Government proposes mandatory vehicle cybersecurity, software update rules
Autocar Professional, 29 Jun '26
The Ministry of Road Transport and Highways has published draft rules that would, for the first time, make cybersecurity and software update management legal requirements for certain categories of motor vehicles. The proposed framework is similar to regulatory requirements already in force across the European Union, Japan and South Korea.
The notification proposes the insertion of two new provisions - Rules 125-T and 125-U - into the Central Motor Vehicles Rules, 1989. The draft has been opened for public consultation for 30 days before being finalised by the government.
What the rules require
Rule 125-T covers cybersecurity. Any vehicle in categories M, N or T (passenger vehicles, goods vehicles and tractors) equipped with at least one electronic control unit, as well as category L7 vehicles with Level 3 automation or higher, will be required to comply with AIS-189, India's domestic cybersecurity standard. These vehicles must also maintain a Cyber Security Management System (CSMS), a structured framework for identifying and managing security risks throughout a vehicle's lifecycle.
Rule 125-U covers software updates. It applies to a broader range of vehicle categories - M, N, T, A and C - and requires compliance with AIS-190, which governs the delivery and tracking of software updates through a Software Update Management System (SUMS).
Both standards will remain in force until the Bureau of Indian Standards issues its own formal specifications, at which point those specifications will supersede AIS-189 and AIS-190.
International regulatory framework
The proposed measures reflect requirements contained in the United Nations framework, which already requires CSMS and SUMS certification for vehicle type approval in the European Union, Japan and South Korea. In these markets, cybersecurity has been a mandatory type-approval requirement for several years.
A phased implementation approach
The rules will be introduced in phases based on risk exposure rather than being applied uniformly. Vehicles with Level 3 automation and above will face the earliest compliance deadlines, with requirements taking effect from October 1st, 2026, for new models and April 1st, 2027, for existing models.
Vehicles capable of receiving over-the-air (OTA) updates will follow, with compliance deadlines extending to April 1st, 2028, and October 1st, 2028. All other vehicles equipped with any form of software update capability, whether OTA-enabled or otherwise, will be required to comply by October 1st, 2029.