- with readers working within the Insurance industries
On June 18, 2026, the U.S. Department of Commerce, Bureau of Industry and Security (BIS) issued a new General Authorization Number 3 (“GA3”), establishing a “Trusted Supplier” program that could significantly change how automotive manufacturers and suppliers approach compliance with the BIS Information and Communications Technology and Services (ICTS) Connected Vehicle Rule (“the Rule”). This alert reviews the existing prohibitions under the Rule, the new pathway created by GA3, and practical considerations for stakeholders.
Background: The ICTS Connected Vehicle Rule
As detailed in our prior client alert, the ICTS Connected Vehicle Rule restricts the import and sale of vehicles and components tied to foreign adversaries China and Russia. The regulations target Vehicle Connectivity Systems (VCS) that enable external communications and Automated Driving Systems (ADS). The Rule’s objective is to prevent data exfiltration and remote manipulation by foreign adversaries.
For hardware, the Rule covers physical components that facilitate connection and communication over radio frequencies above 450 MHz, sweeping in telematics control units, Bluetooth and Wi-Fi modules, and cellular modems. For software, the Rule applies to application, middleware, and system software running on the primary processing unit that directly drives VCS or ADS functions.
To the extent covered hardware or software is designed, developed, manufactured, or supplied by parties owned by, controlled by, or subject to the jurisdiction of adversary nations (identified in the Rule as Russia or China), and unless an exemption or exclusion applies, such hardware or software currently is or will be prohibited from being imported into the United States absent a specific or general authorization from BIS. BIS has previously issued narrow General Authorizations for imports of certain otherwise prohibited hardware or software. BIS has also granted certain specific authorizations to some auto manufacturers and importers, but we understand those have been time-limited and subject to significant limitations. Additionally, current tier 1 or lower-level suppliers have not been eligible to directly apply for specific authorizations.
GA3 and the Trusted Supplier Program
GA3 now allows suppliers to directly apply to BIS for approval of their VCS hardware or covered software (i.e., otherwise prohibited items) such that connected vehicle manufacturers and VCS hardware importers can use those products without obtaining individual specific authorizations from BIS. It should be noted that importers and auto manufacturers that are themselves owned by, controlled by, or subject to the jurisdiction of an adversary foreign nation will not be eligible to apply for participation in the Trusted Supplier program.
Once a supplier is approved by BIS, the approved product and supplier will be listed together on a Trusted Supplier Registry, and no specific authorization will be required for imports. The importer or manufacturer will still need to file a declaration of conformity in compliance with the current Connected Vehicle Rule requirements governing such submissions.
Trusted Supplier Application Requirements
GA3 provides some guidance regarding the information BIS expects to be included in applications for the Trusted Supplier program. Suppliers will be required to submit a justification and detailed proposal sufficient for BIS to assess the national security risk associated with their continued use of covered hardware/software, including a description of existing or planned controls over the covered items and mitigation measures.
BIS will review applications on a case-by-case basis against an “undue or unacceptable risk” standard of the underlying Rule and may require a letter of assurance, a mitigation agreement, or other conditions before granting Trusted Supplier status.
Ongoing Obligations and Removal
Approved suppliers will be subject to ongoing compliance, reporting, and recordkeeping requirements demonstrating compliance with GA3. Suppliers will be expected to report to BIS within 30 days of discovering a change in circumstance that impacts their qualification for GA3. If suppliers determine that such circumstances result in non-compliance they must, within 30 days of such a determination, cease any prohibited conduct. In such instances, suppliers must submit a report to BIS identifying prohibited transactions, the number of connected vehicles or VCS hardware units implicated, and the proposed remedial measures.
BIS may, at its discretion, verify (i.e., audit) connected vehicle manufacturers and VCS hardware importers to determine whether they are relying on a General Authorization or any supplier listed on the Approval Supplier Registry. A supplier may be removed from the Trusted Supplier program for non-compliance, false statements, significant changes in circumstance that create additional risk, or other factors at the discretion of BIS.
Potential Impact of Pending Legislation
Prospective applicants should continue to monitor progress of the Connected Vehicle Security Act (“CVSA”), introduced this session in the Senate and currently pending further action by Congress. The most recent version of the CVSA contains provisions that would expand coverage of the Rule to a broader set of hardware and software, reduce current exceptions and exclusions, extend the scope to include additional connected vehicle manufacturer ownership structures, and most importantly with respect to GA3, limit the ability of BIS to issue General Authorizations and sunset existing General Authorizations by 2032.
Key Takeaways
The Trusted Supplier Registry program offers a potentially valuable compliance pathway that shifts the authorization burden to the supplier of the covered product, allowing eligible manufacturers and importers to source approved products without securing transaction-by-transaction specific authorizations. Suppliers and their customers should evaluate eligibility, begin assembling the risk-assessment and mitigation information that BIS will expect, and build the ongoing compliance and recordkeeping infrastructure necessary to maintain Trusted Supplier status.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
[View Source]