The global cybersecurity landscape is experiencing a significant shift as international regulatory bodies prepare for the future arrival of quantum computing. Although a practical, working quantum computer does not yet exist, the theoretical threat these machines pose to modern data protection has caused deep concern among intelligence and security agencies. In a decisive move, the cybersecurity authorities in France have significantly accelerated their transition timeline, demonstrating how seriously the nation views this impending technological challenge.
The French cybersecurity agency, Agence Nationale de la Sécurité des Systèmes d’Information, has announced that it will cease certifying security products that lack quantum-resistant encryption starting in the year 2027. This policy effectively forces government departments and operators of critical infrastructure to phase out legacy cryptographic systems much faster than originally planned.
Shifting Global Timelines and the Regulatory Pressure
To understand the urgency of the French mandate, it is useful to compare it to the timelines established by other leading international authorities. Global agencies are taking varied approaches to handling the transition away from standard, non-quantum secure algorithms:
- The French Cybersecurity Agency: Plans to halt certifications for non-quantum secure products by the year 2027, with an expectation that businesses should exclusively procure quantum-safe products by the year 2030.
- The Australian Signals Directorate: Has provided notice that it plans to disallow non-quantum secure algorithms across protected networks starting in the year 2030.
- The National Institute of Standards and Technology and the National Security Agency: Located in the United States of America, these bodies have targeted the year 2035 for their mandatory transition to post-quantum cryptographic standards.
By moving their timeline forward to 2027, the authorities in France are placing immense pressure on the global technology supply chain. Because many multinational software vendors and cybersecurity providers design their products to comply with European standards, this acceleration will likely establish a new de facto timeline for international markets.
The Core Threat: Harvest Now, Decrypt Later
The primary reason global agencies are deeply worried about quantum attacks today, despite the lack of a functional quantum computer, is a strategy known as “harvest now, decrypt later.”
Hostile actors and sophisticated cyber criminals are actively intercepting and storing vast quantities of encrypted, sensitive internet traffic right now. While they cannot decipher this information using current technology, their objective is to retain the data until quantum computers become powerful enough to break traditional encryption methods.
For data that must remain confidential for decades, such as intellectual property, government records, or sensitive personal information, the risk is active today. Waiting until a quantum computer is fully operational to upgrade defences would mean that all historically intercepted data could be instantly compromised.
The Impact on the End of Life for Transport Layer Security 1.2
This accelerated timeline will almost certainly hasten the end of life for widely used internet protocols, specifically Transport Layer Security version 1.2. Originally published in the year 2008, Transport Layer Security version 1.2 remains highly prevalent for securing data in transit across the internet.
However, Transport Layer Security version 1.2 inherently supports older cryptographic algorithms that cannot resist quantum capabilities. While previous industry expectations suggested that this version might remain viable until the end of the decade, the 2027 French mandate makes a much earlier retirement highly probable. Organisations will likely be nudged to enforce Transport Layer Security version 1.3, which eliminates legacy vulnerabilities and accommodates modern, quantum-resistant frameworks.
The Practical Solution Available Today: Hybrid Encryption
The primary challenge of adopting quantum-safe security measures is that the industry cannot fully verify new algorithms against a real-world quantum computer. To address this uncertainty without compromising current protection, experts have designed a hybrid encryption model. This framework combines proven, modern encryption with a theoretically quantum-secure algorithm layered on top.
The leading hybrid solution, which has already been adopted as the default standard by major internet browsers such as Google Chrome, Microsoft Edge, and Mozilla Firefox, is known as X25519MLKEM768. This algorithm successfully integrates two powerful mechanisms:
- X25519: The current, highly secure elliptic curve encryption method that safely protects the vast majority of modern internet traffic.
- ML-KEM-768: A premier, standardized quantum-resistant algorithm designed to withstand future quantum decryption attempts.
The primary benefit of utilizing a hybrid system is risk mitigation. If a flaw is subsequently discovered within the new quantum algorithm, your data transit remains entirely protected by the established, traditional encryption layer. This dual-structure ensures a stable, reliable transition into the quantum era without exposing current communications to unexpected vulnerabilities.
Proactive Strategies for Your Organisation
Adapting to these evolving international compliance dates requires a structured approach to digital infrastructure management. Consider implementing the following strategies to help enhance your organisation’s defensive posture:
- Conduct an Encryption Audit: Review existing web servers, cloud environments, and internal applications to identify where Transport Layer Security version 1.2 is still enforced or allowed as a fallback option.
- Prioritise Upgrades: Where technically feasible, consider transitioning configurations to support Transport Layer Security version 1.3 as the mandatory minimum protocol.
- Review Vendor Integration: Evaluate the long-term roadmaps of your third-party software providers to ensure they are actively adopting hybrid quantum-resistant frameworks ahead of the 2027 compliance shifts.
Partner with Vertex for Guidance on Evolving Standards
Navigating the complexities of changing international encryption mandates and understanding how they affect your local operations can be a challenging task for any leadership team. Ensuring that your business data remains resilient against both current and future threats requires careful technical oversight and strategic alignment.
To learn more about how shifting global timelines impact your specific infrastructure, or to evaluate your current data protection controls, consider reaching out to the expert team at Vertex Cyber Security. We can provide tailored security assessments and governance strategies to contribute to a stronger, forward-looking defence for your business.