With the SDV (software defined vehicle) megatrend gaining traction, India is preparing to take security measures to enhance the security quotient of automobiles made in the country.The Ministry of Road Transport and Highways (MoRTH) has issued a draft notification (dated June 22) proposing to mandate automotive cybersecurity and software update management requirements under AIS-189, marking a significant step towards strengthening cyber resilience in India’s connected vehicle ecosystem.The draft amendment to the Central Motor Vehicles Rules, 1989, introduces two new provisions—Rule 125-T covering Cyber Security and Cyber Security Management Systems (CSMS), and Rule 125-U covering Software Updates and Software Update Management Systems (SUMS).The regulations will apply across vehicle categories M (passenger vehicles), N (goods carriers), T (trailers). And, in the case of Software Updates and SUMS, also agricultural and construction machinery categories, in a phased manner.Under the proposal, vehicles equipped with at least one electronic control unit (ECU) and compliant with AIS-189 will be required to implement cybersecurity and software update management systems in line with the standard, with corresponding BIS specifications to be notified separately.The implementation roadmap begins with Level 3 and above automated vehicles, for which compliance will become mandatory from October 1, 2026 for new models and April 1, 2027 for existing models.The second phase covers OTA-enabled vehicles with OTA-capable ECUs, excluding infotainment systems and tracking devices. These vehicles will need to comply from April 1, 2028 for new models and October 1, 2028 for existing models.
Aligning with global best practices
From October 1, 2029, the mandate will be expanded to all OTA-enabled vehicles. The same date has also been proposed for vehicles that support software updates but do not offer OTA capability. For cybersecurity requirements, vehicles without software update capability or OTA functionality are also proposed to come under the framework from October 2029.AIS-189 aligns India’s regulatory framework with globally accepted practices on vehicle cybersecurity and software lifecycle management, at a time when connected vehicles, over-the-air updates and software-defined architectures are becoming mainstream.The standard is expected to require automakers to establish structured cybersecurity governance, risk assessment processes, incident monitoring and secure software update mechanisms throughout a vehicle’s lifecycle.The ministry has invited comments and objections from stakeholders within 30 days from the publication of the draft notification in the Gazette, following which the rules may be finalised.The move is aimed to accelerate preparedness among vehicle OEMs, suppliers, and software developers as cybersecurity transitions from a product feature to a regulatory requirement in India’s automotive industry.
