Current Affairs Topics Quiz Archive
International Relations Economics Polity & Governance Environment & Ecology Science & Technology Internal Security Geography Social Issues Art & Culture Modern History

With new standardisation rules, CCTV companies can now compete fairly: Qubo CEO

April 07, 2026 6 min read Science & Technology Polity & Governance GS Paper 3 (Science & Technology Cyber Security Internal Security)
On This Page

What Happened

  • India's new standardisation framework for CCTV cameras came into effect from April 1, 2026, under the Essential Requirements (ER) standards framework managed by the Standardisation Testing and Quality Certification (STQC) Directorate under the Ministry of Electronics and Information Technology (MeitY).
  • The ER-01 standard under the IoT System Certification Scheme (IoTSCS) requires CCTV devices to use secure chips from trusted sources and have properly-tested firmware with high levels of encryption.
  • The CEO of Qubo (a domestic CCTV brand) noted that the new rules create a level playing field, preventing manufacturers using unsecured or low-cost foreign (particularly Chinese-origin) chips from dominating the market.
  • Devices that do not conform to the ER standards cannot be legally sold in India from April 1, 2026.
  • Chinese brands face effective market block: MeitY has been reportedly withholding certification from devices relying on Chinese-origin chipsets.
  • Indian brands (CP Plus, Qubo, Matrix) are switching to chipsets sourced from Taiwan or the US to comply with MeitY guidelines.
  • The rules mandate: elimination of hardcoded passwords, no hidden backdoors, secure firmware updates, encrypted communication protocols, and no harmful software.

Static Topic Bridges

Cybersecurity Standards and STQC Certification in India

The Standardisation Testing and Quality Certification (STQC) Directorate is India's apex body for quality assurance of electronics, IT, and cybersecurity products.

  • STQC: Operates under MeitY; provides testing, calibration, and certification services for IT and electronics products.
  • IoT System Certification Scheme (IoTSCS): Framework under which ER-01 was developed — applies to IoT devices including CCTV cameras, routers, and smart home devices.
  • ER-01 standard: Part of the Essential Requirements framework; specifies minimum cybersecurity requirements for IoT devices — modelled on international frameworks (ETSI EN 303 645 in Europe; NIST IoT framework in the US).
  • Common Criteria: International standard (ISO/IEC 15408) for cybersecurity evaluation; STQC is accredited to evaluate against Common Criteria.
  • Mandatory certification: From April 1, 2026, CCTV cameras without ER-01 compliance/STQC certification cannot be imported or sold.
  • Bureau of Indian Standards (BIS): Also plays a role in product standardisation; for electronics, the Electronics and IT Goods (Requirements for Compulsory Registration) Order mandates BIS registration for many product categories.

Connection to this news: The ER-01 standard for CCTVs operationalises India's cybersecurity sovereignty goal by mandating technical safeguards at the device level — preventing surveillance infrastructure from becoming a backdoor for foreign intelligence gathering.

Trusted Source Policy and Atma Nirbhar in Critical Technology Infrastructure

India's Trusted Sources framework, developed after the 2020 India-China border tensions, aims to exclude untrusted vendors from critical telecommunications and surveillance infrastructure.

  • National Cyber Security Policy, 2013: India's foundational cybersecurity policy; a revised policy has been under preparation.
  • Trusted Telecom Portal: MeitY and Department of Telecommunications (DoT) jointly operate a portal to designate trusted and non-trusted sources for telecom equipment.
  • Huawei/ZTE exclusion: India effectively excluded Chinese telecom vendors from 5G network rollout by restricting access to spectrum auctions and security testing.
  • CCTV security concern: Reports by multiple intelligence agencies globally (UK, Australia, US) found that Hikvision and Dahua (Chinese CCTV brands) transmitted surveillance data to Chinese servers.
  • Semiconductor supply chain: The CCTV chipset requirement to use trusted sources (Taiwan/US chips) is part of India's broader effort to reduce dependence on Chinese semiconductor supply chains.
  • India Semiconductor Mission (ISM): Launched 2021; ₹76,000 crore incentive scheme to attract semiconductor fabrication to India; Tata Electronics and Powerchip Semiconductor Manufacturing Corporation announced India's first chipmaking fab in Gujarat.

