STQC Certification for CCTV in India: Government Compliance, the IT Act, and Which Brands Qualify

If you're supplying or installing CCTV for a government department, PSU, bank, or any critical-infrastructure site in India, you've likely already run into the requirement for STQC-certified cameras. This isn't paperwork for its own sake — it exists because surveillance hardware with weak firmware, default credentials, or undisclosed data channels is a real cybersecurity risk when it's watching a government building, a data center, or a metro station. Here's what the certification actually covers, why it became mandatory, and what it means for your project.

What STQC certification actually is

STQC stands for Standardisation Testing and Quality Certification — a directorate under India's Ministry of Electronics and Information Technology (MeitY). For CCTV and surveillance equipment, STQC-empanelled labs test cameras and recording hardware specifically for cybersecurity vulnerabilities: weak or hardcoded default passwords, unencrypted data transmission, undocumented backdoors, and firmware that could allow unauthorised remote access. A camera passing STQC testing has been independently checked for these risks — it's not a general quality stamp, it's specifically a security vetting.

Why the government tightened CCTV procurement rules

In recent years, Indian government departments and public sector undertakings have moved to require STQC testing specifically for surveillance hardware, largely driven by concerns over foreign-made cameras — particularly low-cost, unverified hardware of Chinese origin — being deployed at sensitive sites without any independent security check on what the firmware actually does. This mirrors a similar move in the US, where the NDAA (National Defense Authorization Act) restricts certain surveillance brands from government use for the same underlying reason: unverified hardware watching sensitive infrastructure is a security risk, not just a procurement preference. Several of our partner brands maintain NDAA-compliant product lines for exactly this reason, which is a useful signal even outside the US — it generally indicates a brand takes this category of scrutiny seriously across markets.

BIS certification — a separate but related requirement

BIS (Bureau of Indian Standards) certification covers a different scope — general electronics safety and quality standards rather than cybersecurity specifically. Government and PSU tenders often require both: BIS for the hardware's basic safety and build quality, and STQC for the cybersecurity vetting. We've maintained STQC and BIS certification across our camera range for this reason — it's standard practice for any installer serious about institutional and government work, not an optional upgrade.

How this connects to the IT Act and data security obligations

Certified hardware is only one half of compliance. India's IT Act, 2000 (particularly Section 43A, on reasonable security practices for sensitive personal data) and the newer Digital Personal Data Protection Act, 2023 both apply to how CCTV footage is stored, accessed, and transmitted — and footage containing identifiable faces is personal data under most readings of these frameworks. In practice this means: encrypted video transmission and storage, access-controlled NVR logins (not default credentials left unchanged), defined retention periods rather than indefinite storage, and a clear record of who can access footage and when. STQC-certified hardware gives you a secure starting point; how you configure access control and retention on top of it is what actually determines whether a deployment is compliant day to day.

Which of our partner brands support government and PSU-grade projects

As authorised dealers for Hanwha Vision, Honeywell, Matrix Comsec, Panasonic i-Pro, and Pelco, we work with brands that maintain STQC and BIS-certified lines specifically for the Indian government and institutional market. One important caveat worth being upfront about: certification applies to a specific model and firmware version, not a brand as a whole — a certificate can lapse or a newer model may not yet be certified. We check current certification status against your exact tender requirements before quoting, rather than assuming a brand's reputation covers every model in its catalog.

This isn't theoretical for us — our work with Reserve Bank of India data center networking, the Mumbai Metro Aqua Line 3 security infrastructure, and hospital surveillance during the Covid-19 pandemic for MMRDA, MMRC and MCGM all sat within these same compliance expectations. See examples of that project work.

If you're bidding on or running a government/PSU project

• Confirm the STQC certificate covers the exact camera model and firmware version you're quoting — not just the brand
• Check whether the tender also requires BIS certification separately
• Plan for encrypted storage/transmission and access-controlled logins as part of the install, not as an afterthought
• Define a clear footage retention period rather than leaving an NVR set to record indefinitely
• Work with a dealer who can provide current certification documentation alongside the quote

If you're preparing a government, PSU, or institutional tender and need current STQC/BIS-certified options across Hanwha, Honeywell, Matrix, Panasonic i-Pro, or Pelco, get in touch and we'll confirm exactly what's certified for your requirement.