India's IoT Security Mandate: TEC Code, MTCTE Certs & CERT-In Rules Explained

India’s IoT Security Mandate: Government Rules Locking Down Smart Devices

The420.in Staff

The primary government guidelines and frameworks controlling IoT device security in India come from the Department of Telecommunications (DoT) under the Ministry of Communications and the Ministry of Electronics and Information Technology (MeitY), with support from CERT-In for incident reporting.

Key Guidelines and Standards

Code of Practice for Securing Consumer Internet of Things (IoT) (TEC 31318:2021)
Issued by the Telecommunication Engineering Centre (TEC) under DoT in 2021 (released publicly in 2022).
This is the main baseline document for consumer IoT security, aligned with global standards like ETSI EN 303 645. It emphasizes “Security by Design” and covers principles such as no universal default passwords, secure software updates, vulnerability disclosure policies, data protection, and secure storage of credentials.
It applies to manufacturers, service providers, system integrators, and application developers.

Advisory Guidelines to M2M/IoT Stakeholders for Securing Consumer IoT (Issued by DoT in 2023)
These reinforce the Code of Practice and advise stakeholders on implementing security measures for consumer IoT endpoints to protect users and networks.

Certification and Mandatory Requirements

Mandatory Testing and Certification of Telecommunication Equipment (MTCTE)
Administered by TEC under DoT. Certain IoT/M2M devices (e.g., gateways, smart meters, feedback devices, smart cameras) must undergo mandatory testing and certification, including Indian Telecom Security Assurance Requirements (ITSAR) developed by the National Centre for Communication Security (NCCS). ITSAR specifies security controls for various IoT categories.

IoT System Certification Scheme (IoTSCS)
Operated by the Standardisation Testing and Quality Certification (STQC) Directorate under MeitY. The scheme is voluntary (with progression requirements) and provides graded assurance levels (0 to 4) for IoT device security, covering physical, communication, and application interfaces. It is, however, mandatory for specific devices such as CCTV systems under the Essential Requirements (ERs) introduced in 2024.

Essential Requirements (ERs) for Specific IoT Devices
For example, ERs for CCTV and video surveillance systems (MeitY, 2024) require compliance with security standards and STQC certification.

Incident Reporting and Broader Controls

CERT-In Directions (2022)
Under Section 70B of the IT Act, 2000, entities must report cyber incidents involving attacks on IoT devices within 6 hours. This indirectly enforces security by requiring rapid response to IoT-related breaches.

There is no single overarching law making all IoT security measures universally mandatory, but compliance is enforced through certification for telecom-connected devices, advisories for consumer IoT, and incident reporting obligations. These frameworks aim to align with international best practices while promoting secure domestic manufacturing. For the latest details, refer to official sources like tec.gov.in, dot.gov.in, stqc.gov.in, and cert-in.org.in.
