India and California Tighten Autonomous Vehicle Oversight While U.S. Eliminates Manual Control Requirements

Autonomous vehicle regulation is fracturing along two distinct paths: jurisdictions moving to eliminate manual safety controls while simultaneously imposing stricter cybersecurity and operational oversight. The contrast reveals a fundamental tension in how different regions assess risk from driverless technology.

The United States has moved to relax hardware requirements for fully Autonomous Vehicles. The National Highway Traffic Safety Administration proposed eliminating mandatory manual brake pedals for cars designed to operate without human intervention, provided they meet stopping-distance performance criteria through alternative testing. This shift would lift production caps currently limiting manufacturers to 2,500 vehicles annually under exemption pathways. Meanwhile, India’s Ministry of Road Transport and Highways published draft cybersecurity and software-update rules that mandate formal management systems for all connected vehicles and impose hardware-independent compliance deadlines through 2029. California tightened oversight further by requiring manufacturers to respond to emergency calls within 30 seconds and enabling local authorities to issue geofencing directives that electronically restrict vehicle movement in crisis zones.

These divergent approaches reflect competing philosophies about how to manage autonomous vehicle deployment: the U.S. framework emphasizes design flexibility for manufacturers willing to prove performance, while India and California prioritize transparency, emergency coordination, and continuous monitoring of vehicle behavior in real-world conditions.

The Case for Design Freedom Versus Operational Accountability

NHTSA’s brake-pedal proposal assumes that removing manual controls eliminates a false sense of driver authority and simplifies vehicle design without compromising safety, since performance requirements remain unchanged. The agency argued this approach removes what it called “pointless barriers” while holding developers accountable for stopping performance. Tesla’s newly launched Cybercab, which has no steering wheel or pedals, stands as the primary beneficiary; the company has not yet applied for a production exemption and faces production speed restrictions under current rules.

This logic inverts the traditional safety model. Rather than require hardware redundancy, the U.S. framework trusts manufacturers to achieve the same safety outcome through untested software and sensor systems. Approval depends not on demonstrated experience but on theoretical performance modeling and manufacturer claims about system reliability.

India and California adopted the opposite approach. India’s draft rules insert two new provisions into motor vehicle standards requiring all connected vehicles to implement a Cyber Security Management System and a Software Update Management System, with compliance deadlines escalating from October 2026 for Level 3 automation through October 2029 for any vehicle with over-the-air updates. These rules, aligned with United Nations frameworks already adopted in the EU, Japan, and South Korea, treat security and update protocols as type-approval conditions, not optional features.

California’s regulations go further operationally. New rules require manufacturers to maintain 30-second response times to emergency personnel and allow local officials to issue temporary “do not enter” zones that vehicles must obey electronically. Violating geofencing directives can result in permit suspension. These requirements assume that autonomous vehicles, however capable, operate in complex social environments where emergency response coordination matters as much as technical performance.

Testing Requirements and the Path to Deployment

The jurisdictions also differ sharply in deployment timelines and measurement. California requires manufacturers to complete 50,000 miles of light-duty testing and 500,000 miles of heavy-duty testing at each phase before advancing from safety-driver modes to driverless operation, then to commercial deployment. Manufacturers must submit a “structured safety case” demonstrating hardware, software, and operational safety. These milestones are verifiable and retrospective.

The U.S. federal proposal contains no equivalent testing timeline or distance thresholds. It references “alternative testing procedures” but does not specify what those are. Approval depends on manufacturer-submitted performance data and NHTSA’s assessment of whether stopping criteria are met. There is no requirement for public operational data or third-party verification before widespread production.

India’s approach splits the difference. Phased compliance deadlines acknowledge that different vehicle classes carry different risks: Level 3 automation faces the earliest deadlines (October 2026 for new models), followed by vehicles capable of over-the-air updates, then all software-capable vehicles. The rules rely on established cybersecurity standards (AIS-189) and update protocols (AIS-190) rather than performance testing, shifting accountability from driving ability to system integrity and update reliability.

Who Bears Liability When Systems Fail

A critical open question is liability. The U.S. proposal effectively transfers liability risk to manufacturers and insurers once manual controls are removed, since no human driver can intervene. India’s structured compliance approach maintains oversight chains: vehicles must respond to commands, update securely, and remain contactable. California’s 30-second emergency response requirement creates a legal obligation that links vehicle behavior to government directives.

The insurance industry is already grappling with this uncertainty. As autonomous commercial vehicles move toward broader deployment, underwriters are rethinking traditional driver-based risk models and exploring how liability frameworks might shift responsibility from individual operators toward vehicle systems and technology providers. This transition remains unsettled; coverage structures are evolving, but no consensus has emerged about how liability will be distributed between manufacturers, fleet operators, and insurers once autonomous vehicles dominate a market segment.

These regulatory divergences matter because they establish which markets innovators prioritize and which safety assumptions become embedded in vehicle design. A manufacturer building for both U.S. and California markets must meet California’s operational requirements even if selling in states that follow the federal model. Similarly, companies targeting India, EU, or Japanese markets must implement formal cyber and update management systems regardless of their approach in North America. No single global standard yet exists, meaning companies pursuing global deployment must design for the strictest jurisdiction they operate in.

The Next Inflection Point

The timeline for these rules to take effect spans 2026 to 2029. India’s cybersecurity deadlines begin in October 2026. California’s heavy-duty autonomous vehicle regulations are now active. The U.S. brake-pedal proposal remains in notice-and-comment phase and could face legal or congressional challenges before finalization.

Within this window, the operational record from early deployments in California, Phoenix, and other limited zones will inform whether manual-backup or geofencing-based models prove more effective at preventing accidents and managing emergency response. The divergence will likely persist: manufacturers will optimize for the least restrictive market they can operate in, while regulators in more cautious jurisdictions will cite operational data to justify tighter requirements.

The question is not whether one approach is correct, but whether fragmented global standards create a race-to-the-bottom dynamic or whether operational data from stricter regions eventually influence federal and international harmonization.