The U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”), on September 23, 2024, issued a notice of proposed rulemaking (“NPRM”) to curb national security and privacy risks associated with information and communications technology and services (“ICTS”) with a nexus to China or Russia in vehicles on public roads that communicate with external sources. The proposed rule follows a March 2024 advanced notice of proposed rulemaking (“ANPRM”), comments from stakeholders and the public, and analysis by BIS of the technical parameters of ICTS in road vehicles warranting control. The White House has also issued a fact sheet explaining and contextualizing the NPRM, which we will discuss in an upcoming webinar on October 10, 2024.
BIS’s proposed rules focus on national security concerns relating to connected vehicle ICTS with specified links with China or Russia. Risks include sabotage of communications technology and autonomous features incorporated into vehicles, gathering of information regarding U.S. roadways and critical infrastructure, and exfiltration of personal data of U.S. persons. Such connected vehicles integrate onboard networked hardware with automotive software systems to communicate with external networks and devices.
The proposed regulations accordingly would prohibit importation into the United States of vehicle connectivity system (“VCS”) hardware enabling vehicle connectivity, and importation and U.S. sales of completed vehicles featuring connected software, respectively involving VCS hardware and software linked to China or Russia. BIS also would require declarations of conformity for imports of non-prohibited connectivity hardware and vehicles, provide for general and specific authorizations for otherwise prohibited transactions, and establish an avenue to obtain advisory opinions regarding interpretations of the rules.
The rules, if adopted, will apply to model-year 2027 vehicles and beyond, and will prompt significant diligence of automotive supply chains by companies in the industry. Parties can comment on the NPRM through October 28, 2024.
See our prior article and webinar on BIS’s ICTS rules, and sign up for our upcoming webinar here.
Below are nine aspects of BIS’s NPRM that interested parties should consider:
- VCS hardware imports. The NPRM would prohibit U.S. persons from importing VCS hardware enabling road vehicles to communicate with outside networks or devices at a radio frequency of over 450 megahertz where the importer has knowledge that such hardware was designed, developed, manufactured, or supplied by persons with specified links to China or Russia (as explained below). The 450-megahertz threshold is intended to avoid application to items such as key fobs and certain internal wireless sensors.
- Imports / sales of vehicles incorporating connected software. The NPRM would prohibit U.S. person “connected vehicle manufacturers” from importing or selling in the United States completed connected vehicles incorporating covered connected software designed, developed, manufactured, or supplied by persons with specified links to China or Russia. A “connected vehicle manufacturer” is defined as a U.S. person “(1) manufacturing or assembling completed connected vehicles in the United States; and/or (2) importing completed connected vehicles for Sale in the United States.”
- Prohibition for connected vehicle manufacturers owned or controlled by China or Russia. The NPRM provides: “Connected vehicle manufacturers who are persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia, are prohibited from knowingly selling in the United States completed connected vehicles that incorporate VCS hardware or covered software.” See below for further detail regarding the definition of the term “owned by, controlled by, or subject to the jurisdiction of” China or Russia.
- Knowledge requirement. BIS’s proposed prohibitions apply where a covered U.S. person has “knowledge” regarding specified links between covered VCS hardware or connected software with China or Russia. Notably, this would extend beyond positive knowledge to include awareness of a high probability of covered imports and sales or their future occurrence. Conscious disregard and willful blindness also would be included within the scope of “knowledge.” This likely will prompt extensive supply chain diligence for impacted companies.
- Specified links to China or Russia. The proposed regulations apply to covered VCS hardware or software designed, developed, manufactured, or supplied by persons “owned by, controlled by, or subject to the jurisdiction or direction of” China or Russia. Notably, the NPRM sets out several examples, with detailed fact patterns, describing the scope of persons included within this definition. Such persons include:
- Any person who acts as an agent, representative, or employee of China or Russia;
- Any person, wherever located, who is a citizen or resident of China or Russia and not a U.S. citizen or permanent residents (notably, BIS emphasizes in the NPRM that the rules do not apply “solely based on the country of citizenship of natural persons who are employed, contracted, or otherwise similarly engaged to participate in the design, development, manufacture, or supply” of the VCS hardware or covered software)
- any entity incorporated or headquartered in, or with a principal place of business in, China or Russia; or
- any entity “owned or controlled” by China or Russia, including entities in which the persons described above “possesses the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters” affecting such entity.
- Certificate of conformity requirements. U.S. persons importing non-prohibited covered VCS hardware or importing or selling non-prohibited connected vehicles would be required to submit a certification including, inter alia, a declaration that the person has not engaged in any prohibited transactions involving such VCS hardware or connected vehicles.
- Exemptions for specified pre-2027 / pre-2030 transactions. The NPRM sets out exemptions that provide for staggered implementation of the software and hardware prohibitions. Specifically, the prohibitions for connected vehicles incorporating covered software would not apply until model year 2027, while the prohibitions for VCS hardware would not apply until January 1, 2029, or model year 2030, depending on the circumstances.
- General / specific authorizations. BIS plans to implement narrow general authorizations and consider specific authorizations for otherwise prohibited transactions. General authorizations would apply to vehicles with limited production runs or road use. Furthermore, BIS will consider specific authorizations on a case-by-case basis.
- Advisory opinions. The proposed rule also contains a mechanism for advisory opinions, allowing parties to request a determination on whether prospective transactions are prohibited.
Affected parties should expect robust regulation of connected vehicles, vehicle communication systems, and automated driving systems in the future, and increased supply chain diligence inevitably will be necessary in this area.