What OEMs Need to Know About China's Cybersecurity RegulationsWhat OEMs Need to Know About China's Cybersecurity Regulations


January 21, 2022



Min Read

What OEMs Need to Know About China's Cybersecurity Regulations

This is an external post, click the button below to view.
View Post

Click here for Simplified Chinese

China is a key player in the global automotive market. Annually, they account for one-third of new vehicle sales worldwide, a number that is only expected to rise in the years to come. In light of new international cybersecurity legislation from governing bodies such as the World Forum for Harmonization of Vehicle Regulations (WP.29) and the International Organization for Standardization (ISO), it should come as no surprise that China has started to develop its own regulatory framework. By 2025, they are expected to have over 97 regulations designed to mitigate the risks associated with over-the-air (OTA) software and update systems utilized in intelligent connected vehicles (ICV) and electric vehicles (EV). Such legislation will not only be imperative to ensure driver, vehicle, and community safety, but also to safeguard personal and national data. 

If foreign OEMs wish to maintain traction in this lucrative market, they will need to adhere to all Chinese government regulations. What do China’s cybersecurity laws look like? How do they impact OTA systems, ICVs, and EVs? Most importantly, what is the best way for OEMs to achieve compliance? Keep reading to find out. 

National Cybersecurity Law

One of the most important laws affecting ICVs and EVs is the National Cybersecurity Law (CSL) of 2017. Under CSL any “provider” that utilizes computers or other technology to gather, store, process, transmit, and distribute data must adhere to specific regulations. CSL doesn’t apply exclusively to ICVs and EVs, but three parts contain specific relevance. 

The first demands having processes in place to protect critical information. This includes implementing an internal security management system that assesses and mitigates cyberattacks and security breaches. OEMs must perform an annual risk assessment of their systems and equipment to determine the potential scope of a breach and whether their current preventative measures are adequate. The results of this assessment are then submitted to the appropriate government authorities, such as the State Council, to obtain a compliance certificate. 

The second relevant part of CSL dictates requirements for personal information protection. OEMs must only collect personal information with consent and refrain from disclosing said data to unauthorized parties. It also requires data protection measures to be in place and a remedial action plan to mitigate the impact of a breach. This regulation specifies that any personal data collected from a “critical network,” such as a traffic or transportation network, must be housed on servers located in China. 

The final part of CSL outlines requirements for equipment and products that collect, house, and manage important data protection. Before any technological service or product is approved for sale in China, including ICVs, it must prove compliance with all national security standards and requirements. This aspect was expanded upon in June 2020 with China’s Cybersecurity Review Measures. OEMs must now look beyond the local impact level of a breach and anticipate their product’s risk to national security as well. All findings must be declared to the Office of Cybersecurity Review for further assessment. 

MIIT and SAC Cybersecurity Standards

While the National Cybersecurity Law was not designed specifically for the automotive industry in mind, China has several committees that focus exclusively on ICVs and EVs regulation. Since 2017 the Ministry of Industry and Information Technology (MIIT) and the National Standards Committee of China, have been releasing guidelines on the development of a National Internet of Vehicles (IoV) Industry Standard System. This system is broken into five categories, including the IoV Industry Standard for Intelligent Connected Vehicles (ICV). 

There are expected to be around 100 ICV guidelines by the year 2025, around 30 of which specifically pertain to cybersecurity. Although MIIT worked to form the IoV standards system, the primary committee responsible for implementing new cybersecurity mandates falls under the umbrella of the Standardization Administration of China (SAC).  

TC114/SC is the National Technical Committee of Intelligent and Connected Vehicles 114, Subcommittee 34. It is responsible for creating and publishing EV security regulations and standards in China. Specific interests of this committee include establishing standards for LTE-V2X communication, information security, information breach early detection systems, vehicle passwords, and digital certificates. They also oversee the integration of international standards, which we will discuss in greater detail later. 

It is important to note, that in the event of conflicting mandates, any standards developed by SAC committees are superseded by the CSL. 

Personal Information Protection Law

The Personal Information Protection Law (PIPL) focuses on providing more comprehensive data protection regulation measures for personal information usage by companies that operate in China. It came into effect in November of 2021 and has a direct impact on data collected via OTA software solutions. PIPL is quite similar to international standards as many of its 74 articles were drawn directly from the General Data Protection Regulation (GDPR)

Comparable International Standards

The logo “Made in China” has long been associated with mass-produced goods of low value. China is determined to change this perception with a national strategy known as the Made in China 2025 policy. The plan aims to transition from a labor-based manufacturing industry to a technology-based industry leader, particularly in the Green energy and automotive sector. To expedite this process, China has based many of its OTA standards on existing international regulations. 


