Introduction
The accelerating march of technology has brought quantum computing from theoretical curiosity towards plausible practical impact. One of its most eye-opening implications is in cryptography: many encryption algorithms that underpin digital security today could be broken—or substantially weakened—by quantum computers. For regulatory bodies overseeing financial markets, where data security, integrity, and investor protection are paramount, this poses systemic risk.
Against this backdrop, SEBI (Securities and Exchange Board of India), under Chairman Tuhin Kanta Pandey, has publicly laid out a plan to ensure that the regulated entities in India’s securities markets become “quantum ready.” The announcement was made during the Global Fintech Fest 2025, with targets, measures, and stakeholders outlined. This report describes the plan, its components, the timeline, the rationale, and the potential challenges.
Rationale for Quantum Readiness
SEBI’s motivation rests on several interlocking points:
- Vulnerability of current cryptographic systems: encryption standards in wide use (e.g. password-based encryption, such as 128-bit) may be broken or compromised once powerful quantum computers become available.
- Systemic risk: breaches in security or operational failures can cascade in interconnected systems, especially where market infrastructure entities, third-party service providers, cloud platforms, and fintech intermediaries are involved.
- Regulatory foresight: learning from past “once in a lifetime” tech challenges (the Y2K problem was explicitly referenced) to act before the crisis emerges.
Key Elements of SEBI’s Action Plan
Based on the public sources, the action plan comprises several components:
- Discovery, Preparation, and Action Phases: SEBI intends to structure the initiative over three stages:
  - Discover: Assess where and how quantum threats affect current systems, mapping cryptographic dependencies (passwords, keys, systems) in regulated entities.
  - Prepare: Capacity building, awareness, standard setting, and developing or adopting quantum-safe cryptographic methods (e.g. post-quantum cryptography (PQC), quantum key distribution (QKD)).
  - Act / Implementation: Gradual replacement of weak or vulnerable cryptographic components, putting in place operational practices, ensuring systems are resilient.
- Timeline / Target Dates
  - SEBI has set a target of operational readiness for quantum-safe computing in its regulated ecosystem around 2028-2029.
  - The next two to four years (i.e. the more immediate term) are for the discovery and preparation phases in many systems.
- Capacity Building and Standardization
  - SEBI will run capacity building initiatives to bring the regulated entities up to speed in terms of knowledge, skills, and preparedness.
  - There will be work around standardizing cryptographic practices and possibly mandating or advising specific post-quantum cryptographic standards.
- Regulatory Framework & Monitoring
  - SEBI’s existing cybersecurity and cyber resilience framework for regulated entities will be leveraged and expanded to include quantum risk.
  - Enhanced supervision, real-time monitoring, and oversight of third-party service providers/cloud platforms.
  - Use of the regulatory sandbox (Innovation Sandbox) to test and experiment with blockchain / DLT apps, and possibly other new technologies, in a controlled environment.
- Shared Responsibility
  - SEBI emphasizes that quantum readiness is not something the regulator can enforce alone. Market infrastructure institutions (MIIs), intermediaries (brokers, fintechs), cloud service providers, fintech innovators, etc., all have a role.
Timeline and Milestones
- Immediate to short term (Next 2-4 years): Discovery of vulnerabilities, mapping where cryptographic risk lies; standard-setting; capacity building; piloting post-quantum cryptography in selected systems.
- Medium term (by ~2028-29): Operational quantum-safe cryptography across SEBI’s regulated entities; replacing or upgrading systems and passwords; ensuring resilience and incident-response readiness.
Challenges and Considerations
Implementing this action plan is not without hurdles. Some of the challenges are:
- Technological Maturity
  - Post-quantum cryptography (PQC) and quantum key distribution (QKD) standards are still under development globally; some are provisional, others may raise performance, cost, or interoperability concerns.
- Cost and Upgradation of Legacy Systems
  - Many regulated entities may have legacy infrastructure with deep cryptographic integration; upgrading them (or replacing components) is expensive and time-consuming.
- Standardization and Interoperability
  - Ensuring any quantum-safe solutions adopted are compatible across the ecosystem; avoiding fragmentation or vendor lock-in.
- Regulatory Coordination
  - Because many services cross regulatory boundaries (e.g. fintechs, cloud providers, banks, insurance) and jurisdictions, coordination with other regulators (RBI, IRDAI, MeitY, CERT-In) will be essential. While SEBI is leading for securities markets, systemic cybersecurity demands broader alignment. The SEBI chairman has acknowledged this need.
- Risk of Complacency or Delay
  - Quantum computers are not yet widely available, so there’s a risk that entities may postpone preparation, thinking the threat is distant, thereby increasing exposure.
- Human Capacity
  - There will be a need for skilled cryptographers and cybersecurity experts oriented toward quantum-safe methods; training and capacity building may lag demand.
- Regulatory and Legal Aspects
  - Legal frameworks, contracts, data privacy regulations, confidentiality and cross-border data flows may need updates to accommodate quantum-safe or quantum-resilient technologies.
Implications
The implications of SEBI’s plan are significant:
- For investor confidence: taking proactive steps shows SEBI is considering future risks and is not merely reactive. This helps maintain trust.
- For market infrastructure: Entities will need to audit their systems and invest in upgrades; new vendors for quantum-safe cryptographic solutions may see demand increase.
- For innovation in fintech: There will be opportunities in developing PQC/QKD solutions, tools, and services. Also, regulatory sandboxes to test new technologies may spur experimentation.
- For global competitiveness: As financial markets globally begin considering quantum readiness, India’s proactive steps could help its marketplaces align favorably.
Gaps / What Remains to be Clarified
While SEBI’s announcement is an important start, some details that are (so far) not fully public, or are areas where further clarity would help, include:
- Exactly which entities (by size, nature, function) will be mandated first to move to quantum-safe cryptography.
- What specific standards and algorithms will be adopted or recommended; whether alignment with global standards (e.g. NIST, ISO) is assured.
- How SEBI plans to monitor compliance and enforce changes, especially for smaller or resource-constrained intermediaries.
- Budgetary or resource support for smaller regulated entities to help with transition.
- Whether third-party service providers/cloud platforms will be subject to specific obligations or oversight for quantum risk.
- How incident response and breach/disclosure requirements will be modified to cover quantum-related vulnerabilities.
Conclusion
SEBI’s action plan to ensure quantum readiness of its regulated ecosystem is a forward-looking step, recognizing that the next wave of computing could undercut many foundational assumptions about digital security. By targeting 2028-29 for operational readiness, incorporating discovery, preparation and implementation phases, and emphasizing stakeholder collaboration, SEBI is attempting to stay ahead of a prospective risk rather than scrambling after damage is done.
However, given the technical, financial, and regulatory challenges, success will depend heavily on clear standards, timely regulatory guidance, cooperation across regulators and industry players, and ensuring that the burden doesn’t fall unfairly on smaller entities. If done well, this initiative could significantly enhance the cyber-resilience of India’s securities markets; if not, it may result in patches, delays, or uneven adoption that leave pockets of vulnerability.