Industry • March 28, 2026 • 7 min read

Automotive Cybersecurity in India: The Growing Opportunity

By Agnile Engineering Team

Key Takeaways

TL;DR — India produces over 23 million vehicles a year and is the world's largest two- and three-wheeler manufacturer, driving demand for Automotive Cybersecurity capability. Domestic regulations AIS 189 (CSMS) and AIS 190 (Type Approval) — being developed by ARAI in alignment with UNECE R155 and ISO/SAE 21434 — combined with export obligations to UNECE markets, make ISO/SAE 21434 adoption a commercial necessity for Indian OEMs and suppliers.

  1. India is the world's third-largest automotive market by volume (23 million+ vehicles per year) and the largest manufacturer of two- and three-wheelers, making its cybersecurity compliance surface significant.
  2. India's forthcoming framework is a two-tier structure aligned with UNECE R155: AIS 189 for organizational CSMS and AIS 190 for vehicle-level type approval, being developed by ARAI and iCAT under the Ministry of Road Transport and Highways.
  3. Indian OEMs exporting to UNECE markets (EU, UK, Japan, South Korea) must already meet R155; Indian Tier-1 suppliers increasingly receive ISO/SAE 21434 requirements through supply-chain contracts regardless of destination market.
  4. Bengaluru hosts India's densest automotive R&D footprint — Bosch's largest engineering center outside Germany, Continental, Mercedes-Benz Research and Development India, BMW Technology Office, and Toyota's connected vehicle team — alongside academic programs at IISc, IIIT-B, and Dayananda Sagar University.
  5. A pragmatic five-phase adoption path runs from gap assessment through pilot TARA, organizational CSMS build-out, scaled rollout, and finally CSMS audit readiness with a technical service such as ARAI.

At a Glance

  • One-Sentence Answer: Automotive cybersecurity in India is becoming more structured as AIS 189, AIS 190, ISO/SAE 21434, and UNECE-aligned practices influence OEM and supplier readiness.
  • Who This Is For: Indian OEMs, Tier-1 suppliers, cybersecurity teams, compliance teams, and engineering leaders preparing for cybersecurity and software-update expectations.
  • Last Reviewed: May 2026
  • Primary References: AIS 189, AIS 190, ISO/SAE 21434, UNECE R155/R156, Indian automotive cybersecurity ecosystem.
  • Practical Use: Use this guide to understand India-specific cybersecurity readiness expectations and supplier preparation areas.

India's Automotive Cybersecurity market is experiencing rapid growth, driven by domestic regulations (AIS 189, AIS 190), global compliance requirements (UNECE R155, ISO/SAE 21434), and the country's position as a major automotive manufacturing hub with over 23 million vehicles produced annually. For OEMs, Tier-1 suppliers, and engineering services companies across India, this convergence of regulatory pressure and manufacturing scale creates both an urgent challenge and a significant commercial opportunity.

India is the world's third-largest automotive market by volume and the largest manufacturer of two-wheelers and three-wheelers globally. With major OEMs like Tata Motors, Mahindra, Maruti Suzuki, and Hyundai Motor India expanding their connected vehicle portfolios, the attack surface for Automotive Cybersecurity threats is growing exponentially. Meanwhile, India's vast Tier-1 and Tier-2 supplier ecosystem — serving both domestic and global OEMs — faces increasing pressure to demonstrate cybersecurity compliance as a condition of continued business.

The Indian Regulatory Landscape: AIS 189 and AIS 190

  • 2023: AIS 189 Issued. Cybersecurity standard published by ARAI.
  • 2024: AIS 190 Issued. Software Update standard published.
  • Phase I (Apr 2025): Voluntary Adoption. Early-mover OEMs begin pilot CSMS rollout.
  • Phase II (Apr 2027): Mandatory for New Types. Type Approval required for new vehicle types.
  • Apr 2029: Full Fleet Compliance. All in-scope new vehicles must comply.

Indicative AIS 189 / AIS 190 adoption timeline — from issuance through voluntary phase to mandatory Type Approval and full-fleet compliance.

Deeper reference: For the complete pillar treatment of AIS 189 and AIS 190 — scope, alignment with UNECE R155, the two-wheeler exclusion, and a 12- to 18-month implementation roadmap — see our AIS 189 and AIS 190 pillar guide.

India's Ministry of Road Transport and Highways (MoRTH), working through the Automotive Research Association of India (ARAI) and the International Centre for Automotive Technology (iCAT), is developing two key standards that will govern automotive cybersecurity in the Indian market.

AIS 189 addresses the Cybersecurity Management System (CSMS) at the organizational level. It requires automotive manufacturers to establish, implement, and maintain a systematic approach to managing cybersecurity risks across the vehicle lifecycle. This is conceptually aligned with UNECE R155's CSMS requirements and ISO/SAE 21434's organizational Cybersecurity Management clauses.

AIS 190 addresses Vehicle Type Approval for cybersecurity. It defines the requirements that individual vehicle types must meet to demonstrate adequate cybersecurity measures. This includes evidence of Threat Analysis, Risk Assessment, cybersecurity testing, and ongoing monitoring capabilities.

Together, AIS 189 and AIS 190 form a two-tier regulatory framework similar to the UNECE R155 structure: organizational capability (CSMS) plus vehicle-level compliance (type approval). Indian OEMs who are already exporting to European, Japanese, or Korean markets — where UNECE R155 is enforced — are building compliance capabilities that will also satisfy the domestic AIS requirements.

Global Requirements vs Indian Requirements

India is not a contracting party to the 1958 Agreement under which UNECE R155 operates, meaning R155 is not directly enforceable in the Indian market. However, the practical impact is significant for several reasons.

