The U.S. Department of Commerce's Bureau of Industry and Security, on Sept. 23, issued a notice of proposed rulemaking to curb national security and privacy risks associated with information and communication technologies and services with a nexus to China or Russia in vehicles on public roads that communicate with external sources.
The proposed rule follows a March 2024 advanced notice of proposed rulemaking, comments from stakeholders and the public, and analysis by the BIS of the technical parameters of information and communication technologies and services, or ICTS, in road vehicles warranting control.
The White House has also issued a fact sheet explaining and contextualizing the proposal.
The rules proposed by the BIS focus on national security concerns relating to connected-vehicle ICTS that have a specified nexus with China or Russia. Risks include sabotage of communications technology and autonomous features incorporated into vehicles, gathering of information regarding U.S. roadways and critical infrastructure, and exfiltration of the personal data of U.S. persons.
Such connected vehicles integrate onboard networked hardware with automotive software systems to communicate with external networks and devices.
The proposed regulations would prohibit importation into and sales within the U.S. of vehicle connectivity system, or VCS, hardware that enables vehicle connectivity, and of any vehicles that feature connected software, linked to China or Russia.
The BIS would also require declarations of conformity for imports of nonprohibited connectivity hardware and vehicles, and provide for general and specific authorizations for otherwise prohibited transactions, and avenues to obtain advisory opinions regarding interpretations of the rules.
The rules, if adopted, will apply to model-year 2027 vehicles and beyond, and will prompt significant diligence of automotive supply chains by companies in the industry. Parties were permitted to comment on the proposal through Oct. 28.
Here are nine aspects of the BIS' proposal that interested parties should consider.
1. VCS Hardware Imports
The proposed rule would prohibit U.S. persons from importing VCS hardware that enables road vehicles to communicate with outside networks or devices at a radio frequency of over 450 megahertz, where the importer has knowledge that such hardware was designed, developed, manufactured or supplied by persons with specified links to China or Russia.
The 450 megahertz threshold is intended to avoid application of the rule to items such as key fobs and certain internal wireless sensors.
2. Imports and Sales of Vehicles Incorporating Connected Software
The proposed rule would prohibit U.S. connected vehicle manufacturers from importing or selling in the U.S. completed connected vehicles incorporating covered connected software that was designed, developed, manufactured, or supplied by persons with specified links to China or Russia.
A "connected vehicle manufacturer" is defined as a U.S. person "(1) manufacturing or assembling completed connected vehicles in the United States; and/or (2) importing completed connected vehicles for Sale in the United States."
3. Prohibition for Automakers Owned or Controlled by China or Russia
The notice of proposed rulemaking provides: "Connected vehicle manufacturers who are persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia, are prohibited from knowingly selling in the United States completed connected vehicles that incorporate VCS hardware or covered software."
4. Knowledge Requirement
The BIS' proposed prohibitions apply where a covered U.S. person has knowledge regarding specified links between covered VCS hardware or connected software with China or Russia. Notably, this would extend beyond positive knowledge to include awareness of a high probability of covered imports and sales or their future occurrence.
Conscious disregard and willful blindness also would be included within the scope of "knowledge." This would likely prompt extensive supply chain diligence for affected companies.
5. Specified Links to China or Russia
The proposed regulations apply to covered VCS hardware or software that is designed, developed, manufactured, or supplied by persons "owned by, controlled by, or subject to the jurisdiction or direction of" China or Russia.
These include:
- Any person who acts as an agent, representative, or employee of China or Russia;
- Any person, wherever located, who is a citizen or resident of China or Russia, and not a U.S. citizen or permanent resident — notably, the BIS emphasizes in the notice that the rules do not apply "solely based on the country of citizenship of natural persons who are employed, contracted, or otherwise similarly engaged to participate in the design, development, manufacture, or supply" of the VCS hardware or covered software;
- Any entity incorporated or headquartered in, or with a principal place of business in, China or Russia;
- Any entity owned or controlled by China or Russia, including entities in which the persons described above possess "the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters" affecting such entity.
6. Certificate of Conformity Requirements
U.S. persons importing nonprohibited covered VCS hardware, or importing or selling nonprohibited connected vehicles, would be required to submit a certification that includes, among other things, a declaration that the person has not engaged in any prohibited transactions involving such VCS hardware or connected vehicles.
7. Exempted Transactions
The proposal sets out exemptions to allow staggered implementation of the software and hardware prohibitions.
Specifically, the prohibitions for connected vehicles that incorporate covered software would not apply until model year 2027, while the prohibitions for VCS hardware would not apply until Jan. 1, 2029, or model year 2030, depending on the circumstances.
8. General and Specific Authorizations
The BIS plans to implement narrow general authorizations and consider specific authorizations for otherwise prohibited transactions. General authorizations would apply to vehicles with limited production runs or road use. The BIS will consider specific authorizations on a case-by-case basis.
9. Advisory Opinions
The proposed rule also contains a mechanism for advisory opinions, allowing parties to request a determination on whether prospective transactions are prohibited.
Observations
The proposed rule marks the third major rulemaking — proposed or otherwise — this year by the BIS' Office of Information and Communications Technology and Services, following a January proposal to regulate U.S. infrastructure as a service cloud provider, and a June rule to ban Kaspersky Lab products.
The office significantly ramped up its efforts under the ICTS rules in 2024, a trend that seems likely to continue as the office has a wide array of covered ICTS items to choose from in investigating national security threats.
Regarding connected vehicles in particular, affected parties should expect robust regulation of connected vehicles, vehicle communication systems, and automated driving systems in the future, and increased supply chain diligence inevitably will be necessary in this area.
Along these lines, four aspects of the proposed rule are particularly notable.
1. Prohibition of a Class of Transactions
The proposed rule, if adopted, would mark the first effort by the BIS to ban an entire class of transactions under the ICTS rules. While the office has banned ICTS transactions involving software developed by a specific party — the Kaspersky Lab, a Russia-headquartered cybersecurity company — it has not to date prohibited an entire category of products based on their country of origin or links to a country of concern.
This would be the first such countrywide prohibition, and could usher in similar measures.
2. Supply Chain Due Diligence
The proposed rule would usher in significant supply chain due diligence obligations for the auto industry. This can be quite a challenging task that calls for exhaustive review of bills of material and the domicile and ownership of suppliers and sub-suppliers.
3. Certificate of Conformity Requirement
The proposed requirement to submit a certificate of conformity could expose companies to liability for submitting a false statement, significantly raising the ante for compliance.
4. Potential Application to Other Technologies
It is not difficult to imagine where the office could go from here. Besides connected vehicles, there are any number of other connected technologies subject to the same concerns regarding access to personal data, deployment in critical infrastructure and risk of sabotage, such as, for example, Internet of Things products.
It seems likely that the office will target other such technologies as the ICTS rules continue to mature.
"9 Considerations Around Proposed Connected Vehicle Ban," by Anthony Rapa and Brendan S. Saslow was published in Law360 on November 11, 2024.
