France’s ANSSI Doubles Down on Hybrid PQC and Signals It May Not Follow NIST Exactly

February 27, 2024 – France’s national cybersecurity agency, the Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), has published an updated position paper on post-quantum cryptography migration, following up on its initial 2022 guidance. The document, titled “ANSSI views on the Post-Quantum Cryptography transition (2023 follow up),” sharpens France’s approach on two fronts: mandatory hybrid deployment and algorithm selection independence from NIST.

The core recommendation is unambiguous. ANSSI “strongly recommends” hybrid post-quantum mechanisms, combining a classical scheme with a post-quantum one, for all security products aimed at offering long-lasting protection of information “until after 2030” or that will “potentially be used after 2030 without updates.” This applies to both key encapsulation mechanisms and digital signatures.

On algorithm selection, ANSSI endorses ML-KEM (FIPS 203) for key exchange, while adding that FrodoKEM is also acceptable as a conservative alternative. For signatures, ANSSI supports ML-DSA (FIPS 204) and SLH-DSA (FIPS 205). However, the paper contains a notable caveat: ANSSI “will identify more restricted acceptability criteria for post-quantum algorithms” for its own security certifications and adds explicitly that “we do not guarantee that the set of acceptable algorithms will exactly match the set of NIST standards.”

ANSSI also recommends SPHINCS+ (now SLH-DSA) as a conservative signature option where performance constraints allow it, noting that hybridization for SPHINCS+ “may also be optional” given its hash-based security foundations.

ANSSI does not set a hard calendar deadline for PQC migration. Instead, its guidance is aligned with the direction set by the EU Commission’s April 2024 Recommendation on PQC transition, which is expected to produce a coordinated EU-wide migration roadmap.

My Analysis

The hybrid mandate is where ANSSI parts company with several of its allies, and the implications go deeper than most organizations realize.

Of the major national cybersecurity agencies, ANSSI and Germany’s BSI are the most emphatic about hybrid being mandatory, not optional. CNSA 2.0 allows hybrid during transition but pushes toward exclusive PQC use. Australia’s ACSC has been moving toward pure PQC, without hybrid. ANSSI goes further than most by extending the hybrid requirement to signatures, not just key exchange. In most migration discussions, the urgency around hybrid focuses on Harvest Now, Decrypt Later (HNDL) protection for confidentiality, which is a key exchange problem. ANSSI is making the argument that signature schemes also warrant hybrid protection during the transition, because the post-quantum signature algorithms are newer and less battle-tested than their classical counterparts.

The timeline implication is more immediate than the guidance appears at first reading. ANSSI’s framing (“products aimed at offering long-lasting protection until after 2030 or that will be used after 2030 without updates”) is deliberately broad. That description covers most enterprise infrastructure. If you’re deploying a VPN gateway, a PKI root certificate, an HSM, or an IoT device today that won’t be refreshed before 2030, ANSSI’s position is that it should already use hybrid PQC. Read carefully, this is a procurement requirement for any system with a lifecycle extending past 2030.

The algorithm independence signal is the most strategically significant part of the paper. When ANSSI writes that its accepted algorithm list “may not exactly match” NIST’s, it’s laying the groundwork for a European cryptographic sovereignty position. Whether this results in France requiring algorithms NIST hasn’t standardized, or rejecting algorithms NIST has, remains an open question. For any organization selling cryptographic products or services into the French market, this is a flag that cannot be ignored.

For multinationals, the practical impact compounds the PQC standards fragmentation problem I’ve been tracking. A company operating across the US, France, and Australia already faces different positions on whether hybrid is required, optional, or discouraged. The solution, as I’ve argued in my writing on crypto-agility, is to architect for algorithmic flexibility from the start, so that when France’s final acceptability criteria arrive, swapping in a different KEM or signature scheme is a configuration change, not a re-architecture.

What organizations should do now: treat ANSSI’s guidance as a procurement filter for the French and broader EU market. If you’re deploying cryptographic infrastructure that will serve French customers or French government beyond 2030, hybrid PQC should be in your requirements document today. As I’ve argued before, the regulatory clock is already running.