
GB 44495: China’s Mandatory Vehicle Cybersecurity Standard

GB 44495 is China’s national mandatory standard for vehicle information security technical requirements. This comprehensive guide covers everything you need to know — from key requirements and enforcement timelines to the comparison with UNECE R155 and ISO/SAE 21434, and how ThreatZ helps OEMs and suppliers achieve compliance for the Chinese market.

The Standard

What Is GB 44495?

Understanding China’s national mandatory standard for vehicle information security and its role in the world’s largest automotive market.

The Standard Defined

GB 44495, officially titled “Technical Requirements for Vehicle Information Security” (汽车信息安全技术要求), is China’s national mandatory standard for vehicle cybersecurity. Published by the Standardization Administration of China (SAC), it defines comprehensive information security requirements for connected vehicles and their external interfaces.

The standard addresses the full spectrum of vehicle cybersecurity — from communication security and remote control protection to data security and software update integrity. It applies to all M-category and N-category vehicles equipped with connected capabilities, covering passenger cars, commercial vehicles, and their network-enabled components. Unlike voluntary standards, GB 44495 carries the force of Chinese law, making compliance a prerequisite for selling vehicles in the Chinese market.

Enforcement Timeline

2024

Standard Published

GB 44495 officially published by SAC following extensive industry consultation and alignment with China’s broader connected vehicle regulatory framework including data security and personal information protection laws.

January 2026

Mandatory for New Type Approvals

All new vehicle type approvals submitted in China must demonstrate compliance with GB 44495. New vehicle platforms and substantially revised models require evidence of information security technical conformity.

January 2028

Mandatory for All Vehicles

Full enforcement for all vehicles sold in China, including existing type approvals. All connected vehicles on the Chinese market must comply, with no further transitional provisions.

Key Requirements

Core Requirements of GB 44495

GB 44495 defines technical requirements across six key domains, covering all aspects of vehicle information security from external communications to internal monitoring.

Vehicle Communication Security

Requires secure communication protocols for all external vehicle interfaces including cellular (4G/5G), Wi-Fi, Bluetooth, and V2X channels. Mandates authentication, encryption, and integrity verification for all data transmitted to and from the vehicle, with specific requirements for Chinese cryptographic algorithms (SM2/SM3/SM4).

Remote Control Security

Defines strict security requirements for remote vehicle control functions such as remote start, unlock, and automated driving commands. Requires multi-factor authentication, command verification, timeout mechanisms, and failsafe behaviors to prevent unauthorized remote access or hijacking of vehicle functions.

External Interface Security

Mandates security protections for all vehicle external interfaces: OBD-II diagnostic ports, USB connections, charging interfaces, and wireless access points. Requires access control, protocol validation, input sanitization, and protection against known attack vectors targeting physical and wireless entry points.

Data Security

Establishes comprehensive requirements for vehicle data protection including personal information, location data, and vehicle operational data. Mandates data classification, encryption at rest, secure storage, access controls, and compliance with China’s Personal Information Protection Law (PIPL) and cross-border data transfer regulations.

Software Update Security

Requires secure over-the-air (OTA) and wired update mechanisms with end-to-end integrity verification, code signing, rollback protection, and user notification. Updates must be authenticated using approved cryptographic methods, and the vehicle must maintain safe operation during and after update processes.

Anomaly Monitoring

Mandates real-time monitoring capabilities to detect cybersecurity anomalies, intrusion attempts, and abnormal vehicle behavior. Requires logging of security events, alerting mechanisms, and the ability to support forensic investigation. Vehicles must maintain tamper-resistant audit trails of security-relevant events.

