GB 44495-2024, full title "Technical Requirements for Vehicle Cybersecurity," is China's first mandatory national standard for automotive cybersecurity. Published jointly by the State Administration for Market Regulation and the Standardization Administration of China on August 23, 2024.
"Mandatory national standard" means exactly what it says. Not a recommendation. Not an industry standard. Not a group standard. It's a hard barrier to vehicle market entry. Fail this and you don't get a CCC certificate. No CCC certificate, no homologation filing. No homologation filing, you can't legally sell the vehicle.
The technical content draws from the UN R155 regulatory framework, but with domestic adjustments for China's industry reality. Two areas in particular diverge significantly from R155 — cryptographic algorithm requirements and supplier management obligations.
Three deadlines, each one absolute. New model type approvals filed after July 1, 2026 must have cybersecurity compliance as a mandatory prerequisite for both homologation and CCC. Already-certified models must catch up by July 1, 2027 at the latest. Existing in-production models face a full compliance deadline of January 1, 2028. Three lines. Each one harder than the last.
Amendment No.1, published last year, made two key changes. First, the term "information security management system (CSMS) certification" was deleted from the standard text and replaced throughout with "information security assurance requirements." Companies no longer need a separate CSMS certificate. The capability review merges into vehicle homologation and factory audits. No more separate system certification body engagement. Second, the term for "inspection" was replaced throughout the standard with a revised Chinese term. All filing materials and audit documents using the old term must be updated. Annual audits will check for document remediation on this point. Both changes directly affect how you prepare certification materials and how factory audits go — more on that below.
Information security assurance requirements. This section governs enterprise system capability. It's a document review, not a vehicle test. It covers whether vulnerability management mechanisms are built and actually operational, whether security incident monitoring and response processes are functioning with records to prove it, and whether full-lifecycle security operations — post-market vulnerability patching, patch distribution mechanisms — are institutionally guaranteed.
Amendment No.1 scrapped the standalone CSMS certification requirement. That doesn't mean internal policy documents and operational records get to relax. The factory audit sees actual operational status, not how pretty the paperwork looks.
Information security basic requirements. This section governs vehicle architecture-level security measures. All external communication channels must have access control — WiFi, Bluetooth, cellular, V2X, every channel needs an authentication mechanism. Debug interfaces like JTAG and UART must have access restrictions. You shouldn't be able to plug in and start reading memory. Critical security parameters like root keys and certificate private keys must use hardware-isolated protected storage. They cannot sit in plaintext on the file system.
Information security technical requirements. This section governs specific engineering implementation. It's the meat of VTA vehicle testing. It breaks down into communication security, software upgrade security, data and code security, and cryptographic security sub-domains. Communication channel encryption strength has to meet the standard. OTA upgrade packages must have signature verification and anti-rollback. Critical operations like firmware flashing must have security validation. Cryptographic algorithms must use national SM2, SM3, and SM4.
One point worth clarifying since it gets mixed up a lot. The information security assurance requirements review above is a documentation review — it checks policies and operational records. Penetration testing, communication security testing, and software upgrade security testing are vehicle-level laboratory tests. You send the vehicle in. Different natures, different preparation logic, different scheduling logic.
Which Vehicles Does GB 44495 Apply To
This is where Amendment No.1 made its biggest change. The current effective scope is completely different from the draft-for-comment version.
Mandatory for all M-category passenger vehicles and N-category goods vehicles. That includes buses, light trucks, heavy trucks, and special-purpose work vehicles. Any vehicle carrying ECUs with communication or software upgrade capability must comply with GB 44495.
Four categories get full exemption. L-category two-wheel and three-wheel motorcycles and mopeds. Special-purpose vehicles operating only within factory or port premises that never go on public roads — forklifts and terminal equipment fall here, but if they apply for temporary road travel permits the exemption automatically drops. Vehicles with zero electronic control units, zero communication capability, and zero firmware flashing functionality. And all O-category trailers — this is the most critical change. Amendment No.1 completely deleted all O-category trailer applicability clauses. Whether the trailer has EBS, smart TPMS, or any electronic control modules, it's out. No compliance testing. No system documentation. The draft-for-comment language about O-category trailers is void. Trailer manufacturers still preparing certification materials based on the old version are burning resources for nothing.
How Type Testing Is Classified
Formal VTA testing splits into two categories with fundamentally different natures. Documentation review covers the information security assurance requirements — reviews policies, processes, and records. No vehicle goes into the lab. Vehicle testing includes cybersecurity technical requirement verification and penetration testing. Technical requirement verification covers four security domains. Communication security. Software upgrade security. Data and code security. Cryptographic security. Penetration testing is mandatory, executed per the CMA-stamped plan, and cannot be substituted with a risk assessment report.
Test conclusions are issued per item — compliant or non-compliant. Critical security items flagged non-compliant must be remediated and pass retesting before the report can be issued.
Ongoing Obligations After Certification
Annual CoP surveillance. The auditor simultaneously checks cybersecurity assurance system operations, supplier security agreement update status, annual emergency drill records, and vulnerability closure records. Major deficiencies trigger immediate CCC certificate suspension.
All policy documents, test reports, change records, and vulnerability disposition ledgers archived until ten years after model discontinuation. Electronic archives must have off-site multiple backups with multi-dimensional search capability. Local single-machine storage that can't quickly retrieve historical records gets flagged at annual audit.
Here's what trips people up about CoP after GB 44495 certification. The auditor isn't just looking for the existence of documents. They're looking for continuity. If your vulnerability management procedure says monthly scans and you have November and December missing from the log, that's a finding. If your supplier security agreement with the TBOX vendor expired in March and nobody noticed until the November audit, that's a finding. The system has to actually run, month after month, and produce a trail that proves it ran. A beautiful set of policy documents with no operational records behind them is arguably worse than no documents at all — at least with no documents you know you have a gap.
Amendment No.1 Transition Arrangements
After the amendment was published on January 28, 2026, already-certified models with valid certificates remain valid. No re-application is needed due to terminology changes. But at the next annual audit, the auditor will check whether the enterprise's policy documents have made both terminology updates — CSMS system certification replaced with information security assurance requirements, and the inspection term updated throughout. Documents not updated will receive a corrective action recommendation with a deadline.
Need a detailed gap analysis of GB 44495 requirements against your vehicle platform? Contact BlueAsia Testing's certification consultants at +86 13632500972 (Benson).
相关新闻