India pulls the plug on Chinese CCTV makers with new norms from 1st April: Read how ‘connected’ cameras are a national security issue now, after what Israel did in Iran

The surveillance system in India is getting a sweeping reset. Chinese CCTV makers including TP Link, Hikvision and Dahua are effectively being pushed out of the internet connected camera market as stricter certification norms are all set to kick in on 1st April. Companies that have failed to secure mandatory security certification under the government’s STQC regime will no longer be allowed to sell such products in the Indian market. This change will mark a decisive shift driven by national security concerns, trusted supply chains and data sovereignty. What is happening in the market The immediate impact of the new certification regime is visible in the CCTV market in India. Chinese brands that until recently held around one third of the market are now either exiting or drastically altering their business models. According to industry data published in media reports, Indian manufacturers such as CP Plus, Qubo, Prama, Matrix and Sparsh have already taken over 80% of the CCTV market. Global firms such as Bosch and Honeywell have consolidated their position in the premium segment. On the other hand, Chinese and smaller players have disappeared due to non compliance. Companies that heavily relied on Chinese chipsets and firmware have struggled to meet certification requirements. Major industry players including Hikvision have been forced to explore joint ventures with Indian firms and move away from Chinese supply chains due to regulations imposed by the Government of India. Dahua’s presence has also shrunk by almost 80% in the Indian market. Household names from the Chinese ecosystem including Xiaomi and Realme, who rule the smart home camera segment, have also withdrawn from the market due to compliance challenges. Reports suggest that the shift has increased costs by 15% to 20% due to localisation and alternative sourcing. However, dominant players have managed to stabilise prices in the lower end of the market. The transition stems from the Essential Requirements norms introduced by the Ministry of Electronics and Information Technology (MeitY) in April 2024. With the norms, the government mandated security testing, declaration of component origin, and vulnerability assessment before the products can be sold in the Indian market. The policy architecture explained As recent as 4th February 2026, the Government of India issued a circular that clarified the policy architecture behind the market shift. The circular made it clear that security certification for CCTV cameras will now be uniformly governed through STQC testing under the Essential Requirements framework. The government has aligned two regulatory mechanisms, the Compulsory Registration Order and the Public Procurement Preference to Make in India framework, by ensuring that a single STQC security test report will suffice for compliance under both. This effectively removes ambiguity and tightens enforcement. It is important to note that the circular has clarified that security certification is independent of value addition requirements under Make in India norms. In other words, even if the product meets localisation criteria, it cannot bypass security testing. The IoT System Certification Scheme plays a crucial role here. CCTV cameras fall under IoT devices, meaning they are subject to cybersecurity scrutiny that goes beyond basic hardware compliance. Under this framework, devices must meet stringent requirements such as secure communication protocols, encryption, tamper resistance, and controlled access to hardware interfaces. The IoT section further clarifies that STQC certification applies to all such devices uniformly, ensuring that no manufacturer can escape scrutiny by exploiting regulatory overlaps. It also enables government authorities to standardise testing procedures and certification outputs across sectors. The government has also publicly published names of companies that have secured the clearance certificate along with a PDF of the certificate on the website which can be accessed here. Government refused to extend certification deadline in 2025 The groundwork for the current market disruption was laid in 2025 when the government expanded the scope of CCTV scrutiny to include hardware, software and even source code level inspection. As reported earlier by OpIndia in May 2025, manufacturers were mandated to submit their devices for deep security assessment in government labs. This included analysis of firmware, encryption mechanisms and potential vulnerabilities that could allow remote access or data exfiltration. The move was driven by concerns that internet connected cameras could act as surveillance tools if compromised. Experts had warned that such devices could be accessed remotely from adversarial locations, posing espionage risks. Manufacturers had raised objections at the time, citing delays, inspection burdens and risks to proprietary source code. Industry bodies warned of financial losses and disruption to infrastructure projects. However, the government refused to dilute the policy, maintaining that it addressed a genuine national security concern. The rules also empowered authorities to inspect manufacturing facilities, even outside India, and mandated robust cybersecurity features such as encryption, malware detection and secure communication protocols. Government flagged vulnerabilities in CCTV ecosystem Concerns around CCTV related data security are not new. Back in 2021, while responding to a Lok Sabha query, the government had already flagged vulnerabilities associated with foreign made surveillance systems. It shows that the Narendra Modi led government has been trying to weed out possible data leaks via the CCTV ecosystem for a long time. The government stated that around 10 lakh CCTV cameras installed in government institutions were sourced from Chinese companies. It acknowledged that video data captured through such devices could be transferred to servers located abroad, raising serious security concerns. The government had pointed to systemic vulnerabilities and said measures such as filtering of URLs and IP addresses had been implemented to mitigate risks. It