On January 16, 2025, the Bureau of Industry and Security (BIS)
issued a final rule to address national security
concerns about information and communications technology and
services (ICTS) in connected vehicles. The rule prohibits the
importation and sale of certain connected vehicle hardware or
software that has been designed, developed, manufactured, or
supplied by entities subject to influence by the Chinese or Russian
governments. It also prohibits manufacturers that are owned by,
controlled by, or subject to the jurisdiction or direction of China
or Russia from selling in the U.S. connected vehicles that
incorporate certain software or hardware, regardless of whether
such hardware or software is linked to those countries.
The final rule follows and largely resembles the September 26, 2024
proposed rule. In this final rule, which goes
into effect on March 17, 2025, BIS made certain revisions in light
of public feedback to define the scope of connected vehicles,
identify ICTS integral to connected vehicles, and better clarify
the effects of any potential prohibition. In an executive order
titled "America First Trade Policy," President Trump
directed the Secretary of the U.S. Department of Commerce
(Commerce) to review the final rule and recommend "appropriate
action," including whether controls should be further
expanded.
Key Revisions From the Proposed Rule
Below is an overview of highlights from the final rule, which focuses on key changes from the proposed rule with respect to prohibited transactions, compliance mechanisms, and definitions.
Prohibited Transactions
The final rule largely retains the same prohibitions as the proposed rule, which include the following transactions unless otherwise permitted under a general or specific authorization:
- Vehicle Connectivity Systems (VCS) hardware importers are prohibited from knowingly importing into the U.S. any VCS hardware that is designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments.
- Connected vehicle manufacturers are prohibited from knowingly selling within the U.S., or importing into the U.S., completed connected vehicles that incorporate covered software that is designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments.
- Connected vehicle manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of China or Russia are also prohibited from knowingly selling in the U.S. completed connected vehicles that incorporate covered software or VCS hardware, regardless of whether such hardware or software is designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments. These connected vehicle manufacturers are also prohibited from offering commercial services in the U.S. that utilize completed connected vehicles that incorporate Automated Driving Systems (ADS).
The software-related prohibitions will be effective starting
with model year 2027. Meanwhile, the hardware-related prohibitions
will be effective for model year 2030 or January 1, 2029 for
hardware not associated with a particular vehicle model year. The
prohibitions on the sale by connected vehicle manufacturers who are
owned by, controlled by, or subject to the jurisdiction or
direction of China or Russia are effective for model year
2027.
BIS noted that the third restriction may be duplicative of the
first two restrictions in many cases, but the final rule clarified
that the third restriction applies even if connected vehicle
manufacturers subject to influence by the Chinese or Russian
governments are not involved in the design or development of the
VCS hardware and covered software.
In addition to revisions with respect to prohibited transactions,
the final rule further outlined the following changes from the
proposed rule:
- Scope of VCS: BIS narrowed the definition of VCS by excluding certain functions such as "automotive sensing (which includes LiDAR, radar, cameras, and ultrawideband); global navigation satellite system (GNSS); and satellite, AM, and FM radio." These functions have been excluded because they are considered low-risk uses.
- Scope of VCS Hardware and Covered Software: BIS narrowed the definitions of "covered software" and "VCS hardware" to include only those items that "directly enable" the function of those systems as opposed to "supports" those systems. In other words, the previous language of "supports" has been replaced by "directly enable." This change was made to allow industry to identify components captured by the VCS hardware definition more easily.
- Exclusion of Legacy Software: BIS excluded legacy software from the definition of "covered software." Legacy software refers to software and software components that were designed, manufactured, or supplied prior to March 17, 2026. This change was made to lessen industry's regulatory burden. Notably, BIS rejected adding a legacy hardware exclusion.
- Refinement of the Open-Source Software Exclusion: BIS also excluded open-source software from the definition of "covered software," unless the open-source software has been modified for proprietary purposes and not redistributed or shared. Open-source software is characterized as software for which the human-readable source code is available in its entirety for use, study, re-use, modification, enhancement, and redistribution by the users of such software.
Compliance Mechanisms
The final rule maintains the three primary compliance mechanisms outlined in the proposed rules with some minor changes:
(1) Declarations of Conformity: The proposed rule mandated that VCS hardware importers or connected vehicle manufacturers submit to BIS annual Declarations of Conformity, attesting that they had not engaged in otherwise prohibited transactions and requested a substantial amount of information to be included in the submissions. With the final rule, BIS clarified the certification requirement, narrowed the information required to be submitted, and added a 10-year recordkeeping requirement. The final rule also extended the timeline for submitting updates or corrections to the declarations from 30 to 60 days.
