IndoAI — The Programmable AI Camera Platform

Regulation · India · CCTV Compliance

BIS ER-01 / MeitY Essential Requirements: What CCTV Buyers Must Do Now That Enforcement Is Live

Since 1 April 2026, BIS ER-01 compliance is mandatory for every CCTV camera sold in India. MeitY's Essential Requirements make STQC-tested, BIS-registered cameras the only legal purchase. Buyers must verify the BIS CRO registration and ER-01 test evidence for each model, write compliance into purchase orders, and reject uncertified stock.

Dr. Vivek Gujar · 14 July 2026 · 12 min read

Timeline illustration of India's BIS ER-01 compliance enforcement: milestone dots ending at a solid wall, with only a certified CCTV camera passing through the checkpoint
The transition era ended on 1 April 2026. Only certified cameras pass the wall.

For two years, the CCTV industry treated India's camera security mandate as a moving deadline — notified, extended, relaxed, extended again. That era is over. On 16 January 2026, the Ministry of Electronics and Information Technology (MeitY) issued an Office Memorandum withdrawing the last remaining relaxation. From 1 April 2026, no CCTV camera that fails to conform to the notified Essential Requirements can be sold in India — not by manufacturers, not by importers, not by the dealer clearing "old stock" at a discount.

Enforcement is now live. If you are specifying, procuring, or expanding a video surveillance system anywhere in India — a factory in Chakan, a retail chain, a housing society, a government tender — this article tells you what changed, what ER-01 actually tests, a paradox inside the certificate that almost nobody discusses, and the checklist to run before you sign any purchase order. Every regulatory claim is sourced at the end.

Three ways to read one regulation

On paper, ER-01 is a cybersecurity rule. In practice, it is three policies wearing one gazette notification — and a buyer who understands all three will negotiate better than one who sees only the first.

Reading one: a security floor for the internet's softest target

Networked cameras have a specific, well-earned reputation in security circles. In 2016, a botnet assembled largely from hijacked cameras and video recorders — devices running default passwords and unpatched firmware — briefly broke large sections of the global internet in one of the biggest denial-of-service attacks ever recorded. The cheapest camera on the market has, for a decade, been one of the cheapest ways into a corporate network. ER-01's answer is blunt: minimum device security is no longer a premium feature; it is a condition of market access. A camera that cannot prove it resists compromise cannot legally be sold.

Reading two: a passport for cameras

The most consequential line in ER-01 is not about encryption. It is the requirement that a camera's certificate record the make and origin of its chipset, plus its exact firmware version and hash. Every certified camera now carries, in effect, a passport — a verifiable declaration of where its silicon was born and what code it runs. India is among the first large markets in the world to make this disclosure a condition of sale. Whatever else the regulation achieves, it has permanently ended anonymous hardware.

Reading three: a market restructured in eighteen months

The enforcement deadline coincided with — and accelerated — a historic shift in market share. Chinese brands accounted for roughly a third of Indian CCTV sales as recently as a year before enforcement; by early 2026, industry research put Indian manufacturers at more than 80% of the market, built on redesigned supply chains, non-Chinese chipsets, and localised firmware. The overall India video surveillance market — roughly USD 4.40 billion in 2025 and forecast to reach USD 7.12 billion by 2030 at a 10.1% CAGR — now flows almost entirely through certified, disclosed, domestically accountable hardware.

You do not have to pick a reading. All three land on the same desk: the buyer's. The security floor changes what you must verify, the passport changes what you can demand to see, and the market restructuring changes who you will be buying from.

The timeline: how a deadline became a hard wall

DateWhat happenedEffect for buyers
April 2024MeitY gazette notification introduces ER-01 for CCTV cameras under the CRO amendmentSix-month runway announced; compliance originally due October 2024
9 April 2025Extended compliance deadline. After this date, non-compliant models are deleted from BIS licence scope; no new registrations without an ER-01 test reportNew models must be certified, but existing stock still circulated
21 May 2025MeitY Office Memorandum grants a relaxation: cameras imported or manufactured before 9 April 2025 may still be sold, to allow stock clearanceDealers legally sell down uncertified inventory
16 January 2026MeitY Office Memorandum withdraws the relaxation, stating industry has had sufficient transition timeThe stock-clearance window is given a fixed end date
1 April 2026Full enforcement. Non-ER-compliant cameras cannot be sold in India, regardless of import or manufacture dateEvery camera you buy from this date must carry ER-01 evidence

Note the subtlety in the final row: even stock imported or manufactured before April 2025 must now meet the Essential Requirements to be sold. "We imported it before the deadline" is no longer a legal basis for sale. If a quote today includes uncertified hardware, the supplier is offering you a product that cannot lawfully change hands.

