
The China Quality Certification Centre (CQC) has announced a major expansion of its voluntary certification scope for smart home products in 2026. Effective April 1, 2026, new certification categories cover smart locks, smart sensors, IP cameras, smart lighting systems, and smart home hubs – with mandatory cybersecurity and interoperability testing. While CQC certification remains voluntary (unlike mandatory CCC), it is increasingly required by major Chinese retailers (JD.com, Tmall) and government procurement tenders. Understanding these CQC smart home certification changes is essential for manufacturers targeting China’s rapidly growing smart home market.
1. New Product Categories Added to CQC Smart Home Scope
The 2026 expansion adds five new product categories to the CQC smart home certification program (certification code 001048):
- Smart door locks: Including fingerprint, facial recognition, and Bluetooth-enabled locks. Testing now covers mechanical durability (100,000 cycles), electrical safety, and anti-picking requirements.
- Smart sensors: Motion, temperature/humidity, door/window contact, and smoke/gas sensors. New RF performance and battery life tests added.
- IP cameras for indoor/outdoor: Includes pan-tilt-zoom models. Testing adds cybersecurity (see section 3) and low-light image quality standards.
- Smart lighting systems: Controllable LED bulbs, strips, and luminaires with wireless connectivity (Wi-Fi, Zigbee, Bluetooth Mesh). Dimming stability and electromagnetic compatibility (EMC) are key tests.
- Smart home hubs/gateways: Devices that aggregate and control multiple smart endpoints. Added requirements for interoperability with multiple ecosystems (AliGenie, Xiaomi, HomeKit).
Existing CQC smart home categories (smart plugs, smart switches, thermostats) have also been updated with stricter requirements, particularly for standby power consumption (≤ 0.5W) and cybersecurity.
2. Mandatory Cybersecurity Testing for Connected Devices
The most significant change in the 2026 expansion is the inclusion of mandatory cybersecurity testing for any smart home product with network connectivity (Wi-Fi, Ethernet, cellular, or Bluetooth). The new CQC standard (CQC 1336-2026) is based on GB/T 35273 (personal information protection) and ETSI EN 303 645 (consumer IoT security). Key requirements include:
- No universal default passwords: Each device must have a unique password or require user‑set password during initial setup.
- Secure update mechanism: Firmware updates must be signed and encrypted; rollback protection is required.
- Vulnerability disclosure policy: Manufacturers must provide a public contact for security researchers and respond within 30 days.
- Data privacy: Any collection of personal data (location, biometrics, usage patterns) must be clearly disclosed and consent-based.
- Network resilience: Devices must not disrupt network operation even when compromised; rate limiting for login attempts is required.
Testing for cybersecurity involves both automated vulnerability scans and manual penetration testing by CQC-accredited labs. Lead times for cybersecurity assessment are currently 4-6 weeks, longer than traditional safety testing. Many manufacturers are now integrating secure boot and trusted execution environments (TEE) into their product designs to pass these tests.
3. New Interoperability Testing Standard (CQC 1337-2026)
Another unique addition for 2026 is interoperability testing for smart home products that claim compatibility with major Chinese ecosystems (Alibaba’s AliGenie, Xiaomi’s Mijia, Baidu’s DuerOS, or Huawei’s HarmonyOS). The new standard requires:
- Successful pairing, control, and status reporting with at least two reference ecosystem platforms (chosen by the manufacturer).
- Maximum response time of 3 seconds for local commands, 5 seconds for cloud commands.
- Stable reconnection after network interruption (Wi-Fi drop, power cycle).
- Consistent behavior across multiple concurrent users (for shared devices like smart locks).
Manufacturers that do not claim compatibility with any ecosystem can skip interoperability testing, but they will lose the “smart home certified” label. Most major brands now integrate with at least two platforms to access the full Chinese market.
4. Updated Electrical Safety and EMC Requirements
While cybersecurity is the headline, traditional safety and EMC standards have also been updated for smart home products:
- Standby power: GB 20943 now limits standby consumption to 0.5W for all connected smart devices. Previously, only certain product types had limits.
- Surge immunity (GB/T 17626.5): Smart home products connected to AC mains must withstand 4kV common mode, 2kV differential mode surges. Many low‑cost power supplies fail this test.
