Your car is now a computer on wheels, and the Indian government wants to make sure no one can hack into it. The Ministry of Road Transport and Highways has published draft rules that would, for the first time, make cybersecurity and software update management mandatory for connected and autonomous vehicles in India.
What You Need to Know
- MoRTH proposes Rules 125-T (cybersecurity) and 125-U (software updates) under Central Motor Vehicles Rules, 1989
- Phase 1: Level 3+ autonomous vehicles must comply from October 2026 (new models) and April 2027 (existing models)
- Phase 2: OTA-enabled vehicles must comply between 2028-2029
- India aligns with UN regulations already in force in EU, Japan and South Korea
- Draft open for 30-day public comment before finalization
Why This Matters Now
As cars become increasingly software-driven, the threat of cyberattacks on vehicles has shifted from science fiction to a real concern. Modern vehicles can contain over 100 million lines of code, multiple electronic control units, and always-on internet connections. A compromised vehicle could mean anything from stolen driving data to remote control of critical systems.
Until now, India had no specific legal framework for vehicle cybersecurity. The proposed rules, published on June 29, 2026, add two new provisions to the Central Motor Vehicles Rules, 1989, bringing India in line with UN regulations already adopted in the European Union, Japan, and South Korea.
What the Rules Require
Rule 125-T covers vehicle cybersecurity. Any passenger vehicle, commercial vehicle, or tractor fitted with at least one electronic control unit (ECU) and meeting Level 3 automation or higher must comply with AIS-189, India's domestic cybersecurity standard. Manufacturers will need to maintain a Cyber Security Management System, a structured process for identifying and managing security risks across a vehicle lifecycle.
Rule 125-U covers software updates. It applies to an even broader range of vehicle categories and requires compliance with AIS-190. This governs how over-the-air (OTA) and workshop updates are validated, delivered, and tracked through a Software Update Management System.
Both AIS standards will remain in effect until the Bureau of Indian Standards issues its own formal specifications, at which point those will take over.
Phased Rollout Timeline
The government has proposed a gradual implementation schedule that gives manufacturers time to adapt:
- October 1, 2026: New models with Level 3+ automation must comply
- April 1, 2027: Existing models with Level 3+ automation must comply
- April-October 2028: OTA-capable vehicles begin compliance
- October 1, 2029: All vehicles with software update capability must comply
This phased approach targets the highest-risk vehicles first, with Level 3 autonomous systems like Mercedes-Benz Drive Pilot being the most vulnerable to cyber threats.
What This Means for Car Buyers
For the average car buyer, these rules mean stronger protection against potential cyber threats. Connected cars from Tata, Mahindra, Hyundai, and other manufacturers sold in India will now need certified cybersecurity management systems before they can be homologated.
The rules also ensure that OTA updates are delivered securely. This is particularly important as more manufacturers move to fix bugs, add features, and improve performance through wireless updates rather than dealership visits.
While compliance costs will ultimately be borne by manufacturers, the regulatory framework ensures these costs are not passed on to consumers as hidden vulnerabilities.
Aligning with Global Standards
India move mirrors UNECE WP.29 regulations already mandatory in Europe, Japan, and South Korea, which require automakers to obtain type approval for cybersecurity management systems and software update processes. This alignment is crucial for global automakers selling in India, as it means they can apply the same cybersecurity frameworks across markets rather than developing region-specific solutions.
Bottom Line
India proposed cybersecurity rules for connected vehicles mark a significant step forward for automotive safety in the digital age. With modern cars collecting more data and running more software than ever, these regulations ensure that the industry keeps pace with the evolving threat landscape.

