India DST Task Force Report and What It Says
In February 2026, India's Department of Science and Technology published the Implementation of Quantum Safe Ecosystem in India; Report of the Task Force.
The report is a phased, time-bound migration roadmap with explicit deadlines for Critical Information Infrastructure, government bodies, and private enterprises. India joins a small group of nations that have published specific, enforceable PQC timelines. For organizations navigating post-quantum regulation in India, the report sets a clear compliance framework, aligning closely with NIST PQC standards and establishing a national certification path.
Two sub-groups drive the programme. The Telecommunication Engineering Centre (TEC) leads testing, standards, and a national certification framework. The Data Security Council of India (DSCI) leads crypto-agility strategy, migration planning, and enterprise guidance.
Executive Briefing
A summary of the Quantum-Safe Roadmap (DST Task Force report): what it requires, who it applies to, and what your organization needs to do first.
- Understand the quantum-safe roadmap
- Get familiar with critical migration deadlines
Critical Information Infrastructure
- Defence
- Power
- Telecom
- ISRO
- DRDO
- ONGC
Build Foundations
Quantum risk governance, cryptographic asset inventory, PQC pilots, CBOM mandates in procurement.
Migrate High-Priority Systems
No new classical-only deployments. Upgrade PKI, HSMs, and key management infrastructure.
Full PQC Adoption
Enterprise-wide PQC and hybrid adoption. PQC-only trust chains operational.
Government and Private Enterprises
- Banking
- Healthcare
- Education
- General IT
Build Foundations
Quantum risk governance, cryptographic asset inventory, PQC pilots, CBOM requirements begin.
Migrate High-Priority Systems
No new classical-only deployments. Mandate PQC digital signatures. Enforce supplier accountability.
Full PQC Adoption
All signatures quantum-safe. Continuous algorithm lifecycle governance institutionalized.
Migration to post-quantum cryptography begins with knowing what you have
Every migration milestone in the DST roadmap — governance, prioritisation, CBOMs, vendor accountability, PQC deployment — depends on one foundational capability: a complete, accurate inventory of your cryptographic assets.
You cannot prioritize what you have not found. You cannot produce a CBOM for assets you do not know exist. You cannot migrate cryptography that has not been mapped. Cryptographic discovery is not a precursor to the program. It is the first and most critical step.
CBOM mandate from FY 2027-28
The Task Force requires organizations to issue Cryptographic Bill of Materials requests to key vendors and embed CBOM requirements in new procurement. Organizations that have not completed their own internal discovery cannot meet this requirement.
Activate Sensors
Lightweight agents and agentless sensors deployed across on-premises, cloud, and hybrid environments.
Scan and Detect
Automated scanning maps every cryptographic asset: algorithms, keys, certificates, libraries, and third-party binaries.
Build Your Inventory
Every asset catalogued into a structured, searchable inventory. Your foundation for CBOMs and migration planning.
Q2 2026
Assess and Prioritize
Findings ranked by technical severity and policy impact so teams know exactly what to address first.
Q2 2026
Resolve and Harden
Remediation guidance and integrations with enterprise tools so teams can act without workflow disruption.
Q3 2026
Continuous Posture Management
Ongoing scanning keeps your inventory current as assets change, dependencies shift, and new exposures emerge.
Always on
Why start now?
PQC migration is not a simple upgrade. It is a multi-year program, possibly the largest migration in history, and the deadlines are already counting down.
Migration takes years, not months
A full cryptographic migration — discovery, inventory, prioritization, testing, deployment, and validation — routinely takes five to ten years across complex enterprise environments. For CII organizations, the 2027 foundation deadline is effectively now.
Cryptography is embedded everywhere
Keys, certificates, libraries, and protocols are embedded across on-premises systems, cloud platforms, applications, and vendor-supplied software. Locating all of it before you can begin migrating any of it is a substantial program in itself.
Adversaries are harvesting now
Harvest Now, Decrypt Later is not a theoretical risk. Nation-state actors are actively capturing encrypted data today with the intent to decrypt it once quantum capability matures. Long-lifetime data — financial records, health data, government communications — is already at risk.
CBOMs are a procurement requirement from 2027
The Task Force mandates Cryptographic Bills of Materials in procurement from FY 2027-28. Organisations that have not completed a cryptographic inventory cannot produce one and cannot comply. The inventory work must start immediately.
Vendor and supply chain timelines add delay
Your migration timeline is not just yours. It depends on your vendors, cloud providers, hardware suppliers, and software partners being PQC-ready. Communicating requirements to them now gives them time to prepare and gives you time to find alternatives if they cannot.
Q-Day estimates are moving closer
A cryptographically relevant quantum computer could arrive within three years. Google noted in December 2025 that quantum computing is now at the same inflection point AI was five years ago. The window is narrowing faster than expected.
See your cryptographic exposure
Book a demo and see how QuantumGate maps your cryptographic asset inventory, identifies PQC compliance gaps against India's quantum-safe security mandate, and gives your team a clear migration starting point.