Security Manual for Licensed Defence Industries, 2025: Key compliance updates

Partner: Sumi Saikia, Senior Associate: Ananya Kumar, Associate: Sidhant Kapoor

On 3 July 2025, the Department of Defence Production (DDP), Ministry of Defence (MoD), released the Security Manual for Licensed Defence Industries (SMLDI 2025), replacing the Security Manual for Licensed Defence Industries issued in 2014 (SMLDI 2014). The revised manual establishes updated safety and security procedures for companies in the defence sector and marks a significant shift in the compliance framework with enhanced focus on cyber and personnel security, expanded applicability, and tighter enforcement mechanisms.

In tandem, the Department for Promotion of Industry and Internal Trade (DPIIT) issued Press Note No. 3 (2025 series) on 23 July 2025, directing all companies holding industrial licenses from the DPIIT to comply with SMLDI 2025 before commencing production of licensed items.

Key changes introduced under SMLDI 2025

Expanded scope and revised product categorisation

SMLDI 2014 prescribed security measures according to a three-tier categorisation of the products being manufactured at the premises. In contrast, SMLDI 2025 adopts a simplified two-tier system: Category A encompasses highly classified and sensitive products, and Category B includes semi-finished products, sub-systems or less sensitive finished products. Notably, the earlier Category C under SMLDI 2014, which included generic items not specifically designed for defence use, has been omitted (probably because manufacturing of most such items would not require a license under the defense regulatory regime).

Additionally, SMLDI 2025 explicitly clarifies that the security manual extends not only to private sector entities holding defence industrial licenses under the Arms Act, 1959 and the Industries (Development and Regulation) Act 1951, but also applies to Defence Public Sector Undertakings (Indian Licensed Defense Companies or ILDC).¹

Tightened personnel security and mandatory vetting

SMLDI 2025 introduces stronger standards for the appointment of security personnel and employee vetting and verification for ILDCs. ILDCs are required to appoint personnel for two key security roles:

• Chief Company Security Officer (CCSO): As under SMLDI 2014, the CCSO must be an Indian citizen and for Category A ILDCs, the CCSO must be a former officer of the army, air force, navy, central para-military forces or the police.
• Cyber Information Security Officer (CISO): While the functions of a CISO may be discharged by a senior officer having sufficient knowledge of IT systems of the company, SMLDI 2025 mandates a dedicated CISO to be appointed for companies with a turnover exceeding INR 250 crore—a significant departure from the earlier regime.

SMLDI 2025 continues the erstwhile requirement of SMLDI 2014 (for Category A and B industries) that all employees of an ILDC are required to undergo a thorough verification, and personnel employed on ‘Top Secret Work’ must be subject to vetting both prior to joining and periodically thereafter. Additionally, SMLDI 2025 requires that both the CCSO and the CISO undergo pre-appointment vetting by government agencies, with re-verification every three years.

SMLDI 2025 also sets out detailed responsibilities across different tiers of management for ensuring cybersecurity compliance and oversight, highlighting the organisational accountability embedded in the revised framework.

Revised physical and electronic access controls

Building upon the framework laid out in SMLDI 2014, the 2025 manual strengthens and upgrades the requirements for controlling access and surveillance of sensitive storage areas. While SMLDI 2014 permitted photo ID, proximity cards, smart cards, or biometric access controls at vital points (i.e., sensitive areas housing classified equipment), SMLDI 2025 mandates biometric access control as the baseline standard at all vital and sensitive locations. In addition, a second layer of access authorisation is now compulsory for such areas.

Another notable enhancement is the requirement for mandatory night patrolling to be conducted at staggered intervals. This expands on the earlier discretionary provision and ensures continuous monitoring and deterrence even during non-operational hours.

Cybersecurity protocols overhauled

SMLDI 2025 significantly expands the scope of information security policy for ILDCs. While SMLDI 2014 outlined basic controls to be included in such security policy, such as malware protection, password management, and backup verification (primarily for Category A ILDCs), SMLDI 2025 introduces a detailed set of mandatory cybersecurity practices and advanced measures, applicable across both Category A and B ILDCs. These include:

• Firewall configuration rules,
• Intrusion Detection System/Intrusion Prevention System,
• Security Information and Event Management/Security Orchestration, Automation, and Response tools,
• Policies for Industry 4.0 systems, such as Supervisory Control and Data Acquisition/Industrial Control Systems, and
• Stringent privileged account management, to limit elevated access and prevent insider threats.

A key structural change is the requirement that all official work be conducted on an air gapped network that is isolated from the internet. Devices utilising such air gapped networks need to meet specific standards set out in the manual to ensure data containment and system integrity.

ILDCs that are either: (a) entrusted with procurement orders and technologies developed by any government agency; or (b) privy to defence-related designs, plans or products, must now integrate their necessary log data with the MoD’s Cyber Security Operations Centre (CSOC) to facilitate real-time threat monitoring and centralised oversight.

SMLDI 2025 mandates the inclusion of a ‘Cyber Awareness and Evaluation Module’ in the employee induction process, emphasising a culture of cyber vigilance from the start.

New compliance standards for material handling and document security

SMLDI 2025 revises protocols for managing the movement of materials and safeguarding sensitive information within the ILDC’s facility. A key requirement is the mandatory implementation of a Computerised Material Management System (CMMS). This system is to be used for generating gate passes and maintaining data backups, enhancing traceability and accountability.

A formal Data Classification Policy is now compulsory and must include definitive protocols for handling, storage and transmission of classified information, labeled as ‘Secret’ or ‘Top Secret’, etc., and other sensitive designations.

To further strengthen operational security, enhanced communication security protocols, such as hostile call procedures and social media sensitisation programs, have also been prescribed. These are aimed at reducing the risk of unintentional information leaks by employees.

Protocols for visits by foreigners

SMLDI 2025 introduces stringent procedural and reporting requirements concerning visits by foreign nationals. Visits by such persons to areas or zones where manufacturing related to MoD projects is underway continue to require prior clearance by MoD, as under previous guidelines. However, even visits to non-sensitive or non-strategic areas, approved by the CEO of the ILDC, must now be reported to the Nodal Office of the DDP through an online portal in a timely manner and also included in a quarterly report to the DDP. This replaces the previous requirement of reporting such visits only to the Intelligence Bureau within 15 days of the visit. Entry to vital installations on tourist or e-tourist visas is now explicitly prohibited.

Reporting requirements

SMLDI 2025 introduces a more detailed reporting framework, covering various intimation requirements such as commencement of production, sales data, inspection reports and event-based reporting. This is a significant enhancement over SMLDI 2014, which prescribed a more general quarterly reporting structure without such specificity or standardised formats.

The revised framework introduced under SMLDI 2025 reflects the Government of India’s heightened focus on national security, cyber resilience, and regulatory accountability within the defence manufacturing ecosystem. While no clear timeline has been provided for licensed defence entities (that have already commenced production) to comply with the additional requirements set out under SMLDI 2025, ILDCs should commence a thorough assessment of their internal security protocols and align their operations with the procedural mandates set out in the manual. Compliance with these requirements will serve as a critical reference point during regulatory audits.

[1] This position was not entirely clear in SMLDI 2014 because at multiple places it referred to it being applicable to the private sector.

If you require any further information about the material contained in this newsletter, please get in touch with your Trilegal relationship partner or send an email to alerts@trilegal.com. The contents of this newsletter are intended for informational purposes only and are not in the nature of a legal opinion. Readers are encouraged to seek legal counsel prior to acting upon any of the information provided herein.