The Ministry of Road Transport and Highways (MoRTH) has initiated a critical regulatory shift to bolster the cybersecurity of India’s rapidly digitizing automotive landscape. Through a draft notification issued on June 22, the government has proposed mandatory cybersecurity and software update management standards for all connected and software-defined vehicles. This policy framework aims to protect the growing fleet of electronic-reliant automobiles from remote unauthorized access, data theft, and systemic electronic interference. By formalizing these requirements, the ministry seeks to ensure that as vehicles become increasingly intelligent, they do not simultaneously become more vulnerable to digital exploitation.
Strengthening Digital Automotive Architecture
The proposed framework centers on the adoption of the Automotive Industry Standard AIS-189, which mandates robust Cybersecurity Management Systems (CSMS) for vehicle manufacturers. Under these new regulations, Original Equipment Manufacturers (OEMs) must implement a risk-based strategy to monitor and mitigate vulnerabilities throughout a vehicle’s entire operational lifecycle. This requirement is not limited to luxury or high-end models but applies broadly to category M passenger vehicles, category N goods carriers, and category T trailers.
The mandate specifically targets any motor vehicle equipped with at least one electronic control unit (ECU), signaling a move to secure the foundation of modern automotive design. By requiring standardized cybersecurity governance, the ministry intends to close security gaps that often emerge in connected telematics and in-vehicle infotainment systems. Manufacturers will be required to conduct rigorous threat analyses and risk assessments to ensure that every layer of the vehicle’s electronic architecture remains resilient against sophisticated digital intrusion.
Phased Implementation and Compliance
The government has structured the compliance roadmap to be progressive, granting the industry sufficient time to adapt to these stringent technical requirements. Automated vehicles boasting Level 3 capabilities are the immediate priority, with compliance becoming mandatory for new models starting October 1, 2026. This aggressive timeline underscores the government’s intent to regulate high-stakes autonomous technologies before they gain widespread commercial prominence on Indian roads.
For broader categories of connected vehicles, the ministry has set a staggered rollout beginning April 1, 2028, for new OTA-enabled models, with existing vehicles following suit by October 2028. The mandate will expand comprehensively by October 2029, covering all OTA-capable vehicles and those supporting software updates without external wireless functionality. Ministry officials emphasize that this phased approach ensures manufacturers can integrate the necessary systems without disrupting supply chains or stalling domestic innovation in the software-defined vehicle space.
Aligning with Global Security Standards
These regulations represent a major departure from viewing cybersecurity as an optional value-added feature, transforming it into a non-negotiable regulatory prerequisite. By aligning domestic policies with global best practices, specifically the UN Regulation No. 155, India is positioning its automotive sector to meet international safety benchmarks. This harmonization is essential for manufacturers aiming to compete in global markets while ensuring that domestically produced vehicles adhere to the highest standards of digital trust.
As cybersecurity transitions from a niche technical concern to a core requirement for vehicle certification, automakers must now invest heavily in forensic data support and secure software update mechanisms. Manufacturers will be required to submit a certificate of compliance during the type approval process, establishing clear accountability for digital safety. Industry experts note that this proactive regulation will likely serve as a blueprint for other emerging economies looking to mitigate the specific risks posed by the modern connected car ecosystem.
