2026 GB44495/44496 Latest Changes: Mandatory Enforcement Timeline

2026-07-15

A single change at the end of 2025 reshuffled the entire industry's compliance timeline for GB44495 and GB44496.

On December 16, 2025, the State Administration for Market Regulation (SAMR) and the Standardization Administration of China (SAC) jointly released Amendment No. 1, pushing the official implementation date from the originally scheduled January 1, 2026 to July 1, 2026. The publishing body is SAMR plus SAC. The standard management and execution fall under MIIT (Ministry of Industry and Information Technology). Don't confuse the publishing authority with the implementing authority.

So automakers that had been scheduling against January 1 now have an extra six-month window. But whether six months is enough depends on how far along the preparation work is.

1. January 1 Doesn't Equal January 1

Implementation Date Pushed to July 1

Originally set for January 1, 2026. By late 2025, industry pushback was intense. OEMs said management system setup wouldn't be ready in time. Suppliers said testing resources couldn't be scheduled.

Amendment No. 1 came down, setting the new effective date at July 1, 2026. Note that only GB44495 and GB44496 were delayed.

GB44497 — the autonomous driving data recording system standard — still follows the original January 1, 2026 mandatory enforcement date. No extension whatsoever.

This distinction trips up a lot of people who assume all three standards were delayed together. They weren't. GB44497's compliance deadline has already passed. Vehicles involving autonomous driving need to comply right now, not in July.

Many automakers had internal compliance plans built around the original dates. The extra six months from the new date need to be spent on what matters, not wasted.

Amendment No. 1 Is Still Unknown to Many

The transparency around Amendment No. 1 has genuinely been insufficient. Quite a few second- and third-tier suppliers still don't know it exists and are rushing against the January 1 deadline.

If you're one of them, update your internal timeline immediately.

  2. What the Three Standards Actually Cover

The three standards were published on August 23, 2024, forming an integrated system. GB44495 governs automotive cybersecurity, GB44496 governs automotive software updates, and GB44497 governs autonomous driving data recording. They have different enforcement rhythms — don't treat them as one package.

GB44495 — Cybersecurity

The core requirement of GB44495-2024 is that automakers establish a cybersecurity management system covering the full vehicle lifecycle.

Full lifecycle means from development through production to after-sales — cybersecurity controls must exist at every stage. It's not just about testing the vehicle's attack surface and calling it done.

The scope covers external connection security, communication security, software update security, and data security, plus risk assessment, risk mitigation, test verification, and security monitoring.

Every item requires documentation, processes, and records. Saying you've done it isn't enough — you need to produce evidence.

GB44496 — Software Updates

GB44496-2024 governs the software update process. Management system, user notification, version readability, and safety protection are all included.

What are the prerequisites for pushing an update? How do you ensure the vehicle has sufficient battery? How do you handle rollback if it fails? The standard has specific requirements for all of these. It also includes dedicated test methods — it's not just about whether you think it's fine.

GB44497 — Data Recording

GB44497 is the autonomous driving data recording system. It governs what to record and how to record it.

The three standards form a chain together. Cybersecurity is the defense line, software updates are the channel, and data recording is the trail.

  3. The Scope Isn't Quite What You'd Expect

M1 and N1 Full Coverage, Category O Removed

GB44495 applies to M1 and N1 category vehicles, provided they have at least one electronic control unit (ECU). Are there even vehicles without ECUs anymore?

Category O trailers have been entirely removed from GB44495's mandatory scope through Amendment No. 1. Regardless of whether they have ECUs, EBS, or TPMS — trailers don't need to comply with this standard. Companies that were previously planning trailer compliance can skip it.

GB44496 also applies to M and N categories — any vehicle with software update functionality must comply. Category O is similarly outside the scope.

Transition Period for Type-Approved Vehicles

Existing vehicle models that have already received type approval get a two-year transition period, ending January 1, 2028.

This deadline is fixed. The amendment only delayed the mandatory enforcement date for new vehicle type submissions — the transition period for existing models is unaffected. No need to confirm with the certification body — there's no room for extension.

If you have a model that's about to undergo a facelift right before the transition period, handle compliance at the same time. Don't push the debt forward.

  4. The Management System Is the Core of GB44495

Technical Compliance Alone Isn't Enough

The hardest part of GB44495 isn't technical metrics — it's the management system.

Whether the body controller has an encryption chip matters. But whether you have a system that proves you're managing this matters more.

During audits, they look for documents, processes, records, and audit trails — not what's written on your PowerPoint.

Documents, Processes, Records — None Can Be Missing

The biggest risk in system building is having things but not being able to produce them. Auditors want signed documents, dated records, and traceable change histories.

Cybersecurity objectives, organizational structure, responsibility allocation, risk assessment reports, test plans, emergency response plans — missing any one of these means failure. Many automakers have the technical foundation but chaotic document management.

TARA Takes the Most Time — Don't Underestimate It

TARA (Threat Analysis and Risk Assessment) is the most time-consuming element of the entire system. Vehicle-level TARA plus system documentation and testing closure takes at least eight to ten months. Component-level can be tighter, but six months for vehicle-level is absolutely not enough.

You need to map out every attack surface on the vehicle, assess the severity and likelihood of each risk, then develop mitigation measures. Skip any step, and the subsequent security design has no foundation.

  5. Supply Chain Compliance Pressure Cascades Down

Suppliers Who Aren't Prepared Will Lose Tenders

OEM pressure flows downward. You might think this is an automaker's problem, but suppliers at every tier will receive compliance requirements.

Controller suppliers need hardware and software security designs. Chip suppliers need documentation and test reports for security modules. Anyone selling components to an OEM in this chain will be asked about compliance.

OEMs Are Already Sending Compliance Questionnaires

Some fast-moving OEMs started sending cybersecurity compliance questionnaires to suppliers in late 2025. Do you have a secure development process? Have you done code audits? Where are your penetration test records? The questions are quite detailed.

If you wait until you receive the questionnaire to start preparing, you're probably too late. These things can't be filled out by just answering questions.

  6. A Few Hard Truths

Management system setup projects are tight even with six months. Large OEMs with dedicated cybersecurity teams can push things in parallel. Smaller OEMs and suppliers with one person wearing multiple hats will likely need overtime.

Priority recommendation: set up the management system framework first, start TARA in parallel, fill in documentation simultaneously, and schedule testing last.

July 1 is a hard deadline. After this date, without a compliance certificate, type approval won't be issued. No type approval means no selling cars.

If your product is still in the design phase, security requirements must be written in at the requirements specification stage. Adding security features during the verification phase means rework costs multiply several times over.

Suppliers can start organizing their development process documents and security test records now. When the OEM comes asking and you scramble to produce them, it's immediately obvious they were rushed.


For more on 2026 GB44495/44496 latest changes, contact BlueAsia Testing & Certification — consultant Benson at 13534225140.