China’s Internet of Vehicles – New Guidelines Set Framework for Industry Standards

Posted by Written by Arendse Huld Reading Time: 10 minutes

China’s Internet of Vehicles will become better regulated over the next few years as authorities seek to standardize data and cybersecurity in the industry. A new set of guidelines from the Ministry of Industry and Information Technology provide a roadmap for the development of data and cybersecurity industry standards across a range of fields. The standards include technical requirements for the security of hardware, such as onboard equipment, terminals, and roadside equipment; software, such as service platforms and apps; and standards for the handling of data and other cybersecurity requirements. The guidelines further extend China’s cybersecurity regime to cover connected vehicles, putting it firmly under the purview of existing data, cybersecurity, and personal information protection legislation. China has big ambitions for the growth of the Internet of Vehicles, and more standardization and regulation will also provide a solid framework for the healthy and sustainable development of the industry.

China's Internet of Vehicles standards


On March 7, 2022, China’s Ministry of Industry and Information Technology (MIIT) issued the Guidelines for the Construction of the Internet of Vehicles Cybersecurity and Data Security Standard System (the “guidelines”) (link in Chinese). This document acts as a roadmap for addressing the cybersecurity and data security needs of China’s Internet of Vehicles (IoV) network and strengthening the standards and technical requirements for the connected vehicle and smart traffic industries.

The reasons for the push to standardize the IoV industry are twofold: more guidelines and standardization will help the industry develop in a healthy and sustainable way and prevent unfettered, disorganized growth, and at the same time bring the industry further into the fold of China’s growing data and cybersecurity regime.

In this article, we first examine China’s ambitions for the IoV industry and the existing framework for cyber and data security. Following this, we provide an overview of industry standards and technical requirements as they unfold – existing, draft stage, and expected.

Background

The IoV refers to the network of hardware and software that allows internet-connected vehicles to communicate and exchange information with one another and the wider traffic infrastructure. Vehicle connectivity is achieved through the implementation of onboard sensors and software systems, roadside equipment, such as smart traffic lights and cameras, satellites, big data, and other communications and artificial intelligence (AI) technology.

The guidelines build upon a foundation of data and cybersecurity regulations as well as development plans for the automotive industry. These are:

  • Cybersecurity Law of the People’s Republic of China
  • Data Security Law of the People’s Republic of China
  • Regulations on the Security Protection of Critical Information Infrastructure
  • The New Energy Vehicle Industry Development Plan (2021-2035)
  • The Connected Automobile Industry Development Action Plan
  • Provisions on Automobile Data Security Management
  • Notice on Strengthening Internet of Vehicles Cybersecurity and Data Security

Development targets for connected vehicles and IoV

China has set its sights on becoming the world leader in connected and self-driving cars. Autonomous driving and smart transport were named as key areas for development in the 14th Five-Year Plan (FYP), China’s highest-level plan for social and economic development. Several policy documents released since 2020 have also set key development targets for the industry, including the Roadmap for Intelligent Connected Vehicle Technology 2.0, which states that by 2025:

  • Intelligent connected vehicles with partially automated driving and conditional automated driving capabilities should account for more than 50 percent of all vehicle sales.
  • The assembly rate of new cars with Cellular Vehicle-to-Everything (C-V2X) terminals should reach 50 percent.
  • Commercial application of vehicles with highly automated driving capabilities should be realized, initially in specific scenarios and restricted areas, before expanding to a wider scope.

Existing cybersecurity and data security framework for connected vehicles and IoV

China has also already taken several steps to shore up the security of the networks that connected vehicles rely on. In October 2021, the Several Provisions on Vehicle Data Security Management (the ‘provisions’) took effect. Compiled by the Cyberspace Administration of China (CAC), China’s top cybersecurity authority, the document outlined new requirements for manufacturers and operators of intelligent connected vehicles to protect personal information and ‘important’ data.

The provisions classify information from a stakeholder in the automobile industry, such as a car owner, driver, passenger, or pedestrian that can be used to identify the stakeholder, as ‘personal information’. This information is subject to certain legal protections and obligations on the part of the data processor.

In addition, the provisions encapsulate a range of data collected by vehicles as ‘important data’ that is subject to more stringent regulations and security requirements. ‘Important data’ in the context of connected vehicles includes data collected from sensitive areas, such as military zones and government agencies, surveying and mapping data of higher precision than that released by official state maps, and any audio or video data collected from outside the vehicle (collected by vehicle cameras and sensors), such as faces, voices, and license plates.

According to the provisions, personal information and important data collected from stakeholders in China must be stored domestically. The data must also undergo a government security review if it is to be exported abroad. These requirements had previously been imposed on data processors in other fields in China’s Cybersecurity Law, Data Security Law, and Personal Information Protection Law (PIPL), but had not explicitly been extended to carmakers until now.

