Contact Us

India: Security Framework for O-RAN 5G RIC Finalized

Home / Country Update / India: Security Framework for O-RAN 5G RIC Finalized

On January 8, 2026, India’s National Centre for Communication Security (NCCS) released the first version of the Indian Telecom Security Assurance Requirements (ITSAR303042601) for Open RAN (O-RAN) 5G Radio Intelligent Controller (RIC) components. This release marks an important step in establishing a robust security framework for next-generation radio access networks under India’s MTCTE (Mandatory Testing and Certification of Telecom Equipment) regime.

The document sets binding security requirements for network equipment vendors (OEMs) deploying components such as O-Cloud, SMO (Service Management and Orchestration), Non-Real Time RIC (rApps), and Near-Real Time RIC (xApps) in the Indian telecom ecosystem.

india pointed out with green pointer on blue world map

Scope and Applicability

The ITSAR applies to all O-RAN components explicitly supported by 3GPP and the O-RAN Alliance. The defined security controls cover the entire lifecycle of network functions, addressing everything from user authentication and system hardening to application integrity and data protection. Compliance is mandatory for OEMs introducing O-RAN-based 5G solutions into the Indian market.

Key Security Control Areas

The ITSAR outlines extensive Common Security Requirements applicable to all O-RAN components. Highlights include:

  • Access and Authorization Controls: Enforced mutual authentication, role-based access, remote login restrictions for privileged users, and strict authorization boundaries.

  • Authentication Management: Multi-factor authentication (using cryptographic keys, tokens, or passwords), password complexity policies, session timeouts, and brute-force attack prevention measures are required.

  • Software Integrity and Application Lifecycle Management:

    • OEMs must certify secure coding practices and declare freedom from OWASP Top 10 and CWE Top 25 vulnerabilities.

    • Application packages must be signed, validated, and tested for vulnerabilities before onboarding.

    • Secure update mechanisms and secure deletion protocols must be implemented as per ETSI NFV specifications.

  • System and Network Security: Only essential services and protocols are permitted; all vulnerable or legacy services (e.g., FTP, Telnet, SNMPv1/v2) are to be permanently disabled. Network traffic is to be filtered, segmented, and protected using strong cryptographic controls.

  • Logging and Audit Controls: All O-RAN components must implement detailed log management systems, including authenticated time-stamping, micro perimeter protection, and support for log data rotation and tamper prevention.

Interface-Specific Protection

Security requirements extend across key O-RAN interfaces including:

  • A1 (policy communication between Non-RT and Near-RT RIC),

  • O1 (SMO to network components),

  • O2 (SMO to O-Cloud),

  • E2 (Near-RT RIC to CU/DU),

  • and open fronthaul interfaces (M-plane and CUS-plane between O-DU and O-RU).

Each interface must be protected against spoofing, unauthorized access, and data exfiltration using country-approved cryptographic mechanisms.

Compliance and Certification

OEMs are required to submit detailed documentation, test reports, and undertakings as part of the security assurance process. This includes:

  • Proof of secure software development practices

  • Malware and backdoor checks

  • Removal of unused and unsupported software components

  • Detailed service and protocol matrices

  • Logging configurations and policy enforcement records

Certification under MTCTE is a prerequisite for market entry, and non-compliance may lead to enforcement action or denial of certification.

For this article’s source information and any product certification guidance, please contact Global Validity. 

Quick Country Facts

India

Certification Body: Ministry of IT and Communications, Wireless Planning & Coordination Wing

Certification Type: Mandatory

License Validity: Indefinite

Application Language: English

Legal License Holder: Local Representative

In-Country Testing Requirement: Testing Not Required

The regulatory information above is based on radio type approval certification. Access additional certification requirements in over 200 countries and territories with Global Validity’s free proprietary product certification management software, Access Manager. Learn more about the platform here or fill our quick contact form! 

Global Validity is your partner for global certification success

Want to learn more about regulatory compliance and how we can help? Simply fill out the form below and we’ll be in touch! 

Have a question on what regulations and requirements are needed for your product’s compliance?

Contact us
Obtain the global regulatory certifications your products need with Global Validity. Expert-led, technology-driven, and built to simplify your path to market.
Linkedin-in Envelope
Company
Newsletter
Copyright © 2026 Global Validity, All rights reserved.
  • 8601 Six Forks Rd. Suite 400 Raleigh, NC 27615
  • support@globalvalidity.com
  • (877) 464-6753