons.
- Trust anchor: A trust anchor is the root authority that signs federation metadata and establishes the policies other participants inherit. In practice, it controls who can join, what cryptographic rules apply, and how trust is delegated across an ecosystem. The security posture of the whole federation depends heavily on this layer.
What's in the full analysis
Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:
- How ANSSI certification requirements are expected to apply to government and critical infrastructure products from 2027.
- The article's discussion of Google’s 2029 internal readiness target and NIST’s 2030 deprecation timeline for current encryption.
- The practical constraints around compatibility, legacy systems, and vendor dependency that slow post-quantum migration.
- The specific rationale for reviewing zero-trust implementations and sensitive data storage during quantum readiness planning.
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, machine identity security, and secrets management. It helps security practitioners connect identity lifecycle controls to the broader access and assurance decisions their programmes depend on.
Published by the NHIMG editorial team on July 14, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org