India Mandates Cybersecurity & Software Update Rules for Connected Vehicles: MoRTH Issues New Draft

India has drafted new vehicle cybersecurity rules and software-update management norms for connected and autonomous vehicles, marking a major policy step for cars, two-wheelers, commercial vehicles, tractors, and future mobility platforms that depend on software. The draft framework is centred around AIS-189 cybersecurity and AIS-190 software update management, with a phased rollout expected from October 2026 and OTA-enabled vehicles expected to comply by 2029.

What you need to know

• AIS-189 focuses on vehicle cybersecurity management.

• AIS-190 focuses on software-update management, including OTA updates.

• The rollout is reported as phased, starting from October 2026.

• OTA-enabled vehicles are expected to comply by 2029.

• The rules are still draft/proposed in the current source context, so final wording may change.

Why cyber and OTA rules matter

Modern vehicles are no longer only mechanical products. Infotainment systems, telematics, connected apps, ADAS features, battery management software, and over-the-air updates all create new safety and security responsibilities. A badly managed update can affect reliability, while weak cybersecurity can expose vehicle systems and user data to risk.

For buyers, the practical benefit is simple: connected vehicles should receive safer software updates, clearer update-management processes, and stronger protection against digital vulnerabilities. For manufacturers, the draft rules could require more formal cybersecurity testing, documentation, and lifecycle monitoring.

Draft rollout timeline

Which vehicles could be affected?

The draft framework is relevant to vehicles that use connected systems, remote diagnostics, telematics, software-defined features, OTA updates, or autonomous/assisted-driving technologies. That can include connected passenger cars, electric two-wheelers, commercial vehicles, tractors, and future autonomous platforms, depending on the final applicability wording.

What it means for Indian buyers

For Indian buyers, cybersecurity may soon become part of the ownership conversation, just like crash safety, battery warranty, and service support. A vehicle with OTA capability needs reliable update delivery, clear rollback protection, and a manufacturer that can respond to security issues after sale. The draft rules push the industry toward treating software safety as a long-term responsibility rather than a one-time feature launch.

FAQs

Are India's vehicle cybersecurity rules final?

In the current source context, the rules are draft/proposed. Final notification and exact compliance wording should be watched separately.

What is AIS-189?

AIS-189 is the proposed cybersecurity management standard referenced for connected and software-heavy vehicles.

What is AIS-190?

AIS-190 is the proposed software-update management standard, including requirements relevant to OTA-enabled vehicles.

Will these rules affect electric vehicles?

They are especially relevant to EVs with connected apps, OTA updates, battery-management software, and remote diagnostics, though final applicability will depend on the official rule text.

The draft vehicle cybersecurity and OTA update rules show that India's auto regulations are moving toward the software-defined vehicle era. The important next step is the final notification, because that will confirm exact timelines, affected categories, and manufacturer responsibilities.