Revised Guidelines and Standards for Charging Infrastructure for Electric Vehicles: An Analysis

To promote e-mobility in India, the Ministry of Power, on 14th January 2022, introduced the revised consolidated Guidelines & Standards for Charging Infrastructure for Electric Vehicles (hereinafter, the Guidelines).[1] The Guidelines play a pertinent role in facilitating the e-mobility transition in India by increasing the affordability, accessibility, and reliability of the charging infrastructure. These guidelines are comprehensive as they deal with issues ranging from public charging stations to the tariff for the supply of electricity.[2] This article aims to study the provisions under the recent Guidelines, analyse the same, and delve into the suggestions for their effective implementation.

Exploring the Contours of the Electric Vehicle Infrastructure Guidelines


The Guidelines allow individuals to charge their Electric Vehicles (hereinafter, “EV”) at their residences and places of work using their existing electricity connections.[3] A private entity is free to set up a public charging station as long as it complies with the standards and protocols laid down by the Ministry of Power, the Bureau of Energy Efficiency and the Central Electricity Authority (CEA) from time to time.

The government, through the new Guidelines, aims to establish a grid of 3x3km for the EVs.[4] On the highways, a charging station would be available within every twenty-five kilometres. These charging stations would be present on both sides of the highways. To facilitate this goal, the government may resort to the installation of public charging stations at the existing outlets of the oil marketing companies.[5] It is interesting to note that the Guidelines also target heavy-duty EVs such as trucks and buses. A separate list of compliances, such as the requirement of at least two chargers of a minimum 100 kW (with 200-1000 V) each, has been specified for the long-distance and heavy-duty EVs.[6]

Under the Guidelines, public charging stations can apply for an electricity connection, and the distribution licensee would provide the same as per the timelines provided under the Electricity (Rights of the Consumers) Rules, 2020.[7] Public charging stations set up in metro cities would be able to have connectivity within seven days of applying.[8] The deadline extends to 15 days in the case of other municipal areas and 30 days in rural areas. The Guidelines also present the option of procuring power from any power generating company through open access.

To provide for advance remote or online booking of charging slots, a public charging station must have a tie-up with at least one network service provider. This would give EV owners the requisite information on aspects such as the number of installed and available chargers, location, and applicable service charges. While acknowledging that a few public charging stations would be set up for the internal use of an entity, the Guidelines additionally mention that no network service provider tie-ups are needed in that instance.

One of the key features of these Guidelines is that they provide for a single-part tariff for the supply of electricity to public charging stations, which would not exceed the average cost of supply until March 31st, 2025.[9] A separate metering arrangement would be provided for public charging stations, as opposed to domestic charging, so as to ensure that the consumption is recorded and billed in line with the applicable tariffs. To further reduce the cost, the government has provided electricity at concessional rates along with subsidies to set up Public Charging Stations. Moreover, the state governments would fix the ceiling of service charges to be levied at these charging stations.[10] The Guidelines, inter alia, provide that the DISCOMs may leverage funding from the Revamped Distribution Sector Scheme for the augmentation of the general upstream network, which is necessitated by the upcoming charging infrastructure. It specifies that the “cost of such works carried out by DISCOMs with the financial assistance from the Government of India under the revamped scheme should not be charged from the consumers for the Public Charging Stations for EVs.”[11]

The recent guidelines play an instrumental role in ensuring the process of charging is made affordable for EV users. The public charging stations would be set up on a revenue-sharing basis at the fixed rate of Rs 1/kWh.[12] More and more public charging systems would be set up by using the land available with the government and private entities.

It is pertinent to note that the rollout would follow a phased manner. Phase I, which ranges from the first to third year, would target all the megacities having a population of over four million. In this phase, all the existing expressways and important highways linked with the above megacities would also be included. Thereafter, the second phase (which would range from the third to the fifth year) would cover certain big cities, state capitals, and headquarters of the Union territories.[13]

Moreover, these Guidelines are made technology agnostic because they provide for prevailing international charging standards available in the market as well as new Indian charging standards.

The Bureau of Energy Efficiency would be the central nodal agency for the rollout of the EV public charging infrastructure.[14] Moreover, every state government can have its own nodal agency for the purposes of setting up the requisite infrastructure.


Requisites of Electric Vehicle Charging Stations


The Guidelines can be perceived as a massive step forward to promote the adoption of EVs in India by increasing accessibility and affordability. They should be lauded for introducing a reliable, economically viable and coordinated system to regulate the charging of such vehicles. They further tend to address the long-existing lacunae, which persisted with respect to the applicable tariffs.

