---
title_en: "Notice of the Ministry of Industry and Information Technology on Strengthening the Cybersecurity and Data Security of the Internet of Vehicles"
title_zh: "工业和信息化部关于加强车联网网络安全和数据安全工作的通知"
hierarchy: "rule"
issuing_body: "Ministry of Industry and Information Technology"
adopted_date: 2021-09-15
effective_date: 2021-09-15
status: "effective"
related_laws: ["dsl", "csl"]
domains: ["industrial", "data-security"]
url: https://datacompliancechina.com/laws/iov-cybersecurity-data-security-notice/
summary: "This Notice sets out MIIT's consolidated cybersecurity and data security requirements for the Internet of Vehicles (IoV) ecosystem, covering intelligent connected vehicle manufacturers, IoV service-platform operators and related parties. It addresses vehicle network security, vulnerability management, IoV network and communications security, monitoring and emergency response, MLPS grading and filing, platform security, OTA upgrade security, data classification and grading, data security technical safeguards, and cross-border data transfer. Issued as MIIT Cyber Security [2021] No. 134 and effective September 15, 2021."
---

> **Source: Data Compliance China** — https://datacompliancechina.com/laws/iov-cybersecurity-data-security-notice/ · English rendering and annotations by DCC; the Chinese original governs. Cite as: Data Compliance China, "Notice of the Ministry of Industry and Information Technology on Strengthening the Cybersecurity and Data Security of the Internet of Vehicles", https://datacompliancechina.com/laws/iov-cybersecurity-data-security-notice/
**Promulgated by:** Ministry of Industry and Information Technology.  
**Document No.:** MIIT Cyber Security [2021] No. 134.  
**Issued and effective September 15, 2021.**

---

To the industry and information technology authorities of all provinces, autonomous regions and municipalities directly under the Central Government, and the Xinjiang Production and Construction Corps; the communications administrations of all provinces, autonomous regions and municipalities directly under the Central Government; China Telecom Corporation Limited, China Mobile Communications Group Co., Ltd., and China United Network Communications Group Co., Ltd.; the relevant intelligent connected vehicle manufacturers and IoV service-platform operators; and the relevant standardization technical organizations:

The Internet of Vehicles (IoV) is an emerging industrial form arising from the deep integration of new-generation network communication technology with the automotive, electronics, road transport and other fields. An intelligent connected vehicle is a new-generation vehicle equipped with advanced on-board sensors, controllers, actuators and other devices, integrating modern communication and network technologies, achieving intelligent information exchange and sharing among vehicles, roads, persons, the cloud and the like, possessing functions such as complex environment perception, intelligent decision-making and coordinated control, and capable of "safe, efficient, comfortable and energy-saving" driving. As the industry develops rapidly, the security risks of the IoV are becoming increasingly prominent, and the IoV security assurance system urgently needs to be improved and refined. In order to advance the implementation of the Development Plan for the New Energy Vehicle Industry (2021-2035) and strengthen the cybersecurity and data security management of the IoV, the relevant matters are hereby notified as follows:

## I. Basic Requirements for Cybersecurity and Data Security

**(I) Implement primary security responsibility.** Relevant enterprises shall establish cybersecurity and data security management systems, clarify the persons responsible and the management body, and implement cybersecurity and data security protection responsibilities. They shall strengthen internal supervision and administration, increase resource assurance, and promptly discover and resolve security hazards. They shall strengthen cybersecurity and data security publicity, education and training.

**(II) Comprehensively strengthen security protection.** Relevant enterprises shall take management and technical measures, and, in accordance with the relevant IoV cybersecurity and data security standards, strengthen the security protection of vehicles, networks, platforms and data, monitor, prevent and promptly dispose of cybersecurity risks and threats, ensure that data is in a state of effective protection and lawful utilization, and safeguard the secure and stable operation of the IoV.

## II. Strengthening the Security Protection of Intelligent Connected Vehicles

**(III) Ensure vehicle network security.** Intelligent connected vehicle manufacturers shall strengthen the cybersecurity architecture design of the whole vehicle. They shall strengthen the communication security assurance of in-vehicle systems, reinforce measures such as security authentication, domain isolation and access control, and prevent attacks such as spoofing, replay, injection and denial of service. They shall strengthen the security protection and security testing of key devices and components such as the in-vehicle information interaction system, the automotive gateway and electronic control units. They shall strengthen the access and authority management of the on-board diagnostic (OBD) interface, the universal serial bus (USB) port, the charging port, and the like.

