token distributors must prepare for the migration from FIPS 140-2 compliant cryptographic USB tokens to the newer FIPS 140-3 compliant secure cryptographic modules.
This transition affects DSC issuance, renewal, eTendering, MCA filings, Income Tax filing, GST filing, DGFT transactions, ICEGATE users, banking authentication, and every organization that relies on Digital Signature Certificates for secure digital transactions.
This article explains the official CCA guidance, migration timelines, impact on existing DSC tokens, benefits of FIPS 140-3, and what businesses should do before the September 2026 deadline.
What is Happening in India's DSC Ecosystem?
The Controller of Certifying Authorities (CCA) has advised all Certifying Authorities to migrate from FIPS 140-2 cryptographic modules to FIPS 140-3 compliant modules for enhanced security and future-ready compliance.
As per the official advisory:
- Certifying Authorities must stop issuing DSCs in FIPS 140-2 modules from 21 September 2026.
- Existing DSCs downloaded before the deadline will continue to function until certificate expiry.
- New DSC issuances and renewals will gradually move to FIPS 140-3-compliant tokens.
- Token manufacturers and distributors have been advised to publish exchange or buyback policies for older tokens.
- CAs have been instructed to publish updated pricing and migration policies.¹
This migration aligns India's Public Key Infrastructure (PKI) ecosystem with the latest internationally recognized cryptographic security standards.
Official Migration Timeline
Key Dates Every DSC User Should Know
| Event | Date |
|---|---|
| Last practical date to download DSC in FIPS 140-2 token | 20 September 2026 |
| Mandatory stop of DSC issuance in FIPS 140-2 modules | 21 September 2026 |
| Existing DSCs remain valid until certificate expiry | Yes |
| Fresh audit applications for FIPS 140-2 modules accepted by CCA | Stopped from 1 January 2026 |
According to the CCA advisory, any DSC downloaded into a FIPS 140-2 token on or before 21 September 2026 can continue to operate until the certificate validity period ends.¹
Will Existing DSC Tokens Stop Working After September 2026?
No.
This is one of the most common concerns among DSC users.
If your DSC has already been downloaded into a FIPS 140-2 token before 21 September 2026, the certificate will continue functioning normally until its expiry date.¹
Example
Suppose:
- DSC downloaded: 20 September 2026
- Certificate validity: 3 years
The DSC will continue working until September 2029, even though new issuance of FIPS 140-2 tokens has stopped.
The restriction applies only to:
- New DSC issuance
- Fresh certificate downloads
- Renewals after certificate expiry
What Happens When the Existing DSC Expires?
Once the DSC validity period ends:
- A new DSC cannot be downloaded into the old FIPS 140-2 token.
- Renewal may require migration to a FIPS 140-3-compliant token.
- Businesses may need to replace legacy hardware.
This is why organizations should begin migration planning well before renewal cycles start approaching.
What is FIPS 140-3?
FIPS 140-3 is the latest international security standard for cryptographic modules used to generate, store, and protect digital signature keys.
The standard replaces FIPS 140-2 and introduces stronger validation requirements, updated testing methodologies, and alignment with ISO/IEC 19790 and ISO/IEC 24759 security frameworks.¹
In simple terms, FIPS 140-3 ensures that cryptographic devices used for digital signatures provide stronger protection against modern cybersecurity threats.
FIPS 140-2 vs FIPS 140-3
| Security Area | FIPS 140-2 | FIPS 140-3 |
| Standard Basis | Proprietary framework | ISO/IEC aligned |
| Security Validation | Previous generation | Enhanced validation |
| Testing Requirements | Traditional testing | More rigorous testing |
| Physical Security | Strong | Improved |
| Compliance Readiness | Legacy standard | Future-ready standard |
| Global Acceptance | Older generation | Current international benchmark |
The migration is part of a broader global transition where FIPS 140-2 validations move to historical status after September 2026, while FIPS 140-3 becomes the active standard for new cryptographic validations.¹
Why is the Government Moving to FIPS 140-3?
The transition is primarily driven by cybersecurity modernization.
Key Objectives
1. Stronger Protection of Private Keys
Digital Signature Certificates depend on private keys. If those keys are compromised, digital trust is lost. FIPS 140-3 strengthens protection mechanisms.
2. Improved Cybersecurity
Modern cyber threats require stronger cryptographic safeguards and tamper-resistant hardware.
3. International Compliance
FIPS 140-3 aligns with globally recognized security standards and validation frameworks.
