Get Expert Help

Introduction

Published on: March 23, 2026 | Category: TEC/MTCTE Certification

The National Centre for Communication Security (NCCS), under the Department of Telecommunications (DoT), has issued an important notification dated 17th March 2026. This update brings greater clarity and flexibility regarding software modifications in devices that are undergoing security testing.

The notification is especially relevant for stakeholders involved in MTCTE certification, including OEMs, importers, and testing laboratories, as it directly impacts compliance procedures and testing workflows.

NCCS notification 2026 allowing software changes during MTCTE security testing with Annexure I and II compliance

Key Highlights of the NCCS Update

  • Issued by: National Centre for Communication Security (NCCS)
  • Department: Department of Telecommunications (DoT), Government of India
  • Notification Date: 17 March 2026
  • Subject: Software Changes in Devices Under Security Testing
  • Applicable To: Devices Under Test (DUT) under MTCTE Certification
  • Testing Environment: Telecommunication Security Testing Labs (TSTLs)
  • Key Update: Software modifications are now permitted during ongoing security testing, subject to submission of required declarations
  • Mandatory Requirement::
    • Annexure-I (Software Upgradation Declaration)
    • Annexure-II (ITSAR BOM Change Declaration)
  • Compliance Condition: Software changes must not affect already compliant ITSAR clauses.
View Official Notification

What is the Latest NCCS Rule for Software Changes in DUT?

NCCS has introduced a significant update allowing software modifications in Devices Under Test (DUT) even during ongoing security testing at Telecommunication Security Testing Labs (TSTLs). This provides much-needed flexibility for applicants to implement necessary fixes or updates without stopping or restarting the testing process. However, this provision is subject to strict compliance requirements to ensure that security standards and ITSAR compliance are not compromised.

Key Points to Understand

  • Software changes are allowed during testing under MTCTE
  • Changes must be supported with Annexure-I and Annexure-II declarations
  • Proper documentation and justification is mandatory
  • The Impact Assessment Document (IAD) must be submitted
  • Changes should not affect already compliant ITSAR clauses
  • Full traceability (version & hash values) must be maintained

Important Considerations

While this update provides flexibility, it does not reduce compliance responsibility. Every software modification must be carefully evaluated, documented, and justified to ensure that the product continues to meet all regulatory requirements.

Failure to follow the prescribed process or submitting incomplete documentation may lead to delays, re-evaluation, or even rejection of the certification application. Therefore, maintaining proper control over software changes is critical for a smooth MTCTE approval process.

Detailed Compliance Requirements

NCCS has defined a clear and structured approach for managing software changes during MTCTE security testing. Each stage of modification requires proper documentation, declarations, and justification to ensure compliance with ITSAR requirements and avoid delays in certification.

1. Software Modification During Testing

When any software change is made in the Device Under Test (DUT), it must be formally declared and documented. This ensures that all updates are traceable and approved within the compliance framework.

Key Requirements
  • Submission of Annexure-I (Software Upgradation Declaration)
  • Submission of Annexure-II (ITSAR BOM Change Declaration)
  • Both declarations must be submitted together

Important Note: Any software modification without a proper declaration may lead to non-compliance or rejection during the certification process.

2. Key Information Required in Annexure-I

Annexure I focuses on capturing complete technical details of the software modification. It helps authorities understand what changes were made and ensures that compliance is maintained.

Details to be Provided
  • Software component details
  • Original vs modified version and hash values
  • Description of the software changes
  • Impact Assessment Document (IAD)
  • Confirmation that existing ITSAR compliance remains unaffected
  • Declaration related to ITSAR BOM revision

Important Note: Incomplete or unclear information in Annexure-I may result in delays or additional clarification requests from authorities.

3. ITSAR BOM Corrections (Without Software Change)

In cases where there is no actual software change and only minor errors in documentation need correction, the process is simplified. This applies mainly to typographical mistakes in the ITSAR BOM.

Key Requirements
  • Only Annexure-II needs to be submitted
  • Annexure-I is not required

Important Note: This provision is applicable only for minor corrections. Any actual software change will still require both Annexures.

