China’s GB Standards (44495 – 44497) revisited

In a previous blog post, we took an in-depth look at GB Standard 44495-2024, China’s newly introduced cybersecurity standard for intelligent connected vehicles (ICVs). We explored its implications for vehicle manufacturers, how it aligns with global standards like UNECE R155 and ISO/SAE 21434, and what it means for automotive cybersecurity going forward.

However, GB 44495-2024 was not introduced in isolation. Alongside it, China simultaneously published two additional regulations: GB 44496-2024, which focuses on software update management, and GB 44497-2024, which sets requirements for automated driving data recording. Together, these three standards create a comprehensive regulatory framework for intelligent connected vehicles and will come into effect on January 1, 2026.

While compliance with these new regulations presents challenges, it also opens opportunities—especially for companies that already have a structured validation and testing approach in place. HydraVision, with its extensive test case template portfolio, provides a strong foundation for companies needing to efficiently adapt to these new GB standards. In this article, we will break down the three new standards and show how leveraging HydraVision can make compliance significantly easier.

1. GB 44495-2024: Technical Requirements for Vehicle Cybersecurity

Background and Need for Cybersecurity Standards

As vehicles become increasingly connected—incorporating wireless communication, external data interfaces, and autonomous driving features—the risk of cybersecurity threats has escalated. Malicious cyberattacks can compromise vehicle control, endanger passengers, and lead to data breaches. GB 44495-2024 sets out technical requirements to mitigate these risks and ensure that vehicles meet stringent cybersecurity protection standards in the Chinese market.

Key Provisions

• Cybersecurity Management System (CSMS):
  • Automakers must establish a comprehensive cybersecurity framework covering the entire lifecycle of the vehicle—from development and production to post-market monitoring and response.
  • The framework aligns with international regulations like UNECE R155 (Cybersecurity Management System) and ISO/SAE 21434.
• External Interfaces Protection:
  • The standard mandates strict control over wireless communications, USB ports, Bluetooth, and CAN bus connections to prevent unauthorized access.
  • Secure authentication and encryption protocols must be implemented for data exchanges between vehicles and cloud platforms.
• Software Protection and Secure Updates:
  • GB 44495-2024 requires tamper-proof mechanisms to prevent unauthorized software modifications or hacking attempts.
  • Vehicles must implement intrusion detection and prevention systems (IDPS).
• Incident Response and Monitoring:
  • Automakers must establish real-time cybersecurity monitoring systems to detect, log, and report potential cyber threats.
  • Post-market monitoring and rapid security patching are mandatory.

Differences and Similarities to UNECE R155

GB 44495-2024 requires an audit instead of UNECE R155’s renewable CSMS certification and mandates 27 specific cybersecurity tests. It also sets stricter conditions for extending approvals to other models. Read more here.

Relevance for Testing

HydraVision already includes a comprehensive set of security-related test cases, providing a solid foundation for GB 44495 compliance. Each test case template is directly mapped to the relevant GB 44495 sections and includes references to the corresponding legal text, ensuring a precise and efficient adaptation process. This structured approach simplifies implementation and reduces the effort required for OEM-specific adjustments.

2. GB 44496-2024: General Technical Requirements for Software Updates

The Importance of Secure Software Updates

Modern vehicles rely heavily on software-defined functionalities, with features such as adaptive cruise control and infotainment systems requiring frequent upgrades. However, software vulnerabilities can lead to performance issues, cybersecurity risks, and even legal liabilities if not managed properly. GB 44496-2024 establishes a framework to regulate how automakers handle vehicle software updates.

Key Provisions

• Software Update Management System (SUMS):
  • Automakers must set up a dedicated software update management system to ensure compliance with regulatory requirements.
  • The system should cover pre-update evaluation, validation, deployment strategies, and rollback mechanisms.
• Over-the-Air (OTA) Updates:
  • The standard promotes secure OTA updates, ensuring that software patches, security fixes, and performance enhancements are safely delivered without requiring physical servicing.
  • OTA updates must have fail-safe mechanisms to prevent vehicles from becoming inoperable in case of update failures.
• User Notification and Consent:
  • Automakers must inform vehicle owners about upcoming software updates and obtain their consent before deployment.
  • Updates must not disrupt driving safety—they should either occur when the vehicle is stationary or allow users to schedule them conveniently.
• Version Control and Safety Assurance:
  • Every software update must include a detailed changelog, validation reports, and security checks.
  • In case of an update failure, rollback mechanisms should ensure that vehicles can revert to a previously stable software version.

