India Drafts Mandatory Cybersecurity, Software-Update Rules for Connected and Autonomous Vehicles

The Ministry of Road Transport and Highways has published draft rules that would, for the first time, make cybersecurity and software-update management legal requirements for certain categories of motor vehicles, moving the country toward a regulatory standard already in force across the European Union, Japan and South Korea.

The notification proposes inserting two new provisions—Rules 125-T and 125-U—into the Central Motor Vehicles Rules, 1989. The draft is open for public comment for 30 days before the government finalizes it.

What the rules require:

Rule 125-T covers cybersecurity. Any vehicle in categories M, N or T (passenger vehicles, goods vehicles and tractors) equipped with at least one electronic control unit, and category L7 vehicles with Level 3 automation or higher, will have to comply with AIS-189, India's domestic cybersecurity standard, and maintain what regulators call a Cyber Security Management System, a structured process for identifying and managing security risks across a vehicle's lifecycle.

Rule 125-U covers software updates. It applies to a broader set of categories—M, N, T, A and C—and requires compliance with AIS-190, which governs how software updates are delivered and tracked through a Software Update Management System.

Both standards will remain in effect only until the Bureau of Indian Standards issues its own formal specifications, at which point those will take over.

Catching up to a global baseline:

The move brings India in line with the United Nations framework, which already requires CSMS and SUMS certification for vehicle type approval in the EU, Japan and South Korea. Those markets have treated cybersecurity as a type-approval condition—not an optional feature—for several years.

A phased rollout that prioritizes risk:

Rather than applying uniformly, the rules will be phased in based on risk exposure. Vehicles with Level 3 automation and above face the earliest deadlines—October 2026 for new models and April 2027 for existing ones. Vehicles capable of over-the-air updates follow, with deadlines extending to April 2028 and October 2028. Every other vehicle with any form of software-update capability, whether OTA or not, falls under an October 2029 deadline.