PrepLiberty.
Science & Technology · June 30, 2026

Cybersecurity rules proposed for smart vehicles to prevent malware risks



What Happened

  • The Ministry of Road Transport and Highways (MoRTH) has proposed draft rules introducing mandatory cybersecurity and software update management requirements for connected and autonomous vehicles sold in India.
  • The proposed framework introduces two new rules — Rule 125-T (Cybersecurity Management System) and Rule 125-U (Software Update Management System) — to the Central Motor Vehicles Rules, 1989.
  • Manufacturers will be required to comply with AIS-189, India's automotive cybersecurity standard, by establishing a certified Cyber Security Management System (CSMS) covering the entire vehicle lifecycle.
  • Rule 125-T applies to passenger vehicles (Category M), goods vehicles (Category N), tractors (Category T) equipped with at least one Electronic Control Unit (ECU), and Category L7 vehicles with Level 3 or higher automated driving capability.
  • The Ministry invited public comments on the draft for 30 days before finalising the regulations, consistent with the pre-legislative consultation policy.
  • New vehicle type compliance is mandated from October 1, 2026, with existing vehicle types required to comply from April 1, 2027; OTA-capable vehicles have staggered deadlines extending to 2028–2029.

Static Topic Bridges

India's Automotive Cybersecurity Standard: AIS-189 and AIS-190

AIS-189 is India's national automotive cybersecurity standard, developed by the Automotive Industry Standards Committee (AISC) — a joint body of MoRTH and the Automotive Research Association of India (ARAI). It is modelled on UNECE Regulation No. 155 (UN R155), the international standard on Cyber Security Management Systems for vehicles. AIS-190 is the parallel standard governing Software Update Management Systems (SUMS), mirroring UNECE R156.

  • AIS-189: India's CSMS standard, aligned with UN R155; mandates certified cybersecurity management across the full vehicle lifecycle — design, development, production, post-production threat monitoring, and incident response.
  • AIS-190: India's SUMS standard, aligned with UN R156; governs how software updates (including Over-The-Air updates) are managed and validated.
  • AISC (Automotive Industry Standards Committee): Joint body of MoRTH and ARAI responsible for developing AIS standards; ARAI and ICAT (International Centre for Automotive Technology) are designated testing and certification agencies.
  • International alignment: The EU, Japan, and South Korea already mandate UN R155/R156; India's framework brings the country into this global regulatory harmonisation.
  • AIS-189 effective from October 1, 2025 for new vehicle types; October 1, 2028 for all vehicle types (existing models).

Connection to this news: The proposed Rules 125-T and 125-U embed AIS-189 and AIS-190 compliance as legal mandates under the Central Motor Vehicles Rules, giving them the force of law beyond a voluntary industry standard.


Connected Vehicles and Cybersecurity Threat Landscape

A "connected vehicle" (also called a "smart vehicle") is one equipped with internet connectivity, Electronic Control Units (ECUs), vehicle-to-everything (V2X) communication capability, or OTA software update functionality. These vehicles are exposed to cyberattacks that can compromise safety-critical systems — including braking, steering, engine control, and navigation.

  • Electronic Control Unit (ECU): The onboard computer that controls vehicle functions; modern vehicles can contain 70–100+ ECUs.
  • Threat vectors include: remote exploitation via OTA update channels, infotainment system intrusion, V2X communication spoofing, GPS jamming, and malware injection through diagnostic ports.
  • Level 3 automated driving: SAE Level 3 indicates "conditional automation", where the system handles all aspects of driving in defined conditions but requires human takeover on request. Vehicles at Level 3 and above are specifically covered by Rule 125-T due to heightened risk.
  • National security dimension: Connected vehicle data (location, passenger patterns, infrastructure mapping) constitutes sensitive data; foreign-manufactured vehicles collecting such data at scale pose intelligence and critical infrastructure risks.