**(IV) Implement security-vulnerability management responsibility.** Intelligent connected vehicle manufacturers shall implement the relevant requirements of the Provisions on the Management of Network Product Security Vulnerabilities, and clarify the enterprise's work procedures for discovering, verifying, analyzing, repairing and reporting vulnerabilities. Upon discovering or learning of a vulnerability in a vehicle product, the manufacturer shall immediately take remedial measures and report the vulnerability information to the MIIT cybersecurity threat and vulnerability information sharing platform. Where it is necessary for users to take measures such as software or firmware upgrades to repair a vulnerability, the manufacturer shall promptly inform the potentially affected users of the vulnerability risk and the repair method, and provide the necessary technical support.

## III. Strengthening IoV Network Security Protection

**(V) Strengthen the security protection capability of IoV network facilities and network systems.** Relevant enterprises shall strictly implement the requirements of graded cybersecurity protection, strengthen the asset management of network facilities and network systems, reasonably divide cybersecurity domains, strengthen access control management, ensure network boundary security protection, and take technical measures to guard against trojans, viruses, cyberattacks, network intrusions and other conduct that endangers IoV security. They shall, on their own or by entrusting testing institutions, regularly carry out cybersecurity compliance testing and risk assessment, and promptly eliminate risks and hidden dangers.

**(VI) Ensure IoV communications security.** Relevant enterprises shall establish IoV identity authentication and security trust mechanisms, strengthen the secure communication capabilities of on-board communication equipment, roadside communication equipment, service platforms, and the like, take necessary technical measures such as identity authentication and encrypted transmission, prevent security risks such as forgery of communication information, data tampering and replay attacks, and safeguard the communication security of vehicle-to-vehicle, vehicle-to-road, vehicle-to-cloud, vehicle-to-device and other scenarios. Relevant enterprises and institutions are encouraged to access the MIIT IoV security trust root management platform, and to jointly promote cross-model, cross-facility and cross-enterprise interconnection, mutual recognition and interoperability.

**(VII) Carry out IoV security monitoring and early warning.** The State shall strengthen the development of the IoV cybersecurity monitoring platform, and carry out the monitoring, early warning and notification of cybersecurity threats and incidents, and security assurance services. Relevant enterprises shall establish cybersecurity monitoring and early-warning mechanisms and technical means, carry out cybersecurity-related monitoring of intelligent connected vehicles, IoV service platforms and connected systems, promptly discover cybersecurity incidents or abnormal behavior, and retain the relevant network logs for not less than 6 months in accordance with provisions.

**(VIII) Carry out IoV security emergency response.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall establish cybersecurity emergency response mechanisms, formulate contingency plans for cybersecurity incidents, regularly conduct emergency drills, and promptly dispose of cybersecurity risks such as security threats, cyberattacks and network intrusions. Upon the occurrence of an incident endangering cybersecurity, they shall immediately activate the contingency plan, take corresponding remedial measures, and report to the relevant competent authorities in accordance with the Contingency Plan for Public Internet Cybersecurity Emergencies and other provisions.

**(IX) Carry out IoV cybersecurity protection grading and filing.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall, in accordance with the relevant IoV cybersecurity protection standards, carry out cybersecurity protection grading of their network facilities and systems, and file with the communications administration of the province (region or municipality) where they are located. For newly built network facilities and systems, the cybersecurity protection grade shall be determined at the planning and design stage. The communications administrations of the provinces (regions and municipalities) shall, together with the industry and information technology authorities, carry out the review of grading and filing.

## IV. Strengthening the Security Protection of IoV Service Platforms

**(X) Strengthen platform cybersecurity management.** IoV service-platform operators shall take necessary security technical measures to strengthen the access security of platforms for intelligent connected vehicles, roadside equipment and the like, the facility security of platform hosts, data storage systems and the like, and the application security protection capabilities of resource management, service access interfaces and the like, so as to prevent security risks such as network intrusion, data theft and remote control. Where telecommunications business such as online data processing and transaction processing or information services business is involved, a telecommunications business operation license shall be obtained in accordance with the law. Where a platform is determined to be critical information infrastructure, the operator shall implement the relevant provisions of the Regulation on the Security Protection of Critical Information Infrastructure, use commercial cryptography for protection in accordance with relevant State standards, and, on its own or by entrusting a commercial cryptography testing institution, carry out a commercial cryptography application security assessment.

