India's sweeping new cybersecurity rules for internet-connected CCTV systems have sent shockwaves through the $3.5 billion surveillance industry, as foreign manufacturers face scrutiny over source code, factory inspections, and allegations of potential Chinese espionage. The policy, implemented in April, requires all CCTV makers-foreign and domestic-to submit hardware, software, and in some cases, proprietary code for security certification by government labs before they can operate in the country.
The measures, outlined in internal meeting minutes and emails reviewed by Reuters, have stalled hundreds of product approvals and strained relations with global tech firms. As of May 28, Indian regulators had received 342 applications covering hundreds of models, but only 35 had completed testing-just one of which was from a foreign company.
"Millions of dollars will be lost from the industry, sending tremors through the market," Ajay Dubey, South Asia director for South Korea's Hanwha, warned India's IT ministry in an April 9 email.
The rules follow long-standing national security concerns over Chinese surveillance equipment. In 2021, India disclosed that roughly one million cameras in its public sector were sourced from Chinese firms and potentially transferred video data to overseas servers. A senior Indian official told Reuters, "China is part of the concern."
Under the new regime, firms such as Hikvision, Xiaomi, Dahua, Hanwha, and Motorola Solutions must comply with government lab certification before selling products in India. The Standardization Testing and Quality Certification Directorate-under the Ministry of IT-currently reviews just 28 applications at a time across 15 labs.
Indian officials met with 17 camera manufacturers on April 3-including Bosch, Honeywell, Motorola, and Xiaomi-where companies pleaded for a delay, citing lack of readiness. According to official minutes, the government denied the request, stating the policy "addresses a genuine security issue."
"The testing lab indicated that this requirement applies to applications originating from countries that share a land border with India," Xiaomi wrote in an April 24 email after being told its application required further registration details of two China-based manufacturers. The IT ministry did not respond to Reuters' queries about the company's account.
The rules stipulate that devices must include tamper-proof enclosures, robust malware detection, and encryption. Companies using non-standard communication protocols must also submit source code for evaluation, and regulators are empowered to conduct factory inspections abroad.
"Expectations such as source code sharing, retesting post firmware upgrades, and multiple factory audits significantly impact internal timelines," Infinova sales executive Sumeet Chanana wrote to ministry officials on April 10. On the same day, Sanjeev Gulati, India director for Taiwan's Vivotek, warned, "All ongoing projects will go on halt."
India's push to secure its surveillance infrastructure has intensified since border clashes with China in 2020. In parallel, it has banned dozens of Chinese apps and tightened investment rules for neighboring countries. "Anyone can operate and control internet-connected CCTV cameras sitting in an adverse location," said Gulshan Rai, India's cybersecurity chief from 2015 to 2019. "They need to be robust and secure."
The market implications are already visible. CP Plus, which controls 48% of India's camera market, told Reuters it had received certification for flagship models but awaits approval for others. Bosch requested regulators "allow business continuity" while testing is underway.
At New Delhi's Nehru Place electronics market, shop owner Sagar Sharma said camera sales had plummeted 50% from April due to supply constraints. "It is not possible right now to cater to big orders," he said. "We have to survive with the stock we have."
