HD Cameras and Webcam
Projectors and Speakers
VOIP Phones and Gateway
Access Control
LTE and 5G Devices
Smart Sensors And Automation
Fiber and SFP Modules
Firewall & Cloud Controllers
Network Adapters and Accessories
Network Switches
PoE Switches
Point To Point Wireless Radio
Routers
Wireless Access Points
IP Cameras
Memory Cards
NVR
Smart WiFi Cameras
Storage Devices
Desktop & Laptop RAMs
Internal and External Hard Drives
NAS Storage & Enclosures
SSD and NVMe Drives
USB Flash Drives
What is STQC Certification for CCTV Cameras in India? Full form, requirements, validity, and who needs it?
STQC certification stands for Standardisation Testing and Quality Certification, a government body under MeitY (Ministry of Electronics and Information Technology) that runs certifications for the government. STQC has been around since 1991 and operates through a network of testing laboratories and certification centres across India.
CCTV cameras are not the only thing STQC certifies. The directorate runs certification schemes across a wide range of electronics and IT products: biometric devices (fingerprint scanners, iris readers used in Aadhaar authentication), smart cards, government websites (under the GIGW quality certification), eProcurement systems, IT security products under Common Criteria, Quality Management Systems (QMS), Information Security Management Systems (ISMS), and the Trusted Electronics Value Chain scheme that covers the entire lifecycle of ICT products from sourcing to disposal.
CCTV cameras fall under a specific scheme called the IoT System Certification Scheme, or IoTSCS. This scheme covers all IoT devices like sensors, actuators, gateways, cloud interfaces, but CCTV cameras are where the enforcement has teeth right now because of the April 2026 mandate. When people in the surveillance industry say "STQC certified," they mean certified under IoTSCS.
STQC tests the IP camera models against a set of cybersecurity requirements that MeitY published in its Gazette notification dated 6 March 2024. The tests cover things like whether a camera ships with default passwords, whether its firmware is digitally signed, whether the manufacturer discloses where the chipset comes from, and whether the device can handle a cyberattack simulation.
If a model passes, STQC issues a certificate with a unique number (format: STQC/IoTSCS/ER/078). That certificate is locked to three things: a specific model number, a specific firmware version, and a specific firmware hash. Change any one of those, and the certificate no longer applies.
Why did the government mandate ER 01 and STQC certification for CCTV cameras?
The government initiated these mandates as a proactive shield for national security, designed to prevent the very vulnerabilities that hostile actors look to exploit. Although it was initiated much earlier, the critical need for such a framework was starkly illustrated in March 2026, when police in Ghaziabad and Hapur uncovered espionage networks where operatives had installed standalone solar-powered Chinese CCTV cameras at sensitive locations, including areas near railway stations and defence installations. These cameras used 4G SIM cards to transmit live feeds that were accessible from anywhere, including from servers based in China. The investigation linked the network to Pakistan's ISI and the banned terror group Babbar Khalsa International, resulting in 32 arrests across Ghaziabad and Delhi.
The fallout was immediate. Maharashtra's Chief Minister ordered a complete ban on procuring CCTV equipment from Chinese companies and directed a security audit of existing surveillance systems across the state. The central government tightened enforcement of the April 2026 deadline. BIS started warehouse raids.
Timeline
March 6, 2024. MeitY published the Essential Requirements for CCTV security in the Gazette of India.
April 9, 2024. MeitY issued the Compulsory Registration Order (CRO) adding CCTV cameras under the registration framework. Manufacturers got a compliance window.
April 9, 2025. New BIS licences without ER-01 cybersecurity compliance stopped being issued. Existing stock could still be sold, but new product approvals require meeting the cybersecurity bar.
April 1, 2026. The grace period ended. From this date, selling a non-compliant IP camera in India can attract fines up to 10x the product's value and up to 2 years in prison. BIS has already begun enforcement actions.
Why is STQC certification issued to camera models, not to brands?