What ER-01 actually tests inside the camera

ER-01 is not a paperwork exercise. STQC labs — 14 of them are recognised by BIS for this testing — evaluate physical samples, including engineering boards with access probes, against a defined methodology. The requirements fall into five broad areas:

Exploded diagram of a dome CCTV camera surrounded by five icons representing ER-01 test areas: hardware security, firmware security, secure communication, access control, and supply-chain transparency
The five test areas of ER-01: hardware, firmware, communication, access, supply chain.

1. Hardware-level security

The device must resist physical attack: tamper resistance and tamper detection, a hardware root of trust (a TEE, Secure Element, or TPM), secure boot that validates the boot image signature before loading, and cryptographic keys that are unique to each individual device — so compromising one camera does not compromise the fleet.

2. Software and firmware security

Firmware must enable memory protections (ASLR and DEP), updates must be cryptographically signed and protected against rollback to older vulnerable versions, and the lab checks for hardcoded credentials and banned code — the classic weaknesses behind most camera botnets.

3. Secure communication

Data in transit must be encrypted using strong TLS, communication channels must support mutual authentication, only standard documented protocols are allowed, and open ports must be justified. The lab literally scans the device and asks the vendor to defend every listening service.

4. Access control

Authentication is mandatory, with role-based access control and no universal default passwords — the vulnerability that made older CCTV estates trivially harvestable.

5. Supply-chain transparency

This is the passport described above. Vendors must demonstrate trusted component sourcing, and the issued certificate records chipset make and origin, firmware version, and hash. Under the series guidelines, every model in a certified series must use the same SoC and the same firmware hash — a different firmware build is treated as a different product.

The paradox inside the certificate

Here is the part of this regime that procurement teams have not yet metabolised — and the reason a certificate should start a conversation with your vendor rather than end one.

The ER-01 certificate freezes a moment in time: it records the exact firmware version and cryptographic hash of the build that passed the lab. But ER-01 also mandates a secure, signed update mechanism — because everyone involved knows that unpatched firmware is precisely how cameras get compromised. Read those two requirements together and you find a genuine tension: the certificate certifies an artifact whose security depends on that artifact changing.

A certificate is a snapshot. Security is a subscription.

This is not a flaw unique to India — every device-certification regime in the world wrestles with it — but it has a practical consequence for buyers. It creates a quiet incentive problem: a vendor who ships security patches promptly must also keep documentation aligned with the new build, while a vendor who sits on patches keeps tidy paperwork and a slowly rotting fleet. The mark on the box tells you the camera was secure on the day it was tested. It does not tell you the camera is secure today.

So add one question to every vendor conversation, and watch how it is answered: "When you release a security patch for this certified model, what is your process — and how quickly does your compliance documentation catch up?" A vendor with a disciplined patch-and-realign pipeline will answer in specifics. A vendor who treats the certificate as a one-time event will change the subject. That single question separates compliance culture from compliance theatre better than any datasheet.

Five myths that will get a procurement team in trouble

MythReality
"Our installed cameras are now illegal."No. The rule restricts sale and new supply. Installed, operating systems continue as they are. The obligation triggers when you buy.
"Dealers can still clear pre-2025 stock."That relaxation was explicitly withdrawn on 16 January 2026. Old stock without ER conformity cannot be sold.
"This only applies to government projects."ER-01 under the CRO applies to all sales — homes, offices, private enterprises. Government tenders add a further STQC layer under public procurement rules.
"The brochure says compliant, so it's compliant."Compliance is proven by documents: BIS registration, ER-01 test report, packaging declaration. Verbal assurance is not evidence.
"There'll be another extension."MeitY's withdrawal memorandum states industry has had sufficient time. Planning a project around a hoped-for extension is a supply-chain gamble.

How to Verify BIS ER-01 Compliance Before You Buy

Here is the seven-step verification workflow we recommend to system integrators and facility teams. It takes minutes per model and can save a project from stranded, unsellable, or unsupportable hardware.

