Recommendation to Extend the ER-01 Cybersecurity Deadline for CCTV Systems in ITS

New Delhi [India], July 23: In light of new cybersecurity mandates affecting intelligent transport systems (ITS), this policy recommendation recommends extending the ER-01 cybersecurity certification deadline for CCTV network cameras to January 1, 2026. The ITS India Forum fully supports the intent of the ER-01 mandate – effective April 9, 2025 – to safeguard national security from substandard surveillance systems. However, the forum highlights that while compliance with these standards is crucial amid India’s rapid ITS growth, several operational challenges could delay effective implementation in key projects like tolling and traffic enforcement. To prevent disruptions and ensure the mandate’s success, the forum formally proposes extending the compliance deadline to January 1, 2026. This recommendation builds on the forum’s input and an assessment of the evolution of STQC policies – illustrating how a phased approach to cybersecurity compliance aligns with India’s smart mobility goals.

STQC Evolution and Significance for Smart Mobility

The Standardisation Testing and Quality Certification (STQC) Directorate of MeitY plays a pivotal role in India’s smart mobility ecosystem. STQC provides nationwide testing, calibration, and certification services to ensure technology products meet defined standards of quality, safety, and security. In the context of ITS, this role is crucial – modern transportation relies on electronic systems (such as smart cards, sensors, software platforms, and CCTV cameras) that must be reliable, secure, and interoperable. By certifying such systems (e.g. toll collection systems, transit smart cards, surveillance cameras), STQC helps build trust in the technologies underpinning smart mobility, ensuring innovations like automated fare collection, traffic management, and connected vehicles operate safely within a standardised framework.

Over the past decades, STQC’s policies have continually evolved to support India’s digital infrastructure and transportation needs. From its origins focusing on hardware testing and calibration in the 1980s, STQC expanded into software quality assurance and information security in the 2000s to serve e-governance and public service delivery. In recent years, STQC has launched specialised schemes for emerging domains – notably the IoT Systems Certification Scheme (IoTSCS) – in response to the explosion of IoT devices in smart cities and transport. The IoTSCS provides a structured framework to evaluate end-to-end IoT ecosystems (sensors, networks, cloud platforms, etc.) for security and performance. Under this scheme, STQC defines Essential Requirements (ERs) for IoT devices and systems to assure their security and reliability. A pertinent example is the mandatory ER for CCTV network cameras: in March 2024, the government issued a gazette notification introducing essential cybersecurity requirements for CCTV cameras, and STQC announced that existing certified security cameras must be re-tested to meet the new standards. This adaptive policy underscores STQC’s commitment to strengthening cybersecurity in critical ITS infrastructure. By rolling out IoTSCS and updating requirements for devices like networked cameras, the government and STQC are proactively creating a safer environment for IoT-driven smart mobility solutions. Such evolving STQC policies align with India’s smart mobility goals by ensuring that as transportation systems become more digital, they remain secure, interoperable, and trustworthy for public use.

Operational Challenges in Implementing ER-01 by April 2025

While the ER-01 cybersecurity mandate for CCTV cameras is well-intentioned and supported in principle by the ITS industry, the current April 2025 compliance timeline poses significant operational and structural challenges. The ITS India Forum and industry stakeholders have identified several bottlenecks that make immediate implementation difficult:

• Limited Testing Capacity and Long Certification Cycles: The combined timeline for STQC lab testing and Bureau of Indian Standards (BIS) approval is around 7–8 months per camera model, which far exceeds the available time before the original deadline. Moreover, only a handful of accredited laboratories in India are equipped for the complex testing of CCTV/IP cameras. With roughly 1,000 camera models expected to undergo certification, labs face inevitable backlogs and delays. These capacity constraints mean many compliant products cannot be certified in time. (Notably, STQC’s own assessments echo this issue: scaling up testing infrastructure to meet demand is a known bottleneck as IoT devices proliferate, with labs facing heavy workloads and potential delays in project rollouts.)
• Incomplete Alignment with ITS Project Needs: Experience so far shows that even some currently certified camera models do not fully meet specialised project requirements (e.g. high frame-rate video for tolling, low-light clarity for traffic enforcement). Such gaps between generic compliance and specific field needs indicate that further refinement of standards or additional testing parameters may be required. In short, compliance on paper doesn’t always equal readiness for all use-cases, which could undermine ITS project outcomes if not addressed.
• Lack of Finalised Standards and Benchmarks: Certain testing benchmarks for ITS-specific applications (like automated tolling and advanced traffic management) are still evolving. The absence of clear, finalised standards in these niches creates uncertainty for original equipment manufacturers (OEMs) and system integrators on how to design and modify their products. This moving target makes immediate compliance harder, as companies risk needing re-certification once standards are updated. It underscores the need for finalising sector-specific requirements so that industry can confidently invest in compliant technologies.
• High Compliance Costs Impacting MSMEs: The cost of STQC testing and certification is significant, which disproportionately affects micro, small, and medium enterprises (MSMEs). Smaller domestic manufacturers are struggling with the fees and technical resources needed to certify their CCTV products, and many may be unable to comply by the deadline without support. This shrinks the pool of compliant vendors, reducing competition and options in procurement – ultimately potentially raising costs or slowing deployments for ITS projects if only a few expensive certified products are available. It also risks pushing startups and new entrants out of the market; firms with limited capital find the compliance barrier too high, especially given unclear multi-phase rollout plans.
• Project Deployment Delays and Legacy Integration Issues: Several major initiatives – from highway toll collection upgrades to city surveillance and traffic management systems – are at risk of delays because compliant equipment might not be widely available in time. Procuring only certified cameras could slow down projects or increase costs, and there is also backwards compatibility with existing infrastructure (for example, replacing or retrofitting older cameras and systems to meet new standards may not be straightforward). Sudden enforcement of ER-01 without transitional measures could disrupt ongoing installations. The forum cautions that a sudden supply chain shock of this nature can affect thousands of MSMEs involved in the electronics and ITS value chain, potentially leading to job losses across the ecosystem. Indeed, history shows that when the IoT security certification for cameras was abruptly made compulsory, many small CCTV manufacturers (often dependent on imported components) faced hurdles in meeting the new standards on short notice, necessitating careful handling to avoid supply disruptions.

