Field notes on India's post-quantum migration — the NIST PQC standards, the NQM Task Force framework, the operational gaps banks discover when they actually start inventorying their cryptography, and the engineering choices we make on the platform.
HNDL was the confidentiality story. TNFL is the integrity story — and harder. The May 2026 NQM Task Force names the threat and puts a December 2027 CBOM on the calendar for Indian BFSI.
NIST has published five PQC standards in two years. Most CISO conversations still treat them as one thing. They're not — and the order you migrate matters more than people think.
Chrome quietly turned post-quantum key exchange on by default in 2024–2025. Inside the hybrid handshake and what your edge stack has to support.
HNDL is real but narrower than the press makes it sound. Which BFSI data classes are actually at risk, and what to encrypt forward today.
X + Y > Z — the three numbers that tell you whether your PQC migration is on time or already late. A practitioner's reading.
You can't migrate what you can't see. The six categories of asset a CycloneDX 1.6 CBOM captures, and how discovery actually works.
OperationsMost plans assume firmware upgrade. For many Indian banks the answer is replacement — a six-month critical path.
PKIThe algorithm change is the easy part. Re-issuing every certificate the old root signed is where the migration stalls.
EngineeringA four-layer architecture pattern so swapping algorithms is a config change, not a code change. Anti-patterns and a refactor playbook.
SignaturesA 17 KB signature is a hard sell at a TLS leaf and an easy one at a code-signing root. When the size trade is worth it.
StrategyTwo technologies, two purchase orders, two operating models. Where each fits in an Indian enterprise's quantum-safe budget.
FrameworkThe NQM Task Force tiers and what each means in BFSI practice. A descriptive structure for reporting — not a per-asset scoring system.