In a recent study, carried out by French cybersecurity agency ANSSI in 2023, and published March 2025, the research organization found a significant lack of preparedness for the post-quantum cryptography transition.
The survey, conducted across 38 ANSSI ‘beneficiaries’ (private and public organizations subject to cybersecurity regulations) concluded that many operators are at risk, and while aware of the quantum threat, lack understanding of its impact on their specific systems. It’s likely to be a wider trend, and one that’s worth examining in a broader context.
Vulnerability to ‘retroactive’ attacks
Sensitive data often requires confidentiality for a lifespan of 10 years or longer, and sending such data or certificates across VPNs for example, could lead to a compromise. There are a number of ‘pre-quantum’ practices that are susceptible to such attacks.
Unawareness of specific impact
The survey concluded that while the majority were aware of the theoretical quantum threat, there was little understanding of how it specifically impacted them. The lack of formal communication of a specific date or timeline in France is noted here as a factor, and the challenges haven’t been clearly identified.
Lack of preparedness
No post-quantum transition plan was observed from the surveyed organizations, and CISOs appeared to lack a precise timeline for migration, or use cases for PQC.
Need for external support
Organizations identified a need for guidance from ANSSI in helping the preparatory work (quantum risk analysis, identifying priority use cases, inventory and data classification).
Lack of financial and human resources
This theme stems from the lack of awareness, and perhaps not perceiving or quantifying the quantum threat and risks involved. Prioritization has been slow, and results in a distinct lack of focused resources available in organizational budgets.
Absence of regulatory obligation
Regulatory requirements are often the lever required for change, and this will be a key as awareness of the quantum threat increases.
Post-quantum technology maturity
Part of the awareness problem is around the maturity of PQC implementations – a number of respondents were perhaps less confident or aware of the status of PQC primitives and believe that ‘developing efficient hardware and software implementations will require significant time and effort’
The study is an interesting exercise for ANSSI, and provides a need for continued leadership, guidance, and facilitation on PQC transition – largely from the Agency itself. They conclude that the major impediments are the lack of regulatory drivers, lack of understanding of the impact, and limited availability of PQC implementations – all of which are themes that have resonated with us at PQShield over the last year. In fact, our patented implementations of post-quantum cryptography in both hardware and software are key solutions to the problem.