Downloads:
Consultation paper on the regulatory framework for Vehicle-to-Everything (V2X)
communication
The telecom regulator TRAI has floated a consultation paper to explore spectrum allocation, pricing and authorisation frameworks for vehicle-to-everything (V2X) communication technology. V2X enables vehicles to wirelessly exchange real-time data with other vehicles (V2V), road infrastructure (V2I), pedestrians (V2P), and mobile networks (V2N). This includes critical information such as location, speed, braking, and blind-spot alerts.
Why this matters: In 2023 alone, India lost 1.73 lakh lives to road accidents. 92% of road accidents worldwide are attributed to human error. V2X technology can tackle this challenge head-on. However, India has not set up a single roadside unit (RSU) as part of the proposed intelligent transport system as of April 2026. RSUs function as a communication infrastructure deployed along roadways to enable vehicle-to-infrastructure interactions.
- The core security challenge: V2X messages are intrinsically broadcast-based. Vehicles continuously share information with other vehicles, network providers, and roadside units. These messages carry safety-critical data, including collision warnings and emergency braking signals, in real time. This means that any security failure goes beyond a mere data breach. It could potentially lead to fatalities. Unlike conventional digital authentication, V2X authentication must happen within milliseconds, without human intervention.
- The surveillance problem: Since V2X systems continuously share vehicle data, including location, with other vehicles and cellular data network providers, this could enable round-the-clock surveillance, profiling of user behaviour and the misuse of personal data. Such risks raise significant concerns, particularly regarding data protection and individual privacy rights.
What the DoT has proposed for India: The Department of Telecom (DoT) has proposed adopting Cellular V2X (C-V2X) as the standard Intelligent Transport System (ITS) for India, resolving a long-running global debate between C-V2X and the traditional Dedicated Short Range Communications (DSRC) system.
- Further, it recommends the 5.875–5.925 GHz band for C-V2X technology. While 30 MHz of spectrum within the 5.875–5.925 GHz band has been earmarked for initial deployment, an additional 20 MHz (within the 5.905–5.925 GHz range) will be reserved for future ITS applications.
- Notably, the TRAI consultation paper proposes a dual licensing framework for V2X technologies. Within the 5.875-5.925 GHz, on-board units (OBUs) will be exempt from a licence under certain conditions. This would enable easy installation of OBUs in all types of vehicles, encouraging widespread adoption and accessibility for individual users. An OBU (on-board unit) is an electronic device installed in a vehicle that records traffic and driving data and connects to roadside and satellite navigation systems.
- On the other hand, a licensing framework would apply to RSUs, with appropriate spectrum charges to ensure proper deployment, maintenance, and operation in lower-power, short-range spectrum. The state government, any other authority empowered on its behalf, the National Highways Authority of India (NHAI), or any other road-owning agency will handle oversight and authorisation for RSU installation.
- The V2I (vehicle-to-infrastructure) communication service authorisation is expected to be granted primarily to public entities, including state governments, city bodies, and the National Highways Authority of India (NHAI), rather than to commercial telecom operators.
- Private entities may be considered for non-safety V2X applications. TRAI is mulling whether RSUs and OBUs should be brought under the Mandatory Testing and Certification of Telecommunication Equipment (MTCTE) regime.
How is the proposed licensing regime different from those in other countries?
- For OBU: Globally, there is no individual licensing for OBUs. The OBUs are license-exempt (or Class Licensed globally by rule, with no individual license required).
- For RSUs: In Europe, RSUs are license-exempt, and in a few other countries (e.g., Australia, Indonesia), they are class-licensed with no individual license required due to spectrum safety considerations. In other countries, RSUs are licensed by competent authorities, such as road operators and traffic agencies, as the main entities.
Country-by-country security framework
- United States — Security Credential Management System (SCMS): The US uses a distributed Public Key Infrastructure, explicitly designed to prevent any single entity from linking a vehicle’s identity to its communications. Trust is spread across multiple independent Certificate Authorities. The system relies on short-lived pseudonym certificates that rotate frequently. It includes misbehavior detection and certificate revocation to exclude compromised devices from the network.
- European Union — Cooperative Credential Management System (CCMS): The EU uses a harmonised ETSI-based trust framework defined by ETSI TS 102 941 and ETSI TS 103 097. It enables interoperability across all EU member states through a common trust model with standardised certificate lifecycle management. Vehicles use pseudonym-based authorisation tickets that rotate periodically. The framework includes mechanisms for detecting misbehaviour and revoking access.
