The cybersecurity compliance record isn't a standalone certificate. It's a technical clause embedded in the vehicle CCC certificate. Validity period, annual audits, renewal, suspension, revocation — every one of these rules follows the vehicle CCC certificate. There's no separate timeline, no separate renewal process, no separate annual fee.
A lot of companies kick off projects thinking they need a separate cybersecurity certificate, separate renewal, separate annual payments. That understanding is wrong from the ground up.
Vehicle CCC certificates have a statutory five-year validity period starting from the issuance date. At the five-year mark, renewal must be applied for. No automatic extension exists.
During those five years, mandatory annual factory surveillance audits — CoP audits — run every year. CoP audits bundle the whole vehicle. Nobody schedules a separate cybersecurity session. The auditor comes on site and randomly spot-checks. Cybersecurity assurance system operational status. Security incident handling and closure over the past year. Supplier security agreement update status.
If the cybersecurity system went dormant after certification — no security incident records all year, no emergency drills, supplier security agreements expired en masse — the auditor writes a major non-conformity. Major non-conformities trigger certificate suspension. During suspension, the vehicle model cannot be produced, cannot leave the factory, cannot be sold, cannot be registered, cannot be imported. The entire chain locks. Dealer inventory becomes unsellable stock. Reinstating the certificate requires completing remediation and passing a re-audit. The losses between suspension and reinstatement go way beyond audit fees.
Change Filing — What Needs Reporting
Cybersecurity changes split into two tiers. Minor changes and major changes.
Minor changes — HMI text modifications, security reminder copy optimization in the user interface. File a change description for record. No retesting needed.
Major changes must be filed and go through partial VTA retesting. This covers TBOX supplier or model changes, communication module changes, encryption chip changes or national algorithm implementation modifications, and major-version gateway software architecture upgrades. These changes go through a change assessment body review. Confirmation that security protection levels haven't been lowered is required before certificate parameters can be updated.
Pure exterior and interior changes — seat fabric swaps, body color changes, decorative trim additions — not involving electronic control unit replacement. No cybersecurity filing needed.
Component suppliers doing internal upgrades without notifying the OEM — if the annual surveillance audit catches it, the liability sits entirely on the OEM. This is why the security responsibility agreement with suppliers must explicitly require advance written notification to the OEM for any hardware or software changes affecting cybersecurity functions.
What Triggers Certificate Suspension or Revocation
Beyond annual audit major non-conformities, several other situations trigger immediate certificate suspension.
Market spot-checks finding that sold vehicles' cybersecurity configurations don't match certificate parameters. Certificate suspended. Retrospective remediation covering all sold units of that model required.
High-risk cybersecurity vulnerabilities or connected-vehicle attack incidents. Must be reported in writing to CQC within 15 working days with complete remediation closure materials. Missing the deadline is automatically classified as a major non-conformity and triggers certificate suspension. This deadline is absolute. Retroactive filing does not exist as an option.
Two consecutive annual audits with major non-conformities not remediated. Certificate revoked. Revocation is much more severe than suspension. Suspension can be lifted. Revocation means the certificate is void. That vehicle model must restart the entire certification process from scratch to re-enter the market.
Renewal Process and Supplementary Testing
Renewal application starts 90 days before the five-year expiry date. Renewal is not a rubber stamp. The certification body reviews all five years of surveillance records, change filing records, and security incident records for that model. Unclosed non-conformities or suspension history means a tougher renewal review.
One easily overlooked rule. During the five-year validity period, if GB 44495 issued amendments or added test conditions, supplementary VTA retesting is mandatory at the renewal stage. Fail the retest, no renewal.
Under the current Amendment No.1 transition period, existing model renewals all need terminology update verification and new test item checks. Renewal passes, new certificate issued, new five-year period starts the day after the old certificate expires. If the renewal application is submitted late and the old certificate expires while the new one hasn't been approved, the vehicle cannot be legally sold during that gap period.
This gap-period risk is worth taking seriously. If your certificate expires June 30 and the renewal isn't approved until August 15, every vehicle produced, shipped, or sold in that six-week window is technically non-compliant. Dealers can't register them. Customers can't plate them. The recall and remediation logistics alone would dwarf whatever you saved by not starting the renewal 90 days early. Start early. There's no prize for cutting it close.
Amendment No.1 Transition Period
The January 28, 2026 amendment. Already-certified models with valid certificates remain valid. No re-application needed for terminology changes. But at the next annual audit, the auditor checks whether enterprise policy documents have replaced CSMS system certification with information security assurance requirements, and whether the old inspection term has been updated. Documents not updated get a corrective action recommendation with a deadline.
Which Vehicles Are Exempt From These Rules
Not all vehicles are subject to this framework. The following categories get full exemption. No certificate validity. No annual surveillance. No change filing obligations.
L-category motorcycles. Special-purpose vehicles operating only within factory or port premises, not on public roads. Vehicles with zero ECUs, zero communication modules, zero OTA upgrade channels — no electronic control units means no cybersecurity attack surface.
O-category trailers need separate determination. After Amendment No.1, all O-category trailers are fully exempt regardless of electronic equipment. The old rule about trailers with EBS or smart TPMS requiring compliance is gone.
Special Rules for Imported Vehicles
Imported vehicles that used UN R155 equivalence assessment to reduce initial system build requirements cannot substitute overseas system documentation for domestic requirements during annual audits. Every year for the full five-year validity period, the auditor still checks domestic cybersecurity assurance documentation and national algorithm implementation records.
Document Archiving Requirements
All system policies, test reports, change records, component firmware ledgers — retained until ten years after model discontinuation. Electronic archives must have off-site multiple backups with multi-dimensional search capability. Local single-machine storage that can't quickly retrieve historical records gets flagged as a non-conformity at annual audit.
What "multi-dimensional search capability" means in practice. If the auditor asks for the vulnerability scan report from March 2029 for model XYZ, you need to find it without opening fifteen folders manually. If the auditor asks for all supplier security agreements signed between January 2028 and December 2030, you need to pull that list in under a minute. If your archiving strategy is a shared folder called "Certification Docs" with 400 subfolders named by whoever saved the file, start planning a proper document management system now. The ten-year retention window means the person who created those files probably left the company years before the archive requirement expires.
Export-to-Domestic Conversions and Used Vehicle Re-imports
Export-specification vehicles re-imported for domestic sale. Original export certificates cannot substitute for domestic GB 44495 compliance. Must re-apply for a domestic CCC certificate as an independent new model. The cybersecurity portion starts from scratch.
Overseas-returned used vehicles similarly need cybersecurity assurance system effectiveness re-confirmation. During overseas use, the vehicle may have received software updates from overseas markets — those operation records fall outside domestic standard requirements.
Need guidance on GB 44495 certificate maintenance, annual surveillance preparation, or renewal planning? Contact BlueAsia Testing's certification consultants at +86 13632500972 (Benson).
相关新闻