GB 44495-2024, "Cybersecurity Technical Requirements for Whole Vehicles," is a significant mandatory national standard. It is one of China's first mandatory standards for intelligent connected vehicles (ICVs), alongside GB 44496-2024 ("General Technical Requirements for Vehicle Software Upgrades") and GB 44497-2024 ("Data Recording System for Automated Driving of Intelligent and Connected Vehicles"). Issued by the State Administration for Market Regulation (SAMR) and the Standardization Administration of China (SAC) on August 23, 2024, it takes effect on January 1, 2026.
The core of GB 44495-2024 is building a cybersecurity protection system covering the vehicle's entire lifecycle, emphasizing both "Management System" and "Technical Safeguards."
1. CSMS Requirements:
Manufacturers must establish a Cybersecurity Management System (CSMS) covering the whole lifecycle (development, production, post-production). This system requires key processes for:
·Risk Management: Identifying, assessing, classifying, and treating vehicle cybersecurity risks, ensuring ongoing updates.
·Testing and Verification: Processes for vehicle cybersecurity testing.
·Monitoring and Response: Processes for monitoring, responding to, and reporting cyber attacks, threats, and vulnerabilities.
·Supply Chain Management: Managing cybersecurity dependencies with contractors, service providers, and subsidiaries.
2. Cybersecurity Technical Requirements: The standard builds technical defenses across four key areas. Core test items include:
| Testing Area | Key Test Items | Test Method Example |
| --- | --- | --- |
| External Connection Security | Wireless Interface Security, External Interface Protection | Testing security mechanisms of wireless and external interfaces. |
| Communication Security | Vehicle-Cloud Encryption, Vehicle-to-Vehicle Security | Checking encryption and authentication mechanisms of communication protocols. |
| Software Update Security | OTA Integrity Check, Update Failure Handling | Verifying the integrity and reliability of the software update process. |
| Data Security | Critical Data Anti-Tampering, Encrypted Data Storage | e.g., Using unauthorized diagnostic tools to connect to the OBD port, attempting to read/modify critical data (e.g., brake parameters) to verify access controls and anti-tampering. |
GB 44495 Certification Process and Items:
1. Applicable Vehicle Categories: M, N, and O category vehicles with at least one Electronic Control Unit.
2. Certification Mode and Process: The process verifies whether the company has a compliant CSMS and whether the vehicle meets the technical requirements.
·System Certification: Audits the company's CSMS for full lifecycle coverage and effective operation.
·Vehicle Type Certification: Tests the vehicle against standard requirements to validate cybersecurity measures.
3. "Same Type" Determination: The standard defines criteria for "same type," helping reduce re-testing for new vehicle type applications.
·Direct Acceptance: If the E/E architecture, security measures, and critical component hardware/software versions are identical.
·Acceptance After Supplementary Testing: If some parameters change but the core architecture and security measures remain, only supplemental testing on the changed parts may be needed.
Standard Implementation Timeline:
·From January 1, 2026, newly applying vehicle types must comply.
·From January 1, 2028, vehicle types with existing approval must comply.
Relationship with International Standards:
GB 44495-2024 was developed in coordination with international regulations like UN R155. This means certification also lays a foundation for meeting international cybersecurity requirements.
As a mandatory national standard, GB 44495-2024 sets a clear baseline for vehicle cybersecurity. At its core, it requires establishing a lifecycle CSMS and building technical defenses in four key areas: external connections, communication, software updates, and data. For further questions on specific test items or implementation details, BLUEASIA Technology (13534225140) provides professional certification consulting services.