India Proposes Mandatory Cybersecurity Rules for Smart Vehicles
NEW DELHI: The Ministry of Road Transport and Highways has released draft rules that would make cybersecurity and software update management mandatory for certain categories of vehicles in India. The proposal, open for public comment, targets vehicles with advanced automated driving capabilities and those capable of receiving over-the-air (OTA) updates.
Under the draft rules, compliance with cybersecurity standards and a cybersecurity management system would be required for new models of vehicles equipped with Level-3 or higher automated driving systems from October 2025. Existing models with such automation must comply by April 2026. Vehicles with OTA update capability will need to meet the norms between April and October 2028, with all other vehicles having software update capability required to comply by October 2029.
Level-3 automation allows the vehicle to handle all driving functions under certain conditions, but the driver must be ready to take control when requested. Examples of such vehicles include the Mercedes Benz S-Class, Audi A8, and BMW 7 Series.
The proposed rules mandate adherence to two Automotive Industry Standards (AIS): AIS 189, which outlines cybersecurity frameworks to protect connected and autonomous vehicles from digital attacks, hacking, and remote tampering; and AIS 190, which defines secure software update management systems (SUMS) to ensure all OTA and manual updates are safe, traceable, and protected from cyber threats.
OTA updates allow wireless delivery of software improvements, bug fixes, and new features to vehicles via cellular networks or Wi-Fi, similar to smartphone updates, eliminating the need for dealership visits.
The ministry stated that the proposed regulations align India with the UN regulatory framework already adopted in the European Union, Japan, and South Korea, where cybersecurity and software update management are mandatory for vehicle type approval. The draft rules aim to enhance vehicle safety and security in an era of increasing digital connectivity.