An Interface with Suresh Chandra –
Member GAC (IT Act), Ex. Sr. Dir/ DDG at STQC (MeitY),
Ex. Head of CB of Com. Criteria, CCTV, Biometric, GIGW, EPS, TMS,
ab Empanelment-SETL. and also a member of ISO/ IEC committee SC27,
BIS LITD17, LITD 31, Chairman LITD 25.
As India strengthens its focus on trusted surveillance infrastructure, cybersecurity compliance has become a critical requirement for CCTV manufacturers, system integrators, and procurement agencies. The Essential Requirements (ER) framework and STQC testing play a central role in ensuring that video surveillance products deployed across the country meet stringent security standards.
Following the February 2026 clarification regarding the validity of a single ER test report for both CRO and PPP-MII, the industry has seen greater clarity in the certification process. In this interaction, Suresh Chandra, former Sr. Director/ DDG at the STQC Directorate, MeitY, addresses key questions related to ER compliance, certification timelines, testing capacity, and future plans for expanding the framework to other product categories.
Suresh Chandra is a distinguished expert in the field of IT standardization, conformity assessment, cybersecurity, and electronic surveillance technologies, with decades of experience in government certification, testing, and regulatory frameworks. He currently serves as Member, GAC under the Information Technology Act, contributing to policy and compliance matters related to IT security and certification in India.
He formerly served as Senior Director/ Deputy Director General at STQC Directorate, Ministry of Electronics & Information Technology (MeitY), Government of India, where he played a key role in developing testing, certification, and quality assurance frameworks for critical technologies.
He has also been actively involved in national and international standardization activities and has represented India in several technical committees including – Member, ISO/ IEC JTC 1 SC 27 (IT Security Techniques), Member, BIS LITD-17 (Information Security), Member, BIS LITD-31, and Chairman, BIS LITD-25 Committee.
With deep expertise in certification, cybersecurity standards, surveillance systems, and regulatory compliance, Suresh Chandra continues to contribute to strengthening India’s trusted digital and security ecosystem.
Here are the excerpts:
The February 2026 circular clarifies that a single STQC ER test report will be valid for both CRO and PPP-MII. What prompted this clarification?
The technical requirements for PPO and CRO are essentially the same, and the testing and evaluation carried out by STQC are also identical. The only difference is in procurement entities and this is being addressed with the available rules and procurement procedures being followed by different government entities. The February 2026 clarification was issued to remove ambiguity and streamline compliance by aligning certification with the existing procurement rules and procedures.
How does this move simplify the compliance process for manufacturers and system integrators?
Earlier, manufacturers were required to obtain separate approval under PPO in addition to ER compliance, even though the testing requirements were the same. With the new clarification, a single ER test report leading to CRO registration will be sufficient. This eliminates duplication, reduces cost and effort, and speeds up the overall compliance and procurement process.
What is the exact role of STQC under the new unified ER compliance structure?
There is no change in the role of STQC as far as testing and evaluation are concerned. The Directorate will continue to carry out testing, evaluation, and certification as per the prescribed Essential Requirements. The recent clarification relates to procurement interpretation and compliance alignment, not to the technical testing process itself.
Can you briefly explain the scope of the Essential Requirements (ER) security testing for CCTV systems?
The ER framework broadly covers hardware security, software security, firmware integrity, communication interfaces, and supply chain security. The objective is to ensure that CCTV products deployed in the country are secure, reliable, and free from vulnerabilities that could compromise data integrity or national security.
What are the key cybersecurity areas covered under the ER framework?
The key security areas include Root of Trust implementation, secure firmware update mechanisms, interface security, authentication and access control, cryptographic security, supply chain traceability, and protection against known vulnerabilities. These checks ensure that the product is secure throughout its lifecycle.
How does STQC ensure that testing keeps pace with evolving cyber threats?
STQC follows national and international standards and continuously updates its testing methodologies in line with emerging cybersecurity risks. Evaluation procedures are revised whenever required to address new threat vectors and technological changes.
What is the typical timeline for ER testing and certification?
The timeline depends largely on the completeness and correctness of the inputs provided by the manufacturer. In many cases, delays occur due to incomplete documentation, missing technical details, or non-compliant components, leading to multiple iterations. STQC makes every effort to complete the evaluation within the prescribed timelines and often undertakes additional effort without extra cost to the applicant.
Are there sufficient STQC-approved labs to handle industry demand?
Yes, the available STQC laboratories are adequate for the current demand. In the case of CCTV products, the number of SoC platforms is limited, and their compliance status is now well understood by the labs. This reduces repetition in testing and helps in faster evaluation, thereby improving overall efficiency.
