India is moving steadily to strengthen the security of internet connected devices as smart products become more common in homes and businesses. Instead of one single law the country is relying on a mix of government guidelines certifications and incident reporting rules to reduce cyber risks and improve trust in connected technologies.
The main policy direction comes from the Department of Telecommunications under the Ministry of Communications and the Ministry of Electronics and Information Technology with CERT In supporting incident reporting. A key reference point is the Code of Practice for Securing Consumer Internet of Things issued by the Telecommunication Engineering Centre in 2021 and made public in 2022. The document aligns with global standards such as ETSI EN 303 645 and promotes “Security by Design”. It sets baseline expectations including no universal default passwords secure software updates vulnerability disclosure policies data protection and secure storage of credentials. The code applies to manufacturers service providers system integrators and application developers. In 2023 the Department of Telecommunications issued advisory guidelines to M2M and IoT stakeholders reinforcing the same principles for consumer devices.
On the compliance side mandatory testing has become a major enforcement tool. Under the Mandatory Testing and Certification of Telecommunication Equipment framework several IoT and M2M products such as gateways smart meters feedback devices and smart cameras must undergo testing and certification. These checks include Indian Telecom Security Assurance Requirements developed by the National Centre for Communication Security which define security controls for different device categories. Alongside this the IoT System Certification Scheme run by the STQC Directorate under MeitY offers graded assurance levels from 0 to 4 covering physical communication and application interfaces. While largely voluntary it has become mandatory for certain devices such as CCTV systems following Essential Requirements introduced in 2024.
Incident reporting adds another layer of accountability. CERT In directions issued in 2022 require organisations to report cyber incidents involving IoT devices within 6 hours under Section 70B of the IT Act 2000. While there is no single rule covering all devices these combined measures are shaping a tighter security environment that aligns with global practices and supports secure domestic manufacturing.
Also read: Viksit Workforce for a Viksit Bharat
Do Follow: The Mainstream formerly known as CIO News LinkedIn Account | The Mainstream formerly known as CIO News Facebook | The Mainstream formerly known as CIO News Youtube | The Mainstream formerly known as CIO News Twitter
About us:
The Mainstream is a premier platform delivering the latest updates and informed perspectives across the technology business and cyber landscape. Built on research-driven, thought leadership and original intellectual property, The Mainstream also curates summits & conferences that convene decision makers to explore how technology reshapes industries and leadership. With a growing presence in India and globally across the Middle East, Africa, ASEAN, the USA, the UK and Australia, The Mainstream carries a vision to bring the latest happenings and insights to 8.2 billion people and to place technology at the centre of conversation for leaders navigating the future.
