Background: In December 2025, MIIT issued the 1st Amendment to GB 44495-2024, revising “cybersecurity management system requirements” to “cybersecurity assurance requirements”. This shifts audit focus from system compliance to practical vehicle cybersecurity assurance capabilities.
A common misunderstanding: confusing internal working documents with official submission materials. Below are the core documents for regulatory submission.
Core Submission Documents
· Full-lifecycle risk assessment report (TARA): Mandatory core document, covering threat identification, risk evaluation, and corresponding measures tailored to the model.
· Cybersecurity assurance requirements document: Replaces cybersecurity management system files post-amendment. ISO 27001 certificates are not mandatory, but evidence of risk control, vulnerability response, and change management capabilities is required.
· Supply chain security compliance declaration: New requirement post-amendment, confirming management of critical suppliers (T-BOX, OTA, autonomous driving components).
· Vehicle cybersecurity test report: Issued by qualified third-party institutions.
· Vehicle technical documents: Network architecture diagrams, security function descriptions, OTA mechanism specifications, etc.
Documents NOT Required for Submission
Detailed vulnerability response procedures, change evaluation records, and full internal cybersecurity management systems. These are post-launch operation obligations, not submission materials.
2. Key Requirements for Core Documents
Risk Assessment Report (TARA)
Generic templates are invalid; content must match the model’s actual configuration (T-BOX, OTA, autonomous driving functions). Threat analysis must align with real attack surfaces.
Vehicle Technical Documents
Each security requirement must correspond to implementation descriptions, which must match test conclusions:
· OTA security: Specify signature verification, key storage, and failure handling.
· Network architecture: Provide clear domain division, connection diagrams, and isolation mechanisms.
· Access control: Define external interface permissions and diagnostic authentication logic.
Explicitly state “function not applicable” for unsupported features (e.g., V2X) instead of omitting them.
Supply Chain Compliance Declaration
Focus on critical suppliers; full supplier documentation is not required. Attaching security agreements for key suppliers strengthens compliance.
3. GB 44495 Certification Validity
· Certificate validity: GB 44495 certificates are valid for 3 years, with annual surveillance audits. Non-compliance may result in suspension or revocation.
· Document & report validity: Tied to vehicle status. Re-assessment/testing is required for network architecture changes, T-BOX/OTA supplier replacements, encryption mechanism modifications, etc.
· Document storage obligation: Retain all GB 44495 documents for at least 10 years after model discontinuation.
BLUEASIA provides full-process technical support for GB 44495, including gap analysis, document compilation, review, and testing agency. Contact: +86 13534225140