The Ministry of Road Transport and Highways (MoRTH) has proposed new automotive cybersecurity and software update regulations to strengthen the safety and security of modern motor vehicles in India. The draft notification seeks to amend the Central Motor Vehicles Rules (CMVR), 1989 by introducing mandatory Cyber Security Management System (CSMS) and Software Update Management System (SUMS) requirements for specified categories of vehicles. The draft notification seeks to amend the Central Motor Vehicles Rules (CMVR), 1989 by introducing mandatory cybersecurity and software update management requirements for specified vehicle categories.
If approved, the proposal will introduce two new provisions—Rule 125-T and Rule 125-U—to strengthen protection against cyber threats and ensure secure software updates in connected vehicles.
Mandatory Cyber Security Management System (CSMS)
Under the proposed Rule 125-T, manufacturers will be required to establish a Cyber Security Management System (CSMS) in accordance with AIS-189. The framework covers cybersecurity governance, Threat Analysis and Risk Assessment (TARA), supplier cybersecurity management, vulnerability monitoring, incident response, security validation and penetration testing throughout the vehicle lifecycle.
The proposed rule will apply to:
- Category M, N, and T motor vehicles equipped with at least one Electronic Control Unit (ECU).
- L7 category vehicles with Level 3 automation or higher.
The AIS-189 standards will remain applicable until the Bureau of Indian Standards (BIS) issues corresponding national standards.
Software Update Management System (SUMS) Made Mandatory
The AIS-190 standard is not limited to Over-the-Air (OTA) updates. It establishes a complete Software Update Management System (SUMS) covering software configuration management, update approval, verification, traceability, rollback capability and cybersecurity protection for software updates delivered both through OTA and other approved methods.
Under this proposal, vehicles in categories M, N, T, A, and C must comply with AIS-190 standards for secure software updates.
These standards will continue to apply until official BIS specifications are notified.
Alignment with Global Standards
The proposed AIS-189 and AIS-190 standards are broadly aligned with internationally recognized UNECE R155 (Cybersecurity Management System) and UNECE R156 (Software Update Management System) regulations. The proposal represents a significant step toward harmonizing India’s automotive cybersecurity framework with global standards.
Phased Implementation Timeline
The proposed cybersecurity and software update regulations will be introduced in phases.
October 1, 2026
- New vehicle models with Level 3 automation and above.
April 1, 2027
- Existing vehicle models with Level 3 automation and above.
April 1, 2028
- New Over-the-Air (OTA) enabled vehicle models equipped with OTA-capable ECUs.
October 1, 2028
- Existing OTA-enabled vehicle models.
October 1, 2029
- All OTA-enabled vehicles.
- Vehicles that support software updates but do not have OTA capability.
- Vehicles without software update or OTA capability will also be required to comply with the Cyber Security Management System (CSMS) framework.
Government Invites Public Comments
The draft notification has been issued under Section 110 of the Motor Vehicles Act, 1988.
Before the rules are finalized, the Central Government has invited objections and suggestions from vehicle manufacturers, industry stakeholders, and the public.
Interested stakeholders can submit their comments within 30 days from the date the notification is published in the Gazette of India. The government will review all feedback before issuing the final regulations.
Why These Connected Vehicle Cybersecurity Rules Matter
Modern vehicles increasingly rely on electronic control units (ECUs), embedded software, wireless connectivity and software-defined vehicle technologies. As these systems become more advanced, they also create new cybersecurity risks. The proposed regulations aim to ensure that manufacturers build cybersecurity into the entire vehicle lifecycle rather than treating it as an optional feature.
If finalized, manufacturers will also be required to demonstrate cybersecurity governance, software update management, supplier cybersecurity controls, vulnerability monitoring and compliance during the vehicle type-approval process, significantly strengthening India’s automotive regulatory framework
The proposed Connected Vehicle Cybersecurity Rules in India aim to:
- Protect connected vehicles from cyber threats.
- Ensure secure software updates throughout a vehicle’s lifecycle.
- Improve road safety through stronger cybersecurity standards.
- Create a uniform regulatory framework for automobile manufacturers.
- Increase consumer confidence in connected and software-defined vehicles.
Once implemented, these regulations will establish India’s first comprehensive cybersecurity framework for connected vehicles and align the country’s automotive sector with global best practices.













