Sign in Subscribe
4 min read Automobile Cybersecurity

India's AIS 189: The Cybersecurity Deadline Reshaping the Automotive Industry

Share
India's AIS 189: The Cybersecurity Deadline Reshaping the Automotive Industry

India's first mandatory vehicle cybersecurity standard arrives in 2027 — modelled on the same framework that reshaped European automakers. Most OEMs and vendors are not ready. The window to act is closing.

A regulatory milestone in the world's third-largest auto market

India is home to one of the largest and fastest-growing automotive markets on the planet. For decades, regulatory focus has centred on emissions, crash safety, and fuel efficiency. That picture is changing. With vehicles becoming complex, networked computers on wheels — connected to cloud platforms, running OTA software updates, and interfacing with smartphones — cybersecurity is no longer optional. It is becoming law.

AIS 189, formally the Automotive Industry Standard on Cybersecurity and Cybersecurity Management Systems, is India's answer. Introduced by the Automotive Industry Standards Committee (AISC) under the Ministry of Road Transport and Highways (MoRTH), it is the country's first mandatory regulatory framework for vehicle cybersecurity.

Compliance Timeline

2024–2025 — Preparation phase
OEMs begin building CSMS governance structures and integrating cybersecurity processes into development and supplier management pipelines.

October 2027 — New model enforcement begins
AIS 189 compliance becomes a type-approval prerequisite for all entirely new vehicle models entering the Indian market. No new model launches without cybersecurity certification.

October 2028 — Full market compliance
All passenger vehicles sold in India — including carry-over models — must demonstrate full AIS 189 compliance. The window for exemptions closes entirely.

What AIS 189 Actually Mandates

The regulation takes a holistic, lifecycle approach to cybersecurity — from vehicle design and development through production, sale, and long-term post-market support. OEMs must demonstrate compliance across four core pillars:

1. Threat Analysis and Risk Assessment (TARA)
A comprehensive, India-market-specific risk assessment that identifies and evaluates cybersecurity threats across the vehicle's entire lifecycle.

2. Cybersecurity Management System (CSMS)
The operational backbone of compliance — a structured system governing how an OEM manages cybersecurity risks across products, processes, and supply chains. Every OEM operating in India will need a working CSMS before enforcement begins. Working, not planned. Implemented, not scoped.

3. Software Update Management System (SUMS)
Covers how OEMs manage and secure over-the-air (OTA) software updates throughout a vehicle's life — ensuring updates cannot be weaponised or tampered with.

4. Supply Chain Security and Penetration Testing
Extends cybersecurity obligations beyond the OEM to Tier 1 and Tier 2 suppliers. Requires rigorous penetration testing before any vehicle is approved for sale.

Beyond process requirements, AIS 189 mandates technical controls at the hardware level — including secure boot with signature verification, encrypted communications for CAN/Ethernet networks, non-exportable cryptographic keys, locked debug interfaces, and anti-rollback firmware protection.

Modelled on Global Frameworks, Built for India

AIS 189 is directly aligned with UN Regulation No. 155 (UN R155) — the same standard the European Union enforced from July 2022, requiring all new EU type-approved vehicles to hold a certified Cybersecurity Management System. It also maps closely to ISO 21434, the international standard for automotive cybersecurity engineering.

This global alignment is intentional. Indian OEMs that export to EU, Japanese, or Korean markets can in principle reuse evidence across vehicle families, reducing duplication of effort. The compliance challenge, however, is that India's procurement ecosystem, regulatory notification process, and local delivery infrastructure are meaningfully different from Europe's — and most global cybersecurity vendors have built their playbooks entirely around EU dynamics.

In short, it is the same compliance challenge that reshaped the European market — now arriving in the world's third-largest automotive market.

Challenges Facing the Industry

EU-centric vendor playbooks
Most global cybersecurity vendors are oriented around EU OEM relationships and EU procurement timelines. India's procurement dynamics are different, and very few vendors have built local delivery capability or confirmed AIS 189-aligned product coverage.

No established local infrastructure
India currently has no mature local delivery infrastructure for automotive cybersecurity compliance services — creating genuine bottlenecks for OEMs that need to move quickly.

A misleading sense of available time
MoRTH's regulatory notification process is still being formalized. This creates a false impression that time remains. It does not. Type approval cycles, CSMS implementation, supplier onboarding, and penetration testing take years — not months.

Low supply chain maturity
The impact of AIS 189 extends deep into India's automotive supply chain. Modern vehicles rely on a complex network of suppliers for electronic components. Vulnerabilities in any part of that chain can jeopardize final vehicle approval — and by late 2025, supply chain cybersecurity maturity in India remained notably low.

Talent scarcity
There is an acute shortage of professionals with expertise in identity and access architecture, threat intelligence, and platform security — driving up hiring timelines and costs across the board.

Cost pressures
The initial phase of AIS 189 compliance will inevitably increase costs for automakers and suppliers. This mirrors the BS-VI emission transition, which significantly raised manufacturing costs and vehicle prices — and hit smaller companies hardest.

The Opportunity for Early Movers

The demand is going to be real. Every OEM operating in India — domestic manufacturers and global players alike — will need a working CSMS before enforcement begins. That is not a niche market. It is the entire Indian passenger vehicle industry.

Cybersecurity vendors that move during 2026, building AIS 189-aligned capability, securing local references, and establishing delivery infrastructure before the market crystallizes, will hold a structural competitive advantage that latecomers will struggle to replicate.

The same is true for OEMs. Those who begin their CSMS implementation, TARA processes, and supplier cybersecurity programs now will have room to course-correct. Those who wait until 2027 will be racing a hard regulatory deadline with no buffer.

The Bottom Line

India's AIS 189 is not a distant regulatory concept. It is an imminent market access requirement — the kind that blocked vehicle launches and triggered expensive recalls in Europe when manufacturers underestimated the timeline.

The window is not 2027.

India's AIS 189 compliance begins from 2027. Competition doesn't.

Tags: AIS 189 · UN R155 · ISO 21434 · CSMS · SUMS · TARA · India Automotive · Vehicle Cybersecurity · MoRTH · Connected Vehicles

Published by:

The CyberDiplomat

You might also like...

22
May
Arrested by Fear: The Global Rise of Digital Arrest Scams

Arrested by Fear: The Global Rise of Digital Arrest Scams

They wear uniforms. They carry badges. They read out charges. They are entirely fictional — and they are stealing billions from
9 min read

Member discussion