tatamahindra

India's Connected Car Cybersecurity Rules Arrive: Overdue, Not Optional

Tata Sierra
Image: Autocar India / Tata Motors Press Kit

The Ministry of Road Transport and Highways has published draft rules that would, for the first time, make cybersecurity and software-update management mandatory for connected motor vehicles in India. The notification proposes two new provisions under the Central Motor Vehicles Rules, 1989, opens a 30-day public comment window, and targets phased implementation from October 2026.

Share

What was announced

MoRTH's draft notification, dated 29 June 2026, proposes adding Rules 125-T and 125-U to the Central Motor Vehicles Rules, 1989. Rule 125-T covers vehicle cybersecurity and requires eligible vehicles to comply with AIS-189, India's cybersecurity standard. Rule 125-U mandates compliance with AIS-190 for software-update management systems, covering how manufacturers validate, deliver and record over-the-air and workshop updates.

Until this draft, your connected Tata or Mahindra was a rolling computer on a public network governed only by the manufacturer's good intentions.

Both AIS standards will remain in force as interim norms until the Bureau of Indian Standards issues its own specifications, at which point the BIS versions take over. The draft is open for public comments for 30 days before being finalised, with phased implementation beginning in October 2026. The cybersecurity rules will apply to passenger vehicles in the first phase, with broader categories expected to be folded in subsequently.

The move aligns India with vehicle regulations already in force across the EU, Japan and South Korea, which mandate UNECE R155 (cybersecurity) and R156 (software updates) for type approval of new connected vehicles. In practice, that means every connected passenger car sold in India, EVs and ICE alike, from the Tata Nexon and Harrier EV to the Mahindra BE6, XUV 3XO and Nissan Magnite's connected variants, will need certified cybersecurity management systems, documented threat assessments, and an auditable OTA pipeline before the homologation stamp lands. OEMs without mature software organisations face the steepest lift; those already exporting to Europe or running in-house software stacks are closest to compliant.

The Car Jury verdict

This is overdue. Every new Tata, Mahindra and Hyundai launch ships with an embedded SIM, an app, and over-the-air update plumbing. Until now, none of it was governed by Indian law. A connected Harrier EV, Curvv EV or Mahindra BE6 is effectively a rolling computer on a public network, and the manufacturer's word was the only assurance buyers had that it could not be hijacked or silently downgraded via a bad OTA push.

Aligning with UNECE-style norms followed in the EU, Japan and South Korea is the right call, and tying it to AIS-189 and AIS-190 until BIS publishes its own standard avoids a regulatory vacuum. Buyers eyeing a Tata Harrier EV, Curvv EV or Mahindra BE6 get nothing to fear here and a great deal to gain. The cost burden lands on OEMs, where it belongs.

Share
Tags
tatamahindra