4. Modernization of India's Digital Trust Infrastructure
India's digital economy increasingly relies on secure electronic authentication for:
- MCA filings
- GST returns
- Income Tax eFiling
- eProcurement
- Banking transactions
- Government services
The migration helps future-proof this ecosystem.
What About Existing Token Stock?
Many DSC partners and businesses currently have inventories of FIPS 140-2 tokens such as:
Organizations are advised to:
- Utilize existing stock before September 2026.
- Avoid excessive procurement of legacy tokens.
- Monitor manufacturer announcements regarding exchange programs.
- Plan inventory transition strategies.
As of now, there is no universally announced exchange or buyback program covering all token brands. However, CCA has advised OEMs and distributors to publish replacement policies.¹
Will There Be Exchange or Buyback Programs?
The official advisory recommends that token manufacturers and distributors publish:
- Buyback policies
- Exchange programs
- Replacement pricing
- Migration assistance policies
However, implementation depends on individual OEMs and distributors.
Businesses should monitor official announcements from token manufacturers and authorized distributors during 2026 for specific migration offers.¹
When Will FIPS 140-3 Tokens Be Available?
The Indian market has already begun seeing the introduction of FIPS 140-3-compliant DSC tokens.
Availability will vary by manufacturer and distributor.
Organizations planning large-scale deployments should begin evaluating:
- FIPS 140-3 certified token options
- Enterprise rollout strategies
- Compatibility with signing applications
- Procurement timelines
Early planning helps avoid potential shortages and last-minute migration challenges.
Benefits of Upgrading to a FIPS 140-3 DSC Token
Enhanced Security
Improved cryptographic protection and stronger security validation.
Better Tamper Resistance
More robust safeguards against physical and hardware-based attacks.
Future Compliance Readiness
Prepared for evolving regulatory and cybersecurity requirements.
Improved Trust
Higher confidence in digital signatures used for legal, financial, and government transactions.
Long-Term Compatibility
Better support for future digital trust and authentication frameworks.
Impact on Businesses and Professionals
The migration affects:
- Chartered Accountants (CA)
- Company Secretaries (CS)
- Tax Consultants
- GST Practitioners
- Legal Professionals
- eTender Participants
- Import Export Businesses
- Government Contractors
- Corporate Compliance Teams
- Banking and Financial Institutions
Any organization using DSCs for regular compliance activities should start planning for FIPS 140-3 adoption.
Recommended Migration Strategy for DSC Partners
Step 1: Review Existing Inventory
Assess available FIPS 140-2 token stock and expected utilization.
Step 2: Inform Customers Early
Educate clients about the September 2026 transition deadline.
Step 3: Avoid Overstocking Legacy Tokens
Procure inventory carefully to minimize obsolete stock risk.
Step 4: Track OEM Announcements
Monitor buyback, exchange, and migration programs.
Step 5: Prepare for FIPS 140-3 Rollout
Train support teams and update documentation.
Step 6: Update Pricing and Product Catalogs
Align offerings with the new compliance requirements.
Frequently Asked Questions
Can I continue using my current DSC token after September 2026?
Yes. Existing DSCs downloaded before the deadline will remain valid until certificate expiry.
Can I renew a DSC in the same old token after expiry?
Generally, no. Renewal and fresh downloads are expected to require FIPS 140-3-compliant modules.
Will old tokens become unusable immediately?
No. Existing certificates will continue working until they expire.
Is FIPS 140-3 mandatory?
For new DSC issuance after 21 September 2026, migration to FIPS 140-3 compliant modules becomes the recommended and supported direction under the CCA advisory.
Should businesses start migration planning now?
Yes. Early planning helps avoid operational disruptions, procurement delays, and inventory challenges.
Conclusion
The migration from FIPS 140-2 to FIPS 140-3 marks an important evolution in India's digital signature and cybersecurity ecosystem. While existing DSCs stored in FIPS 140-2 tokens will continue to function until expiry, all stakeholders should prepare for the transition before September 2026.
Businesses, professionals, DSC partners, Certifying Authorities, and token distributors should begin evaluating FIPS 140-3-compliant DSC tokens, planning inventory transitions, educating customers, and monitoring official announcements from manufacturers.
Organizations that prepare early will experience a smoother migration, stronger security, and uninterrupted access to critical digital signature services.
References
- Office of the Controller of Certifying Authorities (CCA), Advisory on Migration from FIPS 140-2 to FIPS 140-3 Cryptographic Modules.
- National Institute of Standards and Technology (NIST) FIPS 140-3 Transition Guidance.
- Industry implementation updates and migration guidance are published by Certifying Authorities and authorized DSC ecosystem participants.