Differences and Similarities to UNECE R156

GB 44496-2024 builds on UNECE R156 but introduces key differences. While both require a Software Update Management System (SUMS), GB 44496 mandates user consent for over-the-air (OTA) updates, stricter handling of failed updates, and emergency protocols. It also includes specific requirements for user interaction during updates, such as ensuring that vehicle occupants can unlock doors if needed—features not explicitly required by UNECE R156.

Relevance for Testing

HydraVision effectively helps to fulfill the security requirements set by GB 44496-2024 by ensuring that OTA updates are delivered securely and remain unaltered by third parties. It verifies that software packages are transmitted safely, applied correctly, and protected against tampering. By validating encryption, authentication protocols, and post-update security, HydraVision enables manufacturers to meet GB 44496 compliance with confidence.

3. GB 44497-2024: Intelligent Connected Vehicle Automated Driving Data Recording System

Why Autonomous Driving Needs Data Recording Standards

Autonomous vehicles rely on sensor fusion, AI algorithms, and real-time data analysis to make driving decisions. However, in cases of accidents or malfunctions, determining responsibility is challenging without accurate data logs. With autonomous driving being widely more accepted in China, GB 44497-2024 introduces data recording and storage standards to ensure transparency in accident investigations and autonomous driving system performance.

Key Provisions

• Event Data Recorder (EDR) for Autonomous Driving Systems:
  • The standard requires intelligent connected vehicles (ICVs) with automated driving capabilities to store and retrieve key operational data.
  • Data to be recorded includes:
    • Vehicle speed
    • Steering input
    • Brake usage
    • Sensor data (LIDAR, cameras, radar)
    • AI decision-making logs
• Data Storage and Encryption:
  • Recorded data must be encrypted and protected from unauthorized access.
  • Storage systems should withstand extreme environmental conditions to ensure data integrity.
• Crashworthiness and Regulatory Compliance:
  • The data recording system must be impact-resistant and comply with national crashworthiness standardsto survive collisions.
  • It should also be interoperable with law enforcement and regulatory bodies to assist in accident analysis.

European Equivalent of GB 44497-2024

While there is no direct European equivalent to GB 44497-2024, EU Regulation 2019/2144 requires event data recorders (EDRs) to capture crash-related data. Unlike GB 44497, which records vehicle status, environment, and driver interactions during automated driving, EDRs focus on accident analysis. UNECE R157, which governs Automated Lane Keeping Systems (ALKS), includes some data storage requirements but is limited to specific automation functions.This makes GB 44497 broader in scope, while European regulations prioritize crash forensics – which ultimately makes sense given the comparatively low adoption of autonomous driving in the EU.

Relevance for Testing

With GB 44497-2024, manufacturers need a structured approach to validate data recording mechanisms. They also must make sure that this data is encrypted and protected against unauthorized access. HydraVision provides test cases that verify compliance with recording requirements, ensuring that all relevant data is captured, stored securely, and available for regulatory review.

Conclusion: How HydraVision Makes GB Compliance Easier

Adapting to GB 44495, GB 44496, and GB 44497 can seem overwhelming. However, HydraVision significantly reduces the complexity of compliance by offering:

✔ Predefined test cases mapped to the GB standards: Instead of building a validation strategy from scratch, companies can use HydraVision’s test case templates as a structured starting point.
✔ Scalable test case adaptation: Each test case template comes with a tag as well as a detailed description and references to the relevant GB paragraph, making it easy to adjust our templates to OEM-specific needs.
✔ A strong foundation for new regulations: If you’re unsure where to start, HydraVision provides a solid testing base that simplifies your entry into GB compliance.

By leveraging HydraVision’s test case templates and the adaptable framework, companies can ensure compliance with the latest standards while minimizing resource-intensive test development. Whether you need cybersecurity validation, software update verification, or automated driving data recording tests—HydraVision is the best and fastest solution to get you there.