GB 44495-2024: China's Mandatory Automotive Cybersecurity Standard Explained

2026-06-30

GB 44495-2024, officially titled General Technical Requirements for Whole-Vehicle Automotive Cybersecurity, is China's first mandatory national standard for automotive cybersecurity. Issued August 23, 2024, effective January 1, 2026. The shift it represents: automotive cybersecurity has moved from an optional corporate initiative to a statutory legal obligation.


What Vehicles Are Covered

M-class passenger vehicles and N-class cargo trucks are fully covered.

O-class trailers require a closer look. Not every O-category trailer falls under the standard. Only trailers equipped with electronic control modules supporting communication, remote upgrade, or data storage — such as EBS or smart TPMS — are regulated. Pure mechanical trailers with no electronic controllers are fully exempt.

The core prerequisite across all vehicle types: the vehicle must have software upgrade functionality or external communication capabilities. Whole vehicles with factory-locked ECU firmware and zero external communication or flash channels are unconditionally exempt.

L-category motorcycles are outside the standard's scope. Factory-exclusive off-road special vehicles are exempt, though that exemption voids if temporary road permits are obtained for public road travel.

Component suppliers — TBOX manufacturers, gateway suppliers, domain controller developers — have no independent GB 44495 certification pathway. They cooperate with OEMs by delivering complete risk assessment and threat mitigation schemes, which the OEM integrates into its own compliance framework.


Two Mandatory Compliance Segments

Both segments must be completed. Neither substitutes for the other.

Cybersecurity Management System Audit

The management system requirement — referred to as the cybersecurity guarantee requirements following the January 2026 Amendment No. 1 — governs the full lifecycle of automotive cybersecurity from design through vehicle scrapping.

Enterprises must build standardised risk identification and assessment workflows covering all on-board cybersecurity threats. These assessments cannot be filed away after initial completion. They require regular updates as the threat landscape and vehicle configurations evolve. Every identified risk requires a corresponding mitigation measure with a fully traceable closed-loop workflow from threat detection to risk closure.

After mass production launch, security teams need active threat detection and vulnerability monitoring capabilities. Security incident response workflows must be in place and operational, not just documented.

Supplier management is frequently underestimated. All external suppliers — TBOX vendors, communication module suppliers, software developers — must be incorporated into the cybersecurity guarantee requirements framework. Auditors review supplier security qualification certificates, written security responsibility allocation agreements, and cross-party emergency linkage mechanisms. Missing formal documentation on any of these generates direct non-conformities.

A practical point that gets overlooked: supplier security qualification certificates expire. An agreement signed three years ago with a supplier whose certificate expired 18 months ago is treated as invalid documentation during an audit. Annual renewal tracking across the full supplier chain is not optional.

Annual CCC CoP factory surveillance audits randomly inspect cybersecurity system operation status, security incident disposal records, and execution of supplier security agreements after certificate issuance. Severe system operation deviations can trigger certificate suspension. Certification is not the finish line.

VTA Whole-Vehicle Technical Testing

Whole-vehicle testing verifies compliance across four independent security domains:

External access security: All external access channels — TBOX cellular ports, WiFi, USB, CAN diagnostic interfaces, remote vehicle control APPs — must implement access control and security authentication. Every channel, not just the primary ones.

In practice, the most failed checkpoint is the USB and OBD port access control test. Manufacturers routinely harden cellular and WiFi interfaces but leave physical diagnostic ports weakly protected. A tester plugging into the OBD port and gaining unauthorised ECU access during a lab trial is a fast way to blow a full-day test slot.

Communication security: Network communication protocols, Bluetooth, V2X, RF smart keys, and OBD interfaces must prevent data eavesdropping and tampering during transmission.

RF smart key replay attack tests trip up a surprising number of vehicles. The standard requires resistance against both simple replay and more sophisticated relay attacks. Vehicles that pass basic replay protection but fail relay-box simulation scenarios require hardware-level fixes — not just software patches — which extends the testing schedule significantly.

Software upgrade security: Upgradable ECUs, upgrade packages, and upgrade logs are verified for security and integrity throughout the full upgrade lifecycle. This domain overlaps with GB 44496's scope, but the testing focus differs. A practical cost note: vehicles supporting only local offline flashing with no OTA functionality can reduce test items within this domain, eliminating full remote attack simulation scenarios and cutting both testing time and fees.

