Post-Quantum Migration Window Narrows: What NIST FIPS 203 Means for Indian Enterprises

Manish Garg, Associate of (ISC)² · RingSafe
Jun 19, 2026

Last updated: June 22, 2026

NIST published its first post-quantum cryptography standards — FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA) — in August 2024. Nearly two years on, adoption in enterprise environments is still early, despite mounting evidence that adversaries are harvesting encrypted traffic today for decryption once quantum computers become capable. The window to migrate is measured in years, but the planning has to start now.

The harvest-now-decrypt-later threat

Nation-state actors with long intelligence horizons do not need a quantum computer today to benefit from quantum attacks later. Intercepted TLS sessions, archived VPN traffic, and exfiltrated encrypted databases are all candidates for future decryption. Data with a classification lifetime of ten years or more — defence procurement, pharmaceutical R&D, diplomatic communications — is already at risk under this model. Indian organisations with government contracts or in regulated sectors should treat this as an active, not theoretical, threat.

What FIPS 203/204/205 actually replace

  • ML-KEM (FIPS 203) replaces RSA and ECDH for key encapsulation — the mechanism used in TLS handshakes, encrypted email, and VPN key exchange.
  • ML-DSA (FIPS 204) replaces RSA and ECDSA for digital signatures — used in code signing, document signing, and certificate authorities.
  • SLH-DSA (FIPS 205) is a stateless hash-based signature scheme for use cases where algorithm diversity matters.

Where Indian enterprises should start

The migration is not a single project — it is a multi-year programme. The first step is a cryptographic inventory: where is public-key cryptography used, what data does it protect, and what is the data’s sensitivity lifetime? Most organisations discover they have no idea how many places RSA and ECC are embedded across their infrastructure. TLS termination points, PKI roots, code-signing pipelines, hardware security modules, and application-level encryption all need to be catalogued before migration can be sequenced.
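A first pass at such an inventory can be scripted. The sketch below is an added example, not code from RingSafe or NIST: it scans configuration lines for classical public-key algorithm names, maps each finding to the replacement standard listed above, and ranks key establishment that protects long-lived data first. The token patterns, the sample lines, the asset names and the lifetime values are all constructed assumptions; the ten-year horizon is the figure used earlier in this article.

```python
import re

# Token patterns are assumptions of this example and are not exhaustive.
PQ = re.compile(r"ml-?kem|ml-?dsa|slh-?dsa", re.I)
CLASSICAL = [
    ("key establishment", "ML-KEM (FIPS 203)",
     re.compile(r"ecdh|x25519|curve25519|diffie-hellman", re.I)),
    ("signature", "ML-DSA (FIPS 204)", re.compile(r"ecdsa|ed25519|rsa", re.I)),
]

# Constructed sample: asset | file | config line (not taken from a real system).
SAMPLE = """\
web | /etc/nginx/nginx.conf | ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384;
vpn-gw | /etc/ssh/sshd_config | HostKeyAlgorithms rsa-sha2-512
vpn-gw | /etc/ssh/sshd_config | KexAlgorithms mlkem768x25519-sha256,ecdh-sha2-nistp256
"""
# Constructed sensitivity lifetimes (years) of the data each asset protects.
LIFETIME_YEARS = {"web": 1, "vpn-gw": 10}


def build_inventory(text, lifetimes, horizon=10):
    """Return classical public-key findings, most urgent first."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        asset, location, config = (p.strip() for p in line.split("|"))
        _directive, _, values = config.partition(" ")  # skip the directive name
        for token in filter(None, re.split(r"[,\s:;]+", values)):
            if PQ.search(token):
                continue  # already post-quantum or hybrid: not a finding
            # One token can yield two findings (ECDHE-RSA: exchange + signature).
            for role, replacement, pattern in CLASSICAL:
                if pattern.search(token):
                    years = lifetimes.get(asset, 0)
                    rows.append({
                        "asset": asset, "location": location, "token": token,
                        "role": role, "replacement": replacement, "years": years,
                        # Recorded traffic is only decryptable later through its
                        # key establishment, so only that role is flagged.
                        "hndl": role == "key establishment" and years >= horizon,
                    })
    return sorted(rows, key=lambda r: (not r["hndl"], -r["years"]))


if __name__ == "__main__":
    for r in build_inventory(SAMPLE, LIFETIME_YEARS):
        flag = "HNDL" if r["hndl"] else "    "
        print(f'{flag} {r["asset"]:7} {r["role"]:17} {r["token"]} -> {r["replacement"]}')
```

Config scanning only finds algorithms that are named in text; keys inside HSMs, compiled binaries and certificate stores need their own discovery step.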

RBI and SEBI have not yet published post-quantum readiness guidelines, but BIS (Bureau of Indian Standards) has aligned its national standards work with NIST. The guidance will arrive — the question is whether your organisation is ahead of it or scrambling when it does.