- The final rule requires a certification statement that the hardware or software at issue in the declaration was not designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments.
- The declarations also require importers and manufacturers to (1) certify to BIS, annually or whenever "material changes" occur, that they are not engaging in prohibited transactions (and entities may submit a confirmation in lieu of a new declaration) and (2) provide relevant information on the import of VCS hardware and/or the import or sale of completed connected vehicles. Here, "material change" means "discovery, by the declarant, of an omission, inaccuracy, or error in the information provided to the Department in a prior Declaration that could reasonably mislead as to the true source of VCS hardware or covered software in question."
- The final rule further requires entities to submit to BIS the name and contact information of the importer or manufacturer, as well as additional information based on whether the entity is engaging in a covered software or VCS hardware transaction. Entities must also certify that they have conducted due diligence into their supply chain, and primary business records documenting such due diligence efforts must be maintained by the declarant or a third-party and made available to BIS upon request. In response to comments, BIS also removed reporting requirements related to third-party external endpoints from the final rule.
- Hardware Bill of Materials (HBOM) and Software Bill of Materials (SBOM), as well as a list of third-party external VCS hardware connection endpoints, are no longer required as part of the declarations in an effort to address concerns related to the submission of sensitive information in the declarations.
- Finally, the final rule includes a "foreign interest" exemption to the declarations requirement for circumstances where the only foreign interest arises when a foreign person owns equity of a public company but does not affect the company's management or control.
(2) General Authorizations: VCS hardware
importers and connected vehicle manufacturers are permitted to
engage in otherwise prohibited transactions without the need to
notify BIS prior to engaging in the transaction. Under the amended
provisions, importers and manufacturers using general
authorizations must monitor their use of such authorizations, and,
within 30 days of discovering a change in circumstance, conduct an
inquiry as to whether the authorization still applies. Should the
entity determine that the authorization no longer applies, it must,
within an additional 30 days, cease all prohibited conduct and
submit a report to BIS. BIS will issue general authorizations
through its website and the Federal Register.
(3) Specific Authorizations: VCS hardware
importers and connected vehicle manufacturers who do not otherwise
qualify for a general authorization may request specific
authorization from BIS. The final rule lists several examples of
documentation that could be used to support the information
contained in a specific authorization application. The final rule
also notes that specific authorizations will generally be approved
for a duration of no less than one model or calendar year. BIS will
advise specific authorization applicants about the duration of any
approved specific authorizations when issued. However, BIS
clarifies that exceptions may apply for BIS to approve a specific
authorization for less than one model or calendar year if supply
chains are affected by force majeure events, or due to an
unexpected change in the supply chain during model year
production.
BIS noted that, depending on the product, VCS hardware importers and connected vehicle manufacturers could be required to use a combination of the three compliance mechanisms to meet their obligations under the final rule.
Recordkeeping Requirements
As previously noted, BIS eliminated in the final rule the requirements to submit SBOMs, HBOMs, and the list of third-party external VCS hardware connection endpoints. These requirements have been replaced with certification and recordkeeping requirements with submissions to BIS required only upon request. According to the final rule, all regulated entities must (1) retain all primary business records related to "any transaction for which a Declaration of Conformity, general authorization, or specific authorization would be required," for 10 years (i.e., "recordkeeping requirements"), and (2) submit reports and statements according to the instructions of each specific authorization (i.e., "certification requirements"). In addition, third-party assessors must also comply with all recordkeeping requirements.
Penalties
Persons who violate, attempt to violate, conspire to violate, or knowingly cause a violation of the final rule will be subject to civil and/or criminal penalties. The maximum civil penalty for violations is $377,700.17 per violation (adjusted for inflation) and the maximum criminal penalty is $1 million and/or 20 years in prison. BIS will consider applying a reduction of potential penalties for those voluntarily disclosed.
Advisory Opinions and Is-Informed Notices
VCS hardware importers and connected vehicle manufacturers may
seek an advisory opinion from BIS to provide guidance on whether a
prospective transaction is prohibited. In the final rule, BIS added
a 60-day timeline for BIS to respond to advisory opinion requests
and clarified procedural requirements of submitting an appeal
request. As with the Declaration of Conformity, SBOM and HBOM
submissions are no longer required for advisory opinion requests.
In addition, interested parties may submit information directly to
BIS in support of an advisory opinion request.
The final rule also made no changes to the proposed rule details
about is-informed notices, which BIS may send through direct
letters or Federal Register notices to notify an importer or
manufacturer that a specific transaction may require a specific
authorization because the transaction would be prohibited under the
final rule.
