India’s approach to telecom equipment security is built around a specific, scheme-administered framework. It is not a self-certification market where vendors declare conformance to a standard and move on. It requires equipment to be assessed by designated organisations, against defined security requirements, before it can enter the market.
Understanding how that framework is structured, who administers it, and what it requires is the starting point for any OEM approaching the Indian telecom market for the first time, and for any lab considering participation in the scheme as a designated testing organisation.
This guide explains how NCCS and ITSAR work as a framework, how they relate to MTCTE and the broader India telecom regulatory environment, and what the practical implications are for OEMs and labs
In This Guide
What Is NCCS?
NCCS stands for the National Centre for Communication Security. It is the body responsible for developing and administering the security assurance framework for telecommunications equipment in India. NCCS operates under the Ministry of Electronics and Information Technology and works in coordination with the Department of Telecommunications on matters relating to telecom equipment security.
NCCS’s role in the India telecom security landscape is to define the security requirements that equipment must meet, designate the testing organisations authorised to assess equipment against those requirements, and oversee the integrity of the testing and assurance process.
The designation function is central to how the framework operates. NCCS does not conduct security testing itself. It designates a small number of Telecom Security Test Labs and authorises them to conduct ITSAR security testing on its behalf. Only assessments conducted by an NCCS-designated TSTL produce the security test reports that are recognised for compliance purposes in the Indian market.
What Is ITSAR?
ITSAR stands for Indian Telecommunication Security Assurance Requirements. It is the technical framework, developed by NCCS, that defines the security requirements telecom equipment must meet before it can be deployed in Indian networks.
ITSAR requirements are defined at the equipment category level. The specific requirements applicable to a given product depend on the category of equipment it falls into: router, Wi-Fi access point, CPE, network switching equipment, and others. Each category has a defined set of security requirements covering the protocol surfaces, authentication mechanisms, and security functions relevant to that equipment type.
The requirements are not purely documentary. They are not satisfied by a vendor declaring that their product meets defined security principles or by providing a self-assessment. They require testing by a designated TSTL against the specific ITSAR requirements for the equipment category, with a test report produced by the TSTL as the compliance evidence.
How the NCCS and ITSAR Framework Works
The framework operates as a scheme with defined roles and a clear process flow. NCCS defines the requirements and administers the scheme. TSTLs conduct the assessments. OEMs submit equipment for assessment and receive test reports as compliance evidence.
An OEM seeking ITSAR compliance for a product selects an NCCS-designated TSTL that is authorised for the relevant equipment category, submits the product with the required technical documentation, and undergoes the TSTL assessment. The TSTL conducts the security testing programme defined by the ITSAR requirements for that category, documents the findings, and produces a test report.
The test report is the primary compliance artefact. It documents the equipment tested, the testing scope, the methodology applied, the findings identified, and the remediation status of those findings. For OEMs, the test report is the evidence that demonstrates ITSAR compliance to network operators, procurement teams, and regulatory bodies that require it.
The scheme is designed to maintain consistency across the small number of designated TSTLs. NCCS specifies the testing requirements that TSTLs must apply, which means an ITSAR test report from one TSTL should reflect the same assessment scope as one from another, for the same equipment category. This consistency is important for OEMs because it means the compliance evidence produced by one TSTL is comparable to that produced by another.
How ITSAR Relates to MTCTE
ITSAR and MTCTE are the two primary compliance frameworks for telecom equipment in India and they are related but distinct. Understanding the relationship avoids the common mistake of assuming that compliance with one framework satisfies the other.
MTCTE, the Mandatory Testing and Certification of Telecommunications Equipment scheme, is administered by the Telecommunications Engineering Centre under the Department of Telecommunications. It covers the broad range of market access requirements for telecom equipment including conformance, electromagnetic compatibility, and safety requirements in addition to security. MTCTE certification is the market access requirement: equipment without it cannot be imported or sold in India.
ITSAR is a security-specific framework administered separately by NCCS. It defines the security assurance requirements for telecom equipment and operates through TSTLs rather than through the CABs that conduct MTCTE assessments.
For many equipment categories, both apply. An OEM selling Wi-Fi access points or routers into India needs MTCTE certification for market access and may also face ITSAR requirements for security assurance, depending on the customer and deployment context. Network operators and enterprises procuring equipment for deployment in critical network infrastructure increasingly require ITSAR compliance as a condition of procurement, separate from the MTCTE market access certification.
The practical implication is that OEMs should not assume that achieving MTCTE certification satisfies their India telecom security obligations. For security-sensitive equipment categories and security-conscious customers, ITSAR compliance is an additional requirement that MTCTE does not cover.
Which Equipment ITSAR Applies To
ITSAR applies to telecom equipment categories defined by NCCS. The scheme has been progressively developed since its introduction and the equipment categories in scope reflect the priority areas for India’s telecom security assurance programme.
