There is no official, rigid flowchart for GB 44495 (“Technical Requirements for Cybersecurity of Automobiles”) certification steps and timelines, as the process is highly dependent on an enterprise’s existing foundation and preparation. However, combining standard requirements and industry practices, we can outline a clear, practical roadmap and key milestones.
The entire certification follows the logic of “first system, then product; dual-track parallel, final integration.” You can think of it as obtaining two “passes.”
Step 1:Obtain the Enterprise “Management Pass” (CSMS Certification)
This is the foundation, aiming to certify whether your company has established a qualified “Automotive Cybersecurity Management System.”
1.Gap Analysis and System Establishment: Assess cybersecurity gaps in existing R&D, production, and after-sales processes against the standard, and develop or refine management system documentation. This is the most resource-intensive phase, taking 2-4 months.
2.System Operation and Internal Audit: The new system must be operational for a period (typically 1-3 months) with a completed internal audit to demonstrate effectiveness.
3.Certification Body Audit: Engage a CNCA-approved certification body for on-site auditing. Upon approval, you will receive the CSMS certification certificate. The formal audit and certification process typically takes 1-2 months.
Step 2: Obtain the Vehicle Model “Product Pass” (VTA Certification)
This certifies the specific model’s technical security capabilities. Theoretically, it can be prepared in parallel with Step 1 but can only be finalized after CSMS certification.
1.Vehicle Threat Analysis and Test Preparation: Conduct detailed threat analysis and risk assessment for the target model, and prepare test samples and documentation. Takes 1-2 months.
2.Laboratory Testing: Submit vehicles to qualified testing laboratories for full GB 44495 compliance testing. This is a technically complex core phase, typically taking 2-4 months.
3.Certification Body Audit and Certification: The certification body reviews test reports and all documentation, ultimately issuing the VTA certification certificate for the model. This phase takes 1-2 months.
Overall GB 44495 Certification Timeline & Key Planning
For enterprises starting from scratch and certifying a single model, the total cycle (CSMS + VTA) typically ranges from 6 to 12 months. Enterprises with existing foundations (e.g., ISO 21434 compliance) can significantly shorten this timeline.
Mandatory Regulatory Milestones to Monitor:
·January 1, 2026: All new models applying for type approval must meet GB 44495 requirements.
·July 1, 2027: All existing models with type approval must comply.
Core Recommendation:
Start immediately and reserve sufficient buffer time. Do not wait until late 2025. The wise approach is to contact certification bodies now to launch pre-assessment or gap analysis projects. BLUEASIA can develop a precise project timeline for you.
We hope this practical roadmap—integrating GB 44495’s framework and industry experience—helps you plan your content. If you can specify the target audience (e.g., automakers, component suppliers) or specific pain points, contact BLUEASIA at +86 13534225140 for professional certification consulting services.
Related News