Definitions
In response to public feedback, BIS amended or clarified the definitions for the following terms in the final rule (the terms mentioned in the final rule but were not modified in the final rule are not included below):
- Connected Vehicle: "a vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device." Vehicles operated only on a rail line are not included in this definition, and BIS also narrowed the scope by adding that a connected vehicle that is more than 10,000 pounds is not included in this definition.
- Connected Vehicle Manufacturer: "a U.S. person who: (1) manufactures or assembles completed connected vehicles in the U.S. for sale in the United States; (2) imports connected vehicles for sale in the U.S.; and/or (3) integrates ADS software on a completed connected vehicle for sale in the U.S." The amended definition clarifies that the integration of ADS into an otherwise completed connected vehicle is subject to this final rule, and that (1) applies only if the vehicles are intended for sale in the U.S.
- Covered Software: "the software-based components, including application, middleware, and system software, in which there is a foreign interest, executed by the primary processing unit or units of an item that directly enables the function of VCS or ADS at the vehicle level." BIS specified the definition in the final rule to explicitly include application, middleware, and system software. The definition also excludes firmware, open-source software, and software subcomponents "designed, developed, manufactured, or supplied prior to March 17, 2026, as long as [they] are not maintained, augmented, or otherwise altered by an entity owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary after [the said date]."
- Declarant: "the U.S. person submitting a Declaration of Conformity to BIS." BIS included this new definition to clarify the final rule, where the term is used throughout.
- HBOM: "a formal record of the supply chain relationships of parts, assemblies, and components required to create a physical product, including information identifying the manufacturer, and related firmware." Notably, BIS will not require HBOMs as part of Declarations of Conformity.
- SBOM: "a formal record containing the details and supply chain relationships of various components used in building software." Notably, BIS removed several SBOM elements from requirements to apply for a Declaration of Conformity or specific authorization.
- VCS: "a hardware or software item installed in or on a completed connected vehicle that directly enables the function of transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 MHz." BIS modified the definition to include explicit hardware and software exclusions, as well as function-based exclusions.
- VCS Hardware: "software-enabled or programmable components if they directly enable the function of VCS, or are part of an item that directly enables the function of VCS, including but not limited to: microcontroller, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite communication systems, other wireless communication microcontrollers or modules, external antennas, digital signal processors, and field-programmable gate arrays." BIS replaced "support the function of" with "directly enable the function of" in response to the commenters' suggestions.
- VCS Hardware Importer: a U.S. person who imports: (1) VCS hardware for further manufacturing, incorporation, or integration into a completed connected vehicle that is intended to be sold or operated in the U.S.; or (2) VCS hardware that has already been installed, incorporated, or integrated into a connected vehicle, or a subassembly thereof, that is intended to be sold as part of a completed connected vehicle in the U.S. BIS clarified the definition to include only entities who are importing VCS hardware components that are for use in completed connected vehicles or are already incorporated in a connected vehicle (incomplete or completed).
Conclusion
Given its scope, the final rule will have broad impact on VCS
hardware importers, connected vehicle manufacturers, and other
participants in the connected vehicle supply chain. Interested
parties are encouraged to review the restrictions in detail to
determine what impact they may have on their business.
As noted above, there is a phased approach to implement the new
prohibitions. The software-related prohibitions and prohibitions on
the sale by connected vehicle manufacturers subject to influence by
the Chinese or Russian government will be effective starting with
model year 2027. The hardware-related prohibitions will be
effective for model year 2030 or January 1, 2029 for hardware not
associated with a particular vehicle model year.
Going forward, BIS anticipates issuing a set of general
authorizations, which will include general authorizations for small
businesses; for connected vehicles used infrequently on public
roads; for display, testing, or research purposes; and for repair,
alteration, or competition. BIS also anticipates posting guidance
and responses to frequently asked questions on its website to
assist industry. In light of the substantial national security
concerns and the comments received regarding the commercial vehicle
market in connection with the definition of completed connected
vehicles, BIS plans to issue a new proposed rule specifically for
the commercial vehicle sector and will also supplement the
definition of connected vehicles in this final rule with an
additional rule to address vehicles over 10,000 pounds.
On January 20, 2025, President Trump issued an executive order
titled "America First Trade Policy," under which the
Secretary of Commerce "shall review and recommend appropriate
action" with respect to this final rule. Given that this
executive order directed Commerce to consider whether controls on
ICTS transactions should be expanded to account for
additional connected products, there will likely be additional
rulemaking to enhance these prohibitions. Industry should continue
to monitor for any further regulatory actions that may be
announced. Please contact any author of this Advisory or your
Arnold & Porter relationship attorney if you have any questions
or to seek further guidance or advice.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
