- The Ministry of Road Transport proposes cybersecurity rules for motor vehicles in India
- Rules 125-T and 125-U require compliance with AIS-189 and AIS-190 cybersecurity standards
- Rules apply to various vehicle categories including automated and software-update capable models
The Ministry of Road Transport and Highways has published draft rules that would, for the first time, make cybersecurity and software-update management legal requirements for certain categories of motor vehicles, moving the country toward a regulatory standard already in force across the European Union, Japan, and South Korea.
The notification proposes inserting two new provisions, Rules 125-T and 125-U, into the Central Motor Vehicles Rules, 1989. The draft is open for public comment for 30 days before the government finalizes it.
Also Read: Hero Passion Plus Gets New Disc Brake Variant; Check Price
What the rules require:
Rule 125-T covers cybersecurity. Any vehicle in categories M, N or T (passenger vehicles, goods vehicles and tractors) equipped with at least one electronic control unit, and category L7 vehicles with Level 3 automation or higher, will have to comply with AIS-189, India's domestic cybersecurity standard, and maintain what regulators call a Cyber Security Management System, a structured process for identifying and managing security risks across a vehicle's lifecycle.
Also Read: Delhi Woman Drives Porsche In Indian Attire, Internet Calls Her A 'Desi Baddie'
Rule 125-U covers software updates. It applies to a broader set of categories: M, N, T, A, and C, and requires compliance with AIS-190, which governs how software updates are delivered and tracked through a Software Update Management System. Both standards will remain in effect only until the Bureau of Indian Standards issues its own formal specifications, at which point those will take over.
Also Read: Unregistered Mahindra SUV Crashes On Purchase Day, Dealer Ordered To Pay Rs 3 Lakh
Catching up to a global baseline:
The move brings India in line with the United Nations framework, which already requires CSMS and SUMS certification for vehicle type approval in the EU, Japan, and South Korea. Those markets have treated cybersecurity as a type-approval condition, not an optional feature, for several years.
A phased rollout that prioritizes risk:
Rather than applying uniformly, the rules will be phased in based on risk exposure. Vehicles with Level 3 automation and above face the earliest deadlines, October 2026 for new models and April 2027 for existing ones. Vehicles capable of over-the-air updates follow, with deadlines extending to April 2028 and October 2028. Every other vehicle with any form of software update capability, whether OTA or not, falls under an October 2029 deadline.