How is STQC addressing concerns about testing capacity and project delays?
As mentioned earlier, most delays are caused by incomplete submissions from manufacturers. At the STQC level, efforts are being made to avoid duplication of work. For example, if a particular SoC has already been evaluated and found compliant, subsequent evaluations using the same platform can be completed faster, reducing certification time.
How prepared is the Indian CCTV industry for full ER compliance?
Based on our interaction with industry stakeholders, manufacturers are largely supportive of the Government’s initiative. They recognize the importance of cybersecurity and national security considerations and are cooperating in achieving full compliance.
What are the most common gaps observed during testing?
Some common issues include the use of obsolete or vulnerable third-party libraries, incomplete supply chain documentation, weak firmware update mechanisms, and inadequate interface security. Addressing these areas in advance can significantly reduce testing time.
What advice would you give to manufacturers preparing for ER certification?
STQC has published a detailed CCTV testing procedure on its portal. This document is very exhaustive and clearly explains what is to be tested, the requirements, scope of testing, and documentation needed. Manufacturers are advised to carefully study the procedure and ensure readiness before submitting their products for evaluation.
There has been confusion about multiple STQC certifications. How does the February 2026 circular resolve this?
As already mentioned, earlier, there was a perception that separate approvals were required for PPO and CRO, although the testing/ audit report was single and common. PPO was mainly applicable to government procurement. With the latest clarification, CRO based on ER testing will be valid for both government and non-government procurement, thereby removing duplication and confusion.
Can you clarify the difference between STQC security certification and PPP-MII value-addition requirements?
STQC certification relates to security testing and compliance with Essential Requirements. PPP-MII relates to value addition and local content requirements under Make in India. These are independent requirements, and products must meet each separately depending on procurement conditions.
What documentation should manufacturers now maintain to remain compliant?
Manufacturers should maintain proper records related to change management, vulnerability management, firmware updates, supply chain traceability, and third-party libraries. Regular updates and proper documentation are essential for continued compliance.
Do you expect similar ER-based certification to expand to other electronic or security products?
Yes, it is expected that ER-based security evaluation will gradually extend to other electronic and ICT products, considering the growing importance of cybersecurity in critical infrastructure and public systems.
How will STQC evolve its testing frameworks in the coming years?
STQC continuously upgrades its testing methodologies, infrastructure, and technical capabilities. Capacity building for emerging technologies such as AI, IoT, and indigenous hardware platforms is an ongoing process.
What message would you like to give to the industry regarding cybersecurity compliance?
Cybersecurity compliance is essential for the entire ecosystem including end-point devices, transmission networks, storage, and applications. Surveillance data is highly sensitive and must be protected from possible exploitation. As India moves towards indigenous chips, there is a need to have our own designs, crypto algorithms, crypto modules and other trusted technologies that will play a key role in reducing risks related to hidden vulnerabilities or backdoors, which are at present a real challenge.
What facilities is STQC creating to cater to a large number of manufacturers and reduce certification time?
STQC is strengthening laboratory infrastructure, upgrading testing tools, and enhancing technical manpower to handle the increasing number of applications. Efforts are also being made to standardize procedures and avoid repetitive testing wherever possible, which helps in reducing certification timelines.
Are there plans for awareness programs or workshops for manufacturers?
Yes, STQC regularly conducts awareness programs, workshops, and industry interactions, and portrayal through media platforms like yours, i.e., SecurityLinkIndia, to help manufacturers understand ER requirements, testing procedures, and documentation needs. These initiatives improve preparedness and help reduce delays in certification.
Conclusion
As India moves towards a more secure and self-reliant surveillance ecosystem, the role of structured cybersecurity evaluation has become increasingly critical. The clarification issued in February 2026 marks an important step towards simplifying compliance while maintaining the integrity of the Essential Requirements framework. By removing duplication in certification and aligning testing outcomes with procurement procedures, the new approach is expected to benefit manufacturers, system integrators, and end-users alike.
STQC’s continued focus on strengthening testing infrastructure, updating evaluation methodologies, and engaging with industry stakeholders reflects the Government’s commitment to building a trusted electronics and surveillance ecosystem. With growing emphasis on supply-chain security, indigenous technologies, and protection against evolving cyber threats, ER-based certification is likely to play an even larger role across multiple electronic and ICT product categories in the coming years.
The message to the industry is clear – cybersecurity compliance is no longer optional, but a fundamental requirement for ensuring national security, data protection, and long-term technological sovereignty. Manufacturers who prepare early, follow prescribed procedures, and adopt secure design practices will be best positioned to meet the evolving regulatory landscape.
Views expressed in the interview are personal statements and not STQC clarification.