India is set to tighten security testing rules for equipment such as Wi-Fi routers, broadband devices and fibre network gear as it seeks to make telecom equipment safer for use in the country’s internet networks, government officials and industry executives aware of the matter said.
This means that telecom equipment makers such as Nokia, Ericsson, Cisco, and Tejas Networks can no longer rely solely on temporary approvals or self-declarations of compliance with security testing requirements, but will now have to clear some mandatory security checks before their products can be deployed in the country’s networks.
The move is part of India’s Communication Security Certification Scheme (ComSec), introduced in 2019 to ensure that telecom equipment used in the country meets minimum security standards and is safe for deployment in networks. However, even six years after the introduction of the scheme, no equipment maker has fully complied with India’s security standards, instead relying on self-declarations and government-issued Pro Tem certifications to operate their products in the country.
“The plan is to come up with a ComSec certification scheme 2026. This would be a graded certification scheme moving towards mandatory compliance for some of the standards as per Indian Telecommunication Security Assurance Requirements (ITSAR),” one of the government officials cited earlier said, requesting not to be named. The other officials and executives, too, spoke on the condition of anonymity.
Devices under ComSec are tested for secure design, protection of user data, safe software and firmware updates, secure network communications, resistance to cyberattacks, access control and protection against tampering, ensuring they meet India’s telecom security standards before deployment.
“For ease of doing business, the government has given relaxations to the OEMs (original equipment manufacturers), dealers, and importers so that their product line continues while the security certification testing is being done. Now, we expect them to mandatorily comply with security standards in phases at least,” the official quoted above said, adding that many companies have complied with most of the testing requirements.
OEMs are companies that design and manufacture telecom equipment used in network infrastructure.
Introduced in 2024, the Pro Tem certification allows equipment makers to operate their products in India on a temporary basis. During this period, they are expected to work toward full compliance with ComSec security standards by submitting their products to government-designated labs for testing. The Pro Tem scheme is valid till 31 December 2027.
The National Centre for Communication Security (NCCS) under the department of telecommunications (DoT) is considering a proposal to notify three-level security certifications for network equipment vendors. The security assurance level (SAL) one certificate, which will be issued for five years, could involve mandatory compliance with 80% of the selected ITSAR clauses suggested by the OEMs.
There are 20-30 ITSAR clauses across product categories selected by industry for level one compliance, and once the new scheme is implemented, the number of clauses would be increased over a period of time, the official cited above said. For level two and level three security assurances, it is being discussed whether the compliance could be made voluntary, the official added.
To be sure, on 6 January, the National Centre for Communication Security formed an industry committee comprising companies such as Nokia, Hewlett Packard Enterprise, Tejas Networks, Cisco and GX Group, along with industry bodies such as the Cellular Operators Association of India (COAI) and the Telecom Equipment Manufacturers Association of India (TEMA), to consult stakeholders on the proposed graded security certification framework.
Queries emailed to DoT, NCCS, Nokia, Ericsson, Tejas Networks and Cisco remained unanswered till press time. HPE refused to comment.
Graded compliance
Compliance with security standards assumes significance as, according to some industry executives, prolonged reliance on voluntary or Pro Tem certifications can create potential security exposure gaps, especially amid evolving geopolitical situations and an increase in the intensity of cyberattacks.
“The graded security certification framework is a step in the right direction, but its effectiveness will depend on how it aligns with real network security objectives,” said Sambit Swain, director of global sales at Sweden-based GX Group. The company manufactures routers, switches and other telecom equipment.
According to Swain, the framework should ensure baseline security compliance for all telecom equipment, supported by a clear and time-bound roadmap toward higher security tiers (SAL 2 and SAL 3). “In the context of today’s geopolitical and cyber threat environment, baseline compliance alone may not fully address the core objective of securing national telecom networks,” he added.
Some OEMs, however, are of the opinion that since national security testing parameters are not followed anywhere in the world, the government should mandate only a basic level of compliance for them to meet the security standards, and the rest should be made voluntary.
“Some of the global OEMs have largely been reluctant on mandatory compliance with security standards on concerns that their secret product information would be leaked. Besides, they earlier also expressed concerns over ease of doing business and weak testing infrastructure,” a consultant who works with some of the telecom equipment makers mentioned in this story said. “A balance between mandatory compliance and keeping certain compliance levels voluntary should be fine with everyone,” the consultant added.
To reduce the burden on the industry for security compliance, the government in December last year extended the Pro Tem Security Certification Scheme, slashed the application fees for Telecom Security Testing Laboratories (TSTLs), and simplified the security assurance requirements for Optical Network Terminator (ONT) devices such as fibre broadband boxes installed at homes and offices. In July, the government had lowered security test evaluation fees for telecom and communication products by up to 95%.
There are eight telecom security testing labs in the country, and the government has issued 156 security certifications so far, most of them Pro Tem certificates.
