The Ministry of Road Transport and Highways (MoRTH) has published groundbreaking draft rules that introduce legally binding cybersecurity and software-update management requirements for motor vehicles in India. By introducing Rules 125-T and 125-U into the Central Motor Vehicles Rules, 1989, India is aligning its automotive regulatory framework with global benchmarks established by the United Nations and currently enforced in the European Union, Japan, and South Korea.
The draft is open for public feedback for 30 days before being finalized into law.
The Core Mandates
The regulation establishes a dual-layered baseline for digital vehicle safety, ensuring connected and autonomous vehicles are secure across their entire functional lifecycle.
1. Rule 125-T: Vehicle Cybersecurity
This rule requires manufacturers to establish a comprehensive Cyber Security Management System (CSMS) to identify, evaluate, and mitigate digital threats throughout the life of the vehicle.
-
Standard Compliance: Must conform to domestic automotive standard AIS-189 (derived from the global UN R155 protocol).
-
Applicability: Vehicles in categories M (passenger vehicles), N (goods carriers), and T (tractors) that feature at least one Electronic Control Unit (ECU). It also covers category L7 (quadricycles) equipped with Level 3 automation or higher.
2. Rule 125-U: Software Update Management Systems (SUMS)
This rule mandates a secure system for tracking and deploying software patches, ensuring that remote modifications do not introduce safety risks or compromise vehicle type approval.
-
Standard Compliance: Must conform to AIS-190 (derived from the global UN R156 protocol).
-
Applicability: Applies to a broader array of vehicle classifications, covering categories M, N, T, A, and C. It outlines rigid infrastructure protocols for Over-The-Air (OTA) distribution channels, including mandatory cryptographic signatures, installation verification, and fail-safe rollback systems.
Note: Both AIS-189 and AIS-190 standards will act as interim regulations until the Bureau of Indian Standards (BIS) issues its own final, formal specifications.
Phased Implementation Timelines
Rather than executing a blanket rollout, the government is adopting a risk-prioritized deployment schedule. Vehicles presenting the highest digital risk exposure face the tightest deadlines.
| Vehicle Profile / Technology | New Vehicle Models Deadline | Existing Vehicle Models Deadline |
| Level 3 Automation & Above | October 2026 | April 2027 |
| Over-The-Air (OTA) Update Capability | April 2028 | October 2028 |
| All Other Software-Update Capable Vehicles | — | October 2029 |
Why This Matters
Historically, cybersecurity has been treated as an optional feature by many global automobile manufacturers. This draft transforms digital security into a strict condition for type approval in India. For major Indian testing agencies like the Automotive Research Association of India (ARAI) and iCAT, these rules mean they will act as the direct technical service and approval authority, auditing automakers heavily before any compliant connected car can roll out onto domestic roads.

