Bank of France and ACPR urge financial institutions to start preparing for post-quantum cryptography migration

The Bank of France and the French Prudential Supervision and Resolution Authority (ACPR) published an update warning that advances in cryptographically relevant quantum computers could, over the medium term, break current cryptographic protections widely used across the financial sector. They call on financial institutions to begin adapting their information systems now by planning a migration to post-quantum cryptography (PQC). The note highlights a commonly cited horizon of 2035 for the likely arrival of cryptographically relevant quantum computers, but stresses that the risk is already present through “harvest now, decrypt later” attacks where encrypted data stolen today could be decrypted after “Q-day”, depending on how long the data remains sensitive. It outlines that mitigation can involve replacing classical cryptographic algorithms with quantum-resistant alternatives or strengthening key robustness, and notes PQC can be deployed on classical computing architectures. It also frames PQC migration as a long-running technical programme requiring internal governance and awareness, an inventory of cryptographic assets, assessment of data sensitivity lifetimes, prioritisation across potentially impacted systems, and capabilities such as crypto-agility and hybrid operation of classical and post-quantum algorithms. The messaging is positioned as consistent with the G7 Cyber Expert Group roadmap updated in January 2026 and with European Commission and NIS roadmaps, including a shared milestone of 2030 for dominant adoption of PQC. ACPR has started a 2026 cycle of interviews with financial ecosystem participants and encourages firms to move proactively on internal PQC roadmaps, resilience testing and engagement in standard-setting.