Connection to this news: The proposed rules directly respond to the malware and remote-exploit risks inherent in connected vehicles — mandating that manufacturers implement a systematic CSMS rather than treating cybersecurity as optional or post-market.


Regulatory Framework: MoRTH, CMVR, and ARAI

Vehicle safety standards in India are governed through the Central Motor Vehicles Rules (CMVR), 1989, framed under the Motor Vehicles Act, 1988. MoRTH is the nodal ministry. Technical standards are developed by ARAI (Pune) and ICAT (Manesar), which function as designated testing agencies under the CMVR framework.

  • Motor Vehicles Act, 1988: Parent legislation for vehicle standards; Section 110 empowers the Central Government to make rules prescribing standards for vehicle construction, equipment, and maintenance — the basis for CMVR amendments.
  • CMVR, 1989: The operative rules that set mandatory technical standards; new Rules 125-T and 125-U are proposed additions.
  • ARAI (Automotive Research Association of India), Pune: India's premier automotive R&D and testing body; handles CSMS certification.
  • ICAT (International Centre for Automotive Technology), Manesar: Second designated testing agency for type approval.
  • Pre-legislative consultation: India's pre-legislative consultation policy (2014) requires ministries to publish draft Bills and rules for public comment for 30 days — the MoRTH process here follows this requirement.

Connection to this news: The proposed rules amend the CMVR framework, making cybersecurity compliance a type-approval requirement — meaning vehicles cannot be sold in India without demonstrating CSMS certification, similar to how crash safety standards work today.


India's Broader Cybersecurity Governance Architecture

Vehicle cybersecurity sits within India's broader cybersecurity policy framework. CERT-In (Indian Computer Emergency Response Team), established under Section 70B of the Information Technology Act, 2000, is India's nodal agency for cybersecurity incidents. The National Cybersecurity Policy 2013 and the proposed National Cybersecurity Policy 2020 (draft) provide the overarching framework; sectoral regulators (MoRTH for vehicles, RBI for banking, TRAI for telecom) implement sector-specific rules within it.

  • CERT-In: Nodal cybersecurity response agency under MeitY; operates under IT Act Section 70B; issues mandatory directions on incident reporting (amended April 2022, requiring organisations to report incidents within 6 hours).
  • IT Act, 2000 Section 66: Penalises hacking and unauthorised access — applicable to vehicle cyberattacks once rules are in place.
  • National Critical Information Infrastructure Protection Centre (NCIIPC): Under NTRO; protects critical information infrastructure including connected transport networks.
  • Critical Information Infrastructure: Defined under IT Act Section 70 — any computer resource whose incapacitation would have a debilitating impact on national security, economy, public health, or safety.

Connection to this news: The vehicle cybersecurity rules create a domain-specific regulatory layer under MoRTH that complements CERT-In's general mandate — recognising that connected vehicle networks, at scale, constitute potential critical infrastructure.

Key Facts & Data

  • AIS-189: India's vehicle CSMS standard, aligned with UNECE R155; effective for new vehicle types from October 1, 2025.
  • AIS-190: India's SUMS standard, aligned with UNECE R156; governs OTA and conventional software update management.
  • Rule 125-T (Cybersecurity) and Rule 125-U (Software Updates): proposed additions to Central Motor Vehicles Rules, 1989.
  • Applies to Category M (passenger), N (goods), T (tractors with ECU), L7 (Level 3+ automated driving).
  • Compliance timeline: New models — October 1, 2026; existing models — April 1, 2027; OTA-capable new models — April 2028; OTA-capable existing models — October 2028; all software-updateable vehicles — October 2029.
  • ARAI (Pune) and ICAT (Manesar): designated certification and type-approval agencies.
  • Motor Vehicles Act, 1988 Section 110: empowers Central Government to set vehicle construction and equipment standards.
  • CERT-In operates under IT Act Section 70B; mandates 6-hour incident reporting (2022 amendment).
  • India follows its global peers, the EU, Japan, and South Korea, in adopting UNECE R155/R156-aligned frameworks.