The U.S. Department of Commerce's Bureau of Industry and Security (BIS) issued a Notice of Proposed Rulemaking (Proposed Rule) on Sept. 26, 2024, to address certain undue or unacceptable risks identified in Executive Order (E.O.) 13873 issued on May 15, 2019, titled "Securing the Information and Communications Technology and Services Supply Chain."
The Proposed Rule builds upon an Advance Notice of Proposed Rulemaking (ANPRM) issued by BIS on March 1, 2024, and reflects BIS' consideration of the comments received to the ANPRM. The public is encouraged to submit comments on the Proposed Rule by Oct. 28, 2024.
Background
BIS has been increasingly focused on addressing national security vulnerabilities within the technology sector in recent years, particularly those posed by foreign adversaries such as the People's Republic of China (PRC) and Russia. E.O. 13873, signed by President Donald Trump in May 2019, initiated a national emergency in response to the risk posed by foreign-controlled information and communications technology and services (ICTS) to critical U.S. infrastructure and national security, as well as the economy and safety of U.S. citizens. The E.O. authorized the Commerce Department secretary to assess and regulate transactions involving ICTS that warrant particular scrutiny.
Recognizing the growing complexity and risks posed by connected vehicle systems, BIS published the ANPRM in March 2024 to solicit input on how ICTS integrated into connected vehicles might be susceptible to foreign interference and exploitation. BIS solicited public comments on certain definitions, likelihood of vulnerabilities, consequences if these vulnerabilities were exploited by a foreign adversary and potential economic impact.
The current Proposed Rule builds on this earlier effort by introducing specific regulatory measures to safeguard national security and prevent foreign adversaries from using certain technologies to gain access to sensitive data, manipulate vehicle operations and undermine U.S. infrastructure. The Proposed Rule focuses on hardware and software related to vehicle connectivity systems (VCS) and automated driving systems (ADS) designed, developed or supplied by entities from the PRC or Russia.
Key Elements of the Proposed Rule
Prohibited Transactions
The Proposed Rule delineates three main categories of prohibited transactions, namely:
- the knowing import of VCS hardware into the U.S. that is designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of the PRC or Russia
- the knowing sale within or imported into the U.S. of a completed connected vehicle containing covered software that is designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of the PRC or Russia
- the knowing sale of completed connected vehicles that incorporate VCS hardware or covered software by connected vehicle manufacturers who are owned by, controlled by or subject to the jurisdiction or direction of the PRC or Russia
Covered Software and Hardware
The Proposed Rule includes restrictions on the import or sale of connected vehicles using VCS and ADS software, as well as imports of VCS hardware equipment.
- VCS is a hardware or software item within connected vehicles that allows the vehicles to communicate with external networks, collect data (e.g., GPS location, speed and voice commands) and provide services.
- ADS refers to systems that are capable of performing the entire dynamic driving task for a completed connected vehicle on a sustained basis. ADS can operate at different levels of automation, allowing vehicles to operate with minimal to no driver intervention.
VCS and ADS together constitute the term "covered software" within the Proposed Rule.
Covered Entities
The Proposed Rule is intended to cover VCS hardware importers and suppliers, as well as connected vehicle manufacturers.
The Proposed Rule defines a "connected vehicle manufacturer" as a U.S. person that either 1) manufactures or assembles completed connected vehicles in the U.S. or 2) imports completed connected vehicles for sale in the U.S. The term "connected vehicle" is defined broadly and refers to vehicles "driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrate onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device." Vehicles operating solely on rail lines are excluded from the definition. With this definition, BIS aims to encompass all new vehicles sold in the U.S. and most modern vehicles currently operating.
The proposed definition of "VCS hardware importer" covers U.S. persons importing VCS hardware for further manufacturing, integration, resale or distribution. BIS proposes to define "VCS hardware" as certain software-enabled or programmable components and subcomponents that support the function of VCS or that are part of an item that supports the function of VCS. A connected vehicle manufacturer may be a VCS hardware importer if VCS hardware has already been installed in a connected vehicle when imported by the connected vehicle manufacturer.
Foreign Adversaries
The Proposed Rule identifies two key foreign adversaries: the PRC and Russia. BIS highlights the concerns over these countries' ability to exploit ICTS through domestic legislation and regulatory control, potentially leading to data exfiltration and remote vehicle manipulation.