Step 1Ask for the model's BIS registration number under the CRO and verify it against the BIS portal listing.
Step 2Ask for the ER-01 test report or STQC certificate for the exact model or series being quoted.
Step 3Check the packaging declaration — the "complies with Essential Requirement(s) for Security" mark.
Step 4Match the chipset and firmware hash on the certificate to the product datasheet. A different firmware build is a different product.
Step 5Write compliance into the purchase order: a warranty clause that all supplied units conform to ER-01, with documentation delivered at supply.
Step 6Audit open quotes and AMC stock. Replacement cameras under maintenance contracts must also be compliant from now on.
Step 7 · Government buyers onlyLayer in public procurement requirements: STQC-certified cameras have been mandatory in government procurement since June 2024, with tender preference tied to local content classes. Confirm the supplier's class before bid submission.

Worked example · A 60-camera factory expansion

A Pune auto-component plant plans 60 additional cameras across two new sheds. The integrator's quote lists three models from two brands. Running the checklist: model A and model B return valid BIS registrations with ER-01 reports; model C — a budget bullet camera — has a BIS number for electrical safety only, with no ER-01 evidence. The fix costs nothing: swap model C for a certified equivalent at roughly ₹400 more per unit, or about ₹8,000 across the sub-estate that used it — against the alternative of ripping out and re-buying unsupportable hardware, plus the audit and insurance questions that follow an uncertified install.

The part ER-01 does not cover: your data

Here is the distinction that most buying conversations still miss. ER-01 secures the device. It says nothing about what you do with the footage.

India's surveillance compliance now has two layers, and they map cleanly onto the two layers of any modern video system:

LayerGoverning regimeWhat it demands
Capture layer
(cameras, NVRs)
BIS ER-01 / CRO, enforced from 1 April 2026The hardware you buy must be BIS-registered and STQC-tested: secure boot, signed firmware, encrypted transport, disclosed supply chain.
Intelligence layer
(analytics, storage, access)
DPDP Act and Rules, phased compliance through 2027Footage of identifiable people is personal data: purpose limitation, notices, retention discipline, security of processing, penalties up to ₹250 crore for serious breaches.

Buying a certified camera gives you a compliant capture layer — and nothing more. If that camera streams identifiable footage to an analytics stack with no retention policy, or to processing outside your control, the device certificate will not help you in a DPDP inquiry.

This is where architecture matters. An edge-first intelligence layer — processing video on-site, next to the cameras, rather than shipping raw footage out — keeps the data-protection surface small and auditable. It is the design principle behind IndoAI's Appization platform: a programmable layer of installable AI apps that connects to any ONVIF/RTSP-compliant camera estate, including the newly certified Indian brands now dominating the market, and including the cameras you already own.

Architecture diagram showing four generic CCTV cameras in a capture layer connecting upward across a divider to a single on-site edge AI appliance in the intelligence layer
Two layers, two regimes: ER-01 governs the cameras below the line; DPDP governs the intelligence above it.

That last point deserves emphasis, because it is the good news inside this regulation. Since the mandate restricts sale rather than operation, your installed estate is a legitimate foundation — you can add modern AI capability to it today, and apply the ER-01 checklist only to the cameras you buy from here on. Regulation-driven panic replacement is rarely necessary; regulation-aware procurement always is. Teams running manufacturing sites in particular can phase hardware refresh across budget cycles while the intelligence layer stays constant above it.

The bottom line for buyers

ER-01 enforcement is the best thing to happen to Indian CCTV procurement in a decade — it converts a race-to-the-bottom hardware market into one where security is a legal floor, not a premium feature. But the burden of verification sits with you. From 1 April 2026, four habits protect every project: demand the registration and test report per model, contract for compliance in the PO, ask the patching question, and treat device certification and data protection as two separate questions — one answered by the camera you buy, the other by the intelligence layer you run above it.

Frequently asked questions

Are my already-installed CCTV cameras illegal after 1 April 2026?

No. The ER-01 mandate restricts the sale and new supply of non-compliant cameras. Systems already installed and operating before enforcement can continue running. The rule bites when you buy: any new camera purchased, replaced under AMC, or added to an existing site must be ER-01 compliant.

What is BIS ER-01 in simple terms?

ER-01 is the set of Essential Requirements for the security of CCTV cameras notified by MeitY in April 2024 under the Compulsory Registration Order. It defines cybersecurity benchmarks — secure boot, signed firmware, encrypted communication, access control, tamper protection, and supply-chain disclosure — that a camera must pass in a BIS-recognised STQC lab before it can be legally sold in India.

