Recently, a critical policy development related to China’s mandatory automotive cybersecurity standard GB 44495 has emerged, potentially reshaping your compliance strategy. This standard—officially titled “Technical Requirements for Cybersecurity of Automobiles”—is set to evolve from an independent technical regulation to a mandatory certification basis for automotive market access.
According to a draft announcement released by the State Administration for Market Regulation (SAMR) on November 25, 2025, GB 44495-2024 is planned to be formally incorporated into the mandatory certification basis for automotive products. This means GB 44495’s requirements will be more closely aligned with China’s Compulsory Product Certification (CCC) system.
The core of this adjustment: In the future, automotive products must meet GB 44495 as a mandatory prerequisite to obtain CCC certification and market access. Currently, for newly accepted certification applications, certification bodies may add GB 44495 requirements based on enterprise requests. For existing certified models in production, authorities typically set a reasonable transition period—enterprises must closely monitor the final deadline specified in the official announcement to schedule technical modifications.
Recap of Core GB 44495 Requirements
To understand this update, it’s critical to revisit GB 44495’s core requirements, which focus on two key areas:
1.“Software” System Requirements:
Similar to UN R155, automakers cannot focus solely on individual products—they must establish a comprehensive cybersecurity management system covering the entire vehicle lifecycle. This requires enterprises to systematically manage security risks through organizational and process improvements.
2.“Hardware” Technical Requirements:
The standard imposes specific technical security requirements on vehicles themselves, focusing on four key areas:
·External Connection Security: Protect interfaces such as cellular networks, Wi-Fi, Bluetooth, and USB from unauthorized external access.
·Communication Security: Ensure confidentiality and integrity of in-vehicle and external communications, preventing data interception or tampering.
·Software Update Security: Safeguard OTA update processes, including update package signature verification and rollback mechanisms for update failures.
·Data and Code Security: Provide full-lifecycle protection for vehicle-collected, stored, and transmitted data, ensuring compliance with domestic data security regulations.
GB 44495 Implementation Timeline & Impact
The standard was released on August 23, 2024, and will take effect on January 1, 2026, with phased implementation:
·January 1, 2026: All new vehicle models applying for type approval must meet GB 44495 requirements.
·July 1, 2027: All existing models with type approval (i.e., in production and on sale) must comply.
The standard applies to M-category (passenger vehicles), N-category (commercial vehicles), and O-category (trailers) vehicles equipped with at least one electronic control unit (ECU)—essentially covering all intelligent connected vehicles in China’s market.
GB 44495’s transition from a technical standard to a mandatory certification basis signals China’s “zero-tolerance” approach to ICV cybersecurity. Compliance is no longer optional but a prerequisite for market access. Contact BLUEASIA at +86 13534225140 for professional certification consulting services.