First, Indian OEMs exporting to UNECE markets (EU, UK, Japan, South Korea, Australia) must comply with R155 for those vehicles. Companies like Tata Motors (Jaguar Land Rover), Mahindra, and TVS Motor Company have substantial export operations that require full UNECE R155 compliance.

Second, Indian Tier-1 suppliers serving global OEMs receive cybersecurity requirements through supply chain contracts. Companies like Bosch India, Continental India, Motherson, Samvardhana Motherson, and Sona BLW are increasingly required to demonstrate ISO/SAE 21434-compliant engineering practices regardless of the vehicle destination market.

Third, the Indian regulatory framework (AIS 189/190) is being designed with UNECE R155 and ISO/SAE 21434 as reference documents. The alignment is intentional, ensuring that compliance with global standards substantially satisfies Indian requirements.

For practical purposes, any Indian automotive company investing in ISO/SAE 21434 compliance is simultaneously preparing for both global (R155) and domestic (AIS 189/190) regulatory enforcement.

Bengaluru as an Automotive Cybersecurity Hub

Bengaluru has emerged as India's primary center for Automotive Cybersecurity expertise, and this is no accident. The city combines three critical ingredients: a deep pool of cybersecurity talent from India's IT industry, significant automotive R&D presence from both Indian and global OEMs, and a thriving startup ecosystem focused on automotive technology.

Major automotive R&D centers in Bengaluru include Bosch's engineering center (one of the largest outside Germany), Continental Automotive, Mercedes-Benz Research and Development India, BMW Group Technology Office, and Toyota's connected vehicle technology team. These centers are actively hiring cybersecurity engineers and building ISO/SAE 21434 compliance capabilities.

Bengaluru-based companies like Agnile Technologies are building specialised tools and services for the Automotive Cybersecurity domain. Proximity to OEM R&D centres and a deep cybersecurity and AI engineering bench creates the kind of ecosystem advantage that took Detroit and Stuttgart decades to assemble.

Academic institutions in Bengaluru and Karnataka — including IISc, IIIT-B, and Dayananda Sagar University — are developing specialized programs in automotive cybersecurity, further strengthening the talent pipeline.

Key Challenges for Indian OEMs and Suppliers

Despite the growing opportunity, Indian automotive companies face several challenges in adopting cybersecurity engineering practices:

  • Talent scarcity: The intersection of automotive domain expertise, embedded systems knowledge, and cybersecurity skills is exceptionally rare. Most cybersecurity professionals in India come from IT/enterprise backgrounds and lack automotive domain understanding.
  • Process maturity: Many Indian Tier-1 suppliers are still maturing their systems engineering processes. Adding cybersecurity engineering on top of an immature systems engineering foundation is difficult.
  • Cost pressure: Indian suppliers often compete on cost, and cybersecurity compliance adds engineering overhead. Demonstrating the ROI of cybersecurity investment — especially when the regulatory deadline is not immediate — is a common challenge.
  • Tool availability: Until recently, most automotive cybersecurity tools were developed by European companies and priced for European budgets. Indian companies need tools that are technically rigorous but commercially accessible.
  • Supply chain complexity: Indian OEMs often work with hundreds of Tier-1 and Tier-2 suppliers. Flowing down cybersecurity requirements and collecting work products across this vast supply chain is a coordination challenge.

How to Get Started with ISO/SAE 21434 in India

For Indian OEMs and suppliers looking to begin their ISO/SAE 21434 journey, we recommend a phased approach:

Phase 1: Gap Assessment. Evaluate your current systems engineering and cybersecurity practices against ISO/SAE 21434 requirements. Identify gaps in processes, tools, and competencies. This can be done internally or with the support of a specialized cybersecurity engineering partner.

Phase 2: Pilot TARA. Select one representative ECU or system and perform a complete Threat Analysis and Risk Assessment (TARA) following ISO/SAE 21434 Clause 15. This builds practical understanding of the standard's requirements and produces tangible work products. Tools like KAVACH can accelerate this step by automating threat identification and risk scoring.

Phase 3: Organizational CSMS. Establish the organizational policies, roles, competencies, and processes required by ISO/SAE 21434 Clauses 5-7. This includes cybersecurity governance, competency management, information sharing, and supplier management frameworks.

Phase 4: Scale and Integrate. Extend TARA and cybersecurity engineering processes across your product portfolio. Integrate cybersecurity activities into your existing V-model development process. Build supplier cybersecurity interface agreements.

Phase 5: Audit Readiness. Prepare for CSMS assessment by a technical service (e.g. ARAI). Compile work product evidence, conduct internal audits, and address any remaining gaps.

The Opportunity Ahead

India's automotive cybersecurity market represents one of the most significant growth opportunities in the global automotive engineering landscape. The combination of scale (23 million+ vehicles annually), regulatory momentum (AIS 189/190), export requirements (UNECE R155), and a maturing connected vehicle ecosystem creates demand for cybersecurity engineering services, tools, and talent that will only accelerate.

Companies that invest in building ISO/SAE 21434 capabilities now — rather than waiting for regulatory enforcement — will be positioned as preferred partners for global OEMs and as leaders in the domestic market. The window for early-mover advantage is open, but it will not stay open indefinitely.

Agnile Technologies is based in Bengaluru and specializes in automotive cybersecurity engineering. Contact us to discuss how we can support your ISO/SAE 21434 compliance journey.

Want to Review This on a Real Vehicle Architecture?

KAVACH and Agnile's cybersecurity engineering team help teams connect architecture, assets, threats, attack paths, controls, and traceable cybersecurity evidence.