Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Research Team (Tsaaro)
Inside India’s New CCTV Rules: The Push for Security and Self-Reliance

Introduction:
India has tightened its CCTV regulations, restricting the sale of internet-connected cameras that fail to meet STQC certification and essential requirements (ER). This change is a response to rising concerns around national security arising from overdependence on foreign technology, especially in the surveillance industry. Many imported devices, especially those from opaque supply chains, can carry vulnerabilities such as weak firmware and hidden backdoors, making them easy targets for remote exploitation. Global conflicts have already shown how such cameras can be weaponised for surveillance and intelligence. Therefore, the new framework aims to secure India’s digital infrastructure while fostering a more reliable and self-reliant domestic surveillance industry.
Implementation Timeline
This shift is not sudden. It has been years in the making, with India steadily building towards a secure and tightly regulated surveillance framework through a phased rollout.
| Date | Event |
| --- | --- |
| 2023 | Introduction of essential requirements (ER) for CCTV systems. |
| April 2024 | MeitY brings CCTV cameras under the Compulsory Registration Order (CRO), mandating compliance and vulnerability disclosures. |
| 2024–2025 | Two-year transition period for manufacturers and vendors to adapt, certify products, and clear old stock; over 500 models certified. |
| 16 January 2026 | Final notice issued confirming the end of regulatory relaxation. |
| 1 April 2026 | Full enforcement begins; non-compliant internet-connected CCTV cameras are banned from import, manufacture, sale, and installation. |
From this point forward, non-compliance carries real consequences, including product seizures, legal risks, and exclusion from government tenders.
Key Changes & Developments
With these changes in force, CCTV cameras are no longer treated as simple recording devices. They are now classified as devices with potential national security implications and are therefore subject to strict regulatory and cybersecurity oversight. The key changes are as follows:
Compulsory Registration Order and Essential Requirements: CCTV cameras are now formally brought under the Compulsory Registration Order (CRO), with Essential Requirements (ER) forming the core compliance framework. This means that every device must meet defined cybersecurity, hardware, and software standards before entering the market. With the transition period now over, compliance is mandatory, leaving no room for legacy or non-compliant products.
Mandatory STQC and BIS Certification: To ensure uniform quality and security, all CCTV devices must undergo rigorous testing at authorised labs. They are required to obtain Standardisation Testing and Quality Certification (STQC), which verifies adherence to ER norms. This certification acts as a gatekeeping mechanism, ensuring that only trusted and secure products are available in the market.
Supply Chain Transparency and Trusted Components: A key focus of this change is visibility into the supply chain. Manufacturers must disclose the origin of critical components, particularly chipsets and firmware, which are often the most vulnerable points in a device. Products built on opaque or high-risk supply chains face significant hurdles in obtaining certification. This move is aimed at reducing dependence on unverified foreign components and ensuring that surveillance infrastructure is built on trusted technology.
Strict Cybersecurity Standards: The ER framework lays down detailed cybersecurity requirements to minimise the risk of hacking or misuse. These include eliminating default or hardcoded passwords, enforcing strong encryption protocols for data transmission and storage, and ensuring that firmware is secure and regularly updateable. In certain cases, authorities may also require access to source code, especially where proprietary systems are used, to verify the absence of hidden vulnerabilities or malicious features.
Public Procurement Controls and Inspections: For suppliers dealing with government bodies and public sector units, compliance requirements are even more stringent. In addition to ER standards, vendors must meet Public Procurement Order (PPO) norms, which prioritise trusted and locally compliant suppliers. Authorities are also empowered to inspect manufacturing facilities, including those located overseas, to assess potential cybersecurity risks. This ensures end-to-end accountability, from production to deployment.
The ripple effect of these changes
Impact on Manufacturers: The biggest impact is on foreign manufacturers, particularly those that previously dominated the Indian market with low-cost devices. Unless they meet India’s stringent STQC and ER standards, their products are effectively shut out. This has disrupted existing supply chains and forced global players to either localise production or exit the market.
On the other hand, domestic manufacturers have gained a strong advantage. With compliance becoming a market entry barrier, Indian companies are expected to expand rapidly and capture a larger market share. However, compliance is not cheap; manufacturers must invest heavily in redesigning products, securing trusted components, and undergoing rigorous testing and certification processes.
Impact on Vendors and Dealers: For vendors, installers, and distributors, selling, stocking, or installing non-compliant devices is no longer just a risk; it’s a direct liability. Dealers must now carry out proper due diligence, including verifying STQC and BIS certifications, maintaining compliance records, and ensuring that all products meet regulatory standards. Any lapse can lead to product seizures, loss of business credibility, and exclusion from government or large-scale projects.
Impact on Existing Users: For individual users and small businesses, the immediate impact is relatively limited. Existing CCTV systems will continue to function and will not be forcibly removed. However, there are some indirect impacts. If certain non-compliant brands exit the Indian market, users may gradually lose access to software updates, security patches, and after-sales support, leaving their systems vulnerable over time.
Impact on New Buyers: For new buyers, the cost of CCTV systems is likely to increase, as manufacturers pass on the expenses of compliance and certification. However, this higher cost comes with improved security, reliability, and long-term usability.
Impact on Businesses and Institutional Users: For businesses and institutional users, the stakes are significantly higher. Installing non-compliant systems can lead to rejection in government tenders, failures during regulatory or security audits, and even complications in insurance claims where certified surveillance systems are required.
Conclusion
India’s CCTV regulations mark a shift in how surveillance technology is governed. By treating CCTV cameras as critical digital infrastructure rather than simple hardware, the government is prioritising security and accountability. For consumers and businesses alike, compliance is no longer optional. Investing in certified, secure systems is essential not just for legal reasons but also to safeguard data, ensure reliability, and avoid future disruption. In the long run, these measures strengthen India’s digital ecosystem, reducing vulnerabilities, boosting domestic innovation, and building trust in an increasingly connected world.
