TL;DR: France will require products seeking ANSSI cybersecurity certification to demonstrate adoption of quantum-era standards from 2027, with an expectation that all products could be held to the same standard by 2030, according to Swarmnetics. The practical challenge is now less about abstract quantum risk and more about inventorying cryptography, trust dependencies, and sensitive data exposure before transition windows close.
NHIMG editorial — based on content published by Swarmnetics: France to Require Quantum-Safe Standards for ANSSI Cybersecurity Certification
By the numbers:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: What fails when organisations delay post-quantum planning for identity systems?
A: The failure is not only eventual algorithm weakness.
Q: When should security teams prioritise post-quantum readiness work?
A: Teams should prioritise it now for identities tied to long-lived confidentiality, hard-to-rotate secrets, and externally exposed trust paths.
Q: What do security teams get wrong about quantum-safe migration?
A: They often treat it as an encryption-library refresh.
Practitioner guidance
- Inventory cryptographic dependencies across identity systems Map every certificate, token, signing key, and authentication dependency used by workloads, service accounts, federation, and third parties.
- Classify long-lived secrets by future exposure risk Separate credentials that authenticate runtime access from those that also protect data or trust chains over multiple years.
- Test cryptographic agility in NHI workflows Run controlled replacement tests for certificates, libraries, and trust anchors in service-to-service authentication paths, especially where automation, CI/CD, and federated access depend on fixed cryptographic assumptions.
What's in the full analysis
Swarmnetics' full article covers the operational detail this post intentionally leaves for the source:
- How ANSSI certification requirements are expected to apply to government and critical infrastructure products from 2027.
- The article's discussion of Google’s 2029 internal readiness target and NIST’s 2030 deprecation timeline for current encryption.
- The practical constraints around compatibility, legacy systems, and vendor dependency that slow post-quantum migration.
- The specific rationale for reviewing zero-trust implementations and sensitive data storage during quantum readiness planning.
👉 Read Swarmnetics' analysis of France's ANSSI quantum-safe certification requirement →
Quantum-safe standards for certification: are identity controls ready?
Explore further
Quantum-safe readiness is now part of identity governance because trust anchors are identity controls. Certificates, signing keys, API tokens, and federation paths define who and what is trusted in modern systems. When certification regimes begin requiring quantum-safe adoption, the governance question is no longer only about cryptographic strength. It is about whether an organisation can trace every identity dependency and replace it without breaking production access.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs , Key Challenges and Risks.
A question worth separating out:
Q: Who is accountable when quantum-safe certification becomes mandatory?
A: Accountability sits across security, platform, procurement, and product owners because cryptographic readiness spans policy, implementation, and supplier dependency. For regulated environments, teams should align the work to governance and audit requirements under the NIST Cybersecurity Framework 2.0 and relevant certification rules.
👉 Read our full editorial: Quantum-safe certification pressure is now an identity problem