- Radiated emissions (GB/T 9254.2): Stricter limits for devices operating in 2.4GHz band (Wi-Fi, Zigbee) – maximum allowed -30 dBm/MHz for spurious emissions.
- Temperature rise under continuous operation: For devices with motors (e.g., smart blinds, smart locks), temperature must not exceed 50°C rise above ambient after 8 hours of continuous operation.
Manufacturers should request a gap analysis from their test lab to identify which updated standards apply to their specific product design. Pre-compliance testing is strongly recommended before formal CQC application.
5. Transition Periods and Certification Pathways
CQC has established staggered timelines for the 2026 expansion:
- April 1, 2026: New applications for the five expanded product categories must include cybersecurity and (if claimed) interoperability testing. Applications submitted before this date are processed under old rules.
- July 1, 2026: All existing CQC smart home certificates (issued before 2026) must be updated to include cybersecurity testing. Certificates not updated by this date will be suspended.
- October 1, 2026: Major e‑commerce platforms begin requiring cybersecurity test reports for new product listings. Full certification is not mandatory, but the security test report is.
- December 31, 2026: Final deadline for all smart home products sold in China (including offline retail) to have the updated CQC certification or equivalent provincial-level certification. After this date, uncertified products may be subject to market withdrawal orders.
For manufacturers with large product portfolios, CQC offers a “family model” certification where up to five similar models can be grouped under one application, provided they share the same core hardware and software platform. This reduces testing costs by 40-60%.
6. Testing Labs and Documentation Requirements
Only CQC-accredited laboratories with the new cybersecurity testing scope can perform the required tests. As of March 2026, nine labs have been accredited, including CQC itself, TÜV Rheinland Shanghai, and Intertek Guangzhou. Lead times for cybersecurity testing range from 4 to 8 weeks depending on lab workload.
Documentation requirements for CQC smart home certification now include:
- Source code review (partial): For cybersecurity assessment, labs may request up to 20% of the device firmware source code (or a binary analysis report) to verify no backdoors or known vulnerabilities.
- Network traffic capture: 48 hours of continuous network traffic logs showing communication with cloud servers (if applicable).
- Privacy policy in Chinese: A legally compliant privacy notice that aligns with China’s Personal Information Protection Law (PIPL), including data retention and deletion procedures.
- Manufacturing quality system certificate: ISO 9001 or equivalent is required for certification (not just for CCC).
Foreign manufacturers should prepare these documents early, especially the privacy policy, which often requires legal review by a China-based attorney.
7. Practical Compliance Roadmap for Manufacturers
To successfully obtain CQC certification for smart home products under the 2026 expanded scope, follow this five‑phase plan:
- Gap analysis (Week 1-2): Compare your product against the new cybersecurity, interoperability, and updated safety/EMC standards. Engage a CQC-accredited lab for a pre-assessment.
- Design modifications (Week 3-6): Address any gaps – add secure boot, improve encryption, replace weak power supplies, reduce standby power. For cybersecurity, consider hiring a specialized IoT security firm to perform a white-box audit.
- Pre‑testing (Week 7-8): Send samples to an accredited lab for preliminary cybersecurity and safety tests. Fix remaining issues.
- Formal application and testing (Week 9-14): Submit application through CQC’s online portal (English interface available). Provide all documents (translated into Chinese). The lab conducts final tests and issues report.
- Certificate issuance and maintenance (Week 15+): CQC issues certificate valid for 5 years. Annual follow-up inspections (remote allowed for low-risk categories) and quarterly sample testing (random) are required.
Total costs for full CQC smart home certification (including cybersecurity testing, safety/EMC, and lab fees) typically range from $12,000 to $25,000 per product family, depending on complexity. This is a significant investment, but it unlocks access to China’s $60 billion smart home market and is often required by major retailers.
Summary: CQC has significantly expanded its certification scope for smart home products in 2026, adding smart locks, sensors, cameras, lighting, and hubs, with mandatory cybersecurity and interoperability testing. Manufacturers must update their designs, pre‑test, and apply before the October 2026 e‑commerce deadlines. While certification remains voluntary, it is rapidly becoming a de facto requirement for market access. Early adopters will gain a competitive edge in China’s fast‑growing smart home ecosystem.