Connection to this news: The CCTV chip sourcing requirement is part of the broader Trusted Sources and Atma Nirbhar Bharat framework for critical technology — using regulatory mandates to reshape supply chains and reduce surveillance security risks.

Internet of Things (IoT) Security — The Regulatory Challenge

IoT devices — CCTVs, smart meters, routers, industrial sensors — are proliferating rapidly in India, creating vast new attack surfaces for cyber adversaries.

  • IoT definition: Interconnected physical devices that collect and transmit data via the internet — CCTVs, smart speakers, medical devices, industrial control systems.
  • Security risks unique to IoT: Default/hardcoded passwords, infrequent firmware updates, limited computational power for encryption, long deployment lifecycles.
  • Botnet attacks: IoT devices with weak security (e.g., unsecured CCTVs) are commonly weaponised into botnets for DDoS attacks; the 2016 Mirai botnet used ~600,000 compromised IoT devices.
  • CERT-In (Computer Emergency Response Team — India): Under MeitY; mandated to collect cybersecurity incident reports; the 2022 CERT-In Directions require all entities to report incidents within 6 hours.
  • National Critical Information Infrastructure Protection Centre (NCIIPC): Under the National Technical Research Organisation (NTRO); protects critical information infrastructure — power grids, banking, telecom, transportation — from cyber attacks.

Connection to this news: CCTV cameras installed in homes, offices, and public spaces constitute a distributed sensor network — if compromised, they pose both privacy risks (illegal surveillance) and national security risks (intelligence gathering). The ER-01 standard addresses this specific threat.

Digital India and Consumer Protection in the Digital Space

The new CCTV rules also have a consumer protection dimension — buyers must be able to trust that devices will not spy on them.

  • Consumer Protection Act, 2019: Covers digital commerce; the Central Consumer Protection Authority (CCPA) has powers to take action against unfair trade practices and misleading advertisements, including for digital products.
  • IT Act, 2000 (Section 43A): Provides for compensation to persons affected by breach of data security by companies handling sensitive personal data.
  • Personal Data Protection — The Digital Personal Data Protection Act, 2023 (DPDPA): Establishes obligations on Data Fiduciaries; CCTVs that transmit footage to cloud servers make the operator a Data Fiduciary responsible for protecting the data.
  • Right to Privacy: K.S. Puttaswamy v. Union of India (2017) — nine-judge bench unanimously held right to privacy is a fundamental right under Article 21.
  • Unsecured CCTV cameras streaming footage publicly or to foreign servers would violate both the DPDPA and the right to privacy.

Connection to this news: The Qubo CEO's statement on fair competition is also a consumer protection statement — the new rules ensure consumers purchasing compliant CCTV systems receive a baseline level of security, privacy, and data protection.

Key Facts & Data

  • ER-01 standard effective date: April 1, 2026 (no new non-compliant CCTVs can be sold or imported).
  • Managing body: STQC Directorate, Ministry of Electronics and Information Technology (MeitY).
  • Certification scheme: IoT System Certification Scheme (IoTSCS).
  • Key mandates: Secure chips from trusted sources, high-grade firmware encryption, no hardcoded passwords, no backdoors, secure firmware update mechanism, encrypted communication.
  • Chipset sourcing: MeitY reportedly requires chips from Taiwan or US (not China) for certification.
  • Domestic brands transitioning: CP Plus, Qubo, Matrix — switching to non-Chinese chipsets.
  • CERT-In 2022 Directions: Mandatory 6-hour incident reporting for cybersecurity breaches.
  • NCIIPC: Protects critical information infrastructure; under NTRO.
  • India Semiconductor Mission (2021): ₹76,000 crore for semiconductor manufacturing ecosystem.
  • DPDPA 2023: Regulates handling of personal data by Data Fiduciaries, including those operating CCTV cloud systems.
  • K.S. Puttaswamy (2017): Privacy is a fundamental right under Article 21.