
Scope of GB/T 44495 & GB/T 44496

GB/T 44495 and GB/T 44496 outline guidance for road-vehicle cybersecurity and software updates within the Chinese market. This page summarizes what is typically considered in scope: vehicle categories, software and interfaces, lifecycle coverage, and organizational obligations. It is a non-normative overview for awareness and planning.

1) Vehicle Categories Covered

  • Road vehicles broadly equivalent to UN categories M (passenger) and N (goods), and related configurations placed on the Chinese market.
  • Variants and trims intended for China (including localized features, services, or connectivity).
  • Trailers or specialized bodies where E/E systems or updates influence vehicle cybersecurity posture.

2) Software & Interfaces in Scope

  • Embedded software/firmware on ECUs, gateways, and communication modules.
  • Configuration & calibration data that can alter behavior or security posture.
  • Update agents & service tools used by dealers/workshops; backend systems that orchestrate downloads, eligibility, and telemetry.
  • External interfaces that expose or influence risk: cellular/telematics, Wi-Fi/BLE, V2X, OBD/service ports, USB, diagnostic protocols, cloud APIs.

3) Lifecycle Coverage

GB/T expectations typically extend across the full lifecycle to ensure a consistent, traceable approach:

  • Concept & development — risk analysis, requirements, design controls, verification.
  • Production — secure provisioning, configuration, and release management.
  • Operation & maintenance — monitoring, vulnerability handling, incident response.
  • Software updates — planning, packaging/signing, eligibility, delivery, validation, records.
  • Decommissioning — secure removal/erasure of sensitive data and credentials.

4) Organizational Obligations

  • Define governance, roles, and competence for cybersecurity and updates.
  • Operate a documented process framework (risk management, verification/validation, vulnerability handling/PSIRT, software update control, records/retention).
  • Maintain traceability and evidence demonstrating consistent application to China-market vehicle types and variants.
  • Ensure supplier integration: flow-down of requirements, exchange of evidence, and audits/assessments proportionate to risk.

5) Boundaries & Exclusions (Clarifications)

  • Purely mechanical parts with no update capability are generally out of scope.
  • Backend or cloud services are considered to the extent that they impact vehicle risk (e.g., update distribution, authentication, telemetry integrity).
  • Legacy components may require compensating controls and enhanced monitoring if full parity with current practices is not feasible.
  • Localization differences (e.g., regional apps, data flows) should be explicitly documented and controlled.

6) Relationship to Global Instruments

  • ISO/SAE 21434 — engineering practices and work products for cybersecurity.
  • UNECE R155 — organizational capability (CSMS) and type-approval-style evidence.
  • UNECE R156 / ISO 24089 — software update management and engineering alignment.
  • Organizations commonly reuse global processes and add China-specific governance and documentation.

7) Typical Outputs / Evidence (At a Glance)

  • China-market scope definition (vehicle types, variants, interfaces, dependencies).
  • Risk analysis artifacts (TARA-style) with requirements and verification evidence.
  • Update control records: signing/eligibility/anti-rollback specs; post-update validation results.
  • Supplier coverage: contracts/SOW clauses, SBOMs, exchanged test results, assessment records.
  • Traceability & retention: per-type and per-VIN records aligned to local expectations.

Disclaimer: This page provides a general, non-normative scope summary for GB/T 44495 & 44496. For authoritative requirements and definitions, consult the official standards text and applicable guidance from Chinese authorities or accredited bodies.