These challenges illustrate that the current timeline is overly ambitious given on-the-ground realities. Rushing to enforce compliance by April 2025 could result in project standstills, increased costs, and exclusion of smaller players, which in turn undermines the very goal of improving security (since fewer compliant devices would actually be deployed). It is therefore imperative to adjust the approach to implementation.

Recommendation: Phased and Collaborative Implementation of Cybersecurity Mandates

To ensure the ER-01 mandate achieves its cybersecurity objectives without negative impacts on India’s ITS deployments, a phased, collaborative implementation strategy is recommended. As the ITS India Forum emphasizes, the success of ER-01 “hinges on a collaborative, phased implementation” involving both government and industry. Key policy recommendations include:

1. Extend the Compliance Deadline: Postpone the enforcement of ER-01 from April 9, 2025, to January 1, 2026. This minimum six-month extension (effectively to the start of 2026) will provide additional time for manufacturers to complete certification and for projects to procure compliant systems. It ensures a smoother adaptation period, preventing abrupt disruptions and allowing alignment with the new standards across ongoing projects.
2. Expand Testing Infrastructure: Increase the capacity of STQC-accredited labs and available testing slots to address the certification backlog. This may involve designating more labs, hiring and training testers, or accrediting qualified private laboratories under STQC oversight. Strengthening the testing infrastructure will speed up certification for the ~1,000 camera models in queue and is critical to meet the surge in compliance demand.
3. Clarify and Finalize Standards: Develop clear, sector-specific testing benchmarks for ITS applications (e.g. standards tailored for tolling cameras, traffic enforcement cameras) and publish these promptly. Providing detailed technical requirements will remove uncertainty for OEMs and integrators. It enables industry to design to spec the first time, and ensures that certified products truly meet the operational needs of smart mobility projects. Finalizing these standards in consultation with industry experts will improve compliance quality and consistency.
4. Provide a Transitional Roadmap: Implement a graded or phased compliance roadmap for existing and in-service systems. Rather than rendering all non-certified cameras obsolete immediately, allow deployments already in place (or in advanced procurement stages) to continue operating with a plan to gradually retrofit or replace them over a defined period. This grace period strategy avoids a shock to ongoing ITS services and supply chains. It also gives integrators time to upgrade software or configurations on existing cameras where possible to enhance security until hardware can be swapped. A roadmap for transition will help maintain continuity in toll collection, law enforcement, and city surveillance during the changeover.
5. Incentivize Compliance for MSMEs: Support smaller manufacturers and startups through financial and technical assistance programs. This could include subsidized testing fees for MSMEs, grants or soft loans for upgrading product security features, and government-run training workshops on meeting STQC requirements. Additionally, procurement policies can prioritize or provide preferential treatment to certified Made-in-India products, encouraging domestic players to invest in compliance. Such incentives will broaden the base of compliant vendors, spur healthy competition, and mitigate the risk of market concentration due to compliance costs.

These measures reflect a collaborative path forward, combining regulatory firmness with practical support. By adopting this phased approach, MeitY would align the cybersecurity mandate with industry’s capacity to comply, ensuring that the policy’s intent is fully realized. As noted by the ITS India Forum, a well-planned extension and staged implementation will allow the ER-01 mandate to achieve its goals without unintended consequences like project delays or economic disruption. In effect, this approach upholds national security interests – by eventually getting all critical CCTV systems certified secure – while sustaining the momentum of smart infrastructure development.

Conclusion

Extending the ER-01 deadline to January 2026 and pursuing a phased implementation is a strategic necessity for India’s intelligent transport and surveillance initiatives. It provides the breathing room needed for standards to mature, labs to expand, and industry (especially domestic MSMEs) to rise to the compliance challenge. By heeding the ITS India Forum’s recommendations and working jointly with stakeholders, policymakers in MeitY can ensure that India’s push for cybersecurity in ITS is executed in an orderly, inclusive, and data-driven manner. This will ultimately strengthen public trust in smart mobility systems and fortify the nation’s digital infrastructure, without derailing progress on the ground. We urge the Ministry and relevant authorities to adopt this recommendation and set a precedent for policy implementation that is both ambitious and well-calibrated to real-world conditions. The result will be a robust, secure ITS ecosystem contributing to India’s smart mobility goals, achieved through cooperation and careful planning rather than coercive deadlines.

For more information, please visit – https://www.itsindiaforum.com/

If you object to the content of this press release, please notify us at [email protected]. We will respond and rectify the situation within 24 hours.