In February 2026, India's Post-Quantum Cryptography Task Force released its landmark report, establishing the most comprehensive PQC migration roadmap in the Asia-Pacific region. This report does not merely recommend -- it sets binding milestones that every organization handling sensitive data in India must follow. If you are a CISO, CTO, or security leader, this report is your new compliance bible.
The report acknowledges what cryptographers have warned about for years: the quantum threat is not hypothetical. With companies like IonQ demonstrating networked quantum computing at Davos 2026, and Google's quantum division achieving new milestones, the timeline to cryptographically relevant quantum computers (CRQCs) is shrinking faster than most enterprises anticipated.
India's Task Force has responded with a phased migration framework that balances urgency with practicality. In this article, we break down every aspect of the report that matters for enterprise security leaders.
Background & Context
The PQC Task Force was constituted under the Ministry of Electronics and Information Technology (MeitY) with representation from CERT-In, DRDO, IDRBT, RBI, SEBI, IRDAI, NIC, and leading academic institutions including IITs and IISc. The mandate was clear: develop a national roadmap for transitioning India's digital infrastructure to quantum-safe cryptography.
The report builds upon NIST's finalization of three post-quantum cryptographic standards -- FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) -- and adapts them to India's unique regulatory landscape, which includes:
- RBI Cyber Security Framework (CSF): Governs all regulated financial entities
- CERT-In directives: Mandatory incident reporting and security practices
- Digital Personal Data Protection Act (DPDPA) 2023: India's flagship data protection legislation
- SEBI Cyber Resilience Framework: For capital market entities
- IRDAI ICT guidelines: For the insurance sector
Critical Timeline Warning
The Task Force explicitly states that organizations should not wait for quantum computers to arrive before beginning migration. The Harvest Now, Decrypt Later (HNDL) threat means that encrypted data being transmitted today is already at risk of future decryption. Data with a confidentiality requirement extending beyond 2030 must be protected with quantum-safe algorithms starting now.
The Three Milestones: M1, M2, M3
The report defines three critical milestones that create a phased migration timeline. Each milestone has specific deliverables and applies across sectors with varying urgency levels.
M1: Discovery
Complete cryptographic inventory, generate CBOM, identify quantum-vulnerable systems, conduct Quantum Encryption Risk Assessment (QERA)
M2: Transition
Implement hybrid cryptography, begin PQC migration for critical systems, establish crypto-agility framework, update procurement policies
M3: Completion
Full PQC deployment across all systems, deprecation of classical-only cryptography, continuous monitoring and algorithm updates
M1: The Discovery Phase (Now)
M1 is already underway. Organizations must complete a full cryptographic inventory of their entire estate -- every certificate, every key, every algorithm, every protocol, every library. This is not a spreadsheet exercise. Modern enterprises have thousands of cryptographic touchpoints across applications, APIs, databases, network devices, IoT endpoints, and cloud services.
The output of M1 is a Cryptographic Bill of Materials (CBOM) -- a comprehensive, machine-readable inventory of every cryptographic asset in the organization. The Task Force mandates that this CBOM be maintained as a living document, updated continuously as the estate evolves.
M2: The Transition Phase
During M2, organizations must begin implementing hybrid encryption -- running classical and post-quantum algorithms simultaneously. This approach ensures backward compatibility while providing quantum resistance. The Task Force specifically recommends hybrid mode as the transition mechanism, aligned with CNSA 2.0 guidance.
Key M2 deliverables include updating TLS configurations, migrating certificate authorities, upgrading VPN infrastructure, and implementing PQC-capable key management systems. Organizations must also update their vendor and procurement policies to require PQC readiness from all technology suppliers.
M3: Full PQC Deployment
By M3, organizations should be running PQC algorithms as the primary cryptographic mechanism. Classical algorithms can remain as fallback in hybrid mode but should no longer be the sole protection for any sensitive data or communication channel. The Task Force sets FY 2030-31 as the target for complete migration.
The CBOM Mandate
Perhaps the most operationally significant requirement is the Cryptographic Bill of Materials (CBOM) mandate. The Task Force requires every organization to maintain a complete inventory of:
- All cryptographic algorithms in use (RSA, ECC, AES, SHA, etc.)
- Key sizes and parameters for every deployment
- Certificate chains and trust anchors
- Cryptographic libraries and their versions
- Protocol versions (TLS 1.2, TLS 1.3, SSH, IPSec, etc.)
- Hardware security modules (HSMs) and their capabilities
- Quantum-vulnerable vs. quantum-safe classifications
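The inventory and classification described above, and the hybrid mode required in M2, can be sketched as follows. This is an added example, not code from the Task Force report or from QuantumVault: the record fields, the priority labels and the sample inventory are assumptions made for illustration, and the output is a simplified JSON list rather than a formal CBOM schema.

```python
import json
import re

HNDL_HORIZON = 2030  # article: data that must stay confidential beyond 2030
PQC_NAMES = ("ML-KEM", "MLKEM", "ML-DSA", "SLH-DSA")
SHOR_BROKEN = ("RSA", "ECDH", "ECDSA", "X25519", "ED25519", "DSA", "DH")

# Constructed sample inventory (asset names and dates are illustrative only).
INVENTORY = [
    {"asset": "internet-banking TLS", "role": "key-exchange", "algorithm": "ECDHE-P256", "data_secret_until": 2040},
    {"asset": "partner API TLS", "role": "key-exchange", "algorithm": "X25519MLKEM768", "data_secret_until": 2040},
    {"asset": "code-signing cert", "role": "signature", "algorithm": "RSA-2048", "data_secret_until": None},
    {"asset": "archive DB encryption", "role": "symmetric", "algorithm": "AES-128-GCM", "data_secret_until": 2045},
    {"asset": "firmware signing", "role": "signature", "algorithm": "ML-DSA-65", "data_secret_until": None},
    {"asset": "branch VPN IKE", "role": "key-exchange", "algorithm": "DH-2048", "data_secret_until": 2028},
]

def classify(algorithm):
    """Classify one algorithm name as quantum-safe, hybrid, quantum-vulnerable or review."""
    name = rest = algorithm.upper()
    for pqc in PQC_NAMES:  # strip PQC names first so "ML-DSA" is not read as classical "DSA"
        rest = rest.replace(pqc, "")
    has_pqc = rest != name
    has_classical = any(alg in rest for alg in SHOR_BROKEN)
    if has_pqc:
        return "hybrid" if has_classical else "quantum-safe"
    if has_classical:
        return "quantum-vulnerable"
    aes = re.match(r"AES-(\d+)", name)
    if aes:  # assumption: follow CNSA 2.0 and flag AES keys shorter than 256 bits
        return "quantum-safe" if int(aes.group(1)) >= 256 else "review"
    return "review"  # unknown algorithm: needs a human decision

def build_cbom(inventory):
    """Add classification and priority to each record; most urgent entries first."""
    entries = []
    for rec in inventory:
        status = classify(rec["algorithm"])
        # HNDL concerns confidentiality: a recorded key exchange can be broken later,
        # whereas a signature only becomes forgeable once a CRQC exists.
        hndl = (status == "quantum-vulnerable" and rec["role"] == "key-exchange"
                and (rec["data_secret_until"] or 0) > HNDL_HORIZON)
        priority = ("P1-migrate-now" if hndl else
                    "P2-plan" if status in ("quantum-vulnerable", "review") else "P3-monitor")
        entries.append({**rec, "classification": status, "priority": priority})
    return sorted(entries, key=lambda e: e["priority"])

if __name__ == "__main__":
    print(json.dumps(build_cbom(INVENTORY), indent=2))
```

Only the classical key exchange protecting data with a shelf life past 2030 lands in the top tier; the hybrid X25519MLKEM768 channel carrying the same data drops to monitoring.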
How QuantumVault Automates CBOM
QuantumVault's Quantum Scanner automatically discovers and inventories your entire cryptographic estate. It scans networks, applications, certificates, APIs, and infrastructure to generate a complete CBOM in hours rather than months. The scanner classifies each asset by quantum vulnerability, assigns risk scores, and produces an audit-ready report that meets the Task Force's M1 requirements. Learn more at quantumvault.allsecurex.com
Sector-Specific Impact
Banking & Financial Services
The Task Force identifies BFSI as a "Priority 1" sector with the most aggressive timelines. Banks must complete M1 by end of FY 2026-27 and begin M2 immediately. This aligns with RBI's existing CSF requirements. SWIFT communications, UPI infrastructure, RTGS/NEFT systems, and internet banking platforms all require PQC migration. Read our detailed PQC Migration Playbook for Banks for implementation guidance.
Government & Defense
All Central Government systems, NIC infrastructure, and defense networks are mandated to achieve M1 within 12 months of the report's publication. The Task Force calls for immediate deployment of hybrid encryption for classified communications and recommends CNSA 2.0 compliance as a baseline for defense systems.
Healthcare
The ABDM (Ayushman Bharat Digital Mission) infrastructure, hospital management systems, and telemedicine platforms must prioritize PQC migration due to the extremely long shelf life of patient data. A medical record generated today must remain confidential for 50+ years. Read our analysis on PQC for Healthcare.
Critical Infrastructure
Power grid SCADA systems, telecommunications, transportation networks, and water treatment facilities face unique challenges due to legacy OT equipment. The Task Force acknowledges that some OT systems may require hardware replacement and has provided extended timelines. Our article on SCADA & ICS quantum threats explores this in depth.
Your CISO Action Plan
Based on the Task Force report, here is the immediate action plan every CISO should execute:
- Conduct a Quantum Risk Assessment (QERA): Follow the step-by-step QERA methodology to identify quantum-vulnerable assets and prioritize by data sensitivity and shelf life.
- Generate Your CBOM: Deploy automated scanning tools to create a comprehensive Cryptographic Bill of Materials. Manual inventory is impractical at enterprise scale.
- Establish a PQC Governance Committee: Form a cross-functional team including CISO, CTO, application owners, network architects, and compliance leaders to oversee the migration.
- Build Crypto-Agility: Implement crypto-agile architecture that allows algorithm switching without application rewrites.
- Begin Hybrid Deployment: Start hybrid encryption for the most sensitive data channels first.
- Update Vendor Requirements: Add PQC readiness criteria to all technology procurement RFPs and vendor assessment frameworks.
- Plan Budget Allocation: The Task Force estimates PQC migration costs at 3-8% of annual IT security budgets over the migration period.
How QuantumVault Accelerates Your Compliance
AllSecureX built QuantumVault specifically to address the challenges outlined in the Task Force report. QuantumVault is the only end-to-end PQC platform that covers discovery, assessment, migration, and monitoring in a single solution:
- Quantum Scanner: Automated CBOM generation and cryptographic estate discovery -- achieve M1 compliance in weeks, not months
- QERA Engine: Quantitative risk assessment that maps quantum vulnerability to business impact using FAIR methodology
- Hybrid Encryption SDK: Four presets for hybrid mode deployment with ML-KEM + classical key exchange
- Crypto-Agility Framework: Abstract cryptographic operations so algorithms can be swapped without code changes
- Compliance Dashboard: Real-time tracking against M1/M2/M3 milestones with audit-ready reporting
- Continuous Monitoring: Ongoing scanning for new cryptographic deployments and algorithm deprecation alerts
Conclusion
The India PQC Task Force report is a watershed moment for cybersecurity in India. It transforms post-quantum cryptography from a theoretical future concern into an immediate compliance requirement. Organizations that begin their migration now will have a significant advantage -- those that wait will face compressed timelines, higher costs, and regulatory pressure.
The quantum threat is real, the timeline is accelerating, and the regulatory framework is now in place. The only question is whether your organization will lead or follow.
AllSecureX and QuantumVault are here to ensure you lead.
Start Your PQC Assessment Today
QuantumVault automates M1 compliance with automated CBOM generation, quantum risk assessment, and hybrid encryption deployment.