Regulating India’s IoT landscape
- June 25, 2025
- William Payne

This is the first of two articles looking at regulation of IoT in India, and government initiatives to promote development, manufacturing and adoption in the country.
This first article looks at regulation of IoT, and includes regulations and legislation to require effective device and infrastructure cybersecurity and protect personal privacy and data, as well as certification and quality schemes to ensure enforcement.
The next article in the series will look at government-led initiatives and measures to promote development, manufacture and adoption of IoT in the country.
India’s IoT economy is expanding rapidly. It is projected to more than double over the next five years, from an estimated $15 billion in 2024 to $35 billion by 2030.
Foundation: The IT Act
The regulatory landscape for IoT in India is built at foundation level on the Information Technology (IT) Act, 2000. This was designed to address cybercrime and electronic transactions. It has been subsequently supplemented and strengthened with additional rules and the Digital Personal Data Protection Act, 2023 (DPDP Act). The latter has modernised data protection in response to growing privacy concerns.
Beyond these broad measures, specific technical guidelines and certification schemes have been added to mandate effective security measures as well as provide effective regulation to promote domestic production for both internal and overseas markets. These include the Code of Practice for Securing Consumer IoT Devices (TEC 31318:2021), the IoT System Certification Scheme (IoTSCS) under the Indian Telecom Security Assurance Requirements (ITSAR), and the Essential Requirements (ER) for CCTV and video surveillance systems.
Several provisions within the IT Act and its subsequent rules are especially relevant to IoT cybersecurity and data protection. Section 43A imposes significant liability on companies, and is seen as the key section governing IoT device data collection, storage and processing. It requires compensation for any negligence in implementing and maintaining reasonable security practices and procedures for sensitive personal data or information (SPDI), and makes IoT device manufacturers and service providers directly accountable for data breaches caused by inadequate security.
The SPDI Rules
To enforce Section 43A, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), were brought into force. These rules list detailed requirements for data protection by companies. They make a key distinction between “personal information” and “sensitive personal data or information (SPDI)” and outline different obligations for their handling.
Further provisions within the IT Act address confidentiality and privacy: Section 72 prescribes penalties for breaches of confidentiality and privacy, while Section 72A imposes penalties for the disclosure of information in breach of a lawful contract.
Beyond data protection, the IT Act also provides the basis for broader cybersecurity measures. The CERT-In Rules, introduced in 2013, established the Indian Computer Emergency Response Team (CERT-In) as the national agency responsible for cybersecurity incident reporting and emergency response.
The Protected Systems Rules
In 2018, the Protected Systems Rules were enacted. These provide additional security requirements for critical computer resources, which include IoT infrastructure in defined critical sectors. The Intermediaries Rules, updated in 2021, require digital platforms and social media intermediaries to implement security measures and report incidents to CERT-In. This has extended the cybersecurity net to a wider range of online services that may interact with IoT data.
The IT Act and the SPDI Rules currently form the basis of India’s data protection regime. However, the SPDI Rules are considered outdated due to gaps and a rudimentary approach. As a result, they are slated for overhaul by the Digital Personal Data Protection Act, 2023 (DPDP Act). This was introduced in August 2023, largely as a result of a landmark decision by the Indian Supreme Court in Puttaswamy and Another vs Union of India And Others. This decision established a fundamental right to privacy, and impelled the Indian government to put in place a more robust data protection framework for India, including IoT devices and infrastructure.
Securing Consumer IoT Devices Code
The Code of Practice for Securing Consumer IoT Devices (TEC 31318:2021) has standardised security for consumer IoT devices in India. The Code was issued by India’s Telecom Engineering Centre (TEC), which functions as the technical arm of the Department of Telecom under the Ministry of Communications. Its primary purpose is to provide specific technical guidelines to enhance the security of consumer-grade IoT devices.
In something of a departure, the Code has aligned with global standards, particularly ETSI EN 303 645, a widely recognised European benchmark for IoT security. This alignment is aimed at positioning India’s regulations on a par with international best practices to foster interoperability and facilitate market access for domestically produced devices.
A core principle embedded within the Code is “Security by Design.” This requires manufacturers to build robust security features into their products during the initial development phase, rather than retrofitting them later.
The Code's provisions include unique passwords for each device, secure storage of sensitive security parameters, and timely and secure software updates to address vulnerabilities and improve product reliability. It also requires effective protection of sensitive user data.
IoT System Certification Scheme
The IoT System Certification Scheme (IoTSCS) is another part of India’s efforts to ensure security and reliability of IoT devices. This scheme is administered by the Standardisation Testing and Quality Certification (STQC) Directorate, operating under the Ministry of Electronics and Information Technology (MeitY). The rules and procedures for IoTSCS, which also cover CCTV systems, were published in October 2024.
The IoTSCS is closely related to the “Indian Telecom Security Assurance Requirements (ITSAR),” a set of security standards developed by the National Centre for Communication Security (NCCS), a unit operating under India’s Department of Telecommunications (DoT). ITSAR is enforced under the “Mandatory Testing and Certification of Telecommunication Equipment (MTCTE)” framework, making compliance mandatory for market access in India.
Security Assurance Requirements
ITSAR covers a range of telecom and IoT devices, categorised into different groups based on their function and security requirements. These include critical components such as core 5G network functions, various consumer and enterprise networking equipment, fibre broadband equipment, IoT-based user interfaces, smart cameras, and smart meters. The framework outlines four primary levels of security assurance, ranging from basic (Level 1) to advanced (Level 4), with Level 1 being the minimum requirement for feedback devices.
The security measures mandated by ITSAR include requirements for secure boot, cryptographic integrity validation, mutual authentication, secure software updates, role-based access control, and audit logging.
For smart cameras, specifically governed by ITSAR309062504, requirements include secure streaming (e.g., SRTP), encryption of stored footage, identity management for user and device access, tamper alerts, and remote device lockdown capabilities. These devices must also implement secure provisioning practices, disallow factory default credentials, and support audit trails for forensic analysis.
For smart meters, ITSAR mandates secure boot, data encryption at rest and in transit, mutual authentication between the meter and data concentrator, anti-tampering protections, and secure firmware life-cycle management.
Even basic devices must support secure identity management, encrypted communication channels, tamper detection, secure firmware updates, and hardening against known vulnerabilities. Level 3 and 4 devices are expected to demonstrate compliance with international standards such as ISO 27001 and also undergo third-party vulnerability assessments.
Cybersecurity Essential Requirements
The Essential Requirements (ER) for CCTV and video surveillance systems is a special regulatory measure introduced by India’s Ministry of Electronics and Information Technology (MeitY) in March 2024 under the “Made in India” initiative. It is a set of regulations to address cybersecurity concerns in the applications of CCTV systems in public safety and infrastructure monitoring.
A key aspect of the ER guidelines is mandatory certification by the Standardisation Testing & Quality Certification (STQC) Directorate. This certification ensures that CCTV systems meet standards for functionality, reliability, and data security.
While no single law mandates STQC certification for all IoT devices, the certification process for CCTVs is influenced by the broader Code of Practice for Securing Consumer IoT Devices and these specific ER guidelines.
The ER regulations cover aspects related to hardware, software, supply chains, and design, and align with international regulations. Key considerations within the ERs focus on security mechanisms embedded within the CCTV device, mandating: secure software with an anti-rollback mechanism; TEE/SE/TPM (Trusted Execution Environment/Secure Element/Trusted Platform Module) enablement; supply chain risk assessment; unique keys and secure key injection; credential and back-door audits, among other provisions.
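The secure-update controls that recur across these schemes (the ITSAR requirements for cryptographic integrity validation and secure software updates above, and the ER requirement here for secure software with an anti-rollback mechanism) are easier to picture as a concrete update-acceptance check on the device. The following is an added example, not code from any of the standards or from TEC, NCCS or STQC; it uses an HMAC from Python's standard library in place of the public-key signature a production updater would verify, and the device key, version numbers and firmware bytes are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed, illustrative values: a real device keeps its verification key in
# protected storage (TEE/SE/TPM) and keeps the rollback counter in tamper-resistant
# non-volatile memory so that it survives reboots and power loss.
DEVICE_KEY = b"constructed-device-key"


def make_manifest(version, image, key):
    """Build a signed manifest for a firmware image (the vendor-side step)."""
    digest = hashlib.sha256(image).hexdigest()
    body = json.dumps({"version": version, "sha256": digest}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class FirmwareUpdater:
    """Device-side update gate: authenticate, validate integrity, enforce anti-rollback."""

    def __init__(self, key, installed_version):
        self._key = key
        self.installed_version = installed_version
        # Monotonic floor: once raised it never decreases, even if the running
        # image is later replaced, which is what blocks downgrade to a patched build.
        self.rollback_floor = installed_version

    def check_update(self, manifest, image):
        # 1. Authenticate the manifest before trusting anything inside it.
        expected = hmac.new(self._key, manifest["body"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, manifest["tag"]):
            return (False, "manifest authentication failed")
        meta = json.loads(manifest["body"])
        # 2. Bind the image bytes to the authenticated manifest.
        actual = hashlib.sha256(image).hexdigest()
        if not hmac.compare_digest(actual, meta["sha256"]):
            return (False, "image digest mismatch")
        # 3. Anti-rollback: only strictly newer versions are installable.
        if meta["version"] <= self.rollback_floor:
            return (False, "version %d not above rollback floor %d"
                    % (meta["version"], self.rollback_floor))
        return (True, "ok")

    def apply_update(self, manifest, image):
        ok, reason = self.check_update(manifest, image)
        if ok:
            version = json.loads(manifest["body"])["version"]
            self.installed_version = version
            self.rollback_floor = version
        return (ok, reason)


if __name__ == "__main__":
    device = FirmwareUpdater(DEVICE_KEY, installed_version=1)
    new_image = b"constructed firmware v2 bytes"
    print(device.apply_update(make_manifest(2, new_image, DEVICE_KEY), new_image))
    # A re-signed copy of the old image is refused by the rollback floor.
    old_image = b"constructed firmware v1 bytes"
    print(device.check_update(make_manifest(1, old_image, DEVICE_KEY), old_image))
```

The order of the three checks matters: the manifest is authenticated before its version or digest fields are read, so an attacker who can supply bytes to the updater cannot influence the rollback decision with an unauthenticated manifest. The checks are also all-or-nothing; the floor is only raised after the full chain passes, so a failed update leaves the device's state unchanged.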