- India Vehicle Cybersecurity Rules introduce phased compliance.
- AIS standards strengthen software update governance.
India is preparing to strengthen automotive cybersecurity and software management through proposed amendments to the Central Motor Vehicles Rules, 1989. On June 17, the Ministry of Road Transport and Highways released draft regulations introducing mandatory compliance requirements for vehicle cybersecurity and software update management. The proposal establishes two new provisions—Rule 125-T and Rule 125-U—which reference AIS-189 for Cyber Security and Cyber Security Management Systems (CSMS) and AIS-190 for Software Updates and Software Update Management Systems (SUMS). Interested stakeholders have 30 days from the gazette publication date to submit objections or suggestions before the regulations are finalized.
New Rules Introduce Mandatory Cybersecurity and Software Update Compliance
The draft amendments create Rule 125-T to regulate Cyber Security and Cyber Security Management Systems under AIS-189, while Rule 125-U introduces Software Update and Software Update Management System requirements under AIS-190. These provisions are intended to establish a structured framework for cybersecurity governance and secure software lifecycle management across eligible vehicles sold in India. Vehicle manufacturers will be expected to ensure that their electronic architectures and software management processes comply with the applicable Automotive Industry Standards as part of future type approval requirements.
Vehicle Categories and Implementation Timeline
The proposed framework applies to motor vehicles classified under categories M, N and T, covering passenger cars, commercial vehicles and tractors. Additionally, categories A and C are included under the Software Update Management System requirements. Compliance will be introduced through a phased schedule to provide manufacturers with sufficient preparation time while ensuring that increasingly connected and software-driven vehicles meet standardized cybersecurity and software update requirements.
Proposed Compliance Schedule
The implementation timeline varies according to vehicle capability and model status, beginning with highly automated vehicles before expanding to OTA-enabled and eventually all applicable vehicles.
Proposed implementation timeline
| Vehicle Category | Implementation Timeline |
|---|---|
| Level 3 automation and above - New Models | October 1, 2026 |
| Level 3 automation and above - Existing Models | April 1, 2027 |
| OTA-enabled vehicles - New Models | April 1, 2028 |
| OTA-enabled vehicles - Existing Models | October 1, 2028 |
| All applicable vehicles | October 1, 2029 |
Technical Scope of AIS-189 and AIS-190
The proposed regulations require original equipment manufacturers to align vehicle electronic architectures with AIS-189 and AIS-190. AIS-189 establishes requirements for Cyber Security Management Systems, while AIS-190 governs Software Update Management Systems and over-the-air software update protocols. The cybersecurity provisions apply to any vehicle equipped with at least one Electronic Control Unit (ECU). Meanwhile, the SUMS framework also covers software-update-capable vehicle platforms even if they do not support over-the-air updates, ensuring comprehensive software governance across connected vehicle ecosystems.
Transition Until BIS Standards Are Notified
The proposed requirements will remain applicable until corresponding specifications are formally notified by the Bureau of Indian Standards under the BIS Act, 2016. This transitional approach ensures that cybersecurity and software update management obligations remain enforceable while national standards continue to evolve. By referencing AIS-189 and AIS-190, the draft amendments establish a structured regulatory pathway for improving cybersecurity resilience and secure software management throughout the automotive sector.
Frequently Asked Questions
What are Rule 125-T and Rule 125-U?
Rule 125-T introduces mandatory Cyber Security Management System requirements under AIS-189, while Rule 125-U establishes Software Update Management System requirements under AIS-190 for eligible vehicles sold in India. Together, these draft provisions aim to strengthen vehicle cybersecurity, standardize software update management, and establish regulatory requirements for manufacturers developing connected and software-driven vehicles under the proposed amendments to the Central Motor Vehicles Rules, 1989.
Which vehicles are covered under the proposed regulations?
The draft rules apply to motor vehicles in categories M, N and T, while categories A and C are included under the Software Update Management System requirements specified in the proposed amendments. The implementation will occur in phases based on vehicle capability, beginning with Level 3 automated vehicles, followed by OTA-enabled vehicles, and ultimately extending to all applicable vehicles according to the announced compliance schedule.
When will the proposed cybersecurity requirements become effective?
The phased implementation begins on October 1, 2026 for new Level 3 automated vehicle models, with later milestones extending through October 1, 2029 for all applicable vehicles covered by the draft rules. The proposed requirements will remain applicable until equivalent Bureau of Indian Standards specifications are officially notified under the BIS Act, 2016, after completion of the public consultation process.
Click above to visit the official source.
Discussion
Join the conversation.