Cybersecurity for cars? India plans to implement global standards
What's the story
The Ministry of Road Transport and Highways (MoRTH) has proposed a major change in the way we think about vehicle security. The ministry has issued a draft notification, suggesting that all vehicles that have at least one Electronic Control Unit (ECU) and are compliant with AIS-189 should have cybersecurity and software update management systems. This is part of India's plan to strengthen cyber resilience in its connected vehicle ecosystem.
Implementation strategy
Proposed rules amend Central Motor Vehicles Rules, 1989
The proposed rules, which amend the Central Motor Vehicles Rules, 1989, introduce two new provisions: Rule 125-T on Cyber Security and Cyber Security Management Systems (CSMS), and Rule 125-U on Software Updates and Software Update Management Systems (SUMS). These regulations will be applied in a phased manner across all vehicle categories, including passenger vehicles, goods carriers, and trailers, as well as agricultural and construction machinery. The latter two categories are included only for the software update and SUMS requirements.
Phase #1
Phase-wise implementation roadmap
The first phase of the implementation roadmap is for Level 3 and above automated vehicles. New models in this category will have to comply with the proposed rules from October 1, 2026, while existing models will have until April 1, 2027. This phased approach gives manufacturers time to adjust their systems according to these new cybersecurity standards.
Phase #2
Second phase targets OTA-enabled vehicles
The second phase targets Over-The-Air (OTA)-enabled vehicles with OTA-capable ECUs, excluding infotainment systems and tracking devices. New models in this category will have to comply from April 1, 2028, while existing models will get time until October 1 of that year. This is a crucial step as it brings a large number of vehicles under the proposed cybersecurity framework.
Final phase
Comprehensive approach to cybersecurity
From October 1, 2029, the mandate will be extended to all OTA-enabled vehicles. The same date has also been suggested for vehicles that can receive software updates but don't have OTA capability. For cybersecurity requirements, vehicles without software update capability or OTA functionality are also proposed to come under the framework from October 2029. This comprehensive approach ensures no vehicle is left unprotected against potential cyber threats.
Global alignment
AIS-189 aligns India's vehicle cybersecurity with global standards
AIS-189 brings India's regulatory framework in line with globally accepted practices on vehicle cybersecurity and software lifecycle management. The standard is expected to require automakers to set up structured cybersecurity governance, risk assessment processes, incident monitoring, and secure software update mechanisms throughout a vehicle's lifecycle. This move is likely to make cybersecurity a critical part of the automotive industry in India.