Standard GB 44495 certification takes 3~5 months for medium-complexity vehicle from project launch to final MIIT announcement filing completion. Total timeline fluctuates significantly, possibly doubling due to vehicle intelligent configuration, internal document preparation maturity, mandatory paired GB44496 OTA testing and applicant’s procedural familiarity. The No.1 Amendment allows parallel information security system audit and vehicle bench testing delivering much larger cycle optimization than most manufacturers expect.
Phase1: Pre-Project Gap Analysis
·Basic non-connected fuel vehicle: 1-week completion
·Regular mid-range smart connected passenger car: 2~3 weeks
·High-end multi-domain control vehicle with V2X and self-developed OTA framework: up to 4 weeks
Many OEMs skip gap analysis to send samples directly for official testing which is highly inadvisable. Post-gap-analysis preliminary bench pre-check scans all external vehicle interfaces closing unused debug ports, correcting default insecure access credentials and invalidating plaintext key configuration. A 2~3-day pre-inspection drastically shortens subsequent official rectification cycle by over 50%.
Phase2: Design Rectification & Technical Dossier Compilation (3~8 weeks, main timeline divergence stage)
Two core document packages need full preparation:
·Technical Documentation: Whole-vehicle network topology drawing, cybersecurity protection specification, external interface inventory, OTA upgrade scheme and vehicle data privacy management document.
·Compliance System Files (renamed from original CSMS post amendment): Full-lifecycle risk assessment report and upstream supply chain conformity declaration covering component supplier security qualification proof.
Rectification workload depends entirely on prior gap analysis thoroughness: In-depth early vulnerability identification limits modification scope to minor optimization such as access permission adjustment and cryptographic algorithm upgrade from MD5 to SM4/SHA-256. Skipped pre-analysis often leads to core architecture overhaul extending rectification period over 3 months.
Phase3: On-Site Official Laboratory Testing (2~5 weeks)
Two preconditions before sample delivery: Test vehicle maintains mass-production specification without prototype engineering modification; spare critical components including T-BOX, IVI host and gateway controller are prepared for replacement during accidental hardware damage in testing.
Official lab conducts verification against four core cybersecurity defense layers plus mandatory full-vehicle penetration testing (100% full inspection enforced starting July 1 instead of random sampling previously). Project schedule delay often arises from penetration test lab resource shortage and appointment backlog; manufacturers must confirm penetration testing capability of designated accredited lab beforehand. Most projects complete two rounds of testing: initial vulnerability identification + corrective redesign + secondary validation inspection.
Phase4: Test Report Issuance & MIIT Filing (1~3 weeks)
Accredited lab releases official stamped test report permanently valid for matching announcement vehicle; supplementary partial retest is required only when core T-BOX, OTA or communication architecture is substantially revised. Complete document set including test report, system compliance files and technical dossiers is submitted onto MIIT equipment management platform to finish announcement approval.
OTA-enabled vehicles require synchronous GB44496 certification sharing identical test vehicle and lab resource; complete full-function multi-ECU OTA triggers additional 2~4 weeks testing cycle while simple partial-component OTA only adds around one week inspection duration.
Overall Certification Timeline Summary
Gap analysis: ~2 weeks | Rectification + document drafting:1~2 months | On-site formal testing:~1 month | Government filing:~2 weeks → Total standard cycle:3~5 months.Brand-new domain-control architecture, newly-adopted unqualified component suppliers and proprietary customized OTA protocol may prolong total cycle beyond 6 months; mature standardized platform with pre-certified upstream suppliers shortens whole project to roughly 3 months.
Blueasia optimizes full certification timeline via early gap analysis, in-house pre-test vulnerability screening, customized corrective solution drafting and priority accredited lab appointment arrangement for MIIT announcement testing. Contact Blueasia expert consultant:13534225140
Related News
