How India relaxed its telecom source code demand


India has dropped its demand that telecom equipment suppliers hand over proprietary source code, a relief for local telcos and multinationals such as Ericsson, Nokia and Cisco, but a setback for local gear-makers.

After the latest change, manufacturers need to provide just a summary of internal security test results and confirm that they followed the testing procedure. If there is a suspicion of product vulnerability during a security breach, they must also submit full test reports and cooperate with the telecom department’s source code testing unit.

Two officials aware of the matter confirmed the change. Mint has also seen an amendment on the source code requirement in the telecom security rules.

Code red

Source code is a key piece of software that controls the working of the physical equipment. A February notification that telcos must submit their source code had alarmed foreign companies supplying equipment such as switches, routers and modems.

“This is somewhat positive; still, the process of sharing internal security tests is burdensome and difficult,” an industry executive who works with foreign equipment makers said. Telecom operators would also benefit since they can procure equipment and roll out networks without delays linked to source code, the executive said on the condition of anonymity.

The change assumes significance at a time of India’s trade negotiations with the US and the European Union. In March, the US Trade Representative (USTR) had flagged concerns over costly third-party equipment testing and disclosure of proprietary information such as source code and internal tests. The source code submission was to begin on 1 January, 2026.

Critical infra

“Telecom networks are critical infrastructure. If compromised, they can affect defence, emergency services, banking, and government operations. Access to source code helps the government verify that there are no backdoors, malware, or embedded vulnerabilities intentionally or unintentionally left by vendors,” one of the two people cited above said.

Queries emailed to Nokia, Ericsson, the Cellular Operators Association of India (COAI) and DoT remained unanswered.

“The original equipment manufacturer shall submit the following documents, internal test report excluding intellectual property (IP) related information, but mandatorily including summary of number of security vulnerabilities/weaknesses classified by risk,” the National Centre for Communication Security (NCCS), a wing of the Department of Telecommunications, said in a notification on 18 June. A copy of the notification was seen by Mint.

Scheme delays

In 2020, the government had launched the Communication Security Certification Scheme (ComSec) to develop India-specific standards, testing processes, and a certification ecosystem. However, there have been delays in implementing certification norms over concerns raised by the equipment makers on lack of government testing capacity and a cumbersome registration process. As a result, the scheme is not yet universally applied across the telecom ecosystem.

According to the NCCS website, there are seven telecom security test labs accredited by the government.

The Source Code Security Assurance Clause within ITSAR was originally intended to verify that the software is free of vulnerabilities, but required companies to share source code, raising concerns among global vendors about protection of their intellectual property (IP). With the latest change, companies need to submit a self-declaration confirming that their products have been developed and tested as per the procedures specified in the ITSAR framework, ensuring compliance even without sharing sensitive source code.


