
News | Cybersecurity

CEA-Leti receives two major CESTI approvals


In 2025, CEA-Leti consolidated its role as a cybersecurity assessor by receiving two new approvals. More notably, it became the first French CESTI accredited for assessing post-quantum cryptography, that is, cryptography designed to withstand quantum threats, which will soon be indispensable.

Published on 10 December 2025

Centres d'Évaluation de la Sécurité des Technologies de l'Information (CESTIs, French Centers for the Assessment of Information Technology Security) are laboratories involved in ensuring that information products or systems comply with global security regulations. This certification is mandatory for devices such as smart cards used in identity documents, payment systems, or access controls. In France, several CESTIs have been accredited by the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI, National Agency for the Security of Information Systems), including CEA-Leti, which has been assessing hardware since 2000.

EUCC: an EU-wide security certification scheme

CEA-Leti recently took another step as part of this activity when it was awarded two new ANSSI accreditations. The EUCC follows regulatory developments at an EU level. This certification scheme is based on Common Criteria (CC), to harmonize certification procedures dedicated to cybersecurity across the entire EU.

“The EUCC scheme was adopted in 2024. From February 2026, all assessments issued by European CESTIs will need to comply with it,” added Mikael Carmona, in charge of the Hardware Security Department at CEA-Leti. “In other words, to continue operating as assessors, CESTIs must now be accredited by the EUCC.” CEA-Leti therefore updated its assessment methodologies, and, following an audit conducted by the Comité français d'accréditation (Cofrac, French Accreditation Committee) and by ANSSI, received its accreditation in 2025.

PQC: CEA-Leti becomes first CESTI accredited for the assessment of post-quantum cryptography

PQC (Post-Quantum Cryptography), CEA-Leti's second accreditation, focuses on threats posed by quantum computing. In the 1990s, it was proven that if such a computer were to become operational, it would be capable of decrypting data that is currently considered to be indecipherable using regular computers. While associated risks were not tangible at the time, they are increasingly becoming a reality as progress is made in the field.

This is why we must start preparing now, by transitioning toward post-quantum cryptography. As evidenced by the roadmap published by the European Commission on this subject, the EU has fully taken this goal into consideration. In France, this translates as implementing PQC accreditation by ANSSI, which the agency gave CEA-Leti in September 2025, thus making it the first French CESTI certified for the assessment of post-quantum cryptography.

First PQC-certified Thales smart card

“As a CESTI with PQC accreditation, our role is to verify that post-quantum cryptography implementation is secure,” added Mikael Carmona. “At this stage, algorithms have been developed and should be able to withstand the computing capacities of quantum computers. But once implemented, although they are theoretically robust, they may be susceptible to attacks. We must therefore ensure that they are not vulnerable to this type of threat.”

This was precisely the focus of work carried out by CEA-Leti as part of an initial pilot evaluation, a required stage when seeking PQC accreditation. While the success of this evaluation work has allowed the CESTI to verify its capabilities in the field of PQC, it also resulted in a favorable verdict for the assessed product. It led to issuing the first PQC certificate for a smart card, a microelectronic component with an embedded software platform developed by Thales and designed especially for identity protection applications, such as ID cards and electronic passports, health cards, and driver's licenses.

Anticipating future regulations

Thanks to these accreditations, CEA-Leti has already made other certifications possible, such as EUCC and PQC certifications for SAMSUNG. This strengthens CEA-Leti's key role within the global cybersecurity ecosystem. Additionally, its assessment activities allow it to further integrate cybersecurity considerations when manufacturing components, and to immediately start preparing for future evolutions, be they technological or regulatory.

“Over the next few years, manufacturers will be facing new requirements,” highlighted Bernard Strée, CESTI sales manager at CEA-Leti. “For instance, the Cyber Resilience Act will be applicable from October 2027. Consequently, all electronic components will need to be certified according to their security levels, much like EC markings, before they can be put on the market. As a CESTI, CEA-Leti is already ready for this major evolution in the industry.”
