On September 23, 2024, the Bureau of Industry and Security (BIS)
issued a proposed rule that would prohibit the
importation and sale of certain connected vehicle hardware or
software that has been developed, manufactured, or supplied by
entities subject to influence by the Chinese or Russian
governments. The proposed rule was issued pursuant to Executive Order 13873, which authorizes the
Department of Commerce to regulate certain transactions involving
U.S. information and communication technology and services (ICTS),
critical infrastructure, and digital economy that pose unacceptable
or undue risks. The proposed rule follows a March 1, 2024 advanced
notice of proposed rulemaking (ANPRM), which sought public comment
on connected vehicle risks.
The proposed rule would generally prohibit certain transactions
involving hardware and software on vehicle connectivity systems
(VCS), which is defined as an item on a connected vehicle that can
transmit, receive, convert, or process radio frequency
communications over 450 megahertz, as well as software for
automated driving systems (ADS). Because BIS proposes to define
connected vehicles to include passenger vehicles and commercial
vehicles that are manufactured for use on public streets, roads,
and highways, the proposed rule is expected to have a broad effect
on automobile and parts manufacturers.
Prohibited Transactions
The import or sale of "VCS hardware" and "covered software" that is "designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to jurisdiction or direction of" the People's Republic of China (PRC) or Russian Federation (Russia) would be prohibited under the proposed rule. "VCS hardware" and "covered software" are defined as follows:
- VCS hardware: components or subcomponents supporting vehicle connectivity systems, or a part of an item supporting such systems
- Covered software: software-based components, in which there is any foreign interest, executed by VCS or ADS at the vehicle level
The scope of ICTS has been narrowed. The proposed rule does not
cover vehicle operating systems, Advanced Driver-Assistance
Systems, or battery management systems, unless they have VCS
components that fall within the definition of VCS hardware.
The proposed rule identifies three categories of Prohibited
Transactions:
- Prohibited VCS hardware transactions: VCS hardware importers may not knowingly import VCS hardware that is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia.
- Prohibited covered software transactions: Connected vehicle manufacturers may not knowingly import or sell connected vehicles incorporating covered software that is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia.
- Related prohibited transactions: Connected vehicle manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia may not knowingly sell connected vehicles incorporating any VCS hardware or covered software.
BIS does not plan to solely rely on the citizenship of an
importer's or a manufacturer's employees or contractors to
determine whether the company's VCS hardware or covered
software is "designed, developed, manufactured, or supplied by
persons owned by, controlled by, or subject to the jurisdiction or
direction of the PRC or Russia." As such, if Russian employees
developed covered software from a facility located in a third
country, their nationality alone would not prohibit the covered
software under the proposed rule, even though the covered software
was technically "developed by ... persons ... subject to the
jurisdiction" of Russia. However, if the covered software was
developed by a team physically located in Russia, then BIS would
consider the transaction of that software prohibited under the
proposed rule.
VCS hardware importers and connected vehicle manufacturers would be
exempt from prohibitions during a phase-in period. Specifically,
imports of VCS hardware units not associated with a vehicle model
year would be exempt for imports prior to January 1, 2029. Imports
of VCS hardware destined for a vehicle with a model year prior to
2030 would also be exempt. Connected vehicle manufacturers also
would be permitted to engage in otherwise prohibited transactions
involving covered software if the vehicle that is imported or sold
is of a model year prior to 2027.
Compliance Mechanisms
The proposed rule establishes several compliance mechanisms involving reporting requirements, and general and specific authorizations:
- Declaration of Conformity: VCS hardware importers or connected vehicle manufacturers must submit to BIS a Declaration of Conformity if they plan to import or sell VCS hardware or connected vehicles incorporating covered software that are not otherwise prohibited. As such, a Declaration of Conformity would be required for covered software involving a foreign interest or VCS hardware even if it is not designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia. The Declaration of Conformity must certify that the submitter has not engaged in a Prohibited Transaction, in addition to providing technical and identifier information pertaining to the VCS hardware or covered software.
- Advisory Opinions: Importers may request BIS guidance on whether a prospective transaction involving VCS hardware or covered software may be prohibited.
- Is-Informed Notices: BIS may also notify an importer or manufacturer through direct letters or Federal Register notices that a specific transaction may be prohibited under the proposed rule.
- General Authorizations: BIS may issue a general authorization allowing a qualified class of VCS hardware importers or connected vehicle manufacturers to engage in otherwise Prohibited Transactions without notifying BIS.
- Specific Authorizations: BIS may grant authorizations to specific importers or manufacturers to engage in otherwise prohibited transactions on a case-by-case basis.
Entities must maintain complete records that relate to any transaction for which a Declaration of Conformity, general authorization, or specific authorization would be required. The recordkeeping requirement is broad, and an importer or manufacturer must keep the records if a transaction would be subject to the regulation, regardless of whether the importer or manufacturer has sought a general or specific authorization.
Conclusion
If promulgated as issued, the proposed rule could have broad impacts on vehicle manufacturers and other companies participating in the connected vehicle supply chain. In particular, the proposed rule would place the burden of regulatory compliance on VCS hardware importers — including importers of finished vehicles containing such hardware — and connected vehicle manufacturers. Because, as BIS noted, today's automobile manufacturers utilize software developers from across the globe, nearly all connected vehicle manufacturers in the United States would fall under the reporting requirements and prohibition in the proposed rule. Given the proposed rule's sweeping application, companies may consider obtaining specific authorizations on a case-by-case basis. Vehicle manufacturers may benefit from limiting their sourcing from Chinese or Russian suppliers, including such suppliers located outside of those countries.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.