In India, one of the reasons why the adoption of EVs has been quite staggered is that, according to the data with the Ministry of Road Transport and Highways (“MORTH”), there are only 1028 public charging stations for 9,47,876 registered cars.[15] This was observed by the Bureau of Energy Efficiency. Therefore, from the above figure, it could be clearly observed that the country does not have the necessary infrastructure to cater to the growing demand for EVs. These guidelines have identified the existing problem and provided appropriate solutions for the same. As discussed above, apart from the installation of an adequate number of public charging stations, individual consumers will also have the option of charging their EVs at their homes or places of work. The Guidelines state that under private charging, the batteries of privately owned cars are charged through domestic charging points and the billing is done via the home or domestic metering. On the other hand, for charging outside the home premises, the power needs to be billed and payment needs to be collected. Moreover, the power drawn from these chargers is regulated from time to time.

The provision of private charging, in addition to public charging, would overall result in consumer welfare, as private users now do not have to rely completely on the government for the charging process. They can bridge the implementation gap by setting up their own charging stations. Further, the government has also been taking the right steps to bring down the price of electric vehicles by providing subsidies. At present, the price of the majority of electric two-wheelers and three-wheelers is almost equivalent to that of their petrol counterparts.[16]

India has set the target of meeting 30% EV sales penetration for private cars, 70% for commercial vehicles, 80% for two and three-wheelers, and 40% for buses by 2030.[17] However, earlier this goal seemed unachievable due to the high costs associated with EVs and lack of the required infrastructure for public charging stations. The new Guidelines strive to make certain that the country is back on the track to meet the above-mentioned objective. This has been possible due to the subsidies that have been provided by the government. It is predicted that the sale of the total electric vehicles in India would reach approximately 10 lakh units. This number is equal to the units sold collectively in the last fifteen years.[18] Apart from this, the government has introduced a portal called e-Amrit to make India a more conducive place for the manufacture and adoption of EVs.[19]

Furthermore, the Guidelines aim to strike a balance between accessibility and safety. By allowing private entities to set up charging stations, the government has not only made the charging of EVs more feasible for individuals but has also reduced its burden of being the sole provider of the charging stations. Annexure 3 lays down a list of requirements to ensure that the safety protocols have been followed.[20]

Instrumental Role Played by EV Charging Infrastructure


The Guidelines would play an instrumental role in transforming and shaping the future of the use of EVs in India. They have efficiently recognized the existing issues and have formulated promising ways for addressing the same. Not only would they help in promoting energy security, but would also help in the reduction of emissions that are harmful to the environment which is a major concern at the global level. This would enable the country to take a step forward in the direction of its concern to save the environment and sustainable development.

However, the success of these Guidelines entirely depends on their effective implementation. Therefore, both central and state governments shall play a crucial role in its success in introducing a user-friendly EV policy. It is suggested that the Central Government or the Central Nodal Agency should keep a check on the performance of all the States with regards to the Guidelines. It should ensure that the development is taking place in a continuous and coordinated manner. Moreover, since the private individuals and entities for public use are free to set up their own charging stations, measures should be taken to ensure that the safety standards are strictly being met.






















Image Credits: Photo by Michael Marais on Unsplash



IS 17428 - A New Privacy Assurance Standard in India

Recently, Aditya Birla Fashion and Retail Ltd (ABFR) faced a major data breach on its e-commerce portal. As per the reports, personal information of over 5.4 million users of the platform was made public. The 700 GB data leak included personal customer details like order histories, names, dates of birth, credit card information, addresses and contact numbers. Additionally, details like salaries, religion, marital status of employees were also leaked.  Forensic and data security experts were pro-actively engaged to implement the requisite damage-control measures and launch a detailed investigation into the matter.[1] This demonstrates the need to have wider awareness and establish standardized protocols for personal data management. 

The battle of data protection and privacy currently stands at a juxtaposition with a flourishing data economy. 2021 was a watershed moment in the privacy & data protection dialogue in the country. The need for comprehensive data protection law was louder than ever and there were major initiatives on the legislative and executive front.

In June of 2021, the Bureau of Indian Standards (BIS) introduced IS 17428 for data privacy assurance. It is a privacy framework designed for organisations to handle the personal data of individuals that they collect or process. The certification provided by BIS for IS 17428 can be deemed an assurance, extended by organisations to their customers/users, of a well-implemented privacy practice. The BIS, being a statutorily created standard-setting body of our country, will bring some welcome change in our data management.

IS 17428 is divided into 2 parts[2]:

  • Part 1 deals with the Management and Engineering parameters that are mandatory for an organization to comply with. This part provides for establishing and cultivating a competent Data Privacy Management System.
  • Part 2 deals with the Engineering and Management guidelines which enable the implementation of Part 1. These guidelines are not mandatory in nature but a reference framework for an organization to implement good practices internally.


