GB 44495-2024 “Technical Requirements for Cybersecurity of Automobiles” is the “cybersecurity permit” for China’s intelligent connected vehicle (ICV) industry. No longer optional, it becomes a mandatory threshold for all new vehicle models seeking market entry in China starting January 1, 2026.
This standard marks China’s shift from “guidelines” to “mandatory compliance” in automotive cybersecurity regulation, with a core requirement that automakers integrate cybersecurity deeply into the entire vehicle lifecycle.
I. Core Requirements of GB 44495 Certification
GB 44495’s requirements can be summarized as “one system, four lines of defense”—emphasizing both management processes and technical benchmarks.
1. One Mandatory System: Cybersecurity Management System (CSMS)
Automakers must establish a “Cybersecurity Management System” covering the entire vehicle lifecycle—from design, development, and production to after-sales service and end-of-life disposal. This system requires enterprises to systematically manage cybersecurity risks, including continuous threat analysis, vulnerability management, and emergency response—not just one-time testing for individual models. Drawing on the UN R155 regulatory framework, it aims to fundamentally enhance enterprises’ security governance capabilities.
2. Four Mandatory Technical Lines of Defense
The standard specifies detailed requirements for four key technical areas, which are also the focus of certification testing:
· External Connection Security: Strictly control vehicle “entry points” such as cellular networks, Wi-Fi, Bluetooth, and USB interfaces to prevent unauthorized access and attacks.
· Communication Security: Ensure the confidentiality and integrity of vehicle-to-cloud (V2C), vehicle-to-vehicle (V2V), and vehicle-to-infrastructure (V2I) communications using secure authentication and encryption protocols.
· Software Update Security: Safeguard OTA update processes against tampering, requiring digital signatures, verification mechanisms for update packages, and protection against cyberattacks during updates.
· Data Security: A key focus with Chinese regulatory characteristics. Requires strict protection of data that the vehicle collects, stores, and transmits (especially personal sensitive information and vehicle data), explicitly prohibiting direct cross-border data transfer without authorization.
II. GB 44495 Certification Process & Key Milestones
For automakers, obtaining GB 44495 certification is a systematic project requiring advance planning, typically taking 6-12 months.
Key Phases:
1. Gap Analysis and System Establishment: Assess gaps in existing processes against the standard and establish or enhance the aforementioned CSMS. This foundational phase takes 1-3 months.
2. Risk Assessment and Test Validation: The core phase. First, conduct threat analysis and risk assessment for the vehicle, then submit samples to qualified laboratories for full standard compliance testing. According to evaluations by MIIT-affiliated institutions, compliance testing tools must cover 38 functional test items and over 190 test cases, which makes this phase highly complex.
3. Audit, Certification, and Ongoing Surveillance: Certification bodies review documents and test reports to make certification decisions. Per regulations, certification bodies must issue decisions within 90 days of application acceptance. Certification is not permanent; enterprises must undergo annual surveillance audits to maintain compliance.
III. Impact on Enterprises & Action Recommendations
The standard’s mandatory nature is reflected in its clear timeline:
· January 1, 2026: All new vehicle models applying for type approval must meet GB 44495 requirements.
· July 1, 2027: All existing models with type approval must comply during production.
Non-compliant vehicles will be denied market access.
Specific Recommendations for Enterprises:
· Start Immediately to Reserve Time: Given the lengthy preparation and testing cycle, automakers should launch gap analysis and system establishment projects without delay.
· Align with Related Standards: GB 44495 is often implemented alongside GB 44496 “General Technical Requirements for Automotive Software Updates.” Plan for both standards simultaneously.
· Select Authorized Partners: Certification and testing must be conducted by CNCA-designated certification bodies and professionally qualified laboratories. Focus on officially evaluated testing tools and service providers.
GB 44495 is a milestone for China’s ICV industry, forcing the entire sector to shift cybersecurity from an “afterthought” add-on to a “built-in” design foundation. The sooner automakers integrate it into R&D and quality management systems, the more competitive they will be in the future market.