up:: The Mandates MOC

ANSSI Cryptographic Mechanisms

ANSSI Cryptographic Mechanisms is the reference document published by France’s national cybersecurity agency that tells French systems which cryptographic mechanisms to use and how to size them, and its defining post-quantum feature is a hybrid-first stance: through the transition window ANSSI recommends combining a proven classical scheme with a post-quantum one so the pair is at least as strong as the classical scheme alone, rather than moving to a single post-quantum algorithm the way the U.S. CNSA 2.0 does.

The guidance lives in the “Guide des mécanismes cryptographiques” (identifier PG-083, historically Annex B1 of the Référentiel Général de Sécurité, the RGS), and ANSSI’s quantum posture sits in a companion policy paper, “ANSSI views on the Post-Quantum Cryptography transition.” For any migration touching a French jurisdiction, ANSSI, and not NIST, is the standard the plan gets measured against.

The short version:

  • ANSSI is France’s national cybersecurity agency (Agence nationale de la sécurité des systèmes d’information), and its cryptographic-mechanisms guide is the French counterpart to U.S. NIST/NSA key-size guidance and to Germany’s BSI TR-02102.
  • Its distinctive post-quantum position is hybrid-first: combine a recognized classical scheme with a post-quantum scheme, with no security regression, so the combined mechanism is at least as strong as the classical one it contains.
  • ANSSI applies that hybrid rule to digital signatures as well as key establishment, a stricter posture than CNSA 2.0, because it treats post-quantum signatures as less battle-tested than post-quantum key establishment.
  • The hard lever is certification. From 2027, ANSSI plans to stop granting its security visas and qualification to products that claim long-term protection but omit post-quantum cryptography.
  • It binds French government systems and Operators of Vital Importance directly, and it reaches vendors and the wider French private sector through ANSSI’s qualification and security-visa process.

Think of a bank vault that already has a mechanical lock everyone trusts. ANSSI’s answer to the quantum threat is to add a second, newer electronic lock on the same door and require both to open it, rather than ripping out the trusted lock and betting everything on the new one.

If the new lock later turns out to have a flaw, the door is still no weaker than it was before, because the proven lock is still there. That is the hybrid principle, written into a national rulebook: keep the security you have while you add the security you will need.

What is ANSSI Cryptographic Mechanisms?

ANSSI Cryptographic Mechanisms refers to the body of algorithm and key-size guidance issued by the Agence nationale de la sécurité des systèmes d’information, France’s national cybersecurity authority. It has two parts that work together: a technical sizing guide that names approved mechanisms and minimum key lengths, and a policy paper that sets the agency’s post-quantum migration strategy.

  1. The sizing guide. “Guide des mécanismes cryptographiques, Règles et recommandations concernant le choix et le dimensionnement des mécanismes cryptographiques” (Rules and Recommendations on the Selection and Sizing of Cryptographic Mechanisms), ANSSI reference PG-083, historically published as Annex B1 of the Référentiel Général de Sécurité (RGS). It specifies approved mechanism families and minimum sizing across symmetric encryption, hashing, integrity, key establishment, and signatures, and it prefers mechanisms recognized by the academic community over novel or proprietary constructions.

  2. The post-quantum position paper. “ANSSI views on the Post-Quantum Cryptography transition,” an initial position paper in 2022 followed by a January 2023 follow-up, which sets out the hybrid-first roadmap and the three-phase structure below.

Source: ANSSI / cyber.gouv.fr, “Mécanismes cryptographiques, Règles et recommandations,” publications landing page.

Source: ANSSI, “ANSSI views on the Post-Quantum Cryptography transition” (follow-up position paper, 2023), English publications index.