In Subpart 202-21 of China’s new IVC standards, TC114/SC34 has established technical requirements for vehicle software update systems based on those outlined in WP.29 Regulation 156. They have also adopted WP.29 Regulation 155 in Subpart 202-22. Foreign OEMs wishing to achieve compliance in China can therefore utilize these UN regulations as a reference point. 

There is, however, one main difference between UNECE WP.29 standards and those created by TC114/SC34. UN Regulation 155 mandates that “processes” must be in place to prevent manipulation and keep updates, or data, secure. It does not specify what those processes are, providing OEMs with the freedom to explore options and solutions. China’s ICV standards are not so flexible. They include detailed specifications on testing procedures, processes, and expectations. 

For more detailed information on UNECE regulations, please refer to our WP.29 blog series

ISO Regulations

In addition to WP.29 regulations, TC114/SC34 is working to convert several ISO regulations into national standards. ISO 21434 focuses on cybersecurity requirements from an engineering standpoint. It examines every aspect of the vehicle’s lifecycle, from product design and production to maintenance and decommissions. Meanwhile, ISO 20077 clarifies concepts related to the “extended vehicle,” or anything that exists beyond the physical confines of the unit. It includes general requirements for design constraints, extended vehicle interfaces, and diagnostic processes. 

China already has an ISO/IEC 27001 equivalent, which we discussed above: the National Cybersecurity Law (CSL). Both ISO 27001 and CSL provide detailed requirements for information security management systems. Although neither pertains exclusively to the automotive industry, they have huge security implications for the development, implementation, and utilization of over-the-air (OTA) software update systems. 


GDPR is a data protection law that pertains to data subjects who reside within the European Union. Data processors, such as OTA providers and ICV OEMs, must adhere to GDPR if:

  • They are dealing in data where goods and services are offered, even when no payment is required, or 
  • They are monitoring people’s behavior

PIPL upholds the same protection principles, but for data subjects residing in China. Although GDPR and PIPL are aligned on many aspects, such as mandating workforce training and allowing class-action lawsuits on behalf of data subjects, there are a few key differences for OEMs to consider. 

PIPL places restrictions on data portability rights. It requires data handlers to provide individuals with a safe “channel” that will only initiate data transfer when prescribed security conditions are met. PIPL also outlines three procedures for cross-border transfers: 

  1. Separate and informed consent must be given by the data subject
  2. Protection impact assessments must be performed and recorded by the data controller
  3. Adequate safety measures must be ensured with PIPL approved methods 

In addition, PIPL requires every foreign data handler to have a representative based in China. Although it uses GDPR’s “lawful basis” approach to data processing, it does not include “legitimate interests” as an acceptable reason for accessing or collecting personal data. PIPL classifies financial information as “sensitive,” while GDPR does not, and offers post-mortem data rights. In the event of a data breach, it requires handlers to provide immediate notification to users, compared to GDPR’s 72-hour grace period. 

PIPL can be enforced by any number of governing bodies, though the most likely authority is a branch of government involved in the ICV industry, such as MIIT. Fines for failed compliance can be as high as 5 percent of annual revenue, though it is unclear whether this number is based on worldwide annual revenue or China-based annual revenue.  

Global Compliance With Sibros

Regardless of whether you’re looking at China or other international cybersecurity regulations, one thing is for certain: OEMs who want to maintain a competitive edge in the automotive industry must comply. Intelligent connected vehicles and electric vehicles are the future. A future that is impossible without a vehicle-wide OTA software solution. 

Building a compliant OTA software solution in-house is one option. However, the risks involved are extremely high. Along with having an in-depth understanding of all international regulations, the OEM must have a team of industry experts to construct a viable solution. Even then, there are likely to be setbacks, delays, unanticipated expenses, and dead ends. 

Rather than waste time at the drawing board, a quicker, reliable, and cost-effective option is to utilize a pre-existing solution. Sibros Deep Connected Platform (DCP) not only offers OEMs with an easy to integrate, no-code solution for real-time data logging, remote software updates, and reduced telematics OPEX costs, but it is compliant with the following international standards and regulations for functional safety, cybersecurity and data privacy: 

As a manufacturer, you shouldn’t have to navigate the world of OTA solution standards and cybersecurity regulations on your own, and you don’t have to. Contact Sibros today to schedule a demonstration and start preparing your fleet to take on the future. 

Amber Parle
Amber Parle
Amber is a Field Marketing Manager at Sibros with over ten years of writing and blog content experience. She is a University of California at Davis graduate and an avid world traveler.