India Clarifies BIS Software Update Rules for IP Cameras
21. May 2026India’s updated BIS compliance framework for IP cameras introduces stricter obligations for firmware management, End-of-Life (EoL) monitoring, and cybersecurity reporting under the ER certification regime. The Ministry of Electronics and Information Technology (MeitY) has released new guidance requiring manufacturers to document and report software-related changes through the Bureau of Indian Standards (BIS) CCL update process.
The new requirements, effective from 26 November 2025, apply to OEMs supplying ER-certified IP cameras in the Indian market. The guidance focuses on lifecycle security management, including firmware integrity, vulnerability mitigation, and component traceability. IP cameras usually require BIS certification in order to be approved for import and sale in India.
New EoL and Firmware Compliance Obligations
Under the revised framework, firmware used in ER-certified IP cameras must not include End-of-Life libraries or unsupported software components. MeitY stated that any unpatched EoL component remaining unresolved six months after expiry may result in the product being considered non-compliant under the BIS Act, 2016.
To support compliance, manufacturers are expected to maintain detailed Software and Hardware Bills of Materials (BOMs). These records should include component versions, EoL status, and known cybersecurity vulnerabilities, including Common Vulnerabilities and Exposures (CVEs).
The guidance also differentiates between minor and major software modifications. Minor changes, such as cosmetic user interface updates, require submission of an Impact Analysis Report together with updated firmware hashes. Major changes, including security patches, kernel updates, and feature additions, require a laboratory verification report to be submitted to BIS for review and approval.
In addition, a CCL update becomes mandatory for a wide range of software and hardware modifications, including emergency vulnerability fixes, replacement of EoL components, voluntary firmware updates, and other security-critical changes.
BIS Reporting Procedures and Surveillance Requirements
For emergency cybersecurity vulnerabilities, OEMs are instructed to deploy corrective patches immediately and notify BIS within 10 working days via email. The notification must include an Impact Analysis Report, while supporting test reports should later be uploaded through the BIS portal once available.
MeitY also confirmed operational procedures for the BIS portal. The online CCL update option is now active for major changes, while minor changes continue to require hard-copy submissions to the BIS Head Office followed by email confirmation.
The updated framework further emphasizes ongoing post-certification obligations. Even after obtaining ER-BIS approval, manufacturers must continuously monitor firmware and component status, track vulnerabilities, and report all significant modifications to BIS.
MeitY audits may include verification of firmware hashes, secure boot implementation, bootloader and kernel versions, source code scans, and evidence of CVE mitigation measures. The clarification reflects India’s broader effort to strengthen cybersecurity controls and lifecycle compliance requirements for connected surveillance equipment entering the domestic market.
If you are interested in understanding what requirements are needed for your product to be imported into India, please do not hesitate to contact us by email or phone (Europe: +49-69-271 37 69 261, US: +1 773 654-2673). If a certification need is discovered we can provide a quotation to make sure that all your certification needs are covered.
If you have any questions you can also use our chat-window in the bottom right. (Please check your browser settings if you can’t see the window)
For more information about BIS certification, please refer to our free brochure “BIS Certification Made Easy“.