Comparison

GB 44495 vs R155 vs ISO/SAE 21434

Understanding how China’s GB 44495 relates to the international UNECE R155 regulation and the ISO/SAE 21434 engineering standard is critical for OEMs operating in multiple markets.

| Aspect | GB 44495 | UNECE R155 | ISO/SAE 21434 |
| --- | --- | --- | --- |
| Type | National mandatory standard (GB) | International regulation (UNECE) | International voluntary standard (ISO/SAE) |
| Scope | Vehicle information security technical requirements for connected vehicles | Cybersecurity Management System (CSMS) for vehicle type approval | Cybersecurity engineering for vehicle E/E systems across the full lifecycle |
| Geography | China (mandatory for all vehicles sold domestically) | 60+ UNECE contracting parties (EU, UK, Japan, South Korea, etc.) | Global (voluntary, but referenced by R155 for CSMS compliance) |
| CSMS Requirement | Implicit — requires organizational cybersecurity capability but not formal CSMS certification | Yes — Certified CSMS mandatory for type approval | Yes — Defines organizational CSMS framework (Clause 5) |
| TARA Requirement | Implicit — risk-based approach required, but does not mandate TARA by name | Required as part of CSMS evidence | Yes — Defines full TARA methodology (Clause 15) |
| SBOM Requirement | Emerging — expected through linked data security regulations | Not explicitly required, but increasingly expected by auditors | Not explicitly required, but supports Clause 8 vulnerability monitoring |
| Enforcement Dates | Jan 2026 (new type approvals), Jan 2028 (all vehicles) | Jul 2022 (new types), Jul 2024 (all vehicles) | Published Aug 2021 (voluntary, no enforcement date) |
| Type Approval Required | Yes — via China CCC / type approval process | Yes — CSMS certificate required for type approval | No — engineering standard, not a regulation |
| Data Localization | Yes — strict data residency and cross-border transfer restrictions | No — no data localization requirements | No — no data localization requirements |
| Cryptographic Requirements | Chinese national standards (SM2/SM3/SM4) required | No specific cryptographic algorithm mandated | No specific cryptographic algorithm mandated |
| Key Differentiator | China-specific data security, Chinese crypto standards, integration with PIPL and Cybersecurity Law | CSMS certification by accredited technical service, focus on organizational processes | Comprehensive engineering framework, TARA methodology, full lifecycle coverage |

ThreatZ Platform

How ThreatZ Supports GB 44495 Compliance

ThreatZ is a purpose-built automotive cybersecurity platform for multi-standard compliance. Enter the Chinese market with confidence using AI-powered TARA, unified compliance workflows, and market-specific evidence generation.

TARA Module

AI-Powered TARA

Automated threat analysis and risk assessment that generates GB 44495-aligned evidence. ThreatZ’s AI identifies threats specific to Chinese market requirements, including risks related to data localization, cross-border communication, and Chinese cryptographic standards.

  • GB 44495-specific threat libraries
  • Automated risk scoring and treatment
  • Chinese market attack vector analysis
Compliance Engine

Multi-Standard Compliance

Comply with GB 44495, UNECE R155, and ISO/SAE 21434 simultaneously from a single project workspace. ThreatZ maps your cybersecurity artifacts across all three frameworks, generating standard-specific reports and evidence packages without duplicating work.

  • Single TARA, triple compliance output
  • Cross-standard gap analysis
  • Automated requirement mapping
Market Templates

Chinese Market Templates

Pre-built templates aligned with GB 44495 requirements, Chinese type approval processes, and CCC certification workflows. Includes Chinese-language report generation, SM2/SM3/SM4 cryptographic requirement checklists, and data localization compliance templates.

  • Chinese-language report exports
  • CCC certification checklists
  • Data localization templates
BOM & Supply Chain

SBOM & Vulnerability Monitoring

Centralized Software Bill of Materials management with continuous vulnerability monitoring. Track open-source and third-party components, correlate with CVE databases, and generate GB 44495 anomaly monitoring evidence to demonstrate compliance with software supply chain security requirements.

  • Centralized SBOM management
  • Continuous CVE/NVD monitoring
  • Supply chain risk scoring
Knowledge Graph

Knowledge Graph Traceability

ThreatZ’s AI-powered knowledge graph connects every cybersecurity artifact — assets, threats, risks, controls, requirements, and test results — in a semantically linked model. Provides full traceability from GB 44495 requirements through to implementation evidence, enabling auditors to verify compliance at every level.

