HD Cameras and Webcam
Projectors and Speakers
VOIP Phones and Gateway
Access Control
LTE and 5G Devices
Smart Sensors And Automation
Fiber and SFP Modules
Firewall & Cloud Controllers
Network Adapters and Accessories
Network Switches
PoE Switches
Point To Point Wireless Radio
Routers
Wireless Access Points
IP Cameras
Memory Cards
NVR
Smart WiFi Cameras
Storage Devices
Desktop & Laptop RAMs
Internal and External Hard Drives
NAS Storage & Enclosures
SSD and NVMe Drives
USB Flash Drives
STQC vs BIS ER-01: what’s the difference and which one do you need?
STQC vs BIS ER-01 comes down to one simple distinction: BIS ER-01 is your licence to sell a CCTV camera in India. STQC is your passport to sell it to the government. Both schemes test the same Essential Requirements (the six cybersecurity rules MeitY published in April 2024). The difference is who runs the test, what level of detail they go into, and where the certificate is recognised.
STQC vs BIS ER - What is the difference between the two certifications?
Parameter BIS ER-01 STQC IoTSCS Run by Bureau of Indian Standards (under MeitY) STQC Directorate (under MeitY) Purpose Mandatory licence to sell IP cameras in India Required for government and PSU procurement Scope Cybersecurity Essential Requirements Cybersecurity ERs + deeper system audit Certificate format BIS ER-01 licence number STQC/IoTSCS/ER/xxx Required for private sale Yes (from April 1, 2026) No, but increasingly preferred What if you have only one Can sell freely, cannot bid for govt. tenders Needs both to bid for govt. tenders
| Parameter | BIS ER-01 | STQC IoTSCS |
|---|---|---|
| Run by | Bureau of Indian Standards (under MeitY) | STQC Directorate (under MeitY) |
| Purpose | Mandatory licence to sell IP cameras in India | Required for government and PSU procurement |
| Scope | Cybersecurity Essential Requirements | Cybersecurity ERs + deeper system audit |
| Certificate format | BIS ER-01 licence number | STQC/IoTSCS/ER/xxx |
| Required for private sale | Yes (from April 1, 2026) | No, but increasingly preferred |
| What if you have only one | Can sell freely, cannot bid for govt. tenders | Needs both to bid for govt. tenders |
Both schemes test against the same six Essential Requirements published by MeitY in the Gazette notification dated 6 March 2024: no default passwords, encrypted streams, signed firmware, disabled debug ports, supply chain transparency, and a vulnerability disclosure policy. We've written the detailed breakdown of each requirement in our BIS ER-01 newsletter.
The difference is depth. BIS ER-01 confirms a camera meets the minimum cybersecurity bar for legal sale. STQC goes further with system-level testing, including invasive and non-invasive attack methodology, covering physical interfaces, communication protocols, and application security. STQC also requires annual surveillance audits for the certificate to stay valid.
Source: STQC Rules and Procedures (IoTSCS/D01) and STQC CCTV Testing Procedure (IoTSCS-P01)
Why did the government create two separate schemes?
The PPO (Public Procurement Order) for CCTV has been in the works since at least early 2024. MeitY's advisory to all government departments explicitly stated that CCTV systems at sensitive locations should comply with the Essential Requirements, and that security testing certificates should be issued by STQC or any other MeitY-notified agency.
But making every camera in the country pass STQC-level testing before it could be sold anywhere would have choked the supply chain. BIS ER-01 was the practical solution: a faster, lighter certification that ensures a cybersecurity baseline for the entire market, while STQC remains the deeper audit reserved for government procurement where the stakes are higher.
Source: MeitY Advisory for VSS/CCTV to all government departments
The Ghaziabad Espionage case that made this real
In March 2026, police in Ghaziabad and Hapur uncovered espionage networks where operatives had installed standalone solar-powered Chinese CCTV cameras at sensitive locations, including areas near railway stations and defence installations. These cameras used 4G SIM cards to transmit live feeds that were accessible from anywhere, including to handlers based in Pakistan, through mobile apps. The investigation linked the network to Pakistan's ISI and the banned terror group Babbar Khalsa International. 32 people, including juveniles, were held across Ghaziabad and Delhi.
The fallout was immediate. Maharashtra's Chief Minister ordered a complete ban on procuring CCTV equipment from Chinese companies and directed a security audit of existing surveillance systems across the state. The central government tightened enforcement of the April 2026 deadline. BIS started warehouse raids.
This is the threat model the Essential Requirements were designed for. Default passwords, unencrypted feeds, undisclosed chipset origins, no firmware verification. Every gap in an unsecured camera is an entry point, and the Ghaziabad case showed those entry points being actively exploited.
Do you need STQC or BIS ER 01?
Government tenders: STQC is mandatory
Any CCTV deployment funded by central or state government, defence, railways, smart city projects, PSUs, or critical infrastructure now requires STQC certification under the PPO. The MeitY advisory explicitly instructs Chief Information Security Officers across all government departments and subordinate organisations to enforce this. If you're bidding for a government tender and your camera only has BIS ER-01, you're not eligible.
Private and enterprise buyers: BIS ER-01 is the legal floor
For private sales, BIS ER-01 is enough. You can buy and install a BIS ER-01 certified camera in your home, office, factory, retail store, or warehouse without violating any rule. The seller needs BIS approval, the camera needs a BIS ER-01 licence, and that's it legally.
But here's where it gets interesting. We've seen procurement teams at large private companies (banks, hospitals, IT campuses, hotel chains, and listed manufacturers) start specifying STQC in their purchase orders even though they don't have to. Three reasons come up repeatedly.
Audit trail. If a camera at a banking branch gets compromised, the bank's IT auditors want to know the device passed an independent government test. STQC gives them that paper trail. BIS ER-01 is a lighter touch.
Vendor consolidation. If a company also bids for any government work, they want one camera SKU that qualifies for both segments. STQC-certified cameras are eligible for everything. BIS-only cameras are limited to private.
Future-proofing. The current rules apply to IP cameras. Industry expectation is that the cybersecurity bar will keep rising (NVRs and DVRs are already under a separate IoTSCS evaluation track). Companies buying STQC-certified cameras today are hedging against stricter rules tomorrow.
So which one do you need? If you're buying cameras for a home, shop, or private office, BIS ER-01 is enough. Make sure the camera has a valid BIS ER-01 licence. That's the legal minimum after April 1, 2026.
If you're buying for any government project, PSU, defence, railways, or smart city deployment, you need STQC. No exceptions.
If you're a large enterprise, legally you need BIS ER-01, but practically, specifying STQC gives you better audit coverage and avoids having to maintain two separate camera inventories.