There is a big change happening in India’s telecom security. The Department of Telecommunications (DoT) runs the National Centre for Communication Security (NCCS). They have officially released the updated Indian Telecom Security Assurance Requirements (ITSAR) for IP Routers, which are now called ITSAR201012512, Version 2.0.0.
This release replaces the older 2018 and 2024 versions, setting a new, higher benchmark for every IP router used across telecom and enterprise networks in India.
Why Is This Update Important?
As networks develop more complicated and connect to the cloud, routers are becoming more and more popular targets for cyber attacks. The new ITSAR 2.0 isn’t just a small change; it’s a complete redesign meant to keep India’s digital infrastructure safe. It makes sure that every piece of gear, from the heart of a telecom network to a tiny business branch, is “secure by design.”
Key Highlights of ITSAR 2.0 (Version 2.0.0)
The updated requirements focus on six critical areas that manufacturers (OEMs) and importers must address:
- Strict Access Controls: The new rule says that both user and machine accounts must employ multi-factor authentication (MFA). It also stops “root” access from a distance to stop unauthorized changes at a high level.
- Strong Password Policies: “admin123” is no longer allowed. Routers must now require passwords that are at least 8 characters long and have a variety of kinds, as well as automatic lockout procedures for accounts that aren’t used.
- Firmware Integrity: OEMs must make sure that every software update is signed with a cryptographic key. This stops “backdoor” entry and makes sure that no harmful code is added during a normal update.
- No Vulnerable Protocols: We don’t support legacy and unsafe services like Telnet, FTP, and SNMPv1/v2 anymore. Now, the main thing is safe, secured communication, such SSH and HTTPS.
- Enhanced Logging: Routers now have to save audit logs in local storage for at least two days. These logs must be safe from tampering, which means that even an administrator can’t erase them.
- Advanced Traffic Defense: To keep network traffic flowing efficiently and safely, the standards include special defenses against DDoS attacks, BGP hijacking, and ARP poisoning.
Who Does This Affect?
The ITSAR 2.0 applies to a wide range of deployment modes, including:
- Edge & Core Routers
- Access & Aggregation Routers
- MPLS Routers
- Modern SDN & Cloud-Native Network Functions (CNF/VNF)
Compliance Deadlines
The new standard goes into effect on December 1, 2025, but the government has given people time to get used to it. The current exemption for Wi-Fi CPE and IP routers that are used in the cloud has been extended until March 31, 2026. But stakeholders are strongly encouraged to start the certification process as soon as possible to avoid problems at the last minute.
How Instacertify Can Help
It can be hard to figure out how to get NCCS and MTCTE certification. The criteria are strict, ranging from writing technical documents and vulnerability assessments to working with NCCS-approved labs.
We make it easier for you to comply at Instacertify. You can focus on your business while our professionals keep up with these changes in the law. Now is the time for manufacturers and importers of IP routers to check the security architecture of their products against the new ITSAR 2.0.
Need help getting your NCCS Security Certification? [Get in touch with our experts today] for a free consultation to make sure your products meet India’s most recent security regulations.
Frequently Asked Questions
ITSAR 2.0 is the updated security standard (Version 2.0.0) released by the NCCS. It sets stricter benchmarks for IP routers to ensure "secure by design" telecom infrastructure in India.
The National Centre for Communication Security (NCCS), operating under the Department of Telecommunications (DoT), officially released these updated Indian Telecom Security Assurance Requirements (ITSAR) for IP routers.
Routers must now enforce multi-factor authentication (MFA) and require complex passwords of at least eight characters. Using weak defaults like "admin123" is strictly prohibited to prevent unauthorized access.
The new standard explicitly bans vulnerable legacy protocols such as Telnet, FTP, and SNMPv1/v2. Manufacturers must replace them with secure alternatives like SSH and HTTPS for all communications.
Original Equipment Manufacturers (OEMs) are required to sign every software update with a cryptographic key. This ensures firmware integrity and prevents the insertion of malicious backdoors during updates.
The standards became effective on December 1, 2025. However, the government extended the exemption for Wi-Fi CPE and cloud-based IP routers until March 31, 2026.
These regulations apply to a wide range of devices, including Edge and Core routers, Access routers, MPLS routers, and modern Cloud-Native Network Functions (CNF) used in telecom networks.
Routers must maintain tamper-proof audit logs in local storage for a minimum of two days. These logs must be secured so that even administrators cannot delete or alter them.
Instacertify helps manufacturers navigate NCCS and MTCTE certification by managing technical documentation, facilitating vulnerability assessments, and coordinating with approved labs to ensure products meet these strict security rules.
