The Ministry of Road Transport and Highways (MoRTH) has published draft rules that would, for the first time, make cybersecurity and software update management mandatory for certain categories of motor vehicles in India. The proposed regulations introduce two new provisions under the Central Motor Vehicles Rules, 1989, and are open for public comments for 30 days before being finalised.
- New rules introduce mandatory cybersecurity and software update standards
- New standards to remain in force until BIS issues its own norms
- India aligns with vehicle regulations followed in the EU, Japan and South Korea
New cybersecurity and software update rules proposed
The draft notification proposes adding Rules 125-T and 125-U to the Central Motor Vehicles Rules, 1989. Rule 125-T covers vehicle cybersecurity and requires eligible vehicles to comply with AIS-189, India’s cybersecurity standard, while Rule 125-U mandates compliance with AIS-190 for software updates. Both standards will remain in force until the Bureau of Indian Standards (BIS) issues its own specifications, at which point those will take over.
The cybersecurity rules will apply to passenger vehicles, commercial vehicles and tractors equipped with at least one electronic control unit (ECU), as well as quadricycles with Level 3 or higher automated driving capability. The software update requirements will cover a wider range of vehicles, including passenger vehicles, commercial vehicles, trailers and semi-trailers.
Rollout to be phased until 2029
Rather than applying the rules to all vehicles at once, MoRTH has proposed a phased rollout based on risk exposure. Vehicles with Level 3 or higher automated driving systems will be the first to comply, with deadlines beginning in October 2026 for new models and April 2027 for existing ones. Vehicles capable of receiving over-the-air (OTA) software updates will be next, between April and October 2028, followed by all other vehicles with software update capability from October 2029.
India moves closer to global regulations
According to the draft notification, the proposed rules align India with the United Nations regulatory framework already adopted in markets such as the European Union, Japan and South Korea, where cybersecurity and software update management are mandatory requirements for vehicle type approval.
Dipan Sur
Saptarshi Mondal
Ajit Dalvi
Viraaj Bhatnagar