The Context – Privacy & Data Protection laws in India


The Data Protection Bill was expected to be tabled in Parliament back in 2019 but was postponed due to the ongoing pandemic. The country was hoping to pass the bill last year; however, it was sent to the Joint Parliamentary Committee (JPC) for perusal. The JPC made its report on the bill public in the month of December 2021.

Also, Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 had been implemented back in 2011, primarily to safeguard the sensitive personal data of individuals that are collected, processed, transferred, or stored by any organisation and enumerate security practices. The rule lays down certain practices and procedures to be followed by a stakeholder while dealing with sensitive personal data. International Standard IS/ISO/IEC 27001 is one such acceptable standard.

Later, ISO27701 was introduced, focusing specifically on Privacy Information Management. However, our Indian enactment has not specifically endorsed any such standard, though standards formulated by an industry association that are approved and notified by the Central Government are also deemed appropriate. Against this background, BIS introducing a standard is a welcome initiative, as it will help in bringing uniformity in the implementation of privacy practices across Indian industries.

Components of Part 1 of IS 17428[3]

Development of Privacy Requirements:

While developing the privacy requirements of the organisation in relation to the data collected or processed, the organisation has to take into consideration various factors such as jurisdiction, statutory requirements and business needs.

Personal Data Collection and Limitation:

The organisation is permitted to collect the personal information of the individuals, provided the same has been consented to by such individuals.

Privacy notice: 

The organisation is bound to provide a notice to individuals while collecting information from them, and when such collection is through an indirect method employed by the organisation, it is the duty of the organisation to convey the same by unambiguous and legitimate means.

The contents of a privacy notice at the minimum should include the following[4]:

  • Name and Address of the entity collecting the personal data
  • Name and Address of the entity retaining the personal data, if different from above
  • Types and categories of personal data collected
  • Purpose of collection and processing
  • Recipients of personal data, including any transfers

Choice and Consent:

As mentioned earlier, while collecting information, the organisation should get the consent of the individual at the initiation of the process while offering such individuals the choice of the information that they consent to disclose. This entire process should be done in a lawful manner and according to the privacy policies implemented by the organisation.

Data Accuracy: 

The data collected by the organisation should be accurate, and in case it is inaccurate, it should be corrected promptly.

Use Limitation: 

The data collected by the organisation should be used for the legitimate purpose for which it was agreed upon and it shall not be used for any other purposes.


The organisation should implement a strict security program to ensure that the information collected is not breached or compromised in any manner.

Data Privacy Management System: 

The organisation is required to establish a Data Privacy Management System (DPMS). The DPMS shall act as a point of reference and baseline for the organisation’s privacy requirements/objectives.

Privacy Objectives: 

The privacy objective of the organisation shall be fixed and set out by the organisation itself. While determining the objectives the organisation shall also look into various factors such as the nature of business operations involving the GDPR processing of personal information, the industry domain, type of individuals, the extent to which the processed information is outsourced and the personal information collected. Moreover, the organisation shall also ensure that the objectives are in alignment with its privacy policy, business objectives and the geographical distribution of its operations.

Personal Data Storage Limitation: 

The organisation shall be allowed to retain the information collected from the individual only for a specific time period as required by the law or the completion of the purpose for which it was collected in the first place. The individual shall have the right to delete their personal information from the organisation database upon request.

Privacy Policy: 

The organisation shall create and implement a privacy policy that shall determine the scope and be applicable to all its business affiliates. The senior management of the organisation shall be in charge of the data privacy function. Moreover, the privacy policy should be in consonance with the privacy objectives of the organisation.

Records and Document Management

The organisation shall keep a record of its processing activities which shall, in turn, ensure responsibility towards the compliance of data privacy. The possible way to achieve such a standard is to lay out procedures that help to identify various records. While laying out procedures, the organisation shall take into consideration certain factors such as a record of logs that demonstrate affirmative action and options chosen by individuals on privacy consent and notice, evidence of capture events related to access or use of personal information, and retention period of obsolete documents.

Privacy Impact Assessment: 

A privacy impact assessment shall be carried out by the organisation from time to time. Such an assessment shall help in estimating the changes and the impact that they can possibly have on the data privacy of the individuals.

Privacy Risk Management

The organisation shall put in place and document a privacy risk management methodology. The methodology shall determine how the risks are managed and how the risks are kept at an acceptable level.