A few points about its standing change how you cite it:

  • Two documents, two registers. The sizing guide is framed as rules and recommendations and functions as a binding baseline where French regulation or ANSSI’s qualification process requires conformance. The position paper is advisory in tone, and ANSSI is operationalizing it through the 2027 certification requirement described below.
  • The current sizing guide is version 3.00, which integrates the quantum threat into mechanism selection and sizing (the prior widely-cited version was 2.04). [OPERATOR VERIFY: the exact v3.00 publication date on cyber.gouv.fr before quoting it in a client deliverable; the v3.00 PDF is hosted on messervices.cyber.gouv.fr and a March 2026 trade write-up describes the PQC-integrating update, but the precise release date was not read directly from the primary PDF.]
  • It is a France and EU authority, not a U.S. one. A U.S. entity is not obligated by ANSSI unless it sells products into the French public-sector or critical-infrastructure market.

Who does ANSSI guidance apply to?

ANSSI guidance governs French public-sector systems directly and reaches the private sector through the certification and qualification processes ANSSI controls. The audiences fall into five tiers:

  1. French government and public-administration systems. The primary in-scope audience. The RGS lineage makes these mechanisms and key sizes the baseline for state information systems.
  2. Operators of Vital Importance (OIV) and critical infrastructure. In scope through French critical-infrastructure regulation, where ANSSI qualification is a practical requirement for the security products these operators deploy.
  3. Vendors seeking ANSSI qualification or a security visa. Bound in practice through the certification levels (Certification de Sécurité de Premier Niveau, CSPN, and higher qualification tiers), because conformance to ANSSI’s mechanism rules is part of what the certification assesses. This is the channel through which the 2027 post-quantum requirement bites.
  4. The French and EU private sector generally. An advisory reference, though many French enterprises and EU national bodies treat ANSSI guidance as the de facto standard even where no legal obligation attaches.
  5. Explicitly out of scope. U.S. federal agencies, U.S. National Security Systems, and U.S. contractors, which are governed instead by CNSA 2.0 and NIST IR 8547. ANSSI reaches a U.S. entity only when that entity sells into the French public or critical-infrastructure market.

Source: ANSSI / cyber.gouv.fr, publications landing page.

What does ANSSI recommend for the post-quantum transition?

ANSSI’s post-quantum guidance has four moving parts: a hybrid requirement, a no-regression rule, a data-lifetime trigger, and a certification cutoff.

  1. Hybrid mechanisms. For products offering protection beyond 2030, ANSSI recommends hybrid mechanisms that combine a recognized pre-quantum (classical) scheme with a post-quantum scheme, rather than deploying the post-quantum scheme on its own.
  2. No security regression. The hybridization technique has to guarantee that the combined mechanism is at least as strong as the recognized pre-quantum scheme it contains. Adding the post-quantum layer can only help; it can never leave the system weaker than the classical scheme alone.
  3. Hybrid for signatures too. ANSSI extends the hybrid recommendation to digital signatures as well as key establishment, on the reasoning that post-quantum signature schemes are newer and less scrutinized than their key-establishment counterparts.
  4. A data-lifetime trigger. The v3.00 sizing guide ties the obligation to data lifetime: any mechanism intended to be used beyond January 1, 2030, or exposed to a retroactive-decryption risk, must target a post-quantum security objective. This writes the harvest-now-decrypt-later rationale directly into national sizing rules.

Source: ANSSI, “ANSSI views on the Post-Quantum Cryptography transition” (2023 follow-up), publications index.

Source: Solutions Numériques & Cybersécurité, “Cryptographie, l’ANSSI actualise ses règles face à l’échéance post-quantique,” March 24, 2026, article, for the v3.00 rule that mechanisms used beyond January 1, 2030 or exposed to retroactive attack must target a post-quantum objective. [OPERATOR VERIFY the exact numeric sizing rules against the live v3.00 PDF before citing specific bit-lengths to a client.]

The classical symmetric and hash layer is far calmer. AES and the SHA-2 and SHA-3 hash families remain approved at appropriate sizes, and the quantum threat to them is treated as a sizing question, Grover’s algorithm halving effective symmetric key strength, not a replace-the-primitive question. The asymmetric layer is where the transition concentrates.

Why does ANSSI recommend hybrid, and what does hybrid mean here?

