Commerce Curbs Connected and Autonomous Vehicles with a Nexus to China or Russia

Continuing the Biden administration’s focus on securing the nation’s critical technologies, on September 23, 2024, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced a Notice of Proposed Rulemaking (NPRM) that would prohibit the import or sale of connected vehicles and vehicle systems and components designed, developed, manufactured, or supplied by entities connected to the People’s Republic of China (PRC) or Russia.

Although the proposed rule will apply principally to vehicles entering the market near the end of the decade, the development is noteworthy because it is another indication that, when it perceives supply chain vulnerabilities—in this case, potential foreign adversary access to, data exfiltration from, and manipulation of connected vehicles—the U.S. government will not hesitate to ban certain market participants. Moreover, notwithstanding the lag time, automakers will need to assess the supply chains in the short term given the long lead times in the development and launching of new vehicles. 

The NPRM is a follow-up to an Advanced Notice of Proposed Rulemaking published by BIS on March 1, 2024. BIS is inviting public comments on the NPRM, which are due October 28, 2024. The proposed rule proceeds from the broad authorities delegated to the Secretary of Commerce under the Trump-era executive order “Securing the Information and Communications Technology and Services Supply Chain” and is the first sector-wide expansion of regulations previously published under that authority.

The Proposed Rule’s Prohibitions

The proposed rule would prohibit the import or sale of vehicles in the United States with certain Vehicle Connectivity Systems (VCS) or Automated Driving Systems (ADS) hardware or software with a nexus to the PRC or Russia.  VCS allow a vehicle to communicate externally (for example, Bluetooth, cellular, satellite, and Wi-Fi modules). ADS covers components and systems that allow autonomous vehicles to operate without a driver. Many driverless cars use in‑vehicle AI computing and machine vision; connected vehicles that utilize this type of software would be impacted by the proposed rule.

The proposed rule covers VCS and ADS hardware and software designed, developed, manufactured, or supplied by persons who are owned by, controlled by, or subject to direction or jurisdiction of the PRC or Russia, regardless of their location. For such hardware and software, the rule would prohibit:

• U.S. persons from importing specified software-enabled or programmable VCS hardware components for further integration or sale;
• U.S.-person connected vehicle manufacturers from importing vehicles with this hardware installed;
• U.S.-person connected vehicle manufacturers from importing or selling vehicles that incorporate covered VCS or ADS software; and
• Connected vehicle manufacturers who are owned by, controlled by, or subject to direction or jurisdiction of the PRC or Russia from selling connected vehicles that incorporate VCS hardware or software or ADS software in the United States, even if the vehicle was manufactured in the United States (thus, restricting the import into the United States of these specified hardware and software products for use in U.S.-made vehicles).

The threshold within the proposed rule for persons or entities owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary (for purposes of the proposed rule, PRC and Russia) includes:  

• Any person, wherever located, who acts as an agent, representative, or employee of PRC or Russia or a person whose activities are controlled or financed by PRC or Russia;
• Citizens or Residents of PRC or Russia or a country controlled by PRC or Russia;
• Any organization with a principal place of business in, headquartered in, incorporated in, PRC or Russia or a country controlled by PRC or Russia; or
• Any organization, wherever organized or doing business, that is controlled by a person or organization that meets the above criteria.

Under the proposed rule, the prohibitions on software would take effect for model year 2027 vehicles, while the hardware prohibitions would take effect for model year 2030 vehicles (or January 1, 2029, for units without a model year).

Compliance Processes

BIS is also proposing processes to monitor and facilitate compliance with the rule. These measures are intended to ensure members of the impacted industries understand the prohibitions and are not caught off guard by enforcement actions. The proposed processes include:

• Declarations of Conformity whereby impacted importers and manufacturers would certify annually that they had not knowingly engaged in a prohibited transaction and provide information on their imports of VCS hardware or connected vehicles;
• Advisory opinions to allow impacted firms to seek guidance from BIS as to whether a specific (not hypothetical) transaction is subject to a prohibition;
• General and specific authorizations subject to approval by BIS to permit a hardware importer or connected vehicle manufacturer to engage in an otherwise prohibited transaction; and
• A process by which BIS may inform hardware importers and vehicle manufacturers, individually or by public notice, that certain activities may require an authorization because the activity could constitute a prohibited transaction.

Takeaways

Parties potentially affected by the NPRM should set time aside now to consider whether  and to what extent, the NPRM will affect their operations. As technologies advance and potential national security vulnerabilities are identified, the U.S. government may increase or introduce new controls in this and related sectors. The NPRM puts automakers on notice that the U.S. government views their industry as part of the national’s critical technology infrastructure, alongside companies in the semiconductor, quantum computing, AI, and other spaces.