Pakistan has taken a significant step towards embracing digital assets by approving new IT and cryptographic security standards, set to take effect in June 2028. The Pakistan Standards and Quality Control Authority (PSQCA), acting on the advice of the National Telecom and Information Technology Security Board (NTISB), has established a framework that will allow for legally recognized cryptocurrency and secure digital transactions throughout the country.
A New Framework for Digital Security
The new standards require devices such as hardware security modules, encryption tools, firewalls, and other cryptographic systems to undergo strict testing and certification. The framework introduces four levels of security classification. Evaluators will test cryptographic primitives separately. Authorities will screen every product for backdoors, trojans, and hidden vulnerabilities. Developers and vendors must obtain NTISB approval before they deploy these devices.
Broad Institutional Impact
Government bodies including NADRA, the Civil Aviation Authority, Railways, Immigration, law enforcement, and energy providers must adopt the new standards. Private entities such as telecom and internet service providers, banks, and semi-government bodies also fall under its scope. Organisations must phase out unverified or outdated devices and prepare procurement and replacement strategies before the deadline.
Cyber Threats, Legal Clarity and Crypto’s Future
Officials said the new regulation responds to growing cyber threats, insider risks, and the increasing sophistication of state-backed cyberattacks. The regulation focuses on the three pillars of cybersecurity: confidentiality, integrity, and availability (CIA triad). The Pakistan government will maintain a list of approved devices through NTISB.
The new standards create the foundation for regulating blockchain applications, digital banking, and crypto exchanges by enforcing strict cryptographic benchmarks. Analysts say that legal recognition for cryptocurrencies in Pakistan depends on building such infrastructure.
The regulations take effect in June 2028, giving institutions a three-year transition period to comply. Organisations must fully adapt by that date or risk penalties for non-compliance.