It’s been nearly three years since UNECE WP.29 regulations came into force for new vehicle types in Europe, and the global ripple effect is in full motion. WP.29 laid the groundwork for how cybersecurity is handled across the automotive lifecycle – from design and development through post-production and updates.

But what’s happening beyond Europe?

India: AIS 189 and a Push for Local Compliance

India is moving forward with AIS 189, its variant of the WP.29 Cybersecurity and Software Update Regulations. While similar in intent – securing vehicles against cyber threats – AIS 189 puts a distinctly local lens on compliance. The focus is not only on automotive OEMs but also Tier 1 and Tier 2 suppliers, ensuring the entire supply chain is aligned.

Indian regulators are also pushing for alignment with ISO/SAE 21434, another key standard referenced in WP.29. The message is clear: cybersecurity is not optional, and it must be demonstrable through proper Cybersecurity Management Systems (CSMS) and Software Update Management Systems (SUMS).

China: GB Standards for Automotive Cybersecurity

In China, the regulatory approach is framed under the GB/T standards, which translate many of the WP.29 principles into national compliance requirements. Chinese authorities are known for their strict data residency and privacy rules, and those principles are embedded in their cybersecurity expectations for vehicles.

What’s particularly interesting is how China’s interpretation leans heavily into threat modelling and post-market monitoring – areas that require not just compliance paperwork, but real, automated capability across the vehicle’s lifetime. There’s an increasing emphasis on PKI automation, certificate lifecycle management, and zero trust architectures to address long-term compliance.

The Common Thread: Continuous Cybersecurity Across the Vehicle Lifecycle

Whether it’s WP.29 in Europe, AIS 189 in India, or GB/T standards in China, the challenge is the same – how to ensure end-to-end IoT security for connected vehicles, from the factory to the road.

All three frameworks require OEMs and suppliers to:

• Monitor threats and vulnerabilities in real time
• Manage secure over-the-air updates
• Prove compliance with auditable systems and processes
• Maintain long-term trust through identity, authentication, and secure communications

Same Problem, Different Names

The labels may change depending on geography – WP.29, AIS 189, GB/T – but the underlying challenges are consistent: connected vehicles must be secured by design, by default, and throughout their lifecycle.

Device Authority, along with our partners Microsoft and CyberArk, delivers automated, scalable cybersecurity solutions that help you meet these global automotive cybersecurity standards.

From certificate management and key provisioning to secure update delivery and compliance reporting, we make it easier to meet regulations and keep your vehicles safe and secure.