  • Semantic artifact linking
  • Impact analysis for change management
  • Audit-ready traceability reports
Supply Chain

Supply Chain Management

Manage cybersecurity requirements across your supply chain for the Chinese market. ThreatZ facilitates supplier cybersecurity capability assessments, interface agreements, and evidence collection — ensuring your Tier-1 and Tier-2 suppliers meet GB 44495 requirements alongside R155 obligations.

  • Multi-market supplier assessments
  • Interface agreement tracking
  • Distributed evidence collection
FAQ

Frequently Asked Questions About GB 44495

What is GB 44495?

GB 44495 is China’s national mandatory standard for vehicle information security technical requirements. Published by the Standardization Administration of China (SAC), it defines comprehensive cybersecurity requirements for connected vehicles and their external interfaces, covering communication security, remote control security, data protection, software update security, and anomaly monitoring. As a mandatory national standard (with the “GB” prefix indicating compulsory compliance), it carries the force of Chinese law and is a prerequisite for vehicle type approval and sales in the Chinese market.

How does GB 44495 relate to UNECE R155?

Both GB 44495 and UNECE R155 address vehicle cybersecurity, but they serve different markets and have distinct requirements. GB 44495 is China-specific and includes additional requirements not found in R155, such as mandatory use of Chinese cryptographic algorithms (SM2/SM3/SM4), data localization requirements, cross-border data transfer restrictions aligned with China’s Cybersecurity Law and PIPL, and specific technical test procedures for the Chinese type approval process. While there is significant overlap in core cybersecurity management concepts, organizations selling vehicles in both markets must comply with both frameworks independently. ThreatZ supports dual compliance by mapping overlapping requirements and highlighting China-specific gaps.

Who needs to comply with GB 44495?

All vehicle manufacturers selling in the Chinese market must comply with GB 44495, including both domestic Chinese OEMs (such as BYD, NIO, Geely, and Great Wall) and foreign OEMs entering China (such as Volkswagen, Toyota, BMW, and Tesla). Tier-1 suppliers providing connected vehicle systems, telematics control units (TCUs), V2X modules, gateway ECUs, and other network-enabled components are also affected, as OEMs will flow down GB 44495 requirements through their supply chain. Compliance is verified through China’s Compulsory Certification (CCC) system and the vehicle type approval process administered by MIIT (Ministry of Industry and Information Technology).

Can ThreatZ help with dual compliance for GB 44495 and R155?

Yes, ThreatZ supports simultaneous compliance with GB 44495, UNECE R155, and ISO/SAE 21434. The platform’s knowledge graph maps cybersecurity artifacts across all three frameworks, generating standard-specific reports and evidence packages from a single unified analysis. This means you perform your TARA once and produce compliance evidence for every target market — eliminating redundant work and ensuring consistency across regulatory submissions. ThreatZ also highlights requirements unique to GB 44495 (such as Chinese cryptographic standards and data localization), ensuring nothing falls through the cracks when preparing for Chinese type approval.

Related Resources

Continue Learning About Automotive Cybersecurity

UNECE R155 Type Approval: What OEMs Need to Know

Everything about R155 type approval requirements, the CSMS certification process, and how ISO/SAE 21434 maps to regulatory compliance in 60+ countries.


ISO/SAE 21434: The Complete Guide to Automotive Cybersecurity

Comprehensive pillar guide covering every aspect of ISO/SAE 21434 — from organizational CSMS requirements and TARA methodology to work products and ThreatZ automation.


SBOM Management Best Practices for Automotive

Build, maintain, and leverage Software Bills of Materials across the automotive supply chain for multi-standard compliance including GB 44495.

GB 44495 Compliance

Enter the Chinese Market with Confidence.

The Chinese automotive market is the largest in the world — and GB 44495 is the gateway. ThreatZ is the purpose-built platform that automates GB 44495 compliance alongside UNECE R155 and ISO/SAE 21434, providing Chinese market templates, multi-standard TARA, and audit-ready evidence generation — so you can focus on building great vehicles, not managing compliance spreadsheets.