4. Annexure-II Requirements

Annexure-II is used to document changes related to the ITSAR BOM and ensures transparency in updates made during testing.

Details to be Provided
  • Existing vs revised ITSAR BOM details
  • Justification for changes (typo or software update)
  • Status of DUT declaration (unchanged or revised)
  • Updated the ITSAR BOM document attachment

Important Note: All changes must be clearly justified and supported with proper documentation to avoid re-evaluation or compliance issues.

Overall Important Consideration

Across all stages, maintaining proper documentation, traceability, and accuracy is critical. Any gap in submission or justification can impact the certification timeline and may lead to delays or rejection.

Importance of NCCS Software Change Update

The NCCS notification 2026 on software changes during MTCTE testing is a major improvement in the telecom certification process in India. It allows companies to make necessary software updates in Devices Under Test (DUT) without restarting testing, helping reduce delays and improve efficiency. At the same time, it ensures strict compliance through proper documentation and declarations, making the overall MTCTE certification process faster, smoother, and more industry-friendly.

Key Benefits:

  • Reduces delays in MTCTE certification approval
  • Avoids re-testing due to minor software changes
  • Enables software modification during testing in India
  • Improves efficiency in telecom product certification process
  • Ensures compliance with NCCS and ITSAR requirements
  • Supports faster product launch and market readiness
  • Enhances transparency through proper documentation and declarations

Who Should Pay Attention to This NCCS Update?

The latest NCCS notification on software changes during MTCTE testing is relevant for a wide range of stakeholders involved in telecom product certification. Any organization or team responsible for product compliance, testing, or regulatory approvals should carefully review and implement these updated guidelines to ensure smooth certification.

Key Stakeholders Affected

  • OEMs & Manufacturers: Developing telecom equipment requiring MTCTE approval
  • Importers & Dealers: Bringing telecom products into the Indian market
  • Telecom Product Applicants: Applying for MTCTE certification in India
  • Compliance & Certification Teams: Managing regulatory documentation and approvals
  • TSTLs (Testing Labs): Conducting security testing and validating compliance

What You Should Know

This notification reflects a shift towards adaptive compliance frameworks, where controlled flexibility is provided without compromising security assurance and regulatory integrity.

Organizations should now focus more on:

  • Robust documentation practices
  • Pre-validation before submitting DUT for testing
  • Software version control systems

Conclusion

While NCCS has introduced flexibility by allowing software changes during testing, maintaining strong compliance discipline remains essential. Organizations must ensure that every modification is properly controlled, justified, and aligned with regulatory requirements to avoid any impact on certification outcomes.

Accurate declarations, thorough documentation, and a clear impact analysis have now become more critical than ever. These practices not only ensure transparency but also help in achieving a smooth and efficient certification process under MTCTE without delays or rejections.

Read the Official NCCS Notification on Software Changes During MTCTE Security Testing (2026)

Frequently Asked Questions (FAQs)

Yes, as per the latest NCCS notification (17 March 2026), software modifications are allowed in Devices Under Test (DUT) during ongoing testing, subject to compliance requirements.

Applicants must submit Annexure-I (Software Upgradation Declaration) and Annexure-II (ITSAR BOM Change Declaration) along with supporting technical details.

Annexure I is mandatory only when there is an actual software modification. It is not required for minor documentation corrections.

If changes are limited to typographical errors in the ITSAR BOM, only Annexure-II needs to be submitted.

An IAD explains the impact of software changes and confirms that the modification does not affect already compliant ITSAR requirements.

Software changes are allowed, but they must not impact already compliant ITSAR clauses. Proper documentation is required to ensure approval.

Incomplete or incorrect submissions may lead to delays, re-evaluation, or rejection of the certification application.

Yes, testing can continue without restarting, provided all required declarations and compliance conditions are fulfilled.

OEMs, importers, telecom product applicants, compliance teams, and TSTL labs must follow this update.

It reduces testing delays, avoids re-testing, lowers costs, and makes the MTCTE certification process more efficient and flexible.

Request Service Today!

Ready to get certified or need expert compliance support? Fill out the form below and our team at SS Global Services will connect with you shortly.

We offer fast, reliable, and hassle-free assistance for all BIS and regulatory certification needs.