The US government is stepping up efforts to protect national security by finalizing a new rule aimed at regulating the import and sale of connected vehicles integrating certain software and hardware from what it deems “countries of concern,” specifically China and Russia. The rule bans the use of specific vehicle connectivity systems (VCSs) and autonomous driving systems (ADSs) that, according to the US government, could pose risks to national security, particularly within automotive supply chains.
Who are affected?
This rule primarily affects automotive manufacturers (OEMs) and suppliers that utilize VCSs, technologies that connect vehicles to external systems via Bluetooth, cellular, satellite, or Wi-Fi. Connections through these technologies could potentially expose sensitive information about drivers, passengers, and even critical infrastructure. Additionally, the rule applies to ADSs, which enable highly autonomous vehicles to operate without a driver.
This rule specifically targets automotive software and hardware capable of processing radio frequency (RF) communications or integrated into systems that enable self-driving cars. However, it does not encompass passive components, such as fasteners and plastic covers.
Citing the complexity of the commercial vehicle supply chain, the US government says that the rule applies only to passenger vehicles (defined as those under 10,001 pounds).
When are the key deadlines?
According to the US government, the prohibitions on software will take effect for model year 2027, while hardware restrictions will take effect for model year 2030, or Jan. 1, 2029, for vehicles without a model year. Prohibitions on the sale of connected vehicles by manufacturers with sufficient connections to China or Russia, even if manufactured in the US, will take effect for model year 2027.
How should companies prepare?
Companies in the automotive industry should proactively review their supply chains to avoid dependence on technologies from countries of concern. A good starting point is auditing the software bill of materials (SBOM) and hardware bill of materials (HBOM) to identify the origin of each software and hardware component. Other steps include building partnerships with trusted local or international providers, investing in internal tech development, and keeping open communication with regulatory bodies to ensure compliance and resilience in an ever-evolving threat landscape.
This article was updated on Jan. 16, 2025, at 8:00 a.m. UTC, with information on the finalization of the new rule, based on the latest release from the US Department of Commerce’s Bureau of Industry and Security (BIS).