ANSSI recommends hybrid because the post-quantum algorithms are young. Structured-lattice schemes like ML-KEM and ML-DSA were standardized only recently, and the cryptographic community has had far fewer years to attack them than it has had to attack RSA and elliptic-curve cryptography. ANSSI’s judgment is that a scheme this new should not carry the full weight of a sensitive system’s security on its own yet.

A hybrid construction resolves that tension. It runs a classical algorithm and a post-quantum algorithm together and combines their outputs so that breaking the combination requires breaking both. Two properties matter:

  1. Quantum resistance from the post-quantum half. A future quantum computer that breaks the classical half still faces the post-quantum half, so harvested traffic stays protected.
  2. No regression from the classical half. If the young post-quantum scheme turns out to have a classical weakness, the proven classical algorithm is still standing, so the system is no weaker than a purely classical one. This is the “no security regression” rule stated as an engineering property.

ANSSI structures this as a three-phase roadmap rather than a single cutover date. Through the early phases, post-quantum schemes are deployed only inside hybrid mechanisms; standalone post-quantum deployment becomes acceptable only in the final phase, once the schemes have accumulated more cryptanalytic confidence.

Source: ANSSI, “ANSSI views on the Post-Quantum Cryptography transition” (2023 follow-up), publications index.

How does ANSSI’s hybrid-first stance differ from CNSA 2.0?

This is the contrast a French-jurisdiction plan turns on, because ANSSI’s default answer differs from the U.S. default answer. ANSSI wants a classical scheme and a post-quantum scheme combined through the transition; CNSA 2.0 moves U.S. National Security Systems to selected post-quantum algorithms on a fixed schedule without a standing hybrid mandate.

DimensionANSSI (France)CNSA 2.0 (U.S. NSS)
Default migration patternHybrid, a classical scheme combined with a post-quantum schemeA single post-quantum algorithm per function
Standing hybrid mandate?Yes, through the transition windowNo standing hybrid requirement
Hybrid applied to signatures?Yes, signatures and key establishment bothNo, single post-quantum signature is the target
Standalone post-quantum now?Held back until Phase 3, probably not before 2030Adopted directly on the published schedule
Primary forcing lever2027 certification cutoff for long-term-security productsDated adoption schedule running toward 2033 to 2035

Source: ANSSI, “ANSSI views on the Post-Quantum Cryptography transition” (2023 follow-up), publications index; NSA, “Announcing the Commercial National Security Algorithm Suite 2.0,” CSA U/OO/194427-22, September 2022.

The practical consequence is that a single global pattern does not satisfy both. A U.S. federal system can deploy ML-KEM on its own on the CNSA 2.0 schedule, while a French qualified product needs the same protection delivered as a no-regression hybrid, ahead of the 2027 certification gate. Germany’s BSI TR-02102 sits closer to ANSSI than to CNSA 2.0; France and Germany co-led the EU’s coordinated roadmap and share the hybrid instinct.

What is the ANSSI post-quantum timeline?

ANSSI frames the transition as three phases, then layers a concrete certification deadline and a data-lifetime trigger on top. The phase dates are ANSSI’s stated intent from the position paper, not fixed statutory deadlines.

TimelineSource provisionWhat it means
Phase 1 (present)Position paperHybridization is optional post-quantum defense-in-depth added on top of proven pre-quantum assurance; standalone post-quantum is held back for sensitive systems.
Phase 2 (not earlier than 2025)Position paperHybridization must provide genuine post-quantum assurance with no pre-quantum regression; post-quantum schemes are still deployed only inside hybrid mechanisms.
Phase 3 (probably not earlier than 2030)Position paperStandalone post-quantum cryptography becomes acceptable for some uses, and the strict hybrid requirement relaxes.
From 2027Certification policyANSSI plans to stop granting security visas and qualification to products claiming long-term protection that lack post-quantum cryptography.
Beyond January 1, 2030Guide v3.00Any mechanism used past this date, or exposed to retroactive attack, must target a post-quantum security objective.

