Daily Breach

India’s IoT Security Mandate: Government Tightens Controls on Smart Devices

Introduction

India is steadily strengthening its Internet of Things security posture through a mix of regulatory frameworks, certification schemes, and incident reporting obligations. Rather than a single sweeping IoT law, the government has adopted a layered approach that enforces security through telecom regulations, product certifications, and cybersecurity directives. This strategy aims to secure consumer IoT ecosystems while aligning domestic manufacturing with global best practices.

Regulatory Landscape and Authorities

IoT security governance in India is primarily driven by the Department of Telecommunications under the Ministry of Communications and the Ministry of Electronics and Information Technology. Incident response and breach reporting obligations are overseen by CERT-In, which plays a critical role in enforcing accountability following cyber incidents involving IoT systems.

Core Security Guidelines for Consumer IoT

Code of Practice for Securing Consumer Internet of Things

The cornerstone of India’s consumer IoT security framework is the Code of Practice for Securing Consumer Internet of Things (TEC 31318:2021), issued by the Telecommunication Engineering Centre under DoT. Publicly released in 2022, this document is aligned with international standards such as ETSI EN 303 645 and promotes a Security by Design philosophy.

Key principles include:

  • Elimination of universal default passwords
  • Secure and authenticated software updates
  • Defined vulnerability disclosure policies
  • Protection of personal data and credentials
  • Secure storage of sensitive information

The code applies broadly across manufacturers, service providers, system integrators, and application developers operating in the consumer IoT space.

Advisory Guidelines for M2M and IoT Stakeholders

In 2023, DoT released advisory guidelines reinforcing the Code of Practice. These advisories guide stakeholders on implementing practical security controls for IoT endpoints to reduce risks to users and telecom networks, particularly as device density and connectivity continue to grow.

Certification and Mandatory Compliance Mechanisms

Mandatory Testing and Certification of Telecommunication Equipment

The Mandatory Testing and Certification of Telecommunication Equipment framework, administered by TEC, makes security testing compulsory for several IoT and M2M device categories. Devices such as smart meters, IoT gateways, smart cameras, and feedback systems must comply with Indian Telecom Security Assurance Requirements.

These security requirements are developed by the National Centre for Communication Security and define baseline controls tailored to specific IoT device classes.

IoT System Certification Scheme

MeitY, through the Standardisation Testing and Quality Certification Directorate, operates the IoT System Certification Scheme. This scheme offers graded security assurance levels from 0 to 4, covering physical security, communication interfaces, and application layers.

While initially voluntary, the scheme has gained regulatory weight. Certain device categories are now required to obtain certification as part of market access conditions.

Essential Requirements for High-Risk IoT Devices

In 2024, MeitY introduced Essential Requirements for select IoT categories, notably CCTV and video surveillance systems. These requirements mandate compliance with defined security standards and certification under the STQC framework, reflecting growing concerns around surveillance data misuse and national security implications.

Incident Reporting and Enforcement Levers

Under CERT-In Directions issued in 2022, organizations are legally required to report cyber incidents involving IoT devices within six hours of detection, as mandated under Section 70B of the Information Technology Act, 2000. While not device-specific legislation, this requirement indirectly enforces stronger IoT security by imposing strict timelines for detection, response, and reporting.

Impact and Scope

India’s approach does not impose universal IoT security mandates through a single law. Instead, enforcement is achieved through:

  • Mandatory certification for telecom-connected IoT devices
  • Advisory-driven compliance for consumer IoT products
  • Strict incident reporting obligations

This model balances regulatory oversight with innovation, while supporting secure domestic manufacturing and reducing systemic cyber risk.

Outlook

As IoT adoption accelerates across smart cities, utilities, healthcare, and consumer electronics, India’s regulatory framework is expected to evolve further. Expansion of mandatory certification categories, tighter Essential Requirements, and closer alignment with global IoT security standards are likely in the coming years.

References and Source Attribution

Official guidance and updates are available through government portals of the Department of Telecommunications, Ministry of Electronics and Information Technology, STQC Directorate, and CERT-In.

Shubhendu Sen

About Author

Shubhendu Sen is a law graduate and former software developer with two years of professional experience, having worked on both frontend and backend development of web applications, primarily within the JavaScript ecosystem. He is currently pursuing a Master of Cyber Law and Information Security at NLIU Bhopal and is ISC2 Certified in Cybersecurity (CC). His interests include cyber law, malware research, security updates, and the practical implementation and audit of GRC frameworks.
