India’s automotive industry is approaching a decisive inflection point as cybersecurity becomes a core requirement for vehicle approval. The 2027 implementation of AIS 189 and AIS 190 elevates digital security from a technical consideration to a primary homologation risk, Omdia report said.
According to Omdia analyst Diwakar Murugan, this regulatory shift presents not just a compliance challenge but a strategic opportunity for Indian and global automakers to close capability gaps and gain a durable competitive advantage.
In 2025, India’s automotive industry is estimated to be around US$ 250 billion in annual turnover, making it one of the world’s largest markets behind the United States and China.
Total vehicle production including passenger vehicles, commercial vehicles, three-wheelers, two-wheelers, and quadricycles reached more than 310 million units across all segments during fiscal year 2024-25 (April 2024 to March 2025).
Software defined vehicles reshape automotive risk
The global automotive industry is undergoing a transformation driven by connected, autonomous, shared, and electric vehicles. Cars are no longer purely mechanical products. They are intelligent, software defined machines built on complex electronics, connectivity, and data flows. In this environment, safety regulations must expand beyond crashworthiness to include cybersecurity, software integrity, and data protection.
India, with its rapidly digitizing consumer base and ambitious mobility targets, is at the center of this transition. Rising adoption of ADAS, telematics, OTA updates, and V2X technologies has turned vehicles into highly connected cyber physical systems. Each feature expands the attack surface, converting localized mechanical risks into scalable remote cyber threats that can impact safety, availability, and data integrity.
Expanding attack surface in India’s auto ecosystem
India’s automotive supply chain has already emerged as one of the most cyberattacked sectors, reflecting global trends where ransomware and intrusion campaigns increasingly target operational technology and embedded products. Fragmented cybersecurity practices across Tier 1, Tier 2, and Tier N suppliers, combined with vague OEM supplier security obligations, amplify systemic risk.
As connected vehicle volumes grow and mobile broadband adoption accelerates faster than China, the likelihood of remote exploitation increases. Supply chain compromise now represents the most significant non product risk to 2027 homologation, making rigorous security flow down, component validation, and continuous monitoring non negotiable for OEMs.
AIS 189 and AIS 190 define the road to 2027
India’s regulatory blueprint for automotive cybersecurity is anchored in two pillars scheduled to become mandatory by 2027.
AIS 189 establishes a Cyber Security Management System aligned with UN Regulation No. 155. It requires manufacturers to identify, assess, and mitigate cyber risks across the entire vehicle lifecycle, from concept and development to production and post sale operations.
AIS 190 introduces a Software Update Management System based on UN Regulation No. 156. It governs secure and traceable software updates for vehicle categories M, N, T, A, and C, ensuring OTA processes are validated, auditable, and protected from cyber exploitation.
These requirements arrive alongside stricter CAFE 3 norms for 2027 to 2032, which mandate CO2 limits of 91.7 grams per kilometer. The push toward hybrids and electric vehicles further increases reliance on advanced software and electronic control units, expanding the digital attack surface governed by AIS 189 and AIS 190.
Industry readiness remains uneven
Despite the clear regulatory trajectory, industry preparedness is inconsistent. Many OEMs and suppliers still lack mature cybersecurity governance, standardized risk scoring, and auditable mitigation timelines. By 2027, vehicles without certified CSMS and SUMS face exclusion from the Indian market.
Early adopters that institutionalize cybersecurity now can reduce approval risk, accelerate time to market, and build trust with regulators and consumers. Late movers risk not only regulatory delays but also exposure to operational disruptions and reputational damage.
India versus EU: functional gaps in implementation
The European Union provides a useful benchmark. UNECE WP.29 R155 and R156 have been fully integrated into EU law under Regulation (EU) 2019/2144. Compliance has been mandatory for new vehicle types since July 2022 and for all new vehicles since July 2024.
This early adoption has eliminated ambiguity around risk scoring, mitigation timelines, and supply chain enforcement. In contrast, India’s draft AIS 189 and AIS 190, while structurally aligned with UN regulations, still leave room for interpretation in key operational areas.
For OEMs serving both markets, prioritizing EU harmonized ISO 21434 practices helps bridge India’s regulatory uncertainties. A unified Asia Europe cybersecurity framework enables smoother homologation and positions manufacturers to respond to escalating global cyber threats.
Cybersecurity intersects with data protection and incident response
Compliance with AIS 189 and AIS 190 does not exist in isolation. OEMs must also align with India’s Digital Personal Data Protection Act and CERT India incident reporting obligations. This convergence of cybersecurity, privacy, and national reporting requirements leaves no margin for fragmented processes.
Integrated governance, auditable ISO 21434 execution, and fleet wide visibility are essential. Vehicle Security Operations Centers play a central role by enabling continuous monitoring, incident response, and regulatory reporting across connected fleets.
Indigenous V SOC ecosystem as a strategic lever
A key opportunity for OEMs lies in India’s rapidly growing indigenous automotive cybersecurity ecosystem. Local V SOC providers offer cost efficient, regulation aware solutions that can accelerate certification and reduce long term operational expenses.
For global OEMs, the strategic challenge is not adopting ISO 21434 itself, but proactively formalizing risk scores, mitigation SLAs, and documentation to compensate for ambiguities in draft Indian standards. Integrating DPDP Act consent requirements into V SOC architectures is equally critical to ensure continuous monitoring remains legally compliant.
Compliance today, leadership tomorrow
Cybersecurity compliance under AIS 189 and AIS 190 is the cost of entry to India’s future automotive market. The strategic decision is how OEMs choose to achieve it. Those that treat CSMS and SUMS as long term investments, rather than short term regulatory burdens, can convert compliance into a competitive differentiator.
By leveraging India’s indigenous cybersecurity capabilities, OEMs can achieve faster homologation, localized expertise, and a scalable security foundation that is globally exportable. Proactive action before 2027 is the non negotiable prerequisite for leadership in India’s connected mobility future.
RAJANI BABURAJAN
