MoRTH Proposes Mandatory Cybersecurity and Software Update Rules for Connected Vehicles in India
The Ministry of Road Transport and Highways has proposed new rules requiring connected and software-enabled vehicles to comply with cybersecurity and software update management standards.
MoRTH Proposes Mandatory Cybersecurity and Software Update Rules for Connected Vehicles in India
The Ministry of Road Transport and Highways (MoRTH) has issued a draft notification proposing amendments to the Central Motor Vehicles Rules (CMVR), 1989 to introduce mandatory cybersecurity and software update requirements for motor vehicles in India. The draft was published on June 17, 2026, and has been released for public comments before being finalised.
Also read: Tata Sierra EV India Launch Tomorrow: Here's What To Expect
New rules for cybersecurity and software updates
The proposed amendments introduce two new provisions under the CMVR:
- Rule 125-T, which covers Cybersecurity and Cybersecurity Management Systems (CSMS)
- Rule 125-U, which covers Software Update and Software Update Management Systems (SUMS)
These rules will require vehicle manufacturers to comply with the technical requirements specified under AIS-189 for cybersecurity and AIS-190 for software update management until corresponding Bureau of Indian Standards (BIS) specifications are notified.
Phased implementation plan
According to the draft notification, the implementation will take place in phases based on vehicle type and capability.
Vehicles equipped with Level 3 or higher automation will have to comply from October 1, 2026 for new models and April 1, 2027 for existing models.
For OTA-enabled vehicles (excluding infotainment systems and tracking device ECUs), compliance will begin from April 1, 2028 for new models and October 1, 2028 for existing models.
From October 1, 2029, the requirements will extend to all OTA-enabled vehicles as well as vehicles receiving software updates, including those without OTA capability.
Vehicle categories covered
The proposed cybersecurity rules apply to Category M, N and T vehicles fitted with at least one electronic control unit (ECU) and Level 3 automation.
The software update management requirements cover Category M, N, T, A and C vehicles, bringing a wider range of vehicle segments under the proposed framework.
Public consultation underway
The ministry has invited objections and suggestions from stakeholders. Comments can be submitted within 30 days from the date the draft notification was made available to the public, after which the government will review the feedback before notifying the final rules.
Elctrik Speaks
As vehicles become increasingly software-driven and connected, cybersecurity and software update management are becoming part of vehicle safety requirements rather than optional features. The proposed rules indicate that India is aligning its regulatory framework with global practices by introducing defined compliance standards for connected vehicle technologies.