A recurring confusion deserves clearing up first: the DST/NQM Task Force framework is not, by itself, a binding regulation. As the report itself states, it enables regulators to define sector-specific timelines and enforcement. Its milestones become obligatory for a given institution only when its own regulator adopts them. For BFSI, that makes the map of who can compel what the practical question.
RBI — the banking lever
The Reserve Bank already sets cryptographic expectations for regulated entities through its IT-governance and cyber-resilience directions (the CSITE-led framework updated in late 2023), which require strong cryptographic controls and periodic assessment. RBI has not yet issued a quantum-specific mandate — but it has both the authority and the established mechanism (master directions, inspections, supervisory expectations) to fold the DST milestones into existing controls. When it does, "adequate cryptographic controls" will quietly come to mean "quantum-safe roadmap in place."
SEBI — the markets lever
SEBI's Cyber Security and Cyber Resilience Framework (CSCRF) governs the cryptographic posture of stock exchanges, depositories, clearing corporations, mutual funds and intermediaries. CSCRF already pushes regulated entities toward forward-looking cryptographic resilience, making it a natural vehicle for quantum-safe requirements across market infrastructure, where long-lived records and high-value settlement make harvest-now-decrypt-later (HNDL) and trust-now-forge-later (TNFL) exposure particularly acute.
CERT-In — the incident lever
CERT-In operates a different, sharper instrument: mandatory incident reporting on tight timelines (notably its six-hour reporting requirement for specified cyber incidents). Its relevance to quantum is twofold. It is the body whose empanelment confers legal standing on security audit and assessment work in India, which shapes who is allowed to formally attest a bank's cryptographic posture. And under an assume-breach posture, HNDL is not a future risk but an active threat, a framing that maps naturally onto CERT-In's incident lens.
IRDAI and the DPDP Act — the data levers
IRDAI's 2023 cyber-security guidelines impose cryptographic-control and vulnerability-assessment duties on insurers, with defined timelines for closing high-risk gaps. Cutting across all sectors, the Digital Personal Data Protection Act creates a duty to protect personal data with adequate safeguards. The DPDP angle is the quietest but possibly the broadest: if today's encryption of personal data is expected to fail within the data's required confidentiality lifetime, "adequate" protection is precisely the question quantum migration answers. Aadhaar-linked and KYC data sit squarely here.
The DST report wrote the strategy. RBI, SEBI, CERT-In and IRDAI hold the pens that make it enforceable — and the report explicitly asks DST to hand them the brief.
Why this matters for sequencing
Two consequences follow for an Indian institution. First, you are likely answerable to several of these bodies at once — a bank that runs market-facing services and holds personal data sits under RBI, SEBI, CERT-In and DPDP simultaneously, and the strictest requirement governs. Second, the smart posture is to build to the national framework now rather than wait for each sector circular, because the milestones are already published and the foundational work (discovery, CBOM, prioritisation) is identical regardless of which regulator formalises it first. Waiting for your specific circular is a way of guaranteeing you start late.
The empanelment subtlety
One structural point worth internalising: in India, formal security audit output generally carries weight when produced by a CERT-In empanelled entity. That shapes the market — assessment tooling and the empanelled audit function are complementary, not interchangeable. A credible quantum-safe practice in India tends to pair strong assessment capability with an empanelled delivery partner, rather than assuming one replaces the other.
KavachQ maps findings not to a generic standard but to specific Indian frameworks — RBI's IT direction, SEBI CSCRF, IRDAI's guidelines, the DPDP duty and the DST milestones — at clause level, so an assessment speaks the language each regulator will eventually audit against. Its PROVE module produces reporting aligned to the DST L1–L4 assurance framework. Consistent with the empanelment structure above, KavachQ is designed to complement CERT-In empanelled delivery rather than substitute for it.
The output is framed for the regulator who will actually read it.