On August 23, 2024, the State Administration for Market Regulation and Standardization Administration issued GB 44495-2024 Technical Requirements for Vehicle Cybersecurity, effective January 1, 2026. Many automakers obtain CCC certification and cybersecurity classified protection yet face MIIT announcement rejections due to unmet GB 44495 requirements.
GB 44495-2024 is a mandatory national standard specifying vehicle cybersecurity technical requirements and verification methods.
·Mandatory Status: Not voluntary. New models applying for the Road Motor Vehicle Manufacturer and Product Announcement must comply from January 1, 2026; existing models also require compliance for extensions or changes.
·Scope: Applies to M, N, and O-category vehicles with at least one electronic control unit — covering nearly all automobiles.
II. Relationship Between GB 44495 & Other Certifications
Many enterprises question: Why GB 44495 with existing CCC and classified protection?
·vs. CCC: CCC focuses on safety, environmental protection, and energy efficiency; GB 44495 addresses dedicated vehicle cybersecurity.
·vs. Cybersecurity Classified Protection: Classified protection sets general system requirements; GB 44495 specifies vehicle-specific rules (in-vehicle networks, external communication, OTA).
·vs. GB/T Standards: GB is mandatory; GB/T is voluntary.
Key Point: GB 44495 supplements, not replaces, existing certifications.
III. Core GB 44495 Requirements
·External Communication Security: Encrypted channels, identity authentication, data integrity for cloud/APP/V2X interactions
·In-Vehicle Network Security: CAN/Ethernet message authentication, access control, anomaly detection
·OTA Security: Signed updates, anti-tampering, failure rollback
·Data Security: Encryption, anonymization, access control for collected/stored/transmitted data
·Hardware Security: Secure elements and key storage requirements
IV. Easily Overlooked Requirements
·Vehicle-Level Security Architecture: Mandatory domain isolation between critical and non-critical systems
·Supply Chain Security: Automaker-led supplier security assessment and component controls
·Lifecycle Security: Design, development, production, operation, and scrapping coverage
·Security Incident Response: Dedicated teams and processes for incident handling
These are management, not just technical, requirements — frequent certification barriers.
V. GB 44495 Certification Process & Key Milestones
1.Preparation: Gap analysis and rectification planning (2–3 months)
2.Rectification: Product, process, and system improvements (6–12 months)
3.Testing: Accredited laboratory verification (2–3 months)
4.Audit: Technical document and report review (1–2 months)
5.Announcement: MIIT product listing approval
Total Timeline: 12–18 months — advance planning critical.
GB 44495-2024 is a mandatory automotive cybersecurity standard effective January 1, 2026, supplementing existing certifications.Contact BLUEASIA Testing & Certification Consultant: +86 13534225140
Related News
