How do you future-proof a digital economy that processes hundreds of millions of transactions a month, in a country that’s home to almost 1.5 billion people? Upgrading cryptography could be a huge task for most nations, but for India, it’s a project that has a truly enormous footprint – and an even bigger impact.
That’s why the Indian Department of Science & Technology (DST) under the National Quantum Mission (NQM) has prepared a comprehensive strategy to protect India’s digital infrastructure against the emerging threat of quantum computing. It’s entitled: Implementation of Quantum Safe Ecosystem in India.
The report, from the DST’s specially commissioned Task Force, outlines an ambitious but essential roadmap for quantum transition – for Critical Information Infrastructure (CII) and regular enterprises. It’s fascinating to see the aggressive deadlines specified.
India’s Quantum Roadmap
- Milestone 1 – Build Foundations: CII by 2027, Enterprise by 2028
To reach this milestone, organizations are required to establish governance and cross-functional quantum-risk management, as well as inventory their cryptographic assets. The report suggests introducing PQC-readiness requirements in procurement processes and adopting hybrid PQ/T signatures for critical software and systems. - Milestone 2 – Migrate High Priority Systems: CII by 2028, Enterprise by 2033Pilot projects should be migrated to full migration programs, ensuring supplier accountability and upgrading PKI, HSMs, KSM and libraries to PQC-ready versions. Classical-only systems should be isolated where immediate migration is not feasible.
- Milestone 3 – Full PQC Adoption CII by 2029, Enterprise by 2033This milestone is for complete enterprise-wide adoption, with PQC-only trust chains and quantum-secure digital signatures. The report also imposes long-term vendor oversight and accountability with audits and a process for continuous algorithm updates, as well as layered risk-management for the remaining legacy systems.
The report also specifies a framework for assessing quantum-risk, with Assurance Levels ranging from Level 1 (basic consumer-grade environments with low risk) to Level 4 (sovereign and national critical infrastructure). It’s likely that government and critical sectors will use these levels as a compliance requirement, mandating specific Assurance Levels for products they purchase. With infrastructure likely to take 12-18 months to build, an interim approval process is likely to avoid delaying migration.
This is a critical point for 2026. India’s approach, aligning as it does with the UK, USA, EU and Australia – each of which has formalized national roadmaps for transition to PQC – is at a junction, where action matters. In this second of half of the decade, the countdown is likely to switch from years to months – and India’s proactive approach is putting the world’s most populous nation on a fast-track to quantum security.
You can read more in the full report from the DST’s Task Force here. There’s also a useful infographic summarizing the timeline at postquantum.in.
PQShield is one of the world’s leading providers of post-quantum solutions for the supply chain. Find out more about our state-of-the-art UltraPQ product portfolio here.