Source: ANSSI, “ANSSI views on the Post-Quantum Cryptography transition” (2023 follow-up), publications index, for the three-phase roadmap.

Source: Reuters, reported via PostQuantum.com, “ANSSI Sets 2027 Deadline for Quantum-Safe Certification,” article, for the 2027 certification cutoff, announced June 17, 2026 by Samih Souissi (ANSSI chief of staff) at France Quantum 2026 in Paris.

The EU-level milestone chain sits above ANSSI’s national timeline. France, Germany, and the Netherlands led the EU’s Coordinated Implementation Roadmap for the post-quantum transition, published June 2025, which sets national transition plans by the end of 2026, migration of high-risk use cases by the end of 2030, and full migration by the end of 2035. [OPERATOR VERIFY the exact EU roadmap milestone dates against the primary EU / ENISA publication before quoting them to a client.]

Which post-quantum algorithms does ANSSI endorse?

ANSSI has named which post-quantum candidates it considers acceptable for first deployments, and it is deliberately cautious, including a conservative option other bodies do not emphasize. Because the position paper was written before final NIST standardization, it references the competition names; the mapping to the standardized names is the operative reading today.

FunctionANSSI-named optionStandardized name
Key establishmentCRYSTALS-KyberML-KEM
Key establishment, conservativeFrodoKEM (unstructured lattice)Not on the NIST FIPS track
Digital signaturesCRYSTALS-DilithiumML-DSA
Digital signaturesFalconFN-DSA
Symmetric and hashAES, SHA-2 and SHA-3 familiesUnchanged, sized appropriately

Source: ANSSI, “ANSSI views on the Post-Quantum Cryptography transition” (2023 follow-up), publications index. [OPERATOR VERIFY the current ANSSI algorithm list against the latest position-paper revision, since ANSSI may update endorsements as it aligns to the finalized FIPS standards.]

Two details are distinctive:

  1. FrodoKEM as a conservative alternative. Alongside the structured-lattice KEMs, ANSSI endorses FrodoKEM, an unstructured-lattice scheme that trades performance for a more conservative security assumption. It is offered for entities that want a larger margin against a future break of structured-lattice cryptanalysis. Whichever KEM is used, ANSSI’s transition-window rule is that it be deployed inside a hybrid construction with a recognized classical key exchange.
  2. Hybrid for signatures. ANSSI names ML-DSA (Dilithium) and FN-DSA (Falcon) as acceptable signature options, and applies the hybrid recommendation to them too, because it regards post-quantum signatures as less mature than post-quantum key establishment.

How does ANSSI relate to the other mandates and standards?

ANSSI sits inside an EU-coordinated stack and contrasts deliberately with the U.S. stack. It endorses the same underlying algorithms NIST standardized, then wraps them in a hybrid deployment rule NIST does not mandate.

  1. BSI TR-02102 (Germany). The closest peer. France and Germany co-led the June 2025 EU Coordinated Implementation Roadmap and share the hybrid-first instinct.
  2. The EU Coordinated Implementation Roadmap for PQC (June 2025). Led by France, Germany, and the Netherlands, it sets the EU-level milestone chain that ANSSI’s national timeline aligns to, and it connects to the broader EU Cyber Resilience Act pressure on product security.
  3. CNSA 2.0 (U.S. National Security Systems). The deliberate contrast case: single-algorithm and schedule-driven rather than hybrid-first.
  4. NIST IR 8547 and the NIST FIPS suite. ANSSI endorses the same core algorithms, ML-KEM, ML-DSA, and FN-DSA, while requiring the hybrid wrapper NIST leaves optional.
  5. The Référentiel Général de Sécurité (RGS). The French regulatory framework the sizing guide historically served as an annex to, and the vehicle through which its rules bind French public systems.

