GB 44495 applies to complete vehicles. Not components. Not standalone cybersecurity systems. TBOX units, gateways, domain controllers — none of these have an independent certification pathway. Their compliance is delivered entirely through the vehicle they're installed in.
Get that straight first. Now let's go through the vehicle categories one by one.
M1-class vehicles — your everyday sedans, SUVs, MPVs. All covered. Combustion, pure electric, hybrid — the cybersecurity requirements apply equally. The reason is simple. These vehicles all come standard with TBOX or similar remote communication modules, OTA capability, and remote control functions. The full attack surface is there.
Pure combustion vehicles have a common misperception worth addressing. A lot of people think no high-compute domain controller means no cybersecurity concern. In reality, if the vehicle has a TBOX, remote communication channels, and flashable ECUs like the engine control unit — cybersecurity risk exists.
But there's an important boundary distinction here. Combustion vehicles with TBOX, remote OTA, and external wireless communication interfaces run the full 14-item VTA test suite, same standard as new energy vehicles. Combustion vehicles with no TBOX, no remote OTA, and no external wireless communication interfaces — only local diagnostic-port ECU flashing — only need 8 basic local security tests. All 6 OTA-specific remote penetration test items are exempt. The test cycle and cost gap between these two scenarios is huge. Don't lump them together when budgeting.
M2 and M3 medium and large buses are also covered. Beyond standard vehicle communication security, these need extra attention on the fleet management platform-to-vehicle communication channel. Many bus manufacturers run their own remote monitoring and dispatch platforms. The channel through which the platform sends control commands and parameter configurations to the vehicle must have security protection. Penetration testing typically covers this as an additional test scenario.
N-Category Goods Vehicles
N1, N2, N3 — all classes covered. N1 light trucks and pickups have simpler electronic architectures than passenger vehicles, but if they carry TBOX and remote monitoring requirements, communication security testing and OTA security testing are still mandatory.
N2 and N3 medium and heavy trucks have one difference from passenger vehicles worth noting. National regulations require these vehicles to install driving recorders and compliant satellite positioning devices. The TBOX is often deeply hardware-coupled with or shares communication modules with both of these systems. Communication security testing naturally extends to the driving recorder's data upload channel and the positioning data transmission link. Broader test coverage.
Another easily overlooked detail. Medium and heavy truck TBOX selection and installation locations differ significantly from passenger vehicles. Commercial vehicle TBOX units are typically mounted outside the cabin or in the chassis area — easier physical access. If the testing body's penetration test finds the TBOX easily physically accessible, they'll flag it as an additional risk item. Not a direct test failure, but it deepens the remediation opinion.
O-Category Trailers
Let's correct the most important thing first. Amendment No.1, effective January 28, 2026, completely deleted all O-category trailer applicability clauses. Whether your trailer has EBS electronic braking, smart TPMS tire pressure monitoring — doesn't matter. All O-category trailers are exempt from GB 44495. No cybersecurity assurance system needed. No VTA testing of any kind. No annual surveillance.
A lot of articles still circulating claim electronically-controlled trailers need the full certification process. That information is outdated. Ignore it.
L-Category Motorcycles
L-category motorcycles — full exemption. Two-wheel and three-wheel motorcycle electronic architectures don't present the connected-vehicle attack surface as defined by GB 44495. The vehicle cybersecurity standard doesn't cover these products.
Other Exempt Vehicles
Special-purpose vehicles operating only within factory or port premises — forklifts, mining vehicles, internal transport vehicles — exempt, as long as they stay off public roads. One caveat. If these vehicles apply for temporary road travel permits and go on public roads, the exemption automatically drops. Compliance becomes mandatory.
Vehicles with zero ECUs, zero communication modules, zero firmware flashing channels — exempt. No electronic control units means no cybersecurity attack surface. The logic is straightforward.
