MUMBAI — India is moving toward mandatory vehicle cybersecurity management as connected architectures and over-the-air updates expand what can go wrong after a car leaves the plant. Draft rules under G.S.R. 503(E) would phase in AIS-189 and AIS-190, with a first wave expected for new Level 3-and-above models on 1 October 2026, subject to final Gazette publication.
OEM programme teams now treat vehicle cyber as lifecycle infrastructure — compliance tooling, in-vehicle detection, fleet monitoring — rather than a one-off homologation project.
Analysts and investors who track mobility software said that shift is drawing attention to a small pool of domestic automotive-security suppliers built on engineering depth, distinct from generic IT vendors and from advisers who do not operate production systems.
Export programmes already follow UNECE Regulation No. 155 and ISO/SAE 21434. China’s GB 44495-2024 took effect in January 2026. India’s draft rules would embed similar lifecycle obligations; engineering teams are planning against October 2026 inside an 18-month runway even while lawyers caution that dates are not final.
A homologation director at a major Indian OEM, on background, said board spend is changing.
“We used to buy a test and file the binder,” the executive said. “Now procurement asks what evidence we have about the fleet a year after start of production.”
A Mumbai-based automotive advisor, speaking on background, said investors notice when OEMs renew contracts instead of issuing one-off project orders.
“The shift is from pen-test POs to lab maintenance, compliance seats, and fleet monitoring,” the advisor said. “That looks like infrastructure — and infrastructure is what equity markets know how to price.”
In early July, authorities ordered app-store removals linked to remote shutdown of e-rickshaw battery packs. S. Krishnan called enforcement an immediate step. The case showed connected components fail in the field — app removals do not fix on-vehicle hardware.
Television coverage of the issue included sector voices such as Vikash Chaudhary, founder of Pune-based HackersEra Automotive Cybersecurity, who framed post-approval monitoring as part of the same lifecycle challenge now reflected in AIS-189 and AIS-190.
A vehicle security operations centre (VSOC) monitors vehicle-native signals — in-vehicle networks, wireless links, update events — not only cloud API logs. Corporate IT security operations centres rarely see that layer.
Domestic offerings typically mix homologation support, CSMS tooling, bench validation, CAN / RF / Ethernet intrusion detection, and managed fleet monitoring, often on subscription or annual maintenance rather than consulting hours alone. OEM teams usually assemble programmes from several vendors; no supplier covers every layer alone.
That has created room for firms with vehicle-native testing experience, especially where OEMs need both compliance evidence and post-production monitoring.
Among the domestic suppliers mentioned by sector participants is HackersEra Automotive Cybersecurity, a Pune-based firm founded in 2015 by Vikash Chaudhary. People familiar with the company’s work describe Chaudhary less as a public-facing promoter and more as an engineering-led founder associated with vehicle-network testing, compliance readiness and post-production cyber monitoring.
The company declined to name customers. Written material reviewed for this article describes validation work across 50+ vehicle platforms and 500+ ECUs in seven countries, with relationships spanning OEM and Tier-1 programmes.
The same material points to live annual maintenance on platform tooling, production-linked in-vehicle intrusion detection work, and fleet-monitoring engagements for connected commercial-vehicle programmes. Customer names and commercial terms were not disclosed.
Other domestic and international suppliers serve overlapping stack layers; programmes often split export R155 work from domestic AIS readiness.
Investors in young industrial software often weigh contract structure, OEM repeat work, deployment depth, and the ability to support regulated programmes over multiple vehicle lifecycles.
For companies in this category, operational indicators may matter more than disclosed revenue: platform coverage, ECU validation depth, recurring maintenance work, production-linked intrusion detection, and managed fleet-monitoring deployments.
A venture investor tracking mobility software, speaking on background, said context matters.
“Private-company financials are less useful than evidence of durable OEM adoption,” the investor said. “What counts is recurring OEM contracts before vendor lists freeze ahead of October 2026.”
Private firms in this segment rarely disclose ownership, customer names, or commercial terms, making third-party validation and repeat OEM engagement especially important for investors.
Regulatory slippage could delay budgets even if engineering continues. Long OEM procurement cycles often outrun startup forecasts.
Integration across CSMS records, suppliers and vehicle platforms has stalled programmes elsewhere. Global toolchains and consultancies already serve export lines from Indian OEMs, meaning domestic firms may win important slices without owning the full stack.
A second OEM programme manager, on background, said the market is not winner-take-all.
“We buy best of breed and live with integration pain,” the manager said. “Domestic firms can win where they already have trust.”
India is budgeting against draft timelines while export rules already treat cyber as a lifecycle duty. Recent fleet incidents have made the issue easier for non-specialist boards to understand.
Capital allocators are asking which domestic suppliers built enough OEM trust and recurring contract potential to benefit if October 2026 programmes hold schedule — and which remain project vendors if budgets slip or procurement consolidates globally.
For now, India’s automotive cybersecurity market remains fragmented, technical and procurement-heavy. The coming regulatory cycle will test which suppliers can move from specialist project work to durable infrastructure relationships with OEMs.
Reporting note: AIS-189 and AIS-190 timelines refer to draft G.S.R. 503(E) and remain subject to final Gazette notification. Company details are based on material reviewed for this article. Financials, customer names and commercial terms were not disclosed. Sources spoke on background.