GB 44495 Vehicle Cybersecurity Certification Process — From Project Kickoff to CCC Certificate

2026-07-01

Amendment No.1, published January 28, 2026, killed the old CSMS system certification stage and merged it into "information security assurance requirement" documentation review. If you've been using CSMS as your go-to term, it's time to pivot — submit materials with the old terminology and they'll bounce right back. Everything below uses the updated language.

A quick hit on the deadlines. For new model type approvals filed after July 1, 2026, cybersecurity compliance is a mandatory prerequisite for the CCC certificate. That ship has already sailed for new programs. Already-certified models must catch up by July 1, 2027. Existing in-production models have until January 1, 2028 for full compliance. Three lines in the sand. Each one firmer than the last.

The Six-Step GB 44495 Certification Process

Step 1: Gap Analysis

Hire a CMA-qualified testing body to run a clause-by-clause gap analysis against GB 44495. Three areas get the deepest scrutiny.

Vehicle-side security architecture. Does the TBOX have a hardware encryption module? Does the gateway have intrusion detection capability? Does the OTA upgrade channel have signature verification and anti-rollback? Missing hardware pre-embedding on any of these three probably means a hardware redesign.

Whether the "information security assurance requirements" are actually built and running. Vulnerability management processes, security incident response plans, supplier security management policies — this isn't about writing a document and filing it. You need operational records that prove the system is live.

The interface with other CCC domains. Do the homologation parameters — software version numbers, encryption chip model numbers — match the cybersecurity submission? Parameter mismatches between homologation filings and CCC filings are one of the most common rejection reasons.

Once the gap analysis report is out, the development team works through the gap list. The biggest time sink is national algorithm adaptation. If the TBOX hardware doesn't have SM2/SM3/SM4 acceleration modules pre-embedded, trying to run national algorithms through firmware alone usually doesn't cut it — actual tested encryption/decryption latency exceeds the standard threshold. Hardware replacement still ends up being the answer. Hardware changes cascade through homologation parameters, BOM, software baselines, and configuration management.

On parallel operations. Once the gap analysis is done and the system documentation draft is ready, you can pre-book a lab for exploratory pre-testing. No need to wait until every remediation item is closed to get in the queue. This can save one to two months of window time.

Step 2: Pre-Testing

Don't go straight to formal testing after remediation. Run a pre-test round first. Pre-test reports are for internal R&D reference only — they carry zero legal weight and cannot be used for CCC filing. Formal filing requires the complete CMA-stamped VTA report set from the testing body. Plenty of teams mix this up, submit pre-test reports as filing materials, and get rejected immediately.

Pre-testing can happen at the same testing body or a different one for cross-validation. Vehicle-level testing like OBD port security scanning and wireless communication packet capture must happen on site. Remote won't cut it.

Communication security, OTA security, and data security are the high-risk zones. These are also where pre-tests catch the most failures. Late 2026 through the July 1, 2027 cutoff is peak submission season. Top-tier labs charge 30% to 50% more for rush slots, but those slots compress the testing cycle — a controllable timeline lever.

What a good pre-test round actually looks like. You send the vehicle in with the full test plan, run every item that will appear in formal VTA, and treat every finding as if it's a formal failure. The OBD security scan finds the diagnostic firewall lets through three unauthorized commands. You fix them. The OTA signature check flags that the rollback protection only checks major version numbers, not minor. You fix that too. You don't leave anything for the formal round to catch. Pre-test is your last chance to fail cheap.

Step 3: Application Submission

Submit the product certification application to CQC. Here's where a lot of teams stumble. Incomplete materials, no acceptance. Four items are non-negotiable. Complete risk assessment (TARA) report. Full set of supply chain security agreements. Chinese translations of foreign-language materials with certified translation agency stamps. For imported vehicles, the UN R155 equivalence assessment report.

The vehicle configuration in the application materials must match the test vehicle exactly. Software version numbers, ECU hardware part numbers, TBOX model. Write down configuration A and submit vehicle B — CQC sends it straight back and you re-enter the queue.

Step 4: Formal VTA Testing

VTA testing splits into three blocks. Cybersecurity assurance requirement review. Cybersecurity basic requirement testing. Cybersecurity technical requirement testing. All three blocks, full coverage. Nothing is skippable.

Penetration testing is mandatory. The testing body's penetration team runs a comprehensive probe of the vehicle attack surface against the CMA-stamped test plan. TBOX, gateway, IVI, OBD port, USB port — highest priority attack entry points. Critical vulnerabilities found must be remediated and pass retesting, with the complete stamped documentation package filed.

The gap between passing on the first round and going through three rounds of remediation can be one to two months. National algorithm performance and OTA signature verification are the most frequent failure zones.

Step 5: Factory Audit

After VTA passes completely and formal qualified reports are in hand, the certification body schedules an on-site factory audit. The auditor looks at three things. Whether the cybersecurity management system is actually live and producing records. Whether supplier security agreements are signed one by one and current. Whether cybersecurity-critical component controls on the production line are implemented and traceable.

Factory audits run together with the vehicle CoP audit. No separate cybersecurity-only audit session.

Step 6: CCC Certificate Issuance

Testing reports and factory audit report both complete, CQC review passes, and the cybersecurity compliance record gets embedded into the vehicle CCC certificate. Issued together with the full vehicle certificate. One more time for clarity. There is no separate standalone GB 44495 certificate. Cybersecurity compliance is a technical clause within the vehicle CCC certificate.

Side note on components. A TBOX supplier cannot independently go through the full GB 44495 certification process. They can only submit technical records supporting the vehicle OEM. No independent certification pathway exists for components.

  Ongoing Obligations After Certification

Annual CoP surveillance. The Conformity of Production control plan must include a dedicated cybersecurity management section. Missing it or failing to execute on it means an instant non-conformity.

Change filing. Swapping a TBOX supplier or model, changing a communication module, modifying national algorithm implementation, major-version gateway software architecture upgrades — all require filing and partial retesting to update certificate parameters. Exterior and interior changes that don't touch electronic control units don't need filing.

Security incident reporting. High-risk cybersecurity vulnerabilities or connected-vehicle attack incidents must be reported in writing to CQC within 15 working days, with complete remediation closure materials. Missing the deadline is automatically classified as a major non-conformity and triggers certificate suspension. This deadline is absolute. No retroactive filing.

Document archiving. Records must be retained until ten years after model discontinuation. Electronic archives need off-site multiple backups with multi-dimensional search capability. Local single-machine storage that can't quickly pull historical records gets flagged as a non-conformity at annual audit.

CCC certificate renewal at the five-year mark. If GB 44495 released amendments or added test conditions during that five-year window, VTA supplementary retesting is mandatory. Fail the retest, no renewal.


Need help navigating the GB 44495 certification process for your vehicle program? Contact BlueAsia Testing's certification consultants at +86 13632500972 (Benson).