Main targets for IoV industry standardization

The guidelines set targets for the development of standards and technical requirements for the IoV industry.

By the end of 2023:

  • Complete the preliminary construction of an IoV cybersecurity and data security standards system.
  • Focus R&D on general and common industry-wide standards and specifications, cybersecurity of terminals and equipment, communications networks security, data security, mobile app security services, and security guarantee and support.
  • Formulate at least 50 urgently needed sets of standards.

By 2025:

  • Achieve a relatively complete IoV cybersecurity and data security standards system
  • Formulate over 100 sets of standards.
  • Improve the coverage of standards in sub-fields.
  • Strengthen the service capabilities of the standards.
  • Improve the application of the standards.
  • Support the safe and healthy development of the IoV industry.

Types of standards for the IoV industry

The guidelines provide an overview of the types of standards and technical requirements that need to be formulated. These include general standards applicable across the industry as well as specific standards and requirements for segmented fields, such as the security of terminals and equipment and network communication security standards, to name a few.

The guidelines also come with a list of a total of 103 industry standards, of which 12 have already been finalized and issued and a further 15 are in the process of being drafted. The remaining 76 are yet to be formulated. Below we look at some of the major standards and technical requirements.

General and basic common standards

These are the general standards for cybersecurity and data security that can be applied across the industry. These are divided into three main categories: technology and definitions, general architecture requirements, and password application standards.

General and Common Standards for IoV Cybersecurity (To be Formulated)
Terminology and definitions
Common terms and definitions of IoV cybersecurity
General architecture
Overall IoV architecture cybersecurity
Password application standards
General requirements for IoV password applications
Technical requirements for commercial password applications of intelligent connected vehicles
Technical requirements for password application of IoV communication equipment
Basic requirements for the application of vehicle cloud communication passwords

Cybersecurity standards for terminals and facilities

Cybersecurity standards for terminals and facilities will mainly cover the security requirements related to IoV terminal equipment and infrastructure. These include security requirements for onboard equipment, vehicle networks, roadside communications equipment, and network equipment and systems.

Cybersecurity Standards for Terminals and Facilities
Onboard equipment security
Technical requirements and test methods for cybersecurity of vehicle gateway Issued (effective from May 1, 2022)
Technical requirements and test methods for cybersecurity of on-board information interactive system Issued (effective from May 1, 2022)
Technical requirements for network security protection of automotive electronic control units To be formulated
Technical requirements for network security of automotive security chips To be formulated
Onboard network security
Information security technology—Cybersecurity guide for automotive electronics systems Issued ((in force)
General technical requirements for vehicle cybersecurity Issued (effective from May 1, 2022)
Technical requirements for cybersecurity of onboard  bus systems To be formulated
Technical requirements for vehicle ethernet cybersecurity To be formulated
Roadside communications equipment security
Security technology and testing requirements for roadside wireless communication equipment To be formulated
Security technology and testing requirements for roadside detection and information service equipment To be formulated
Network facilities and systems security
IoV network facilities and system security protection requirements To be formulated
IoV network facilities and system security testing requirements To be formulated
Note: The above list is not exhaustive. All links in Chinese.

Security standards for network communication

Security standards for network communication mainly regulate the security requirements for IoV communications networks and ID verification.

Below are some of the standards that are yet to be formulated.

Security Standards for Network Communication
Communications security
Technical guide for wireless communication security of IoV Issued (in force)
Technical requirements for connected car information security based on public telecommunication networks Issued (in force)
LTE-based vehicle networking communication security technical requirements Issued (in force)
Technical requirements for IoV network security access To be formulated
Technical requirements for IoV satellite communication security To be formulated
ID verification
Transportation—Digital certificate format Issued (in force)
Application Specification for Automotive Digital Certificate To be formulated
Technical safety requirements for electronic driver’s license To be formulated
Note: The above list is not exhaustive. All links in Chinese.

Data security standards

Data security standards will mainly cover the data security and personal information protection requirements for smart connected vehicles, IoV platforms, onboard app services, and other sources of data collection and processing related to IoV. The standards cover a number of fields that are also addressed in other data and cybersecurity legislation, such as the Data Security Law, Cybersecurity Law, and PIPL.

Notably, the list of standards to be formulated includes requirements for the transfer of IoV data overseas, as well as requirements for the data security assessment of such data before export. These standards, when formally issued, will provide significant clarity for automakers in China on how to interpret and implement the existing data laws and regulations.

The data security standards also include a subset of classification standards. This refers to the classification of data into different security levels depending on its level of sensitivity. Previous regulations have required data processors in certain industries to classify data as ‘core data’, ‘important data’, and ‘general data’, with different security requirements prescribed for different levels of security risk.

The inclusion of this in the guidelines indicates that regulators are planning specific data classification standards for the IoV industry.

