BIS Narrows Connected Vehicle Prohibitions; Compliance Begins in Model Year 2027

Automated driving is defined as sustained driverless operation -- it doesn't cover lane-assist, automated braking or parking functions.

Chinese hardware that enables the out-of-car communication above 450 MHz will be banned beginning in the 2029 model year, or, for items that aren't associated with a model year, before Jan. 1, 2029. The final rule adds that later imports that would otherwise be banned, that are to repair completed connected vehicles model year 2029 or earlier, also will be allowed. Examples of these sorts of hardware are telematics control units, cellular modems and antennas that collect data from GPS, accelerometers, gyroscopes, BMS and other units. The agency said the list of parts is not exhaustive, but clarified the rule to say the hardware must "directly enable" the connected capabilities.

These systems cannot be designed or manufactured by companies from adversary countries because the administration says they could imperil infrastructure and "enable mass collection of sensitive information, including geolocation data, audio and video recordings, and other pattern-of-life analysis."

The White House fact sheet noted that Chinese firms manufacturing cars in the U.S. -- Polestar and Volvo are examples -- that include advanced features that qualify them as connected vehicles, would be banned from sale after the 2026 model year. They would be covered even if they didn't contain prohibited telematics or other technology. However, BIS could allow those companies to continue in the U.S. market with a specific authorization. The companies did not respond to a request for comment by deadline. Similarly, Chinese manufacturers, even with cars that don't use Chinese software for automated driving, are prohibited from offering taxi services or ride-sharing rentals.

The majority of comments said navigation systems, satellite and traditional radio should not be covered; BIS agreed. Chinese hardware that enables autonomous driving, such as cameras, sensors, LiDAR or radar, are not prohibited -- and that was unchanged from the proposed rule.

The final rule made numerous changes to the compliance rules and to BIS's responsibilities for prompt response, but fewer changes to the scope of what's regulated to prevent the risk of foreign adversaries remotely controlling vehicles, or using data from those vehicles to gain intelligence about U.S. infrastructure or emergency responses. The rule also covers Russian software and hardware, but there isn't any substantial Russian presence in these areas. Chinese participation -- especially by the broad definition of the rule, which includes companies operating in the U.S. or allied countries but with significant Chinese investment or ownership -- is widespread.

One major change in the final rule is that commercial vehicles, such as buses and heavy trucks, aren't covered. BIS said it will issue a proposed rule specifically for that sector in coming months, and said the segment's omission "in no way implies that these risks are lesser than in the passenger vehicle market."

Cars destined for export also won't be covered.

BIS estimated there could be as many as 215 companies affected by the new compliance requirements, including car manufacturers, vehicle connectivity system (VCS) tier 1 and tier 2 suppliers and importers. It said its revisions to the rule were addressing comments from more than 100 stakeholders on the proposed rule, and that it also held 35 stakeholder meetings since the proposed rule was released in September. The agency said it was meeting auto industry players "where they are" and said it "dramatically reduced the information submission requirements" by removing the requirement to submit a Hardware Bill of Materials and Software Bill of Materials to show that supply chains aren't compromised. However, companies will have to maintain primary business records related to their certification that due diligence was conducted, which could include HBOMs -- and produce those records for BIS, if requested.

Companies that make connected cars and light trucks or import VCS hardware will need to submit annual declarations of conformity that they did not engage in prohibited transactions in hardware or software. If nothing changes from year to year in the supply chain, the company can attest the previous declaration still applies. Material changes -- or discovered errors -- must be sent to BIS within 60 days. Once the requirements begin, connected vehicle manufacturers and VCS hardware importers will have to submit digital documentation of their compliance at least 60 days prior to the first import or first sale of each model year of a completed connected vehicle or VCS hardware each model year or calendar year.

Importers don't have to go all the way down into the supply chain; they only have to conduct due diligence on components that directly enable the function of, and are directly connected to, the VCS systems. Moreover, carmakers may rely on statements from their Tier 1 suppliers as long as those suppliers have produced documentation on their due diligence, and those suppliers would furnish that documentation to BIS, if asked.

BIS also said that third-party manufacturers in China that contract with U.S. automakers are subject to the rule, even if the technology is designed in the U.S.

The agency discussed what could help obtain a specific authorization, though it said each would be granted on a case-by-case basis. It said conformity with cybersecurity standards, controls on corporate governance, third-party audits and enhanced reporting requirements could help companies manage risks. It also said that if a Chinese-owned firm conducts software and hardware design in a trusted country, that, along with its security practices, "will play an important factor in BIS’s decision to issue specific authorizations." Integrating the VCS software and hardware and automated driving systems (ADS) software in the U.S. might also be required in a specific authorization, the rule said.

It said a commenter asked that manufacturing covered items in adversary countries be allowed if carmakers "met certain security standards such as the independent design of covered software and VCS hardware, verifiable hardware and software integrity, secure key and certificate management, and ongoing monitoring. BIS appreciates this recommendation and may utilize this suggestion when issuing specific authorizations."

Also on specific authorizations, the rule said: "BIS understands that the implementation dates for the rule may fall mid-generation for many connected vehicle manufacturers. In this situation, BIS would consider issuing a timebound specific authorization in cases where connected vehicle manufacturers are able to demonstrate that they are moving into compliance with the rule for the next vehicle generation refresh," the rule said, though it said it believed its timeline was sufficient for supply chains to adjust.

One commenter asked BIS to phase in the requirement so that a third would be compliant the first year, two-thirds the second year and 100% the third year. "BIS appreciates this as a recommendation and will consider it as a compliance approach when issuing specific authorizations," the rule said.

The agency intends to offer general authorizations for small-scale manufacturers (fewer than 1,000 vehicles annually), for connected vehicles that mostly aren't on public roads, for items used for testing or research rather than for customers, and for items imported for repair or alteration.

Companies may request an advisory opinion on specific transactions, or if they are unsure if they are importers covered by the rules, and BIS said it will aim to respond within 60 days. Those requests have to share specific information about transactions, not be hypotheticals. The agency noted commenters asked BIS to allow carmakers to fully own software purchased from a Chinese company. The rule said BIS "is willing to discuss such an approach through an advisory opinion request...."

The agency said it may make those advisory opinions public, with redactions to protect confidential business information, if they are of broad interest. However, it will not publish approved specific authorizations.

BIS said it will post future guidance here.