Latest Updates on China GB 44495 Vehicle Cybersecurity Compliance Certification

2026-03-30

GB 44495-2024, the mandatory national standard for vehicle-end cybersecurity in China, has entered full implementation across the automotive industry in 2026. The first amendment, officially released on January 28, adjusted the critical enforcement timelines, the certification audit basis, and the document submission specifications.

1. Standard Positioning & 2026 Implementation Rules

This mandatory regulation covers M-category passenger vehicles, N-category commercial vehicles nationwide, and O-category trailers equipped with electronic control units (ECUs). In practical compliance operations, it must be implemented alongside GB 44496 for vehicle software upgrade specifications and GB 44497 for onboard data recording standards. The complete compliance documents serve as essential prerequisites for new vehicle announcement applications and CCC certification filings.

Updated Enforcement Timelines (Clarified in 2026 Amendment)

·All new type approval applications must strictly comply with the standard starting from July 1, 2026. The original early-year enforcement date was postponed by six months to reserve sufficient debugging and rectification cycles for automakers.

·Existing models with valid official announcements and mass production approval must complete full compliance rectification before July 1, 2027. Please correct the widespread industry misconception that the deadline is 2028; misjudging the schedule will severely disrupt production planning.

·The revised regulation issued on January 28, 2026, took effect immediately. All newly launched certification projects must follow updated clauses, and documents prepared per the old version will be rejected directly during preliminary reviews.

Core 2026 Certification Revisions

·The previous rigid requirement for valid CSMS (Cybersecurity Management System) certification has been eliminated entirely. Currently, official recognition relies solely on laboratory test reports with a three-year validity period, significantly reducing capital and time costs for small and medium-sized enterprises in system construction.

·Professional terminology has been unified across the full standard text; the routine wording adjustments clarify the legal validity of all verification activities. Documents with non-standard expressions will be returned for revision at the initial review stage.

·New judgment rules for platforms sharing the same architecture are added. Series models with consistent foundational vehicle structures and cybersecurity protection designs can share one valid test report without repeated physical testing, cutting overall testing costs and project cycles effectively.

2. Full GB 44495 Certification Process in 2026

The entire procedure is streamlined into two core segments: complete vehicle technical conformity testing and official platform filing, eliminating independent CSMS system audits. Despite simplified workflows, document scrutiny and on-site evaluation criteria have become far stricter compared with previous years.

Preparatory Phase (2–4 Weeks)

·Conduct comprehensive risk assessment and hazard troubleshooting for the entire vehicle architecture, focusing on four key areas: external interface data transmission, internal in-vehicle communication links, remote OTA upgrades, and core onboard data storage management. Mark clear risk levels and formulate feasible targeted protection solutions.

·Define accurate testing scopes aligned with new regulatory requirements. Non-core ECUs can apply for compliance exemptions to streamline testing procedures and improve overall efficiency.

·Partner exclusively with testing institutions double-certified by the MIIT and CNAS. Five additional qualified laboratories were accredited in China in 2026; prioritize organizations with complete full-vehicle testing capabilities.

·Test sample configurations must fully match mass-produced vehicles. Prepare one complete finished vehicle prototype plus two sets of backup core electronic components, including T-BOX remote terminals, infotainment hosts, and gateway controllers. Inconsistent sample specifications will invalidate all test results directly.

Technical Document Compilation (1–2 Weeks, 2026 Focus Priority)

Preliminary document reviews face tightened thresholds in 2026, with incomplete dossiers facing immediate rejection and supplementation requests. Mandatory core deliverables include:

·A comprehensive vehicle cybersecurity protection scheme detailing hardware protection layouts, mainstream encryption algorithm selections (AES-256 and SM4 only), hierarchical background authority management, and local log storage meeting the 6-month minimum retention requirement.

·Systematic risk assessment reports compiled following ISO/SAE 21434 and UNECE R155 global industry frameworks, documenting clear risk sources, hierarchical classification standards, and closed-loop rectification records.

·Customized laboratory test plans outlining detailed test cases, execution steps, and pass/fail judgment benchmarks for core assessment modules. Prioritize providing existing GB 44495 compliance certificates for outsourced parts such as onboard terminals and gateway modules to avoid redundant full-vehicle retesting.

·All official documents must be drafted primarily in Chinese. Foreign-language original materials require professionally certified human translations; machine-translated files are no longer accepted for official audits in 2026.

Laboratory On-Site Testing (3–5 Weeks, Strict Mandatory Inspections)

All physical tests adhere strictly to the original standard text plus the latest supplementary amendment clauses. Beyond conventional baseline evaluations, in-depth vulnerability scanning and remote penetration attack testing are designated compulsory non-exempt items for 2026 compliance verification.

·Verify multi-level identity authentication for Bluetooth, Wi-Fi, USB interfaces, cellular networks, and diagnostic ports to confirm effective interception of malicious forged commands targeting vehicle control systems.

·Audit end-to-end encryption, anti-tampering protection, and anti-replay defense mechanisms for in-vehicle CAN bus interaction, vehicle-to-cloud data transmission, and V2X communication channels, with accepted encryption algorithms limited exclusively to AES-256 and the national SM4 algorithm.

·OTA upgrade evaluations validate cryptographic signature verification for installation packages, file integrity checks, automatic rollback upon upgrade failure, and mandatory user pop-up notifications, in full alignment with the supporting GB 44496 regulatory constraints.

·Strict compliance audits cover encrypted transmission/storage, hierarchical access authorization, and desensitization processing for sensitive data including vehicle positioning records, driver identity information, and real-time operating status, alongside long-term traceable operation log retention protocols.

·Rigorous final pass criteria mandate 100% closed-loop remediation for all identified vulnerabilities and zero failures across critical cybersecurity test items. The historical lenient practice of merely downgrading risk levels is no longer recognized by regulatory authorities.
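For internal pre-inspection of the OTA item in the list above, the following added example (not taken from the standard or from any laboratory test plan) models the four checks in the order a client could enforce them: user confirmation, signature verification, integrity check, and rollback after a failed post-install health check. The class and function names are hypothetical, and HMAC-SHA256 stands in for the asymmetric package signature a production client would verify.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: HMAC-SHA256 stands in for the asymmetric package signature a
# production OTA client would verify; the key is a constructed sample value.
SIGNING_KEY = b"constructed-demo-key"

@dataclass
class Package:
    version: str
    payload: bytes
    sha256: str       # digest declared in the package manifest
    signature: bytes  # covers the version and the declared digest

def sign_manifest(version: str, sha256: str, key: bytes = SIGNING_KEY) -> bytes:
    return hmac.new(key, f"{version}|{sha256}".encode(), hashlib.sha256).digest()

def build_package(version: str, payload: bytes) -> Package:
    digest = hashlib.sha256(payload).hexdigest()
    return Package(version, payload, digest, sign_manifest(version, digest))

class Vehicle:
    def __init__(self, version: str):
        self.active = version  # software version currently booted
        self.events = []       # audit trail of upgrade decisions

    def apply_update(self, pkg: Package, user_consent: bool, health_check) -> str:
        if not user_consent:  # user notification and confirmation gate
            return self._log("rejected:no_user_consent")
        expected = sign_manifest(pkg.version, pkg.sha256)
        if not hmac.compare_digest(expected, pkg.signature):
            return self._log("rejected:bad_signature")
        if hashlib.sha256(pkg.payload).hexdigest() != pkg.sha256:
            return self._log("rejected:integrity_mismatch")
        previous, self.active = self.active, pkg.version  # switch to new image
        if not health_check(pkg.version):  # post-install self-test failed
            self.active = previous         # automatic rollback
            return self._log("rolled_back")
        return self._log("installed")

    def _log(self, outcome: str) -> str:
        self.events.append(outcome)
        return outcome
```

The `events` list gives a per-attempt record that can be compared against the expected outcome of each pre-inspection test case.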

Report Review & Official Filing (1–2 Weeks)

Qualified, accredited laboratories issue officially stamped test reports incorporating all 2026 amendment provisions, valid for three years from the issuance date. The consolidated full-test archives are then submitted for centralized archiving on the MIIT equipment management platform. Critical timeline reminder: starting July 1, 2026, models without official filing confirmation cannot initiate new vehicle announcement declaration procedures. Auditors focus on cross-verifying consistency between technical documents and physical test data, complete test coverage, and detailed closed-loop vulnerability rectification records. A separate, dedicated data security verification module was added in 2026 for enhanced oversight.

Certification Issuance & Long-Term Maintenance (Within 1 Week)

Industry practitioners should be clear on one foundational fact: no standalone paper GB 44495 certificate is officially issued. Authorized compliance proof consists solely of stamped laboratory test reports paired with electronic MIIT filing receipts, which are retained for permanent archiving. Initiate renewal applications three months before the three-year report expiration date; full retesting is unnecessary, and renewal requires only targeted sampling inspections of critical security items, with a standard renewal cycle of 2–3 weeks. Automakers must submit annual production consistency self-declaration documents to ensure that mass-produced vehicles keep security designs and core component versions identical to those of the certified prototypes. Failure to submit annual filings will trigger temporary suspension of official announcement qualifications for the corresponding on-sale models.

3. Overall 2026 GB 44495 Certification Cycle

·Brand-new independently developed vehicle models: 8–12 weeks total covering preliminary planning, document drafting, laboratory testing, and official MIIT filing.

·Derivative facelift models sharing unified original architecture: existing qualified test reports can be reused, with evaluations limited only to modified differentiated modules, shortening the cycle to 4–6 weeks.

·Initial testing failures requiring vulnerability rectification and retesting typically extend timelines by 2–4 weeks. Without proactive pre-inspection, the elevated 2026 remediation standards often delay overall vehicle launch roadmaps. Automakers must strictly control project timelines; new vehicles that have not completed GB 44495 compliance before the July enforcement deadline will be barred from official announcement approval and market launch.

4. Practical 2026 Compliance Recommendations

·Plan overall project schedules backward from the July mandatory enforcement date, ideally completing all laboratory testing and platform filings before April to avoid mid-year laboratory overcrowding and audit backlogs.

·Prioritize sourcing core components (T-BOX terminals, gateways, communication modules) pre-qualified with finalized GB 44495 certification during component selection, cutting comprehensive testing durations and overall compliance costs by approximately 30%.

·Address elevated penetration testing benchmarks proactively by conducting multiple internal pre-inspections and simulated penetration assessments before formal sample delivery, eliminating common foundational vulnerabilities to ensure one-time audit approval.

·Conduct line-by-line validation of all filing archives complying with revised 2026 clause specifications, submitting fully complete finalized dossiers in a single submission to eliminate repetitive supplementary material delays.


GB 44495 compliance represents an unavoidable core threshold for domestic full-vehicle cybersecurity regulation in 2026. While revised streamlining optimizes operational workflows, evaluation precision standards and physical testing baseline requirements have both risen substantially. For professional regulatory updates and customized compliance guidance, follow BLUEASIA for continuous industry insights. For inquiries and project cooperation, contact +86 13534225140 (WhatsApp & WeChat available).