Grievance Redress:  

A grievance redressal mechanism shall be established by the organisation to handle the grievances of the individuals promptly. The organisation shall ensure that the contact information of the grievance officer shall be displayed or published and that they have the channel of receiving complaints from the individuals. Moreover, the organisation shall also make it clear as to the provision for escalation and appeal and the timelines for resolution of the grievance.

Periodic Audits: 

The organisation shall conduct periodic audits for the data privacy management system. The audit shall be conducted by an independent authority competent in data privacy, internal or external to the organization, at a periodicity appropriate for the organization, at least once a year.

Privacy Incident Management: 

Privacy breaches and data privacy incidents shall be reported regularly and the organisation shall come up with a mechanism to manage such incidents. The process shall involve identifying the incident at the first stage and investigating the root cause, preparing analysis and correcting the incidents in the second stage. The last stage is basically informing the key stakeholders including Data Privacy Authority about the breach or incident.

Data Subject’s Request Management: 

The organisation shall develop a mechanism to respond to requests from individuals concerning their personal data. This process shall include the means to verify the identity of the individual, to provide access to the information and to update the information.


How Would IS 17428 Help in Privacy and Data Protection?


The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (RSPP and SPDI rules) had been the only law for organisations to follow. The rules did not prescribe or detail any specific requirements or standards in relation to personal data management and in the absence of formulated standards for the protection of the sensitive personal data of individuals, industry bodies were struggling to have uniform procedures. 

This being the case, introducing specific standards for personal data management will bring more clarity and will help companies to adhere to an approved standard prescribed by a government agency. Moreover, principles narrated in this standard are in accordance with the Internationally recognised privacy principles and will help Indian companies to proffer confidence when dealing with their commercial counterparts.

Introduction of record and document management, risk assessment and data subject request management are a few of the aspects that bring onerous responsibilities on companies making them more accountable and transparent.  These aspects have laid down procedures and mechanisms for an organisation to improve their privacy management, for example, introducing processes such as verification of identity, access to information, evidence of capture events of consent and retention period of obsolete documents.


The proposed data protection legislation and the IS 17428


The IS 17428 standard has been inspired primarily by the OECD privacy principles, GDPR and ISO27701. The proposed data protection legislation, on the other hand, diverges from the above instruments in many respects. For instance, the IS standard has an elaborate description of the privacy objective of the organisation and the factors that need to be taken into account. Most of these objectives are covered under Sections 22 and 23 of the draft Bill, but the standard has nevertheless recommended a few other factors, such as geographical operation, industrial domain and type of individuals, as specific factors to be taken into consideration while drafting the privacy objectives. How far discretionary privacy standards can be created, and how much freedom industries are allowed in this regard, is unclear.

Section 28 of the draft bill talks about the records and document management of the data collected or processed and the standard covers almost every bit of the section. In addition to the consideration mentioned under the bill, the standard goes forward and echoes the need to establish a policy on the preservation of obsolete policies and process documents. Data and record-keeping should be for a defined period. The majority of other legislation prescribes an average of 7 years of data-keeping. Keeping any data beyond such a reasonable period may not serve many purposes. Why this standard has prescribed such obsolete data retention is again unclear.

The standard could be made effective by only having an enactment for data protection legislation in place. For instance, the grievance redressal mechanism, though the standards do envisage an appeal mechanism, they do not establish appeal machinery. This part of the standard can be put to use only after the Data Protection Authority as per section 32 is constituted. The standard also calls for an investigative process in the event of any breach or compromise of data. The organisation is welcome to conduct an onsite or internal investigation into the breach or incidents, but once again an independent authority to investigate in a legitimate and fair manner is required.

In short, I am afraid it has failed to take into account the special requirements contemplated under the PDPB, 2019, which may eventually become the law of the country; once this law is enacted, this standard will also be required to be modified. The government has not made any announcement, as per the RSPP and SPDI rules, that IS 17428 is an appropriate standard certifying the compliance of personal data management. In the absence of such explicit endorsement, the ambiguity continues as to whether the adoption of this standard is sufficient compliance under the said rules.

Finally, with the Data Protection Bill around the corner, the Data Protection Authority envisaged to be constituted under the legislation shall have the power to issue codes, guidelines, and best practices for protecting the privacy of data subjects. How the IS 17428 standard framed by the BIS will be looked at by the DPA, or whether the proposed rules will offer a different set of practices, shall be an interesting development to observe.



[2] The IS 17428 was established on November 20, 2020 and notified in the official gazette on December 4, 2020. Please see the notification available at: (last visited Jan 18, 2022).

[3] Supra note 2.

[4] Sub-clause 4.2.2 of the IS Requirements: “Privacy Notice”.



Photo Credits:

Image by Darwin Laganzon from Pixabay 
