The Impact of Cybersecurity Standards and Regulations

on Automotive industry in China

Minrui Yan

25th May 24, 2022

Abstract
The aim of this report was to investigate the impact of standards and regulations on
cybersecurity situation in the automotive industry of China. Worldwide, the
regulations have been published since 2020 in United Nations Economic Commission
for Europe (UNECE), and the relevant standards have been released since 2021 in
international standardization organizations, such as International Organization for
Standardization (ISO) and International Telecommunication Union
Telecommunication Standardization Sector (ITU-T) and Society of Automotive
Engineers (SAE). In China, Standardization Administration of China (SAC) and
relevant governance departments are following the status of international standards
and regulations to publish and release Chinese own standards and regulations. By
analysis Chinese standards and regulations, this report shows the impact of standards
and regulations in cybersecurity situation in the automotive industry of China.

Key findings include:

 Implemented Automobile-related Regulations
 Released Automobile Standard
 Impact of Standards and Regulations on Automotive Industry
 Table of Contents

ABSTRACT................................................................................................................................... 2

1 INTRODUCTION................................................................................................................. 4

2 METHODS........................................................................................................................... 4

3 FINDINGS............................................................................................................................ 4

3.1 IMPLEMENTED AUTOMOBILE-RELATED REGULATIONS...........................................................4

3.2 RELEASED AUTOMOBILE STANDARDS...................................................................................5
3.3 IMPACT OF STANDARDS AND REGULATIONS ON AUTOMOTIVE INDUSTRY IN CHINA...............6

4 CONCLUSION..................................................................................................................... 6

REFERENCE LIST....................................................................................................................... 7
1 Introduction
There is massive progress in intelligent connected vehicle recent years, and the
number of intelligent connected vehicle is increasing sharply world-wide. Especially
the number in China, since intelligent and connected functions are attractive for the
customers. The share of intelligent connected vehicle is also increasing since 2012. In
2020, 30 million new intelligent connected vehicles were sold, growth rate is around
41% of new car sales worldwide. In 2020, 91% of new cars sold in the United States
were connected cars (Charlotte, 2021).
More intelligent and connected functions will bring more and more security to the
vehicle. Therefore, international, regional organization and governments of counties
have been considering to setup standards and regulations come out to solve these
security problems.
This report examines the history and the impact of standards and regulations in China
which relevant with cybersecurity of intelligent and connected vehicles.

2 Methods
This research was conducted by gathering and investigated the information from
UNECE, ITU-T, ISO, SAE, and SAC, then dig into the connections between
international and Chinese and compare the differences of them.
All the information was gathered from the official websites, and they are reliable and
can be checked at any time.

3 Findings

3.1 Implemented Automobile-related Regulations

In China, there is no standalone regulation for automotive industry, in this case this
report selected two important security-related regulations in Table 1. These two
regulations affect in all industries in China. Before Cybersecurity Law (Qi, 2018)
effected on 1st June 2017, there is no cybersecurity standalone law in China. Instead,
cybersecurity-related policy included in Criminal Law in 2009.

Table 1. List of Chinese Automobile-related Regulations

Implementation Date Title
2009.02.28 Criminal Law
2017.06.01 Cybersecurity Law
2021.09.01 Data Security Law

Other worldwide cybersecurity regulations are listed in Table 2, and they affect all
industries include automotive industry. Germany enacted the world's first
cybersecurity regulation in 1970 (Gantchev, 2019). UK is also a forerunner in
cybersecurity area since she implemented Data Protection Act in 1997.
There is the only one automotive industry cybersecurity regulation called
Cybersecurity Management System (CSMS) (Schmittner, 2020) from UNECE.
UNECE is a regional organization, and this regulation is under 1958 agreement which
is under UNECE with the objective of establishing uniform regulations for vehicles
and their components relating to safety, environment, energy, and anti-theft
requirements.

Table 2. List of Other Automobile-related Regulations Worldwide

Implementation Date Title
2022.06.01 Cybersecurity Management System (UNECE)
1970.09.30 Data Protection Act (Germany)
2012.11.20 Personal Data Protection Act (Singapore)
2018.05.25 General Data Protection Regulation (EU)
1997.07.16 Data Protection Act (UK)

3.2 Released Automobile Standards

By collecting the information from SAC and Ministry of Industry and Information
Technology (MIIT), Chinese automotive standards are listed in Table 3. These
standards were released in 2021, and they are all technical specification standards for
automobile (MIIT, 2022).

Table 3. List of Chinese Automotive Standards

No. Title
Technical requirements and test methods for cybersecurity of
GB/T 40856-2021
on-board information interactive system
GB/T 40861-2021 General technical requirements for vehicle cybersecurity
Technical requirements and test methods for cybersecurity of
GB/T 40857-2021
vehicle gateway
Technical requirements and test methods for cybersecurity of
GB/T 40855-2021
remote service and management system for electric vehicles

International automotive standards are listed in Table 4. ISO and SAE’s standards are
management system standards which do not include technical specification part. ITU-
T X.1376 is technical standard.

Table 4. List of International Automotive Standards Worldwide

No. Title
ISO/SAE 21434:2021 Road vehicles — Cybersecurity engineering
Road vehicles — Guidelines for auditing cybersecurity
ISO/PAS 5112:2022
engineering
 Cybersecurity Guidebook for Cyber-Physical Vehicle
SAE J3061
Systems
Security-related misbehaviour detection mechanism using
ITU-T X.1376
big data for connected vehicles.

3.3 Impact of standards and regulations on automotive industry in China

In this clause, how standards and regulations impact on automotive industry in China
discussed.
On the one hand, the standards listed in Table 1 are national standards, and they are
only references for car maker. Regulations only include high level general
requirements for industry, so these might be supplementary documents for the
regulations. Hence car maker will refer these standards to design their car to complete
potential compliance work.
On the other hand, the regulations listed in Table 3 are mandatory. Car will be allowed
go to market if the cars do not comply these regulations. There is no doubt that
regulations have great effect on any industries.

4 Conclusion
In all, cybersecurity standards and regulations have a huge effect on automotive
industry. This report also provides a guideline for automobile industry compliance.
Due to relevant standards and regulations being published recently, there is few
research in this area. As a result, this report fills the compliance knowledge gap for
automotive industry.
Reference List
Schmittner, C. (2020). A preliminary view on automotive cyber security management
systems. The 23rd Conference on Design, Automation and Test in Europe.
Charlotte. (2021). How many connected cars are sold worldwide? Retrieved from
https://smartcar.com/blog/connected-cars-worldwide/
MIIT. (2022). Notification of Guideline for Automotive Cybersecurity and Data
Security Standard System Construction. Retrieved from
http://www.gov.cn/zhengce/zhengceku/2022-03/07/content_5677676.htm
Qi, A. (2018). Assessing China's Cybersecurity Law. Computer Law & Security
Review. Retrieved from https://doi.org/10.1016/j.clsr.2018.08.007
Gantchev, V. (2019). Data protection in the age of welfare conditionality: Respect for
basic rights or a race to the bottom? European Journal of Social Security.