Can dealers still sell old stock imported before April 2025?

No. The temporary relaxation issued in May 2025 that allowed clearance of pre-existing stock was formally withdrawn by MeitY's Office Memorandum dated 16 January 2026. From 1 April 2026 onward, non-compliant cameras cannot legally be sold regardless of when they were imported or manufactured.

How do I verify that a camera model is genuinely ER-01 compliant?

Ask for three things: the model's BIS registration number under the Compulsory Registration Order, the ER-01 test report or STQC certificate issued for that exact model or series, and the compliance declaration on the packaging. The certificate lists the chipset make and origin plus the firmware version and hash — check that these match the product actually being quoted to you.

Does ER-01 apply to private businesses and homes, or only government projects?

It applies to all CCTV camera sales in India — homes, offices, factories, and public projects alike. Government procurement carries an additional layer: under the Public Procurement Order provisions applicable since June 2024, government tenders require STQC-certified cameras and give preference to suppliers with higher local content.

If certification records a fixed firmware hash, what happens when a security patch is released?

The ER-01 certificate records the firmware version and hash present at testing, and BIS series guidelines treat a different firmware build as requiring separate evaluation. Patches are delivered through the signed, rollback-protected update mechanism that ER-01 itself mandates. Buyers should ask vendors directly how certified models receive security patches and how quickly documentation is re-aligned after an update — a disciplined patch-and-recertify pipeline is a strong signal of vendor maturity.

Does buying an ER-01 certified camera make my surveillance DPDP compliant?

No. ER-01 secures the device; the DPDP Act governs the data. ER-01 certification means the camera resists hacking and tampering. DPDP compliance concerns what you do with footage of identifiable people — notices, purpose limitation, retention, and security of processing. You need both: a compliant capture layer and a lawful, preferably on-premise, intelligence layer.

Can I still add AI analytics to cameras I bought before the ER-01 deadline?

Yes. Because the mandate restricts sale of new devices rather than operation of installed ones, an existing ONVIF/RTSP camera estate remains a legitimate foundation. An edge intelligence layer such as IndoAI's Appization platform connects to those existing streams on-site, so you gain modern AI capability without prematurely replacing hardware — and any future replacements simply follow the ER-01 checklist.

Not sure which of your cameras — current or quoted — clear the new bar?

The IndoAI Adviser walks through your existing estate and planned purchases, flags where ER-01 evidence is needed, and shows how an edge intelligence layer fits above the hardware you keep. Free, and built for Indian regulatory reality.

Run the IndoAI Adviser
VG

Dr. Vivek Gujar

Co-founder and Chief Science Officer, IndoAI Technologies Pvt. Ltd. (founded 2021, Pune). Dr. Gujar writes on edge AI, video intelligence architecture, and India's evolving surveillance-compliance landscape, including the CRO/ER-01 regime and the DPDP Act.

Sources and further reading

  1. STQC, MeitY — IoT System Certification Scheme: Procedure for CCTV Testing, Evaluation and Certification (IoTSCS-P01) — the official test and certification procedure, including the technical construction file and lab evaluation process.
  2. Bureau of Indian Standards — ER Test Report Template for CCTV — the actual checklist labs test against: secure boot, ASLR/DEP, TLS, tamper detection, unique per-device keys.
  3. C-PRAV — BIS guidelines for implementation of ER:01 under the Compulsory Registration Scheme — including the 14 recognised STQC labs and the packaging declaration wording.
  4. Security Update — MeitY withdraws extension for non-ER-compliant CCTV cameras from 1 April 2026 — coverage of the Office Memorandum dated 16 January 2026.
  5. ERCS — Withdrawal of ER compliance extension for CCTV camera security — detail on the 21 May 2025 stock-clearance relaxation and its revocation.
  6. The News Minute — Explained: Why India is restricting Chinese CCTV cameras from April 1 — market-share shift, including Counterpoint Research's estimate of Indian players exceeding 80% of the market.
  7. Mordor Intelligence — India Video Surveillance Market — market size of USD 4.40 billion (2025), forecast USD 7.12 billion by 2030 at 10.10% CAGR.
  8. Matrix Comsec — Insights on why STQC ER compliance matters for network cameras — a hardware manufacturer's breakdown of the ER test areas and the PPO government-procurement layer.