While connected vehicles play (and will play) an essential role in modern transport and traffic systems worldwide, governments around the world are striving to contain the associated cyber risks through effective regulations and provisions. China, one of Asia’s most important automotive markets, is currently doing all it can to develop its own cybersecurity regulations in line with global trends and national priorities. Nǐ hǎo GB 44495: Let’s take a closer look at the new cybersecurity directive.
Felix Roth
The Chinese Cybersecurity Regulation GB 44495 was officially introduced in August 2024. It sets out cybersecurity guidelines for the automotive sector, including specific requirements for data protection, threat detection and incident response.
The regulation represents China’s increasing regulatory efforts in cybersecurity and the pursuit of technological sovereignty. It is in line with the country’s broader strategy for autonomous vehicles and smart infrastructure.
GB 44495 incorporates elements of international regulations and standards, such as UN Regulation No. 155 and ISO/SAE 21434:2021, but also represents localised compliance to meet specific market and regulatory requirements in China.
Understanding GB 44495: China’s most important automotive cybersecurity standard
Let’s start with the basics. What does GB mean in GB 44495? In China, GB stands for ‘Guobiao’ (国标), which means ‘National Standard’. These GB standards are used in China to ensure uniformity, safety and quality across all industries. It is important to note that a GB standard can be either mandatory or only recommended.
If the GB is followed by a ‘/T’, this means that it is ‘only’ a recommended national standard, but that compliance is critical for the specific industry.
Please note: For consistency and simplicity, GB 44495 is hereinafter referred to as a regulation, in accordance with UN R155. This is also to reflect its mandatory nature and to avoid confusion with non-binding standards such as ISO/SAE 21434.
The mandatory GB 44495 serves as a key regulation in China’s national efforts to secure connected vehicles and ensure sustainable cybersecurity in an increasingly digitised automotive world.
It addresses cybersecurity risks by establishing a mandatory framework for risk assessment, system integrity and vulnerability management.
In addition, GB 44495 provides guidelines for automakers to follow to prevent cyberattacks that could compromise both vehicle security and user privacy.
Entering China’s Intelligent and Connected Vehicle (ICV) standardisation system
The GB 44495 Cybersecurity Regulation should be seen as an important part of China’s broader Intelligent and Connected Vehicle (ICV) standardisation system.
This holistic system is one of the world’s most ambitious standardisation efforts for connected and autonomous vehicles, and aims to ensure the safe and efficient integration of advanced vehicle technologies. China’s journey towards a fully developed ICV standardisation system began in 2017 with the publication of development guidelines. The complete standardisation system is expected to be fully developed by 2030.
It is therefore worth familiarising yourself with the subject. The ICV standards system is divided into three main series of standards and regulations:
- 100 series: This contains basic standards covering fundamental definitions and key guidelines for ICVs.
- 200 series: These are general specifications covering essential functions such as cybersecurity, functional safety and vehicle communications.
- 300 series: These are standards that focus on specific advanced products and technologies. They are designed to ensure that connected and automated driving systems are harmonised.
A detailed look at GB 44495-2024 Technical Requirements for Vehicle Cybersecurity
In the ICV structure outlined here, GB 44495 is positioned in the 200 series of general specifications, more specifically in category 220, which focuses on cybersecurity and data protection. In terms of content, it is clear that GB 44495 is essential to ensure in practice that connected vehicles implement effective cybersecurity mechanisms, including secure data management and the avoidance of system vulnerabilities that could lead to external attacks.
The 200 series itself is divided into several categories to cover different aspects of vehicle security. These are:
- 210: Functional safety
- 220: Cyber security and privacy (including GB 44495)
- 230: Vehicle Communication and Integration
The GB 44495-2024 timeline: Introduction and Implementation Deadlines
The timeline for the full implementation of GB 44495-2024 highlights China’s ambitious approach to the gradual introduction, and then consistent enforcement, of cybersecurity measures in the automotive sector:
- 08/2024: The regulation was published together with GB 44496 (General technical requirements for vehicle software updates) and GB/T 44464 (General requirements for vehicle data).
- 01/2026: The regulation will apply to new types of vehicles.
- 01/2028: The regulation will become mandatory for all vehicle types, ensuring that every connected vehicle on the market complies with this critical cybersecurity regulation.
These dates are in line with China’s overall ICV standards roadmap, which calls for the development of more than 100 standards by 2025 and 140 standards by 2030. This regulation will play a key role in protecting vehicle systems and consumer data as China pushes to create a fully standardised ICV ecosystem.