The equipment categories most relevant to current ITSAR assessments include routers and network switching equipment, Wi-Fi access points and CPE, and the network infrastructure equipment deployed by Indian telecom operators. These categories reflect the equipment that sits at the boundary of Indian telecom networks and that poses the highest security risk if its protocol implementations contain vulnerabilities.
The Group-VI IoT expansion is bringing additional device categories into scope. Smart electricity meters, vehicle tracking devices, and feedback devices are being brought within the India telecom compliance framework as connected IoT devices become a more significant part of the network equipment landscape.
For OEMs, the relevant question is whether their specific product category is within current ITSAR scope or is likely to come within scope as the framework develops. The safe assumption for any product that communicates over Indian telecom networks is that ITSAR requirements will apply, either now or in the near future.
What ITSAR Means for OEMs
For OEMs, ITSAR means engaging with a structured, scheme-administered security assessment process that has specific evidence requirements and specific testing organisations involved.
The assessment is not optional for equipment in scope. Operators and enterprises in India increasingly specify ITSAR compliance as a procurement requirement, and for some deployment contexts it is a regulatory requirement. OEMs that do not have ITSAR compliance evidence for their products are excluded from those procurement processes.
The assessment is conducted by designated TSTLs using defined testing requirements. This means OEMs can, and should, understand what the TSTL assessment will examine before submitting. The ITSAR requirements for each equipment category define the protocol surfaces, security functions, and testing scope that the assessment covers. Pre-testing against those requirements before submission reduces the risk of unexpected findings during the official assessment.
The test report produced by the TSTL is the compliance evidence. It is what procurement teams, network operators, and regulators ask to see. Maintaining a current test report for each product version submitted for deployment in India is the ongoing compliance obligation, not a one-time activity.
How ProtoCrawler Supports ITSAR Compliance
ProtoCrawler supports ITSAR compliance through pre-certification protocol security testing for OEMs and through protocol testing capability for TSTLs conducting ITSAR assessments.
For OEMs, ProtoCrawler tests the protocol surfaces that ITSAR assessments examine for Wi-Fi and router equipment. The supported protocols relevant to ITSAR testing for these equipment categories include DHCP, ARP, BGP, and CWMP TR-069. Pre-certification testing using ProtoCrawler identifies the findings that an ITSAR assessment would find, allowing OEMs to resolve them before submission. Findings resolved before TSTL submission do not appear in the official test report.
For TSTLs building or expanding their ITSAR protocol testing capability, ProtoCrawler provides the protocol-aware testing infrastructure that ITSAR assessments require. The protocol models cover the testing surfaces in scope for current ITSAR requirements, and the reporting output is structured to support the evidence format that ITSAR test reports need to contain.
For the full list of supported protocols, see the protocol models page.
- DHCP → https://cytal.co.uk/protocols/dhcp-protocol/
- ARP → https://cytal.co.uk/protocols/arp/
- BGP → https://cytal.co.uk/protocols/bgp-protocol/
- CWMP TR-069 → https://cytal.co.uk/protocols/cwmp-tr-069-cpe-protocol/
- protocol models page → https://cytal.co.uk/protocols/
Common Questions
Is ITSAR compliance legally mandatory for all telecom equipment in India?
ITSAR compliance is a regulatory and procurement requirement for equipment categories defined by NCCS. For equipment in those categories sold to or deployed by Indian network operators and enterprises, ITSAR compliance is effectively mandatory as a condition of procurement. The legal framework supporting ITSAR requirements sits within India’s telecommunications regulatory structure administered by the Department of Telecommunications and NCCS.
How many TSTLs are currently designated by NCCS?
NCCS currently designates nine Telecom Security Test Labs authorised to conduct ITSAR security testing. The TSTL list includes organisations operating across both Indian domestic and international testing capability. OEMs should verify the current designation status of any TSTL before engagement, as designations are subject to change.
Does ITSAR compliance expire?
ITSAR compliance is based on the test report produced by the TSTL for a specific product version. Material changes to the product, particularly to the software, firmware, or protocol implementations that were tested, typically require reassessment. OEMs should treat ITSAR compliance as version-specific and plan reassessment as part of their product update processes.
What is the difference between ITSAR and the NCSC guidelines that UK operators follow?
ITSAR is the Indian framework administered by India’s National Centre for Communication Security. The NCSC referenced in UK contexts is the National Cyber Security Centre, a separate organisation that is part of GCHQ and publishes guidance for UK critical infrastructure. The two organisations are unrelated beyond both having cybersecurity mandates within their respective national contexts.
Ready to pre-test your protocol implementations before TSTL submission, or explore how ProtoCrawler supports ITSAR assessment workflows? Book a demo to see how ProtoCrawler covers the protocol surfaces that NCCS and ITSAR security testing requires.