On September 26, 2024, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) issued a Notice of Proposed Rulemaking (NPRM) aimed at securing the automotive supply chain from foreign adversaries. The rule seeks to address national security concerns by prohibiting the import and sale of connected vehicles and key components, including Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS), that have ties to entities subject to the jurisdiction or direction of, or otherwise linked to, certain foreign adversary jurisdictions, currently identified as China and Russia.
If finalized, the rule would have far-reaching implications for the automotive industry, including automakers, component suppliers, and software developers. The proposed prohibitions target critical technologies that could be exploited for surveillance or sabotage by foreign adversaries, and they impose significant compliance obligations.
The NPRM was issued pursuant to BIS's new information and communications technology and services (ICTS) rules and, together with the Advance Notice of Proposed Rulemaking (ANPRM) on the same topic, marks the first time BIS has sought to regulate a class of transactions under those rules. BIS has previously used the ICTS rules to take targeted action against the Russian cybersecurity company Kaspersky. Earlier this year, Elizabeth Cannon was appointed as the first director of the Office of Information and Communications Technology and Services (OICTS) within BIS. This uptick in activity may be a sign of things to come with additional ICTS actions likely in the future.
This rulemaking is also likely to serve as a template for other, future ICTS rules targeting classes of transactions in different sectors. To that end, the general structure of the NPRM, including the recordkeeping obligations, general and specific authorizations, and advisory opinion process are particularly noteworthy.
As a proposed rule, the NPRM does not yet have the force and effect of law. Comments on the NPRM are due by October 28, 2024.
What Is Covered Under the NPRM?
The NPRM proposes to define a "connected vehicle" as any vehicle that integrates onboard networked hardware with automotive software systems capable of communicating with external networks or devices via Bluetooth, cellular, satellite, or Wi-Fi. In this regard, the NPRM would apply to a broad range of vehicles manufactured primarily for use on public roadways in the United States, including passenger cars, buses, trucks, and motorcycles. The rule specifically targets VCS and ADS technologies that enable connectivity and autonomous driving capabilities.
- Vehicle Connectivity Systems (VCS):
The meaning of VCS would include hardware and software that enable
external communications in a vehicle, such as Bluetooth, cellular
modems, satellite navigation, and telematics units.
- VCS hardware would be defined as software-enabled or programmable components and subcomponents that support VCS, including microcontrollers, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite navigation systems, satellite communication systems, other wireless communication microcontrollers or modules, and external antennas. As such, VCS hardware can also include aftermarket devices that can be added to a vehicle after sale, such as telematics fleet tracking devices and systems.
- VCS software would mean software that supports the transmission, receipt, conversion, or processing of radio frequency communications.
- Automated Driving Systems (ADS): The meaning of ADS would include systems that allow a vehicle to operate autonomously, at Levels 3–5 of automation, as defined by SAE International standards. ADS software controls the vehicle's driving functions without human intervention. Notably, ADS software does not include automated systems classified as Levels 0–2 that still rely on the driver to make driving decisions.
Prohibited Activities
The NPRM would prohibit:
- knowingly importing into the United States VCS hardware that is designed, developed, manufactured, or supplied by certain persons linked to China or Russia;
- knowingly importing into or selling within the United States completed connected vehicles that incorporate covered VCS or ADS software designed, developed, manufactured, or supplied by certain persons linked to China or Russia; and
- knowingly selling in the U.S. completed connected vehicles that
incorporate VCS hardware or covered VCS or ADS software if the
seller is linked to China or Russia, regardless of whether the
vehicles are manufactured or assembled in the United States.
- This prohibition would apply regardless of whether the hardware or software was designed, developed, manufactured, or supplied by persons linked to China or Russia.
The prohibitions on the import or sale of connected vehicles that incorporate covered VCS or ADS software would take effect for Model Year 2027 vehicles. The prohibitions on the import of VCS hardware would take effect for Model Year 2030 vehicles, or January 1, 2029, for hardware not associated with a specific model year.
Who Is Considered Linked to China or Russia?
The NPRM would apply to VCS hardware and ADS software that are designed, developed, manufactured, or supplied by persons with certain direct or indirect links to China or Russia. The NPRM provides a broad definition of what would constitute a "link" to these countries, including:
- Foreign Nationals: Individuals who are citizens or residents of China or Russia and are not U.S. citizens or permanent residents.
- Organizations Controlled by China or Russia: Any organization with a principal place of business in China or Russia, or an organization that is owned or controlled by entities in these countries. This includes subsidiaries and joint ventures, even if they are located outside of China or Russia.
- Supervised or Directed Entities: Persons or entities that are directly or indirectly supervised, directed, financed, or subsidized by China or Russia. This includes persons, wherever located acting on behalf of, or at the request of, foreign adversaries, including any agent, representative, employee, or other person acting in any other capacity, or under the direction of, such foreign adversaries.