Data Security Standards
General requirements
Intelligent and connected vehicles — General requirement of data — Part 1:Classification and code In progress
Model and specification for data security sharing of intelligent networked vehicles To be formulated
Reference architecture for data security sharing of intelligent and connected vehicles To be formulated
Classification
IoV information service data security technical requirements Issued (in force)
Technical specifications for important data recording systems of IoV service platforms In progress
Data export security
Security management requirements for cross-border transfer of IoV data To be formulated
Specifications for security assessment of cross-border transfer of IoV data To be formulated
Personal information protection
IoV information service requirements for user personal information protection Issued (in force)
Technical requirements for application and protection of automobile user data based on mobile Internet In progress
App data security
Information security technology – Data security guidelines for ride-hailing car service In progress
Data security protection requirements for online ride-hailing service platforms In progress
Note: The above list is not exhaustive. All links in Chinese.

Security standards for app and platform services

The security standards for app services cover the security requirements of IoV service platforms and apps, as well as security requirements for typical business application service scenarios. The standards regulate:

  • Platforms such as IoV information service platforms, over-the-air (OTA) service platforms, edge computing platforms, and more.
  • Security protection and detection requirements for IoV apps.
  • Service safety requirements for typical scenarios such as automotive remote diagnosis, advanced assisted driving, and vehicle-road collaboration.
App Services Security Standards
Platform security
Technical requirements for security protection of IoV information service platforms Issued (in force)
Technical requirements and test methods for cybersecurity of remote service and management system for electric vehicles Issued (effective from May 1, 2022)
App security
IoV app security technology and test requirements To be formulated
Service security
Security technical requirements for interaction between IoV service platform and vehicle terminal To be formulated
Network security technical requirements for remote diagnosis services of connected vehicles To be formulated
Note: The above list is not exhaustive. All links in Chinese.

Security guarantee and support standards

Security guarantee and support standards refer to the regulation of security standards related to IoV network security management and support services. This includes regulating risks assessments, security monitoring, and emergency response capabilities.

These standards also reflect the requirements of the existing data protection and cybersecurity regime. Multiple pieces of legislation and regulations require data processors to put in place robust security monitoring and reporting systems. For instance, data protection regulations for industrial and telecom companies that were recently rereleased require data processors to formulate an emergency response plan for data security incidents and carry out periodic emergency drills to prepare for possible data leaks, breaches, and cyberattacks.

Given the amount of data collected and stored by IoV operators, it is only natural that such standards and requirements be set for this industry as well. More guidance in the form of industry standards will help companies better manage security operations and ensure their data is protected.

Security Guarantee and Support Standards
Risk evaluation
IoV network security risk assessment specifications To be formulated
IoV network security risk assessment guidelines To be formulated
Security assessment requirements for IoV password applications To be formulated
Security monitoring and emergency response management
Vehicle cybersecurity incident response management guidelines In progress
IoV security management interface specifications To be formulated
Note: The above list is not exhaustive. All links in Chinese.

Standardization as a roadmap for healthy development

The effort to standardize the IoV industry over the past few years marks a significant shift for the government in its attitude toward IoV technology and the industry as a whole. As in many other technology sectors, authorities have in the past adopted an ‘innovate now, regulate later’ approach to allow the industry, then in its infancy, the space to develop quickly.

The IoV industry is now becoming increasingly mature and saturated and has the potential to become disorganized and inefficient. Ensuring a safe, secure, and well-regulated industry will be key to securing China’s ambitions to become a leader in internet of vehicle technology and services.

In addition to the commercial drives, China is also growing increasingly concerned over national security. This has prompted the government to tighten data and cybersecurity regulations in a number of industries, in particular those deemed to handle particularly sensitive data. The inclusion of standards on the – although not yet – signals that the government considers the IoV industry to be another front on which to bolster cybersecurity.

Public opinion will also be a consideration for authorities. As consumers become more and more tech-savvy and aware of the issues surrounding personal data, there will be more pressure to ensure their information is protected and not misused by companies.

Some challenges remain, however. Certain definitions are still ill-defined even in existing data and cybersecurity legislation. This includes terms such as ‘important data’, which is subject to stricter security requirements than other forms of data. Although attempts have been made to clarify the types of data that fall under this category, the definition remains somewhat vague, and as of writing this article, no catalogs have been released detailing the types of data that fall under this category. This indicates that regulators have experienced some difficulty in properly defining the types of data that inherently pose a security risk.

The inclusion of ‘important data’ in the new guidelines suggests that regulators plan industry-specific definitions for data classification. This could provide a better-defined framework for regulators to classify data types and come out with a concrete set of standards for data classification and would certainly be a huge help for companies in complying with data and cybersecurity regulations.

Whether this can be achieved in the next three years, as suggested in the guidelines, remains to be seen.


About Us

China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.

Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Russia, in addition to our trade research facilities along the Belt & Road Initiative. We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh.