MoRTH Proposes Mandatory Cybersecurity Standards for Connected and Automated Vehicles

The Ministry of Road Transport and Highways (MoRTH) has released draft rules aimed at fortifying the cybersecurity of India’s evolving automotive landscape. By introducing new provisions—Rules 125-T and 125-U—the government intends to mandate strict cybersecurity and software-update management systems for various vehicle categories. This move aligns India with international standards currently enforced in the European Union, Japan, and South Korea.

Rule 125-T requires compliance with AIS-189, necessitating a robust Cyber Security Management System for vehicles equipped with electronic control units, as well as L7 vehicles with Level 3 automation. Simultaneously, Rule 125-U mandates compliance with AIS-190, which governs the secure delivery of software updates through a centralized management system. These rules apply to a wide range of categories, including M, N, T, A, and C, ensuring comprehensive coverage across the automotive spectrum.

The draft rules are currently open for public comment for 30 days. A phased rollout is planned, with the first major deadline set for October 2026, specifically targeting new vehicle models featuring Level 3 automation or higher. This regulatory shift is a critical step in protecting connected vehicles from potential digital threats, ensuring that as India’s roads become more technologically advanced, they remain secure against the growing risks of cyberattacks and unauthorized software interference.