- Associated Entities: Organizations in which any of the above-described persons has the power, direct or indirect, to "determine, direct, or decide important matters" affecting the organization pursuant to majority or dominant minority ownership of the total outstanding voting interests; board representation; proxy voting; special shares; contractual arrangements; formal or informal means to act in concert; or other means (including via entities in the United States).
BIS anticipates taking a broad approach in its interpretation of what constitutes a "link" to these countries. For example, even minor involvement by software development teams in China or Russia, such as writing base code for VCS or ADS software, could trigger the NPRM's prohibitions.
General and Specific Exemptions, and the Advisory Opinion Process
The NPRM would include exemptions and authorizations to minimize disruption to the automotive industry, particularly for small producers and low-risk activities. These fall under three categories:
- General Authorizations: The NPRM
provides a self-executing license for certain transactions,
including:
- Importation of vehicles for display, testing, or research, provided the vehicles are not driven on public roads;
- Vehicles used solely for competition off public roads or those imported for repair or alteration; and
- For certain prohibitions, small producers with a total model year production of fewer than 1,000 vehicles.
- Specific Authorizations: BIS may grant specific authorizations (i.e., written approval) on a case-by-case basis, allowing companies to engage in transactions that would otherwise be prohibited, provided that national security risks can be mitigated. These authorizations require an application and approval from BIS.
- Exemptions: VCS hardware importers and connected vehicle manufacturers would be exempt from certain prohibitions of the NPRM for a limited period.
BIS anticipates establishing an advisory opinion process to enable companies to seek guidance on whether a proposed transaction or product falls under the NPRM's prohibitions. This process is designed to prevent inadvertent violations by offering clarity on the rule's scope.
Knowledge Standard Under the NPRM
BIS intends to enforce the rule using a "knowledge" standard, which will penalize companies for "knowing violations." Under this standard, knowledge is defined not only as actual knowledge of prohibited activities but also as "conscious disregard" of facts or willful avoidance of learning the facts. This approach mirrors the knowledge standard set forth in the Export Administration Regulations (15 C.F.R. § 772.1), which BIS uses for export controls enforcement.
Companies must therefore be proactive in assessing their supply chains and conducting due diligence to avoid penalties. Ignorance of the involvement of Chinese or Russian entities in the production of VCS hardware or ADS software will not serve as a defense under the rule if BIS finds evidence of willful avoidance.
Compliance and Recordkeeping Obligations
The NPRM would impose significant compliance and recordkeeping obligations on companies importing or selling covered vehicles and components in the United States. Central to these obligations is the requirement to submit Declarations of Conformity to BIS. These declarations must:
- Certify that the company has not engaged in prohibited transactions.
- Include detailed information about the imported or sold items, such as bills of materials and documentation of due diligence conducted to verify compliance.
Declarations of Conformity would be required to be filed at least 60 days prior to the importation of the first import or sale of items associated with a particular vehicle model, or calendar year, as applicable, and within 30 days of any material change in a prior Declaration. This certification process imposes a significant compliance burden, requiring companies to trace their supply chains and verify that no prohibited entities are involved in covered activity.
- Supply Chain Due Diligence: The NPRM places significant emphasis on due diligence, requiring companies to investigate their entire supply chain to ensure compliance. This includes verifying the involvement of third-party suppliers and conducting thorough screening of contractors. Given the broad definition of "foreign interest," companies may need to implement additional supply chain controls to mitigate the risk of unknowingly violating the rule.
- Recordkeeping: Companies must maintain records related to Declarations of Conformity and authorizations for a minimum of 10 years. These records must include contracts, bills of materials, import records, and any other documentation related to the transaction. Failure to maintain adequate records could result in penalties, including fines or enforcement actions.
Penalties for Noncompliance
Violations of the prohibitions would result in significant penalties under the International Emergency Economic Powers Act (IEEPA) (50 U.S.C. 1705). Civil penalties can result in a maximum of $368,136 per violation (or twice the value of the violative transaction, whichever is greater), while criminal penalties, for willful violations, can include fines of up to $1 million and imprisonment for up to 20 years. BIS will issue a pre-penalty notice to companies it believes have violated the rule, allowing them 30 days to respond before further enforcement action is taken.
Next Steps for Affected Parties
Automakers, component suppliers, and other affected parties should begin reviewing their supply chains and compliance procedures in light of the NPRM. Given the broad scope of the prohibitions and the extensive compliance obligations, companies will need to implement rigorous due diligence processes to ensure compliance, assuming a final rule is promulgated in similar form.
BIS is accepting public comments on the NPRM through October 28, 2024. Stakeholders are encouraged to provide feedback on the technical and economic implications of the rule to ensure their concerns are considered before the rule is finalized.
Conclusion
The NPRM represents a major step in the U.S. government's efforts to safeguard critical automotive technologies from foreign adversaries. By targeting VCS and ADS technologies linked to China and Russia, the rule aims to mitigate potential risks to U.S. national security. Companies operating in the automotive sector should take steps to assess their exposure and begin preparing for a final rule's potential impact on their operations and supply chains.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.