Imported Vehicles
Imported vehicles must comply with GB 44495. Overseas certification doesn't substitute. Vehicles that completed UN R155 compliance assessment in their country of origin can submit equivalence assessment materials when applying for the domestic CCC certificate, requesting reduction of the information security assurance requirement review portion.
But the cybersecurity technical requirement VTA testing cannot be reduced. The national cryptographic algorithm implementation must be separately submitted. Overseas-used international algorithm schemes cannot replace domestic national algorithm requirements.
Parallel imports get a much stricter treatment. Scattered single-unit parallel import vehicles are not accepted for equivalence assessment. They must go through the full domestic CCC process as independent new models. The cybersecurity portion gets the full new-vehicle VTA test suite. A lot of import projects don't catch this limitation early enough, and their scheduling takes a serious hit.
New Energy and Intelligent Connected Vehicles
New energy vehicles and intelligent connected vehicles face significantly larger cybersecurity challenges than traditional combustion vehicles. High-compute domain controller architectures, advanced driver assistance system perception and decision-making chains, full-vehicle OTA and multi-domain coordinated upgrade capability — the more functionality, the larger the attack surface, the more issues surface in testing.
What we see in actual projects. New energy vehicle cybersecurity VTA testing typically goes through one to two more remediation rounds than traditional combustion vehicles, with longer remediation cycles. It's not that new energy vehicles are doing a worse job. The system complexity itself drives a higher probability of vulnerability discovery.
A specific example. A typical smart EV might have four separate domains with inter-domain gateways, an OTA master that coordinates updates across all four, a telematics unit handling both customer-facing services and regulatory data uploads, and V2X hardware for future deployment. Each of those subsystems introduces its own attack surface. The gateway's domain isolation gets tested. The OTA master's cross-domain update coordination gets tested. The telematics unit's separation between customer data and regulatory data gets tested. The V2X stack's certificate management gets tested even if the service isn't active yet — the hardware is there and the stack is loaded, so the attack surface exists regardless of whether marketing has flipped the feature switch on. A combustion vehicle with one CAN bus, one ECU, and a basic TBOX doesn't have any of those extra surfaces to worry about.
Three Critical Deadlines
Automakers doing product planning need these three lines burned into memory. First. July 1, 2026 onward, new model homologation filings require full GB 44495 compliance as a mandatory prerequisite. That date has already passed for new programs. Second. July 1, 2027 — full-model CCC mandatory market access. All in-production and in-sale vehicles must complete cybersecurity compliance or they don't get a CCC certificate. Third. January 1, 2028 — all existing in-production models must complete remediation. This is the final deadline.
Ongoing Obligations After Certification
Getting the certificate isn't the finish line. Annual factory surveillance audits spot-check cybersecurity assurance system operational records, security incident closure, and supplier security agreement update status. Production vehicles may also be randomly selected for retesting of security items like OBD protection and national algorithm encryption performance. A dormant system gets flagged as a major non-conformity and triggers certificate suspension.
On change filing. Swapping TBOX supplier or model, changing communication modules or encryption chips, modifying national algorithm implementation, major-version gateway software architecture upgrades — major cybersecurity changes requiring filing and partial VTA retesting. HMI text changes and security reminder copy optimization in the user interface — minor changes, filing only. Pure exterior and interior changes not involving electronic control unit replacement — no cybersecurity filing needed.
Document archiving. All system policies, test reports, vulnerability remediation closure materials, supplier security agreements, component firmware ledgers — retained until ten years after model discontinuation. Electronic archives must have off-site multiple backups with multi-dimensional search capability. Local single-machine storage that can't quickly retrieve historical records gets flagged at annual audit.
Amendment No.1 mandates terminology replacement. All system documents and test plans submitted to review bodies must replace the old CSMS terminology with information security assurance requirements, and the old inspection term with the updated one. Mixed usage of old terms gets the submission returned for correction.
Need to confirm which GB 44495 requirements apply to your specific vehicle type? Contact BlueAsia Testing's certification consultants at +86 13632500972 (Benson).
相关新闻