China Expands CCC Framework with New Vehicle Data and Cybersecurity Certification Rules
30. April 2026China has introduced a dual regulatory update under its CCC certification system, establishing new requirements for both vehicle data security and vehicle cybersecurity. The new CCC certification for vehicle cybersecurity and data security is defined through two complementary documents: CAV-11-2025 and CAV-14-2025, issued by the Certification Alliance for Vehicle (CAV). The cybersecurity certification rules were released on July 31, 2025, and implemented on August 1, 2025, while the data security certification rules were issued and implemented on October 20, 2025. These updates reflect China’s continued strengthening of regulatory oversight on automotive digital systems and data handling.
Both frameworks apply to automotive products and systems involving data processing and cybersecurity management. They align with national standards such as GB/T 44464-2024 and related information security requirements, creating a unified certification structure. Automotive products usually require CCC certification in order to be approved for import and sale in China.
Integrated Certification Structure for Cybersecurity and Data Protection
The cybersecurity certification rules (CAV-11-2025) focus on vehicle-level information security, including the Cybersecurity Management System (CSMS) and protection of in-vehicle communication, software, and external interfaces. As shown on page 1 of the cybersecurity document, the regulation applies to complete vehicles and their cybersecurity capabilities, with certification covering system design, risk management, and technical safeguards.
In parallel, the data security certification rules (CAV-14-2025) establish requirements for handling personal information and important data generated by vehicles. These rules define a certification model based on type testing and post-certification supervision, with detailed requirements for anonymization, data collection devices, and processing methods. According to the document, compliance is assessed against specific clauses of GB/T 44464-2024 and GB/T 41871-2022.
Both certifications follow similar procedural steps, including application submission, technical documentation review, type testing, certification decision, and ongoing surveillance. The documents also include structured annexes with detailed product descriptions and parameter tables (e.g., data collection devices and cybersecurity components), which can be summarized as TABLE PLACEHOLDER.
Compliance Implications for Automotive Manufacturers
The introduction of these two certification schemes significantly increases compliance obligations for vehicle manufacturers, importers, and suppliers. Companies must now demonstrate both cybersecurity resilience and robust data governance practices as part of CCC certification.
For cybersecurity, manufacturers must implement and document a compliant CSMS, ensuring protection against unauthorized access and system vulnerabilities. For data security, they must provide detailed information on data processing activities, including handling of personal and sensitive data, anonymization mechanisms, and storage or transmission practices.
Both certifications require type testing conducted by qualified laboratories, followed by periodic surveillance inspections—typically within 12 months of certification—to ensure continued compliance. Certification validity is generally limited to three years, with strict requirements for reporting product changes or system updates.
These regulatory developments indicate a shift toward lifecycle-based compliance in China’s automotive sector, where both digital security and data protection are continuously monitored. Manufacturers targeting the Chinese market should align product development and certification strategies with these new CCC requirements. Further regulatory details may be available through official certification channels and compliance resources.
For more information on how CCC certification, the CCC Self-Declaration and voluntary CCAP or CQC certification may affect your company, or for more information about CCC certification in general, please visit our News Section where you will find current updates twice a week.
Please do not hesitate to contact us for further details and consultation. You can contact us via email, Chat, or call us (UK: +44 2071931135, Europe: +49 69 2713769150, US: +1 773 654-2673).
You can also check our free CCC-Brochure, which can be downloaded as a PDF file. The brochure also contains information on the CCC Self-Declaration and the voluntary CQC- and CCAP-Certification).
