DST Task Force Report: India Prepares for Post-Quantum Security by 2028

India is preparing to defend its digital infrastructure against the looming threat of quantum computing, with a national task force outlining a roadmap to achieve post-quantum security by 2028. The February 2026 report, “Implementation of Quantum Safe Ecosystem in India,” details a phased approach, beginning with pilot programs in critical sectors like banking and finance. Recognizing the risk of “Harvest Now, Decrypt Later” (HNDL) attacks, the Task Force emphasizes proactive measures, stating that all cryptographic transition planning shall proceed under an “assume breach” principle. This ambitious plan includes establishing a National PQC Testing & Certification Program by December 2026 and mandating the adoption of quantum-safe products in government procurement, signaling a significant investment in future-proof cybersecurity.

Quantum Computing Threat & India’s National Quantum Mission

This isn’t a distant concern; the report outlines phased actions, beginning with pilots in high-priority systems like banking and finance, to be implemented by 2028, with Critical Information Infrastructure (CII) targeted by 2027. Procurement requirements will prioritize “crypto-agile and PQC-compliant assets,” including a detailed “Bill of Materials (BOM)” encompassing software, hardware, and cryptographic configurations. Furthermore, the report emphasizes the need to “promote the adoption of existing indigenous quantum-safe solutions” developed by Indian R&D labs, industries, and startups, while simultaneously initiating new product development where gaps exist. This strategic roadmap positions India alongside nations formally defining PQC migration timelines, aiming for a secure and resilient digital future.

Report of the Task Force: Sub-Group Summaries

The current landscape of cryptographic security is bracing for a paradigm shift, driven by the rapidly approaching threat of quantum computing. Short-term actions, targeted for completion by 2028 – and 2027 for Critical Information Infrastructure (CII) – prioritize pilot programs utilizing Post-Quantum Cryptography (PQC) and hybrid solutions within sectors like banking and finance. Communication of the report’s findings to ministries such as Railways, Finance, and Power, alongside regulators like SEBI and RBI, is also crucial. Crucially, procurement will emphasize “crypto-agile and PQC-compliant assets,” alongside a compulsory Bill of Materials (BOM), defined as a “structured, machine-readable inventory of components that constitute a cryptographic system.” Medium-term goals, by 2030, involve migrating high-priority systems and upgrading labs to Tier-3 sovereign-grade facilities, while long-term objectives, by 2033, envision PQC as the default for all communication systems.

2028: Short-Term PQC/Hybrid Solution Pilots

Several enterprises are aligning with projected timelines, targeting completion of their cryptographic transitions by 2028, 2030, and 2033, respectively. A Public–Private Partnership (PPP) model is proposed to rapidly develop dedicated laboratory infrastructure. This BOM, encompassing software, hardware, and cryptographic primitives, will ensure transparency and security assessment.

2030: Medium-Term PQC Migration & Tier-3 Labs

By 2030, a significant shift in cryptographic infrastructure is projected, with a focus on migrating high-priority, long-lifetime systems and validating these transitions through independent testing, according to the February 2026 report. This medium-term phase also necessitates upgrading select laboratories to “Tier-3 sovereign-grade” facilities, specifically designed for Post-Quantum Cryptography (PQC) and Quantum Key Distribution (QKD) testing, with a particular emphasis on protecting Critical Information Infrastructure (CII). The report stresses the importance of disseminating lessons learned throughout the PQC migration process, fostering a collaborative environment for improvement. Crucially, the development of “PQC-ready PKI systems and establishment of national testbeds” are highlighted as foundational infrastructure for achieving “crypto-agility and hybrid PQC–QKD solutions.” These testbeds will serve as vital resources for scaling, validating, and piloting indigenous PQC, QKD, and crypto-agile platforms.

Long-Term PQC Default & Rating Framework

While immediate quantum decryption isn’t a present danger, the long game demands a proactive shift in cryptographic standards, culminating in a future where post-quantum cryptography (PQC) isn’t an upgrade, but the default. By 2033, the Task Force recommends “PQC will become the default for all communication systems, assets, and business processes,” signalling a complete overhaul of current security infrastructure. This isn’t simply about adopting new algorithms; it necessitates a comprehensive framework to assess and incentivise progress. Crucially, the report advocates for the implementation of a rating framework for organisations, measuring their adoption of post-quantum security measures.

This system aims to “encourage compliance and progress,” moving beyond mere implementation to sustained, verifiable security. Supporting this, the Task Force stresses the need to bolster Indian industry, advocating for the development of “indigenous PQC algorithms and crypto-agile hardware for critical sectors,” alongside sustained procurement and certification. Furthermore, continuous monitoring and algorithm lifecycle governance, aligned with global standards, are deemed essential. The Task Force also recommends the TEC publish “an India-specific list of cryptography-dependent products,” building upon existing international inventories like the CISA list, while prioritizing domestic quantum-safe capabilities. This strategic approach aims to ensure national security and supply-chain resilience in a rapidly evolving technological landscape.

Bill of Materials (BOM) for Cryptographic Systems

A comprehensive “Bill of Materials” (BOM) is now considered essential for bolstering cryptographic security, representing a significant shift in how systems are assessed and procured. Furthermore, the report details a subset of CBOM, the “QBOM,” specifically for quantum-safe and resilient cryptographic components. Prioritizing “indigenously developed quantum-safe products and solutions” is also mandated, subject to technical suitability and interoperability, signaling a drive for self-reliance in this critical area of national security.

National PQC Testing & Certification Program Establishment

A robust national program to test and certify post-quantum cryptography (PQC) is now under development in India, aiming to proactively secure digital infrastructure against future threats. Currently, existing laboratory capabilities already support testing of Quantum Key Distribution (QKD) systems, but expansion is critical. This initiative will leverage a Public–Private Partnership (PPP) model to rapidly build dedicated laboratory infrastructure. Furthermore, the Task Force advocates for preferential consideration of domestically developed quantum-safe solutions, contingent on technical suitability and interoperability. Workshops and seminars will disseminate knowledge about emerging threats and the urgency of adopting quantum-safe networking, while the existing TEC approval framework will remain in place during the transition.

Crypto-Agile Procurement & Indigenous Product Mandates

The push for quantum-resistant cryptography in India isn’t solely focused on algorithm development; a robust procurement strategy is central to securing future digital infrastructure. The Task Force believes government and Critical Information Infrastructure (CII) deployments should “act as anchor adopters for validated indigenous quantum-safe technologies,” bolstering national security and supply chain resilience.

TEC Framework & India-Specific Cryptography List

The groundwork for a quantum-resistant digital future in India is being solidified through a strengthened regulatory framework and a targeted cryptographic inventory, ensuring proactive rather than reactive security measures. The Telecommunication Engineering Centre (TEC) will continue its existing approval process for quantum-safe products, while simultaneously building new infrastructure and processes for more comprehensive evaluation. The BOM, a “structured, machine-readable inventory of components,” will encompass software, hardware, and cryptographic configurations.

Post-Quantum Security: Risks of Delay & Strategic Goals

The assumption that quantum computing’s decryption capabilities are a distant threat is dangerously misleading; the real risk lies in the “Harvest Now, Decrypt Later” (HNDL) attacks already underway. This means adversaries are actively collecting encrypted data today, anticipating future quantum decryption, and retrospective mitigation is simply infeasible. The February 2026 report underscores this urgency, outlining a phased approach to mitigate near-term quantum-enabled cryptographic risk. Failure to act decisively risks “irreversible compromise of confidential data,” the report warns.