Bank of France validates post-quantum cryptography to protect OneGate regulatory reporting data transfers with Allianz France

The Bank of France published the results of a joint experiment with Allianz France showing that regulatory reporting files transmitted via its OneGate platform can be secured using post-quantum cryptography (PQC) while keeping existing communication channels and critical systems unchanged. The pilot integrated PQC algorithms standardised by the National Institute of Standards and Technology in August 2024 into client-server communications used for weekly reporting. A hybrid “tunnelling” approach encapsulated traditional TLS flows in a quantum-safe layer to address “store now, decrypt later” interception risks and potential authentication impersonation, without changing applications, browsers or identity-and-access-management systems. Testing covered both user-to-application and application-to-application scenarios and relied on proxy-based deployment (including NGINX and Stunnel), a PQC-capable PKI to issue ML-DSA certificates, and hybrid key exchange using x25519 with ML-KEM; the report notes only minor TLS handshake impact and no significant performance degradation in data transfer. The accompanying report calls for crypto-agile architectures and phased migration planning and outlines potential follow-on work on hybrid certificate formats, PQC-capable client tooling and monitoring. It also situates the project within the Bank of France’s broader PQC programme underway since 2022, including a prior experiment with the Monetary Authority of Singapore.