Car hacking! How India’s first vehicle cybersecurity rule AIS 189 may affect the auto industry

<img width="590" height="442" class="unveil" loading="eager" src="https://auto.economictimes.indiatimes.com/images/default.jpg" data-src="https://etimg.etb2bimg.com/photo/129904244.cms" captionrendered="1" alt="

As with most regulatory changes, timing will be critical.

“>

India’s automobile sector is on the verge of a major regulatory shift, as the government prepares to roll out AIS 189, the country’s first mandatory vehicle cybersecurity standard. The move is expected to fundamentally change how vehicles are designed, tested, and sold, especially as cars become increasingly connected and software-driven.

Modelled on global frameworks such as the UN R155 vehicle cybersecurity regulation, AIS 189 will make cybersecurity approval a prerequisite for launching new vehicles in India. Industry timelines suggest implementation could begin for new models by October 2027, with full compliance across all vehicles by October 2028.

A global push India can no longer ignore

The regulation brings India in line with major automotive markets that have already made cybersecurity mandatory. The European Union enforced UN R155 in 2022, while China introduced its own framework in 2024.With more than 60 countries recognising UNECE vehicle regulations, cybersecurity compliance is no longer optional for automakers aiming to export.

For Indian manufacturers expanding into overseas markets, this alignment may simplify operations.
“Automakers that prepare early for AIS 189 can use a single cybersecurity framework for both domestic and international markets,” said Vikash Chaudhary, an automotive cybersecurity specialist. “That reduces duplication of effort and brings long-term cost efficiency.”

What changes for automakers

At the heart of AIS 189 is the requirement for a Cybersecurity Management System (CSMS), a structured framework that covers everything from risk assessment to incident response.In parallel, a related standard will require a Software Update Management System (SUMS), ensuring secure delivery of over-the-air updates and workshop software fixes.

Together, these rules mark a shift from one-time vehicle approval to continuous cybersecurity oversight throughout a vehicle’s lifecycle.

However, building such systems is not quick.

“Setting up a robust cybersecurity management system can take over a year,” Chaudhary noted. “For companies starting from scratch, the timeline itself is a challenge.”

Supply chain faces ripple effects

The impact of AIS 189 will extend far beyond carmakers. Modern vehicles rely on a complex ecosystem of suppliers providing everything from infotainment units to advanced driver assistance systems. Under the new regulation, any vulnerability in these components could affect the final vehicle’s approval.”This is not just about the OEM,” Chaudhary explained. “Every supplier connected to the vehicle’s electronics becomes part of the cybersecurity chain. A weak link anywhere can become a compliance risk.”

This means Tier-1 and Tier-2 suppliers will also need to invest in cybersecurity capabilities, an area where many currently lack expertise.

Talent shortage could slow adoption

One of the biggest hurdles for the industry is the shortage of skilled professionals.

Unlike traditional IT security, automotive cybersecurity requires specialised knowledge of embedded systems, vehicle communication protocols, and regulatory compliance.

“The top manufacturers have started building teams, but much of the ecosystem is still underprepared,” Chaudhary said. “As enforcement nears, demand for skilled talent will far outstrip supply.”

Costs now, opportunity later

In the short term, AIS 189 will increase compliance costs for automakers and suppliers. Investments in technology, processes, and talent will be unavoidable.

But the long-term picture may be more positive.

The regulation is expected to create a new markfor cybersecurity services in India, spanning threat detection, penetration testing, secure software platforms, and vehicle security operations.

It could also improve consumer trust in connected vehicles, a segment that is expected to grow rapidly in the coming years.

Early movers vs late adopters

As with most regulatory changes, timing will be critical. Companies that invest early may gain a competitive edge, not just in India but across global markets. Those that delay could face disruptions, higher last-minute costs, or even barriers to launching new models.

AIS 189, in that sense, is more than just a compliance requirement. It signals a broader transition in the auto industry, from mechanical engineering dominance to a future where software security becomes just as critical as engine performance.