Why India built a security regime for telecom equipment
Telecom networks are critical infrastructure: the same boxes that carry office WiFi also carry payments, government services and emergency traffic. Over the last decade, governments worldwide concluded that the security of that infrastructure depends not only on how equipment performs, but on who designed it, who built it, and who can update it. India's answer is a layered regime — a supply-chain layer that governs vendors, and a testing layer that governs the equipment itself. Most vendor marketing blurs these layers together; buyers evaluating a network purchase need them separated, because each produces a different piece of paper and answers a different risk.
The Trusted Telecom framework: NSDTS in brief
The National Security Directive on the Telecommunication Sector (NSDTS) was approved by the Cabinet Committee on Security in December 2020 and became operational in mid-2021. Its core rule is simple: licensed telecom service providers may induct specified new network equipment only from vendors designated as Trusted Sources, and only their approved Trusted Products. The directive was implemented as an amendment to telecom licence conditions, and it is administered by the National Cyber Security Coordinator (NCSC) under the National Security Council Secretariat, through the online Trusted Telecom Portal. The rule applies to new inductions — it did not force operators to rip out existing equipment — but it decisively reshaped procurement: for a licensed network, an unapproved vendor is simply not purchasable.
Trusted Source vs Trusted Product
The framework designates at two levels. A Trusted Source is the vendor entity itself — assessed on ownership, control and supply-chain integrity. A Trusted Product is a specific product from that source, approved for induction into licensed networks. The distinction matters in procurement: a vendor claiming "we are trusted" should be able to show both its source designation and the approval covering the actual models being quoted. One does not automatically imply the other.
How designation works
Vendors seeking designation submit detailed disclosures through the Trusted Telecom Portal — corporate ownership and control, directors, manufacturing locations, and supply-chain information — on the basis of which the National Cyber Security Coordinator makes the trust determination. The process exists precisely because a network vendor's riskiness is not visible on a datasheet: it lives in who controls the firm, where code is written, and where hardware is built. For Indian OEMs with domestic ownership and manufacturing on Indian soil, the disclosures are straightforward; for complex multinational supply chains, they are not — which is much of the directive's point.
NCCS: India's security certifier for telecom equipment
The National Centre for Communication Security (NCCS), a Department of Telecommunications body headquartered in Bengaluru, owns the equipment-security layer. Its role is distinct from TEC's: where MTCTE tests general technical conformance, NCCS runs the security certification scheme for telecom equipment — defining the security standards (ITSARs), designating the security test labs, and certifying that specific equipment meets the security requirements before it is deployed in Indian networks. Security certification is being phased in category by category, with network elements such as routers and Wi-Fi equipment among the categories addressed, and it is progressively becoming a procurement checkbox alongside MTCTE.
ITSAR: the standards the testing happens against
ITSAR — Indian Telecom Security Assurance Requirements — are the published, equipment-specific security standards issued by NCCS. Each ITSAR defines what a category of equipment must demonstrate: secure boot and update mechanisms, credential and access-control behaviour, protection of management interfaces, logging, resistance to known attack classes, and so on. Equipment is tested against the applicable ITSAR at designated security test labs (see the category guides for WiFi access points and routers & switches), and the result is a security certification for that model. For buyers, ITSAR does for security what Essential Requirements do for technical conformance under MTCTE: it converts a vague promise ("our products are secure") into a testable, certifiable claim tied to a specific standard and model.
How the pieces fit: the full Indian compliance stack
Put together, Indian network equipment sits under five distinct regimes, each answering a different question:
- NSDTS / Trusted Source (NCSC) — who may you buy from? Vendor and supply-chain trust.
- NCCS security certification against ITSAR — is the equipment secure? Security testing of the product.
- MTCTE (TEC) — does the equipment conform? Technical testing against Essential Requirements; see our MTCTE explainer.
- WPC approval — may the radio transmit? Spectrum and RF authorisation for wireless products.
- BIS (CRS) — is it electrically safe? Safety registration.
A vendor's certification file should cover every layer that applies to the product being sold. The layers are not interchangeable, and no foreign mark — CE, FCC or otherwise — substitutes for any of them.
Who must comply — and who should
Must: licensed telecom service providers, for specified equipment inducted into their networks — the licence condition leaves no discretion. Increasingly do: PSUs, government departments and critical-infrastructure operators, whose tenders now reference Trusted Source status and security certification even where the licence condition does not strictly bind them. Should: private enterprises running networks that carry sensitive traffic — hospitals, financial offices, campuses — for whom the framework functions as a free, government-grade vendor-screening tool. If the Government of India will not let carriers buy from an unvetted vendor, an enterprise buyer may reasonably ask why it should.
How buyers verify a vendor's claims
- Ask whether the vendor is a designated Trusted Source, and for evidence of its status and of product approvals covering the quoted models — in the vendor's own name, not a distributor's.
- For security certification, ask which ITSAR the product category falls under and what the certification status is.
- Cross-check the rest of the stack the same way: MTCTE certificate numbers, WPC approvals, BIS registrations — verified on the respective portals, matched to exact models.
- Treat vagueness as data. A vendor operating honestly inside this regime can answer all of the above in one email.
Where Immunity Networks stands
Immunity Networks is a Trusted Source under the Trusted Telecom framework, with products on the Trusted Telecom Portal — and the rest of the stack is in place in Immunity's own name: products MTCTE certified (and CE, FCC & RoHS compliant), WPC approvals for the radios, and manufacturing at GIDC Sanand (Gujarat) with devices shipping under Immunity's own IEEE-registered MAC block. For operators, PSUs and enterprises that have adopted the framework as their screening bar, that means the full portfolio — NetWave WiFi, NetForce Switches, NetGuard Controller and NetCloud Central — clears the compliance conversation before the technical one begins. Talk to us early in your procurement cycle and we will map the paperwork to your tender checklist.
Frequently asked questions
Is Trusted Source approval mandatory for private enterprise networks?
No — the licence condition binds telecom service providers. But PSU and government tenders increasingly reference it, and private buyers are free to (and increasingly do) use it as a vendor-screening criterion.
Does NCCS certification replace MTCTE?
No. They are complementary: MTCTE covers technical conformance under TEC, NCCS covers security certification against ITSAR. Depending on the equipment category and phase-in status, a product may need both.
What does an ITSAR actually contain?
Equipment-specific security requirements — secure boot and updates, access control, management-interface protection, logging and more — that the model must demonstrably meet at a designated security test lab.
How do I check a vendor's status?
Ask for evidence of Trusted Source designation and product approvals in the vendor's own name, plus certificate numbers for MTCTE and WPC, and verify each on the relevant government portal before award.
