Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Research Team (Tsaaro)
Ministry of Electronics and Information Technology Enforces Strict Cybersecurity Mandate for Surveillance Hardware
Mar 3, 2026

As of 1 April 2026, the Ministry of Electronics and Information Technology (hereinafter “MeitY”) has officially withdrawn all transition relaxations for the sale of video surveillance equipment in India. This definitive deadline marks the full enforcement of the Compulsory Registration Order (CRO) and the Essential Requirements (ER) framework for all CCTV and surveillance systems. Under this mandate, any surveillance hardware manufactured in or imported into India must possess valid STQC (Standardisation Testing and Quality Certification) and BIS certification to be legally sold. The government has explicitly stated that the grace period, which previously allowed for the clearance of non-compliant stock, is now over; any non-conforming device found in the supply chain constitutes a violation of the BIS Act.
The testing process at accredited STQC laboratories moves beyond basic electrical safety to include rigorous cybersecurity validation. To ensure hardware integrity and data sovereignty, the ministry has notified the following mandatory essential requirements (ERs):
Manufacturers must provide a full "Bill of Materials" (BOM) disclosing the origin of critical components, specifically the System-on-Chip (SoC) and memory modules.
Devices must eliminate all hardcoded or shared default passwords, enforcing unique and strong authentication for every individual unit.
All data transmission between the camera and recording systems must be protected via encrypted protocols such as TLS or HTTPS.
Hardware must be certified as free from hidden backdoors and unauthorised external server communications, with debug ports (such as Telnet or UART) disabled.
This move is designed to secure the digital borders of India by ensuring that every lens and chip installed in critical infrastructure meets domestic security standards. Authorities are reportedly refusing to certify hardware that utilises chipsets from "untrusted" origins, which has triggered a massive realignment in domestic supply chains. For enterprise buyers, choosing ER-compliant products is no longer merely a best practice; it is a prerequisite for project eligibility and future-proofing against technical support expiration.
Source: MeitY Office Memorandum on CCTV Essential Requirements
News of the week:
Information Commissioner’s Office Issues Landmark Approval for Automated Hiring Systems

The UK Information Commissioner’s Office (hereinafter “the ICO”) released a comprehensive update on 1 April 2026 regarding the fair and responsible use of automation in recruitment processes. This follows a nine-month evidence-gathering phase and marks the first major regulatory guidance issued since the enactment of the Data (Use and Access) Act. The ICO has provided a conditional approval for automated hiring, provided that organisations implement specific safeguards to protect candidate rights. The guidance emphasises that innovation must be balanced with transparency, as responsible adoption is foundational to maintaining public trust.
The report highlights significant privacy risks in the use of AI for sentiment and emotional analysis during interviews, where language and tone are used to predict personality types. To mitigate these risks, the ICO mandates that companies provide clear human intervention routes and allow candidates to challenge decisions made solely by algorithms. Organisations are now expected to proactively monitor for bias by testing for unfair outputs and asking developers about their bias testing protocols during procurement. This new standard ensures that while automation improves efficiency, the "computer says no" approach is replaced by a system of accountability.
Source: ICO Official Report on Automated Hiring
CERT-In Issues High Severity Warning Regarding Critical Vulnerabilities in Apple Ecosystem

The Indian Computer Emergency Response Team (hereinafter "CERT-In") issued a high-severity advisory on 30 March 2026, warning of multiple vulnerabilities across Apple’s software suite. These flaws affect a wide range of devices, including iPhones, iPads, and Macs running legacy versions of iOS and macOS. The agency noted that remote attackers could exploit these vulnerabilities to gain unauthorised access, steal sensitive personal data, or take complete control of the affected devices. According to the advisory, the following software versions have been identified as high-risk:
iOS and iPadOS: All versions earlier than 26.4 and 18.7.7.
macOS: Versions of Tahoe prior to 26.4; Sequoia before 15.7.5; and Sonoma before 14.8.5.
Browsers and Wearables: Safari versions prior to 26.4, as well as watchOS, tvOS, and visionOS versions earlier than 26.4.
Development Tools: Xcode versions prior to 26.4 are also impacted, posing a risk to the developer environment.
Users are urged to update their devices to the latest software versions immediately to patch these security gaps. The advisory highlights that the flaws allow for the execution of malicious code and can bypass existing security protections, such as "Lockdown Mode", in certain unpatched scenarios. Beyond updating, CERT-In has recommended that users avoid clicking on suspicious links or downloading unknown files from untrusted sources. This warning serves as a reminder of the persistent risks associated with unpatched software in an increasingly connected digital environment.
Source: CERT-In Advisory on Apple Software Vulnerabilities
European Regulators Issue Joint Opinion Opposing Changes to Personal Data Definition

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted a Joint Opinion on 27 March 2026 regarding proposed amendments to the GDPR. The regulators issued a strong warning against attempts to narrow the legal definition of personal data through the "Digital Omnibus" proposal. The joint opinion argues that the suggested changes would generate new legal uncertainties and weaken the fundamental rights of individuals across the European Union. They specifically criticised the idea that information should not be personal for a given entity merely because that entity cannot identify the natural person involved.
While the regulators supported increasing the risk threshold for mandatory breach notifications to reduce administrative burdens, they urged co-legislators to preserve the independence of the EDPB. They argued that the European Commission should not be entrusted to decide via implementing acts what constitutes anonymised data after pseudonymisation. Such changes could force a radical shift in enforcement and potentially leave data holders caught between conflicting legal obligations. The regulators maintain that any update to the definition should focus on what personal data is, rather than creating a negative list of what it is not.
Source: EDPB Official Joint Opinion 2026
