On September 26, 2024, a Notice of Proposed Rulemaking (NPRM) was published in the Federal Register to establish regulations that would generally prohibit the sale or import into the United States of certain “connected vehicles” integrating specific pieces of hardware and software, or those components sold separately, with a sufficient nexus to the People’s Republic of China (PRC) or Russia (the Proposed Rule).[1]  The Proposed Rule, which was issued by the U.S. Department of Commerce, Bureau of Industry and Security (BIS), follows an earlier Advanced Notice of Proposed Rulemaking (ANPRM) published on March 1, 2024 and addresses comments received in response to the ANPRM.[2]

The Proposed Rule covers two critical systems in “connected vehicles”: (1) Vehicle Connectivity Systems (VCS) and (2) Automated Driving Systems (ADS).  VCS includes connected components like Bluetooth, connectivity to cellular data and satellites, and Wi-Fi modules.  ADS includes any components that allow a highly autonomous vehicle to operate without a driver behind the wheel.

The Proposed Rule, if implemented, would generally prohibit:[3]

  1. VCS hardware importers from knowingly importing into the United States hardware for VCS that is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia;
  2. Connected vehicle manufacturers from knowingly importing into the United States completed connected vehicles that incorporate covered software, designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia;
  3. Connected vehicle manufacturers from knowingly selling in the United States completed connected vehicles that incorporate covered software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia; and
  4. Connected vehicle manufacturers who are persons owned by, or subject to the jurisdiction or direction of the PRC or Russia from knowingly selling in the United States completed connected vehicles that incorporate VCS hardware or covered software. 

The scope of vehicles covered by the Proposed Rule includes all wheeled on-road vehicles, but excludes vehicles not used on public roads, such as farm vehicles.  The software prohibitions, if implemented, would take effect starting in Model Year 2027, whereas the hardware prohibitions would take effect in Model Year 2030 (i.e., January 1, 2029).

Under the Proposed Rule, VCS hardware importers and connected vehicle manufacturers would have documentary compliance obligations even if they do not intend to engage in any transactions that may be prohibited.  Specifically, VCS hardware importers and connected vehicle manufacturers would be required to certify (at least on an annual basis, but whenever material changes occur) that they have not engaged in any prohibited transactions using a “Declaration of Conformity.”  Alternatively, if an importer or manufacturer intends to engage in otherwise prohibited transactions, certain general authorizations may be available for a narrow set of transactions, including in certain instances where imports are for testing purposes or minimal driving on public roads.  If no general authorization is available, VCS hardware importers and connected vehicle manufacturers could seek a specific authorization from BIS.

BIS is also proposing to implement an advisory opinion process through which BIS will provide guidance to VCS importers and connected vehicle manufacturers regarding whether a prospective transaction may be prohibited, as well as a process to inform, using “as-informed” letters, certain importers and manufacturers that a specific authorization may be required.

Violations of the prohibitions set forth under the Proposed Rule would be subject to criminal and civil penalties under the International Emergency Economic Powers Act (IEEPA).[4]

The White House issued a statement accompanying the NPRM explaining that the U.S. government is concerned that malicious access to these connected vehicle systems could allow adversaries to access and collect sensitive data and remotely manipulate cars.[5]

BIS issued the Proposed Rule pursuant to Executive Order (E.O.) 13873, which declared a national emergency under IEEPA with respect to the unusual and extraordinary threat posed to the Information and Communications Technology and Services (ICTS) supply chain by countries of concern.[6]

BIS is seeking public comment on the Proposed Rule until October 28, 2024.


[1] See Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 79088 (Sept. 26, 2024) (Notice of Proposed Rulemaking), https://www.federalregister.gov/d/2024-21903; Press Release, Commerce Announces Proposed Rule to Secure Connected Vehicle Supply Chains from Foreign Adversary Threats, U.S. Department of Commerce, Bureau of Industry and Security (BIS) (Sept. 23, 2024), https://www.bis.gov/press-release/commerce-announces-proposed-rule-secure-connected-vehicle-supply-chains-foreign.  The regulations will be codified in 15 C.F.R. Part 791 – Securing the Information and Communications Technology and Services Supply Chain, Subpart E (15 C.F.R. §§ 791.300-791.319, as amended).

[2] See Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 15066 (Mar. 1, 2024) (Advanced Notice of Proposed Rulemaking), https://www.federalregister.gov/d/2024-04382.

[3] See proposed 15 C.F.R. §§ 791.302 – 791.304 (defining prohibited VCS hardware transactions, prohibited covered software transactions, and related prohibited transactions).

[4] See proposed 15 C.F.R. § 791.314.

[5] See Press Release, Fact Sheet: Protecting America from Connected Vehicle Technology from Countries of Concern, The White House (Sept. 23, 2024), https://www.whitehouse.gov/briefing-room/statements-releases/2024/09/23/fact-sheet-protecting-america-from-connected-vehicle-technology-from-countries-of-concern/.

[6] See Executive Order 13873, Securing the Information and Communications Technology and Services Supply Chain (May 15, 2019), https://www.federalregister.gov/d/2019-10538.  Under E.O. 13873, BIS may issue regulations when transactions involving critical technologies (1) pose an undue or unacceptable risk of sabotage to or subversion of ICTS in the United States; (2) pose an undue risk of catastrophic effects on the security or resiliency of U.S. critical infrastructure or the digital economy of the United States; or (3) otherwise pose an unacceptable risk to the national security of the United States or the security and safety of U.S. persons.