India is embarking on a significant overhaul of its communication security protocols, moving decisively towards a more stringent, mandatory regime for telecom equipment deployed across its vast and rapidly expanding digital networks. This strategic shift signals an end to the era of voluntary compliance and temporary approvals for critical infrastructure components such as Wi-Fi routers, broadband devices, and fiber network gear. The initiative, primarily driven by the nation’s Communication Security Certification Scheme (ComSec), aims to embed robust security at the foundational level of India’s digital ecosystem, addressing escalating cyber threats and national security imperatives.
The genesis of this tightening stems from the ComSec scheme, originally introduced in 2019 by the Department of Telecommunications (DoT), with the explicit goal of ensuring that all telecom equipment utilized within India meets predefined minimum security benchmarks. Despite its six-year existence, the scheme has largely operated on a system of self-declarations and government-issued "Pro Tem" (temporary) certifications. This leniency, initially granted to facilitate business continuity and ease market entry, has meant that a significant portion of equipment from major global players like Nokia, Ericsson, Cisco, and even domestic manufacturers such as Tejas Networks, has yet to achieve full compliance with India’s comprehensive security standards. The Pro Tem certification, introduced in 2024 and valid until December 2027, was a transitional measure, allowing manufacturers to deploy products while working towards full adherence to ComSec requirements, which involve submitting devices to designated government laboratories for rigorous testing.
Under the impending "ComSec Certification Scheme 2026," the government plans to implement a graded certification framework, progressively escalating the mandatory compliance requirements. This structured approach seeks to transition from the current voluntary system to one where specific security assurance levels (SALs) will necessitate adherence to a defined percentage of the Indian Telecommunication Security Assurance Requirements (ITSAR) clauses. For instance, the proposed Security Assurance Level One (SAL 1) certification, expected to be valid for five years, could mandate compliance with 80% of selected ITSAR clauses suggested by Original Equipment Manufacturers (OEMs). Initially, this might involve 20-30 clauses across various product categories, with plans to systematically increase the number of mandatory clauses over time. Higher SALs (Level Two and Level Three) are currently under discussion regarding whether their compliance will remain voluntary or also become mandatory in future phases.
The imperative for such stringent measures is multifaceted, deeply rooted in national security, data sovereignty, and economic resilience. India, with its colossal and growing internet user base, projected to reach over a billion by the end of the decade, represents a critical digital frontier. The rapid rollout of 5G networks and the expansion of digital public infrastructure (DPI) have exponentially increased the attack surface for malicious actors. Geopolitical tensions and the rising sophistication of state-sponsored cyberattacks have underscored the vulnerabilities inherent in reliance on untrusted or inadequately vetted equipment. Cybersecurity experts consistently highlight that supply chain vulnerabilities in telecom infrastructure can lead to espionage, data exfiltration, and critical service disruption, posing direct threats to national security and citizen privacy. India has, in recent years, emerged as a top target for cyberattacks, necessitating a proactive and robust defense strategy.
The ComSec framework is designed to evaluate equipment for secure design principles, robust protection of user data, secure software and firmware update mechanisms, encrypted network communications, resistance to various cyberattacks, stringent access control protocols, and protection against physical and logical tampering. By enforcing these checks, India aims to build a resilient and trustworthy digital backbone. The shift is also seen through the lens of economic protection and fostering indigenous capabilities. While not explicitly protectionist, mandatory security standards can indirectly encourage domestic manufacturing and R&D by leveling the playing field and potentially reducing the advantage of foreign firms relying solely on international certifications. This aligns with broader governmental initiatives like "Make in India" and "Atmanirbhar Bharat" (Self-Reliant India), which seek to bolster local manufacturing and reduce reliance on foreign supply chains, especially in critical sectors.
However, this transition is not without its challenges, particularly for global OEMs. Concerns have been voiced regarding the potential exposure of proprietary product information during mandatory testing, which could impact their competitive edge and intellectual property. Furthermore, some international manufacturers argue that national security testing parameters, as extensive as those proposed by India, are not universally adopted across major global markets. This disparity could create additional burdens, affecting the "ease of doing business" for companies operating across multiple jurisdictions. Historical concerns have also included the perceived inadequacy of existing testing infrastructure in India to handle the volume and complexity of advanced telecom equipment.
To address some of these industry concerns and balance security with market realities, the government has already implemented several concessions. In December of the previous year, the Pro Tem Security Certification Scheme was extended, application fees for Telecom Security Testing Laboratories (TSTLs) were significantly reduced, and security assurance requirements for specific devices like Optical Network Terminator (ONT) boxes (fiber broadband devices used in homes and offices) were simplified. These measures, including a reduction of up to 95% in security test evaluation fees for various telecom and communication products, underscore a governmental attempt to facilitate compliance rather than impede market operations. As of now, India has eight operational TSTLs, which have issued 156 security certifications, predominantly the temporary Pro Tem certificates, indicating the scale of the compliance challenge ahead.
The industry’s response to the graded compliance framework has been mixed but generally constructive. An industry committee comprising major players like Nokia, Hewlett Packard Enterprise, Tejas Networks, Cisco, and GX Group, alongside industry bodies such as the Cellular Operators Association of India (COAI) and the Telecom Equipment Manufacturers Association of India (TEMA), was formed in January to consult stakeholders on the proposed framework. Sambit Swain, Director of Global Sales at Sweden-based GX Group, acknowledges the graded framework as a "step in the right direction," emphasizing that its effectiveness hinges on its alignment with real network security objectives. He advocates for baseline security compliance for all equipment, complemented by a clear, time-bound roadmap towards higher security tiers (SAL 2 and SAL 3). Yet, he cautions that baseline compliance alone may not fully address the core objective of securing national telecom networks given the dynamic geopolitical and cyber threat environment.
The long-term economic implications of this policy shift are substantial. While initial compliance costs for OEMs might increase, potentially leading to higher product prices or temporary market adjustments, the benefits of a more secure and resilient network infrastructure are far-reaching. Enhanced security fosters greater consumer trust in digital services, drives broader digital adoption, and strengthens the foundation for India’s burgeoning digital economy, which is projected to contribute significantly to the nation’s GDP. A secure network reduces the risk of costly cyberattacks, downtime, and data breaches, thereby safeguarding critical services and protecting the national economy. This move also positions India as a leader in advocating for secure digital infrastructure, potentially influencing global standards and fostering international collaborations on cybersecurity. The challenge for policymakers will be to maintain a delicate balance: enforcing stringent security without stifling innovation or creating insurmountable barriers to entry for foreign investment, ultimately ensuring India’s digital future is both secure and prosperous.