STQC certification tests physical hardware behaviour. A 2MP indoor dome running a Taiwanese chipset is a fundamentally different device from an 8MP outdoor bullet with the same brand logo on it. Different processors, different firmware, different attack surfaces. The certification has to reflect that.
On top of that, certificates are tied to firmware versions. If a brand pushes a major firmware update, the existing certificate may need re-validation. So even within a single model, certification is a snapshot in time.
CP Plus, for example, sells hundreds of CCTV models in India. Only 45 of them are STQC certified as of April 2026. The rest aren't in the STQC system at all.
When someone tells you "Brand X is STQC certified," what they actually mean is "Brand X has at least one certified model." That's a very different claim. Always ask which model. Ask for the certificate number. We maintain the complete STQC certified CCTV camera list with all 196 certified camera models currently certified in India.
Â
What does the STQC certification tests?
Both STQC certification and BIS ER-01 test against the same six Essential Requirements from MeitY's Gazette notification. Here's what they cover:
- No default passwords. The camera can't ship with admin/admin or any shared credentials. Every device must force a unique password at first setup.
- Encrypted video streams. All data must travel over TLS/HTTPS. No unencrypted feeds sitting on a LAN for anyone to intercept.
- Secure boot with signed firmware. The camera verifies its own firmware is legitimate before running it. This blocks tampered firmware from loading onto the device.
- Disabled debug and test ports. No open serial ports, no JTAG interfaces, no telnet access left over from factory testing. These are exactly the entry points that get exploited in real attacks.
- Supply chain transparency. The manufacturer must disclose chipset and component origins. This is the requirement that knocked most Chinese-chipset cameras off the certified list.
- Vulnerability disclosure policy. The manufacturer must publish a process for handling reported security flaws. Not optional, not "we'll add it later."
We've written a detailed breakdown of each requirement (with real-world hacking examples that explain why each one exists) in our BIS ER-01 breakdown.Â
What STQC certification does not cover?
STQC applies to IP and network-connected cameras because the certification is fundamentally about cybersecurity. Analog and HD-CVI cameras don't connect to a network directly (they connect to a DVR over coax), so they fall outside the scheme's scope. NVRs and DVRs are covered under a separate evaluation track within IoTSCS, but at a different assessment level.
Who needs STQC Certification?
Government procurement: mandatory. Any CCTV deployment funded by the central or state government, defence, railways, smart city projects, PSUs, or critical infrastructure requires STQC certification under the Public Procurement Order.
Private buyers: not mandatory, but increasingly preferred. For private sales, BIS ER-01 is the legal floor. You can buy and install a BIS ER-01 certified camera in your home, office, or factory without any issues. But we've seen procurement teams at banks, hospitals, IT campuses, and hotel chains start specifying STQC in their purchase orders even though they're not legally required to. The reasoning is practical: STQC certificates are publicly searchable on a government portal, harder to fake, and signal a higher level of audit.
Where to check: We've built the only consolidated STQC Certified CCTV Camera list available on the web, and we update it every 30 days.Â
How long is the STQC certification valid?
Level 1, 2, and 3 certifications are valid for three years from the date of issue, with one surveillance audit required each year. Level 0 certification is valid for only one year and is a one-time occurrence. Manufacturers holding Level 0 are expected to pursue higher-level certification within that window.
Major firmware changes can require re-validation regardless of the certificate's remaining validity.
Source: STQC Technical Construction File document (IoTSCS/F03, Issue 04)
FAQ
Can a brand be STQC certified, or only individual camera models?
Only individual models. STQC issues certificates to specific model numbers tied to specific firmware versions. When someone says "Brand X is STQC certified," they mean "Brand X has at least one STQC-certified model." Always ask for the specific model number and certificate ID.
Do I need STQC certification for analog cameras?
No. STQC IoTSCS applies to IP and network-connected cameras. Analog and HD-CVI cameras are outside the scope of the current rules.
How long is an STQC certificate valid?
Most STQC IoTSCS certificates are issued for three years from the date of issue, subject to firmware version stability. Major firmware changes can require re-validation.