As mentioned above, covered entities would be prohibited from knowingly importing any VCS hardware designed, developed or supplied by entities owned by, controlled by or subject to the jurisdiction or direction of the PRC or Russia, as well as importing or selling any completed vehicles that incorporate covered software from these foreign adversaries. Notably, BIS broadly defines the term "owned by, controlled by, or subject to the jurisdiction or direction of" foreign adversaries to include:
- any individual, regardless of their location, who acts as an agent, representative or employee of a foreign adversary
- any citizen or resident of a foreign adversary, excluding U.S. citizens and permanent residents
- any corporation, partnership, association or other organization based, headquartered, incorporated or organized under the laws of a foreign adversary
- any corporation, partnership, association or other organization owned or controlled by a foreign adversary
Compliance Requirements and Mechanisms
The Proposed Rule includes several mechanisms aimed at facilitating compliance with its prohibitions, as well as authorizations that would grant VCS hardware importers and connected vehicle manufacturers the ability to engage in otherwise prohibited transactions:
1. Declarations of Conformity
To encourage compliance, the Proposed Rule requires a Declaration of Conformity be submitted to BIS annually by VCS hardware importers and connected vehicle manufacturers certifying that they have not engaged in a prohibited transaction. Additionally, such declaration is required whenever there is a material change that impacts the content of the previous declaration.
A Declaration of Conformity must be submitted at least 60 days prior to the first sale or import of certain vehicles or prior to the import of VCS hardware. In the event of a material change, an updated Declaration of Conformity must be submitted within 30 days. BIS is expected to provide a portal on its website through which VCS hardware importers and connected vehicle manufacturers can submit their Declarations of Conformity.
2. General and Specific Authorizations
A general authorization would be available for VCS hardware importers and connected vehicle manufacturers seeking to engage in otherwise prohibited transactions in a narrow set of circumstances, including:
- connected vehicle manufacturers or VCS hardware importers who produce small quantities (fewer than 1,000 units per calendar year) of completed connected vehicles or VCS hardware
- completed connected vehicles incorporating covered software or VCS hardware that will be used on public roadways on fewer than 30 calendar days in any calendar year
- completed connected vehicles incorporating covered software or the VCS hardware used solely for the purpose of display, testing or research and not used on public roadways
- completed connected vehicles incorporating covered software or VCS hardware that are imported solely for purposes of repair, alteration or competition off public roads and will be reexported within one year from the time of import
For VCS hardware importers and connected vehicle manufacturers who wish to engage in a prohibited transaction but do not otherwise qualify for a general authorization, a specific authorization from BIS would be required. Specific authorizations are evaluated by BIS on a case-by-case basis.
3. Advisory Opinions and "Is-Informed" Notices
The Proposed Rule offers a mechanism for BIS to issue advisory opinions, similar to the process outlined in the Export Administration Regulations (EAR), aimed to assist connected vehicle manufacturers and VCS hardware importers with understanding how to comply with the Proposed Rule. BIS may publish on its website advisory opinions that are of broad interest to the public.
Additionally, BIS may issue "Is-Informed" notices to notify connected vehicle manufacturers and VCS hardware importers that certain transactions require a specific authorization, as it would constitute prohibited activities. Any person who engages in a transaction covered by an "Is-Informed" notice would be considered to have knowledge that such transaction is prohibited and would therefore be in violation of the NPRM.
Recordkeeping Requirements
Under the Proposed Rule, BIS would require connected vehicle manufacturers and VCS hardware importers to maintain complete records related to any transaction for which a Declaration of Conformity, general authorization or specific authorization would be required for a period of 10 years.
Exemptions and Timeline
Transactions conducted by VCS hardware importers and connected vehicle manufacturers will be exempt from the prohibitions and requirements of the Proposed Rule for a limited period. Broadly, the prohibitions on software would take effect for Model Year 2027, and the prohibitions on hardware would take effect for Model Year 2030. These exemptions reflect BIS' effort to address numerous public comments highlighting the complexity of hardware supply chains for connected vehicles, which necessitate several years to modify.
Penalties
Violations under the proposed rule are subject to both civil and criminal penalties pursuant to the International Emergency Economic Powers Act (IEEPA). Civil penalties can reach up to $368,136 per violation (current amount subject to increase), while criminal penalties may be as high as $1 million.
Conclusion
The Proposed Rule reflects the U.S. government's ongoing efforts to protect national security by regulating the import and sale of certain connected vehicle systems designed, developed, manufactured or supplied by entities with a sufficient nexus to the PRC or Russia. To protect against PRC or Russian companies setting up operations in other parts of the respective regions to develop and manufacture VCS hardware and covered software, the Proposed Rule extends to companies owned or controlled by a PRC or Russian company.
Though the Proposed Rule would not take full effect for a couple of years given the intricacies of manufacturing a vehicle with embedded hardware and software noted here, companies involved in the vehicle supply chain should take note immediately.
Building on public feedback on the related ANPRM, the Proposed Rule outlines compliance requirements, penalties and authorizations aimed to prevent these countries of concern from exploiting connected vehicle technologies and ensuring the protection of critical U.S. infrastructure and data. Companies affected by the Proposed Rule are encouraged to submit comments and provide input on its potential impacts for their business operations.
Further, expect this proposed measure on connected vehicles to be a catalyst for continued regulation by BIS in other areas that are deemed sensitive (e.g., unmanned systems, sensors, etc.).