also highlighted steps taken under existing laws to regulate imports and ensure compliance with Indian safety standards. These early warnings laid the foundation for the current regulatory tightening and signalled a long-term policy trajectory that is focused on securing surveillance infrastructure. The Gazette notification that changed the CCTV ecosystem for good The legal backbone of the current regulatory regime lies in the Gazette notification issued on 9th April 2024. With the notification, the government formally brought CCTV cameras under the Compulsory Registration framework. The notification amended the Electronics and IT Goods Order to include CCTV cameras as a regulated category requiring mandatory certification before sale. It made compliance with Indian safety standards and newly introduced Essential Security Requirements compulsory. At its core, the notification mandates that CCTV systems must be secure at multiple levels, hardware, firmware, network and supply chain. The requirements go far beyond basic quality checks and focus on cybersecurity resilience. Manufacturers must ensure physical security through tamper resistant enclosures, preventing unauthorised access to device internals. At the software level, devices must implement strong authentication systems, role-based access controls and regular updates. One of the most critical aspects is encryption. Data transmission from cameras must be encrypted, ensuring that video feeds cannot be intercepted or manipulated. Devices must also be capable of resisting cyberattacks through penetration testing and vulnerability assessments. The certification process requires vendors to submit detailed technical documentation, including system architecture, firmware details, and security protocols. They must also provide evidence of secure boot processes, protection against firmware tampering, and safeguards against backdoor access. Another key requirement is the supply chain integrity. Manufacturers must disclose the origin of critical components such as chipsets and demonstrate that they come from trusted sources. This is particularly significant given concerns over Chinese components. The notification also emphasises lifecycle security. Devices must support secure firmware updates, prevent rollback to older vulnerable versions, and maintain logs of software components and vulnerabilities. Testing is conducted in accredited laboratories recognised by the Bureau of Indian Standards. Only after successful evaluation can a product receive certification and be allowed for sale in the Indian market. In essence, the Gazette notification transforms CCTV cameras from simple surveillance devices into tightly regulated digital infrastructure components, where security, transparency and traceability are non-negotiable. Why unmonitored CCTV networks pose a national security risk The seriousness of the threat is evident from the fact that central agencies have recently ordered a pan India audit of CCTV networks across major cities. The directions came after a Pakistan linked spy ring was busted. According to a News18 report, the directive is not a routine administrative exercise. It follows the discovery that the espionage network had not merely exploited existing cameras but had installed its own covert surveillance systems at sensitive sites, including Delhi Cantonment Railway Station and Sonipat Railway Station. Some of these cameras were fitted with solar power systems to ensure uninterrupted live footage, which, according to investigators, was relayed to ISI linked handlers across the border. Central agencies have therefore asked police forces and law enforcement units to physically verify installations, identify unauthorised cameras, and examine if the existing systems have adequate access controls. Surveillance cameras are not just passive crime prevention tools. Once compromised, they can become hostile intelligence assets. A fragmented network of cameras installed by different agencies, contractors and local bodies, without a unified oversight protocol, creates blind spots that can be exploited by enemy states, terror groups or espionage handlers. The danger of compromised surveillance infrastructure is not theoretical. It has already been demonstrated globally in the most chilling way. According to earlier reports by OpIndia, Israel spent years penetrating Iran’s traffic camera network and mobile phone systems to track the movements of the now-deceased Supreme Leader of Iran, Ayatollah Ali Khamenei, and his security detail before the strike that killed him. The surveillance effort reportedly allowed Israeli intelligence to monitor the movements of bodyguards, drivers and senior officials, study parking patterns inside a heavily guarded compound, map commuting routes, and build algorithm driven dossiers on the routines of those tasked with protecting the Iranian leadership. Traffic camera feeds were allegedly encrypted and transmitted to Israeli servers, while mobile networks around the target zone were interfered with to delay or block possible alerts. It shows how cameras, if infiltrated, can become instruments of battlefield grade intelligence. They reveal patterns, routines, vulnerabilities and timing. Combined with signal interception, data analytics and human intelligence, a compromised CCTV grid can help an adversary identify targets, monitor strategic locations and support precision attacks. Therefore, for India, it is not merely a question of cyber hygiene or bureaucratic compliance. It is a question of sovereignty, counter espionage and national defence. An unsecured or unaudited surveillance network is not just a technical lapse, it is a tactical opening. A structural shift, not just a market change The combined effect of policy decisions taken by the government over the years has resulted in a structural shift in India’s surveillance ecosystem. What began as a concern over data security has now evolved into a comprehensive regulatory framework that reshapes supply chains, promotes domestic manufacturing, and restricts unverified foreign technology. While the transition has led to higher costs and short term disruptions, it has also opened opportunities for Indian manufacturers to dominate a market expected to grow significantly in the coming years.