UN Regulation No. 155 / UNECE WP.29 vs. China’s GB 44495: Comparison, Similarities and Differences
Both UN Regulation No. 155 and China’s GB 44495 place a strong emphasis on enforcing effective cybersecurity practices in the context of connected vehicles.
While UN R155 and GB 44495 share a common objective, there are differences as well as similarities, particularly when it comes to implementation. These can be grouped into three main areas:
- Cyber Security Management System (CSMS)
- Vehicle type requirements
- Handling of supporting documents
These are discussed in more detail below.
UN R155 vs. GB 44495: Cybersecurity Management System (CSMS)
With regard to the Cybersecurity Management System (CSMS), UN R155 and GB 44495 define a very similar structure and approach.
In both cases, manufacturers are required to implement and maintain a CSMS to create the conditions at an organisational, process and product level to counter potential threats throughout the lifecycle of a vehicle.
One of the key similarities is in the required CSMS processes, including the identification, assessment and management of cyber risks and the implementation of cybersecurity measures.
In addition, both regulations emphasise the fundamental need for continuous monitoring from a cybersecurity perspective, combined with the need to update cybersecurity measures as new threats emerge.
Unlike UN R155, GB 44495 does not explicitly mention a Certificate of Compliance (CoC) as a necessary proof of a successfully implemented and audited CSMS. While UN R155 defines the approving authorities and technical services that carry out the certification (see also UN R155 Audit), GB 44495 does not specify the institutions involved at this point.
However, GB 44495 also expects a re-audit every three years to ensure that cybersecurity measures and processes are up to date.
UN R155 vs. GB 44495: A look at the vehicle type approval process and specific test cases
While the general approach to vehicle cybersecurity is fundamentally the same between the two regulations, there are significant differences in the vehicle type approval process.
In particular, the requirements for a vehicle type to be approved are different.
One of the main differences is that GB 44495 provides specific test cases for the vehicle type approval process. This level of detail is not provided in UN R155.
These specific test cases are designed to ensure that vehicles meet strict cybersecurity principles and can be demonstrated to withstand real-world cyber threats.
UN R155 focuses less on such specific tests during the type approval phase and instead takes a risk-based approach.
UN R155 vs. GB 44495: Guideline for auditing
GB 44495 is to be supplemented by an audit guideline (currently in draft form, as of October 2024) which defines specific minimum requirements for cybersecurity.
This document takes the relevant sections of GB 44495 and adds ‘Key Points’ and ‘Supporting Material’. The supporting material can also be seen as the necessary evidence to be presented to the auditor during an audit. This makes clear that both the theoretical approach and its practical implementation and application, in the form of ‘reports’, are required.
This guidance is directly related to Clause 5 and other Clauses of ISO/SAE 21434:2021 that address key areas such as risk management, threat analysis and vulnerability assessments.
This supplementary guidance is another important difference between GB 44495 and UN R155, as the latter offers a similar approach with the interpretation document, but this is not considered mandatory, only informative.
Key Learnings
- In August 2024, China officially introduced the GB 44495-2024 guideline on cybersecurity in the automotive sector, which sets requirements for automotive industry players and their products in the field of connected vehicles.
- GB 44495 is inspired by UN Regulation No. 155 and ISO/SAE 21434, but its specific requirements have been adapted to meet the needs of the Chinese market.
- The aim of the guideline is to holistically ensure vehicle security and safety in the context of increasing connectivity, in line with the broader approach of China’s standardisation efforts, which are expected to be fully developed by 2030.
- Despite alignment with international regulations and standards, automotive industry players face the challenge of meeting localised compliance requirements along with Chinese legislation.
Conclusion: China’s GB 44495 and the implications for tomorrow’s automotive cybersecurity
The new GB 44495 cybersecurity regulation shows how China is responding to the growing challenges of digitalisation in the automotive sector. Not only is data protection and the protection of connected vehicles from cyber threats a driving force, but the emerging standardisation framework makes it clear that China wants to play a leading role in the global regulation of connected and digitalised vehicles.
Although there are differences with UN R155, such as specific testing requirements for type approval, key elements such as the Cybersecurity Management System (CSMS) are being adopted.
For international automotive players, manufacturers and suppliers alike, it will continue to be imperative to address China’s technological sovereignty and meet localised compliance requirements in order to remain competitive.