**(XI) Strengthen over-the-air (OTA) upgrade-service security and vulnerability testing and assessment.** Intelligent connected vehicle manufacturers shall establish a security verification mechanism for OTA upgrade software packages, and use secure and trusted software. They shall carry out cybersecurity testing of OTA upgrade software packages and promptly discover product security vulnerabilities. They shall strengthen the security verification capabilities of the OTA upgrade service, take technical measures such as identity authentication and encrypted transmission, and safeguard the cybersecurity of the transmission environment and the execution environment. They shall strengthen cybersecurity monitoring and emergency response throughout the OTA upgrade-service process, regularly assess the cybersecurity status, and prevent cybersecurity risks such as software forgery, tampering, destruction, leakage and virus infection.

**(XII) Strengthen application security management.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall establish security management systems for the development, launch, use and upgrade of IoV applications, and enhance the security capabilities of applications such as identity authentication, communications security and data protection. They shall strengthen IoV application security testing, promptly dispose of security risks, and prevent attacks and propagation by malicious applications.

## V. Strengthening Data Security Protection

**(XIII) Strengthen data classification and grading management.** In accordance with the principle of "whoever is in charge is responsible, whoever operates is responsible," intelligent connected vehicle manufacturers and IoV service-platform operators shall establish data management ledgers, implement data classification and grading management, and strengthen the protection of personal information and important data. They shall regularly carry out data security risk assessments, strengthen the investigation and rectification of hidden dangers, and file with the communications administration and the industry and information technology authority of the province (region or municipality) where they are located. The communications administration and the industry and information technology authority of the province (region or municipality) where they are located shall supervise and inspect the enterprises' performance of data security protection obligations.

**(XIV) Enhance data security technical assurance capabilities.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall collect data by legal and legitimate means, take effective technical protection measures throughout the data lifecycle, and prevent risks such as data leakage, destruction, loss, tampering, misuse and abuse. Relevant enterprises shall strengthen the development of data security monitoring, early-warning and emergency-response capabilities, and enhance their capabilities in abnormal-flow analysis, monitoring of non-compliant cross-border transmission, and traceability of security incidents; they shall promptly dispose of data security incidents, report relatively major or more serious data security incidents to the communications administration and the industry and information technology authority of the province (region or municipality) where they are located, cooperate in the conduct of relevant supervision and inspection, and provide the necessary technical support.

**(XV) Standardize data development, utilization, sharing and use.** Intelligent connected vehicle manufacturers and IoV service-platform operators shall reasonably develop and utilize data resources, and prevent infringement of users' rights to privacy and to be informed when using automated decision-making technology to process data. They shall clarify the security management and responsibility requirements for data sharing and development and utilization, review and assess the data security protection capabilities of data partners, and supervise and administer the sharing and use of data.

**(XVI) Strengthen cross-border data transfer security management.** Where intelligent connected vehicle manufacturers and IoV service-platform operators need to provide important data collected and generated within the territory of the People's Republic of China to overseas parties, they shall conduct a data export security assessment in accordance with the law and file with the communications administration and the industry and information technology authority of the province (region or municipality) where they are located. The communications administrations of the provinces (regions and municipalities) shall, together with the industry and information technology authorities, carry out work such as data export filing and security assessment.

## VI. Improving the Security Standards System

**(XVII) Accelerate the development of IoV security standards.** The compilation of guidelines for the development of the IoV cybersecurity and data security standards system shall be accelerated. The China Communications Standards Association, the National Technical Committee of Auto Standardization, and the like, shall accelerate the organization and formulation of standards and specifications, and related testing, assessment and certification standards, for IoV protection grading, service-platform protection, vehicle vulnerability classification and grading, communication-interaction authentication, data classification and grading, incident emergency response, and the like. Relevant enterprises and social organizations are encouraged to formulate enterprise standards and group standards with technical requirements higher than national or industry standards.

This Notice is hereby issued.

Ministry of Industry and Information Technology

September 15, 2021
