The Ministry of Road Transport and Highways (MoRTH) has issued draft rules that would make cybersecurity and software update management mandatory for specified categories of motor vehicles in India. The proposal marks the country’s first comprehensive regulatory framework for vehicle cybersecurity and aligns India’s automotive safety standards with those already implemented in major global markets, including the European Union, Japan and South Korea.
The draft notification proposes the insertion of two new provisions—Rule 125-T and Rule 125-U—into the Central Motor Vehicles Rules, 1989. The ministry has invited public comments on the proposal for 30 days before finalizing the regulations.
Cybersecurity Management Requirements
Proposed Rule 125-T focuses on vehicle cybersecurity. It will apply to passenger vehicles (Category M), goods vehicles (Category N), tractors (Category T) equipped with at least one Electronic Control Unit (ECU), and Category L7 vehicles featuring Level 3 or higher automated driving capabilities.
Under the rule, manufacturers will be required to comply with AIS-189, India’s automotive cybersecurity standard, and establish a Cyber Security Management System (CSMS). The system is designed to identify, assess and manage cybersecurity risks throughout a vehicle’s lifecycle, from development to post-sale operation.
Software Update Management
Rule 125-U addresses software update management and applies to a broader range of vehicle categories, including M, N, T, A and C. Manufacturers will need to comply with AIS-190, which specifies requirements for securely delivering, validating and tracking vehicle software updates through a Software Update Management System (SUMS).
Both AIS-189 and AIS-190 will remain applicable until the Bureau of Indian Standards (BIS) notifies corresponding national standards, after which the BIS specifications will replace them.
Aligning with Global Standards
The proposed regulations bring India closer to the United Nations regulatory framework that already mandates Cyber Security Management System (CSMS) and Software Update Management System (SUMS) certification for vehicle type approval in markets such as the European Union, Japan and South Korea. In these jurisdictions, cybersecurity compliance has become a mandatory prerequisite for vehicle certification rather than an optional feature.
Phased Implementation
The government has proposed a phased rollout based on vehicle risk profiles and technological capability.
Vehicles equipped with Level 3 or higher automated driving systems will be required to comply first, with implementation beginning in October 2026 for new vehicle models and April 2027 for existing models.
Vehicles capable of receiving over-the-air (OTA) software updates will follow, with compliance deadlines extending to April 2028 for new models and October 2028 for existing models.
All other vehicles equipped with any software update capability, whether through OTA or conventional methods, will be required to comply by October 2029.