Common misconceptions

  1. “CNSA-2.0-style standalone ML-KEM satisfies ANSSI.” Through Phases 1 and 2 it does not. ANSSI wants the hybrid construction with a classical fallback that guarantees no regression, so a plan correct for a U.S. federal client can fall short for a French one.
  2. “ANSSI’s deadlines match the U.S. 2030 to 2035 window.” The certification requirement for long-term-security products lands from 2027, earlier than the headline U.S. dates, and it gates French market access rather than merely recommending a schedule.
  3. “Hybrid only means hybrid key exchange.” ANSSI applies the hybrid recommendation to signatures as well, so a program that hybridizes key exchange but ships a standalone post-quantum signature still falls short of the stricter French posture.
  4. “The obligation is tied to one migration date.” The v3.00 rule ties the post-quantum obligation to data lifetime and retroactive-attack exposure. Long-retention data created today already falls under the harvest-now-decrypt-later logic ANSSI encodes.
  5. “ANSSI is only advisory.” For qualified products and government or OIV systems, conformance is effectively required through the certification process, and the 2027 cutoff makes post-quantum support a market-access condition for long-term-security products.
  6. “Hybrid is the permanent destination.” Hybrid is ANSSI’s transition strategy, held through Phases 1 and 2. The agency expects standalone post-quantum cryptography to become acceptable for some uses in Phase 3, probably not before 2030.

Questions people ask

Is ANSSI guidance law or recommendation? Both, depending on the audience. The sizing guide is framed as rules and recommendations, and it functions as a binding baseline for French government systems and for products going through ANSSI’s qualification or security-visa process. For the general private sector it is strongly-recommended guidance rather than a legal obligation, though many French firms treat it as the de facto standard.

Does ANSSI apply to a U.S. company? Only if that company sells products into the French public-sector or critical-infrastructure market and needs ANSSI qualification for them. A purely domestic U.S. entity is governed by CNSA 2.0 and NIST IR 8547, not by ANSSI. A company operating across both jurisdictions has to plan for both.

What actually happens in 2027? ANSSI plans to stop granting its security visas and qualification to products that claim long-term protection but do not incorporate post-quantum cryptography. For products that need ANSSI qualification to be sold into the French public sector or critical infrastructure, that turns post-quantum support into a condition of market access from 2027.

Why does ANSSI want hybrid when the U.S. does not? ANSSI treats the standardized post-quantum schemes as young and less scrutinized than RSA and elliptic-curve cryptography, so it wants a proven classical algorithm kept in place as insurance against a future weakness in the new schemes. CNSA 2.0 accepts the post-quantum algorithms on their own on a fixed schedule instead.

What is FrodoKEM and why does ANSSI mention it? FrodoKEM is a key-establishment scheme built on unstructured lattices, which rest on a more conservative security assumption than the structured lattices behind ML-KEM. It is slower and uses larger keys, and ANSSI offers it as an acceptable alternative for entities that want a larger safety margin against a future break of structured-lattice cryptanalysis.

Does the hybrid rule apply to digital signatures? Yes. ANSSI extends the hybrid recommendation to signatures as well as key establishment, which is stricter than CNSA 2.0. Its reasoning is that post-quantum signature schemes are newer and less battle-tested than post-quantum key-establishment schemes.

How does ANSSI compare to Germany’s BSI? They are closely aligned. BSI TR-02102 is also broadly supportive of hybrid deployment during the transition, much closer to ANSSI than to CNSA 2.0, and France and Germany co-led the EU Coordinated Implementation Roadmap, so their national positions largely agree on hybridization.

What does the January 1, 2030 date mean? Under the v3.00 sizing guide, any mechanism intended to be used beyond that date, or exposed to a retroactive-decryption risk, must target a post-quantum security objective. It ties the obligation to how long data has to stay protected, so long-lived data created well before 2030 already falls under the rule.


Everything here is the map, given freely. When your team needs ANSSI’s hybrid requirement and 2027 certification gate translated into a migration plan sequenced against your own systems and jurisdictions, that’s what an alignment briefing is for.

Last verified 2026-07-09 · Maintained by Addie LaMarr, LaMarr Labs.