N° 10The Ecosystem

India's Quantum-Safe Ecosystem

Quantum-Safe India Dossier · Grounded on the DST/NQM Task Force Report 2026

A national migration is not a document — it is a set of institutions. The report names them: the National Quantum Mission at the centre, two working groups dividing the labour, a tiered testing regime, and the sector regulators who will turn principle into mandate.

THE INSTITUTIONAL MAP National Quantum Mission · DST TEC-led Sub-group Testing · Certification · Assurance DSCI-led Sub-group Migration strategy · Crypto-agility TEC · STQC · BIS standards & labs L1 — L4 assurance levels 3-TIER TESTING LABS · Tier-1/2 by Dec 2026 CBOM & persona guidance crypto-agility playbooks SECTOR REGULATORS — translate principle into mandate RBI SEBI CERT-In IRDAI IDRBT
The report distributes the work: NQM/DST at the centre, a TEC-led group owning testing and certification, a DSCI-led group owning migration strategy, a tiered lab regime beneath them, and the sector regulators who convert all of it into binding direction.

Every article in this dossier has described a piece of the transition — the threat, the standards, the inventory, the timeline. This one describes the machinery that will carry it. A national cryptographic migration is not accomplished by publishing a deadline; it is accomplished by an ecosystem of institutions, each holding one part of the mandate. The DST report's quiet achievement is that it names them and divides the labour explicitly.

The centre: the National Quantum Mission

At the apex sits the National Quantum Mission under the Department of Science and Technology, whose Task Force authored the report. The Mission's role is not to run any single bank's migration; it is to set the national direction — the milestones, the threat models, the principle of crypto-agility — and to convene the bodies that operationalise them. The report is, in effect, the Mission speaking: this is the shape of the problem, here is the timeline, here is who owns what.

Two working groups, two halves of the problem

Beneath the Mission the report splits the work into two sub-groups, and the split is instructive. The TEC-led sub-group — the Telecommunication Engineering Centre, working with STQC and BIS — owns assurance: how do we know a product's post-quantum claims are real? It defines assurance levels L1 through L4 and stands up the testing and certification regime. The DSCI-led sub-group owns migration: how does an organisation actually get from here to quantum-safe? It produces the strategy, the CBOM and persona guidance, the crypto-agility playbooks. One group certifies the tools; the other tells institutions how to use them. Together they cover the full arc from primitive to deployment.

One group answers "is this product genuinely quantum-safe?" The other answers "how does my institution become quantum-safe?" Neither question is optional, and the report assigns each an owner.

The testing and certification regime

The most concrete new institution is the National PQC Testing & Certification Programme, run through TEC, STQC and BIS. It establishes a three-tier laboratory structure, with Tier-1 and Tier-2 labs to be operational by December 2026. Products are certified against assurance levels — L1 at the lighter end through L4 for the most demanding — and certifications carry validity periods scaling from three years at L1 to ten years at L4. Banking, telecom and healthcare deployments sit at L3, reflecting their systemic importance. For a BFSI institution, this matters directly: the cryptographic products it adopts will increasingly need to carry the right assurance level, and the regime that grants it is being built now.

L1–L4
Assurance levels; banking sits at L3
Dec 2026
Tier-1/2 testing labs operational
3–10 yr
Certification validity, scaling with level

The regulators turn principle into mandate

The Mission can set direction, but it cannot bind a bank. That power sits with the sector regulators, and the report is explicit about the handoff: it asks DST to communicate the findings to bodies like RBI, SEBI and the relevant sectoral authorities so they can issue domain-specific guidance. This is the mechanism by which the national timeline becomes a supervised obligation — RBI's IT directions, SEBI's CSCRF, CERT-In's reporting regime and IRDAI's cyber guidelines are the instruments through which "adopt PQC by 2029" becomes something an auditor checks. The full regulatory map is the subject of N° 07; here the point is structural: the ecosystem is designed so that principle flows down into enforceable mandate.

IDRBT and the banking research arm

For financial institutions specifically, the Institute for Development and Research in Banking Technology occupies a distinctive place — the RBI-established research body that has historically translated emerging technology into banking practice. In a quantum transition, that translating role is exactly what BFSI needs: a bridge between the national standards regime and the operational reality of a core banking system. Watching where IDRBT lands on PQC is one of the higher-signal indicators of how fast the banking-specific guidance will arrive.

Where the private sector fits

The report does not imagine the state building everything. Its persona model explicitly names Technology Providers & Enablers as a category of the ecosystem — the vendors who supply primitives, hardware, assessment tooling and migration capability. This is the deliberate design: the institutions set direction and assurance; the market supplies the tools that meet it. A healthy quantum-safe ecosystem needs Indian providers across that whole stack, from quantum-random-number and key-distribution hardware through cryptographic libraries to the assessment and migration layer that sits closest to the enterprise.

Where KavachQ fits · Technology Provider & Enabler

KavachQ sits in the report's Technology Provider & Enabler persona — specifically in the assessment-and-migration layer, the part of the stack closest to the BFSI institution: discovery, CBOM, roadmap, attestation. It deliberately does not build cryptographic primitives or quantum hardware. That leaves natural complementarity with India's deep-tech players — firms building QRNG, key-distribution and PQC-primitive capability are layers KavachQ consumes and points to, not competes with. The healthiest reading of this ecosystem is partnership across the stack: the primitives layer and the assessment-and-migration layer are different jobs, and a credible national transition needs both.
→ KavachQ aligns to the assurance regime (L3 / BFSI) and partners across the primitives layer rather than rebuilding it.

Reading the map as a whole

Step back and the design is coherent. The Mission sets direction. One working group guarantees that products are what they claim; the other guarantees that institutions know how to deploy them. A tiered lab regime issues the assurance. The regulators make it binding. Research bodies translate it for their sectors. And a market of providers supplies the tools. For a bank reading this dossier, the practical takeaway is that none of these institutions will migrate you — they build the road; you still have to drive it. The deadlines in N° 02 are real, the inventory in N° 03 is the first step, and the ecosystem on this page is the support structure that exists precisely so that no institution has to solve the quantum transition alone.