- Australia has adopted the ETSI EN 302 571 standard for its ITS Class Licence conditions, operating in the 5855–5925 MHz band with a maximum EIRP of 23 dBm/MHz.
- China — National Sovereign Security Architecture: China has built a highly centralised, state-controlled framework through the national standard YD/T 3957-2021, driven by the CCSA and CAICT. It implements a Chinese Security Credential Management System (C-SCMS) with government-controlled root certificate authorities and a nationally managed trust framework. Unlike the US and EU, China uses domestic cryptographic algorithms — SM2, SM3, and SM4 — rather than the global elliptic curve cryptography (ECC) standards, while retaining core features such as pseudonym certificates and message authentication. China’s Ministry of Industry and Information Technology (MIIT) allocated 20 MHz in the 5905–5925 MHz band for LTE-V2X.
Risks of deploying V2X
Cybersecurity Risks
- Spoofing: A malicious actor can transmit fabricated V2X messages such as false collision warnings, fake emergency vehicle alerts, or non-existent hazards, impersonating legitimate vehicles or roadside units. This can force sudden braking, cause lane changes into oncoming traffic, or create artificial traffic congestion.
- Replay Attacks: Previously captured legitimate V2X messages can be retransmitted by an attacker at a later time or location, causing vehicles to react to stale or inapplicable safety information.
- Sybil Attacks: A single attacker can create multiple fake identities within the V2X network, impersonating multiple legitimate vehicles. This could create phantom traffic jams or manipulate the collective decision-making of connected vehicles.
- Message Tampering: V2X messages in transit can be altered. For example, changing speed or direction data, modifying hazard severity levels, or deleting critical alerts altogether.
- Denial of Service (DoS)/Availability Attacks: V2X channels can be jammed or flooded with spurious messages, degrading or eliminating the availability of safety-critical communications.
- Infrastructure Compromise: RSUs are deployed outdoors, often in remote highway locations, where physical and network access may be vulnerable. A compromised RSU can inject malicious messages into the V2X network, affecting all vehicles within its range, functioning as a trusted insider threat within the PKI hierarchy.
Privacy and Surveillance Risks
V2X systems continuously broadcast a vehicle’s location, speed, direction, and timing to surrounding entities. The paper identifies this as enabling, without adequate safeguards:
- Persistent surveillance of individual vehicles over time
- Profiling of user behaviour: patterns of movement, regular routes, frequent stops, time of travel
- Misuse of personal data: linking movement data to vehicle owners or individuals
Currently, India has not proposed a V2X-specific privacy protection framework. The pseudonym certificate rotation mechanism, the primary technical privacy protection used globally, depends on the PKI architecture that India has not yet finalised.
The India-Specific Structural Risk: PKI Incompatibility
India’s existing digital trust infrastructure is incompatible with global V2X security standards. It only recognises the ITU-T X.509 certificate format. Both global V2X security stacks — IEEE 1609.2 and ETSI ITS — use different certificate formats. The two are structurally incompatible, and no global standard exists to bridge them.
Any bridging solution would require custom system-level development, making it globally non-compatible, meaning Indian-equipped vehicles would not automatically be able to communicate securely with V2X infrastructure in the US, EU, or elsewhere, and foreign vehicles may not interoperate with Indian RSUs.
Interoperability and Standards Lock-in Risk
The higher-layer ITS stack above the access layer is not harmonised globally. ETSI (Europe) and IEEE WAVE/SAE (US) are not interoperable. India must choose one. The Task Force recommends ETSI, but locking into a single stack means vehicles designed for a different market may not be fully interoperable in India, and vice versa, affecting both imports and exports of connected vehicles.
Also Read:
- MoRTH’s New Data Sharing Policy: Who Gets Access To Personal Information?
- Explained: The Motor Vehicles Aggregator Guidelines, 2025
- Transport Ministry Confirms API Access to Vehicle Data, Concerns About Data Sharing with Private Companies
For You
- Read Reasoned by Nikhil Pahwa: How AI is changing our world
- Sign up for MediaNama's Daily Newsletter to receive regular updates
- Sponsor a MediaNama Event