Data security: Critical data stored and transmitted on infotainment units, TBOX, gateways, and ADAS domain controllers must be protected against leakage and unauthorised modification of key operating parameters.

The test includes both data-at-rest and data-in-transit scenarios. Vehicles storing personal driving data or location logs in plaintext on the infotainment storage — still common on budget models — fail this domain outright. Data encryption requirements apply to everything from ADAS calibration parameters to navigation history.


Where Compliance Efforts Most Often Fall Short

From the lab side, a few failure patterns show up across nearly every round of initial submissions.

Supplier gap in the security framework. OEMs document their own cybersecurity processes thoroughly but neglect to bring component suppliers into the same framework. Auditors check for signed security responsibility agreements and cross-party incident response mechanisms with every external supplier that touches vehicle communication or data. Missing agreements with even one minor supplier generates a non-conformity.

OBD port left as a blind spot. Nearly every vehicle that completes cellular and WiFi hardening then fails because the OBD diagnostic interface has no access control. Manufacturers treat it as a service tool and forget the standard treats it as an external access channel. Fixing it after test failure adds 2 to 4 weeks to the schedule.

National cryptographic algorithm gaps. Domestic-market vehicles retaining overseas encryption architectures — AES or RSA where SM2/SM3/SM4 is required — fail the crypto checklist immediately. Algorithm replacement is a hardware-level change, not a software patch. Vehicles with soldered security chips that cannot be field-reprogrammed need board-level redesign.

Data in plaintext. Infotainment units, gateways, or TBOX modules storing vehicle operating parameters or personal driving data in unencrypted plaintext fail the data security domain on the first inspection. This is especially common on cost-optimised budget platforms with limited storage. The fix involves either adding encryption capacity or removing the data collection entirely — both options carry engineering cost.


Where GB 44495 Differs From UN R155

GB 44495 is technically compatible with the UN R155 framework. Automakers with existing UN R155 certification can apply for cybersecurity guarantee system equivalence assessment to reduce domestic system construction workload. This equivalence pathway is only available for batch mass whole-vehicle imports. Scattered single-unit parallel imports are generally ineligible and must build complete systems independently.

The testing stringency gap between the two standards is substantial and often misunderstood. UN R155 defines 7 categories with 32 cybersecurity threats and requires enterprises to self-conduct TARA risk analysis and formulate their own protection measures. There are no unified mandatory quantitative test indicators — compliance relies heavily on corporate self-assessment. GB 44495 operates differently: standardised test methodologies with clear pass/fail thresholds for every security domain, with item-by-item mandatory compliance requirements. The domestic standard's compliance threshold and testing stringency are higher than R155, not lower.

One hard difference: domestic mandatory compliance requires commercial national cryptographic algorithms SM2, SM3, and SM4 across all externally facing vehicle communication, firmware signature, and data storage scenarios for domestically sold vehicles. Pure export-only vehicles with no domestic sales may be exempt from national crypto requirements. Domestically sold vehicles cannot retain overseas non-national cryptographic architectures — hardware or algorithm reconstruction is required.


The Mandatory Timeline

January 1, 2026 — standard effective date, though the formal enforcement window opens later.

July 1, 2026: New vehicle models filed for official catalog inclusion must submit complete dual-standard compliance documents — both GB 44495 and GB 44496 — with official laboratory test reports. Verbal compliance statements are inadmissible. Failed announcement filing blocks all subsequent CCC certification workflows.

July 1, 2027: Full-vehicle mandatory CCC compliance deadline. All newly certified and pre-announced stock M/N/O vehicles must complete full GB 44495 compliance and update conformity records on CCC certificates before this date. Rumours of a March 1, 2027 CCC deadline have no regulatory basis. The unified statutory industry-wide deadline is July 1, 2027.


Change Filing and Amendment Risks

Replacing core security components — TBOX, gateway, communication module, encryption chip — constitutes a major change requiring supplementary partial VTA testing and formal change filing. Cosmetic interior and exterior modifications with unaltered electronic architectures do not require cybersecurity change reporting.

GB 44495 Amendment No. 1 is under discussion, with potential new test items including on-board intrusion detection and bidirectional cloud-vehicle protection. Vehicles that complete testing before the official amendment release may face supplementary differential testing requirements. Build schedule buffers accordingly.


BlueAsia delivers end-to-end automotive cybersecurity compliance services covering system construction guidance, risk assessment, and full VTA whole-vehicle security testing. For enquiries, contact BlueAsia Compliance Consultant: +86 13534225140 (Benson)