On January 8, 2026, the National Centre for Communication Security (NCCS) in India published the Indian Telecom Security Assurance Requirements (ITSAR) for 5G Open RAN network components. Issued under the MTCTE framework, this ITSAR (ITSAR303042601) outlines comprehensive national security standards applicable to Open RAN (O-RAN) elements, including O-RU, O-DU, and O-CU components, along with O-Cloud infrastructure.
Mandatory Compliance for OEMs
The ITSAR applies specifically to Original Equipment Manufacturers (OEMs) supplying equipment for 5G networks. All listed requirements are binding, and compliance is mandatory for OEMs seeking market access in India.
The document references global standards from 3GPP, the O-RAN Alliance, and TSDSI, while integrating India-specific security needs for deployment in public telecom networks.
Comprehensive Security Requirements
The ITSAR introduces both common and component-specific security controls across a broad range of technical domains:
Access and Authorization: Devices must implement multi-factor authentication, strong password enforcement, role-based access control, and restrictions on remote login for privileged users.
Software and OS Security: Provisions include source code review, malware screening, elimination of unused software and services, and secure boot and update mechanisms.
Data and Traffic Protection: Cryptographic security controls must align with India’s designated cryptographic standards for confidentiality, integrity, and anti-replay protections across network interfaces.
Log Management and Audit: Extensive requirements for security logging, log retention, tamper-proof storage, and controlled access to log data are outlined.
Lifecycle and Decommissioning: Applications must be signed, version-tracked, and securely deleted or revoked upon decommissioning. Application updates must resist downgrade attacks and meet ETSI NFV security specifications.
Dedicated Requirements for Each O-RAN Component
The ITSAR includes targeted security mandates for:
O-RU (Radio Unit): Protects control/user plane traffic between radio unit and user equipment (UE).
O-DU (Distributed Unit): Defines protections for F1 and eCPRI interfaces connecting to O-RU and O-CU.
O-CU (Central Unit): Includes safeguards for RRC signaling, key refresh, algorithm selection, and interface confidentiality.
O-Cloud: Focuses on virtualized infrastructure protection, secure storage, cryptographic key handling, and secure notification APIs.
Certification and Testing Obligations
OEMs must submit several declarations and technical artifacts, including:
Proof of compliance with secure coding standards and absence of known software vulnerabilities (e.g., CWE Top 25, OWASP Top 10).
Assurance of removal of default credentials.
Detailed documentation of required software and protocols for conformance testing.
Security testing will be conducted by designated Telecom Security Testing Labs (TSTLs), and source code may be reviewed at authorized locations.
For this article’s source information and any product certification guidance, please contact Global Validity.
Quick Country Facts
India
Certification Body: Ministry of IT and Communications, Wireless Planning & Coordination Wing
Certification Type: Mandatory
License Validity: Indefinite
Application Language: English
Legal License Holder: Local Representative
In-Country Testing Requirement: Testing Not Required
The regulatory information above is based on radio type approval certification. Access additional certification requirements in over 200 countries and territories with Global Validity’s free proprietary product certification management software, Access Manager. Learn more about the platform here or fill our quick contact form!
Global Validity is your partner for global certification success
Want to learn more about regulatory compliance and how we can help? Simply fill out the form below and we’ll be in touch!