India mandates cybersecurity rules for smart vehicles to prevent hijacking risks
The Indian government has taken a significant step to address emerging cybersecurity threats in the automotive sector. The Ministry of Road Transport and Highways has proposed draft rules that would make cybersecurity and software update management mandatory for vehicles equipped with advanced electronic systems. This move comes as vehicles become increasingly reliant on software for critical functions, raising concerns about potential remote hijacking and malware attacks.
The proposed regulations apply to passenger and commercial vehicles, as well as tractors, that have at least one electronic control unit (ECU) with Level-3 or higher automated driving capability. Under the timeline outlined, compliance with cybersecurity management systems will be mandatory for new vehicle models featuring Level-3 automation and above—such as the Mercedes-Benz S-Class, Audi A8, and BMW 7 Series—from October 2025. Existing models will have until April 2026 to comply.
Vehicles capable of receiving over-the-air (OTA) software updates will face separate deadlines. OTA technology allows wireless delivery of software or firmware updates via cellular networks or Wi-Fi, similar to smartphone updates, eliminating the need for dealership visits. The ministry has proposed that OTA-equipped vehicles meet standards between April and October 2028, with all other software-update-capable vehicles following by October 2029.
The government is also developing strategies to address risks associated with remote control of battery and electric vehicles. Officials have emphasized the need for secure coding in battery management systems, which monitor and manage battery pack health. Vehicle manufacturers will be responsible for implementing these security measures.
These rules are part of a broader effort to safeguard India's rapidly evolving automotive landscape. As vehicles become more connected and autonomous, the potential for cyber threats grows, and the government aims to preemptively address these challenges. The draft rules are open for public feedback before finalisation.