On January 14, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) published the Final Rule addressing national security risks associated with connected vehicle technologies. The final rule, which follows the earlier Notice of Proposed Rulemaking (NPRM) issued on September 23, 2024, incorporates feedback from stakeholders, including OEMs, NGOs, foreign governments, and other industry representatives, and refines key provisions to mitigate undue compliance burdens while maintaining robust national security safeguards. Our client alert regarding the NPRM can be found here.
This rule, implemented under BIS's Information and Communications Technology and Services (ICTS) authorities as outlined in Executive Order 13873, establishes comprehensive prohibitions targeting specific hardware and software integral to Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS). These prohibitions are designed to mitigate national security risks associated with entities owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China (PRC) or Russia.
The rule prohibits importers of VCS hardware (VCS Hardware Importers) from knowingly importing into the United States any VCS Hardware designed, developed, manufactured, or supplied by persons or entities affiliated with the PRC or Russia. This measure aims to prevent potentially vulnerable hardware from entering the U.S. supply chain. The rule also prohibits VCS Hardware Importers from importing completed connected vehicles that incorporate VCS Hardware from the PRC or Russia, as well as subassemblies with such incorporated VCS hardware that is intended to be sold as part of a completed connected vehicle in the United States.
It also prohibits Connected Vehicle Manufacturers from knowingly importing completed connected vehicles for sale in the United States that incorporate covered VCS or ADS software, if such software is designed, developed, manufactured, or supplied by persons or entities under the jurisdiction or direction of the PRC or Russia. Furthermore, these manufacturers are prohibited from knowingly selling completed connected vehicles with such software within the United States.
Additionally, manufacturers owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia face even broader prohibitions. These manufacturers are barred from selling in the United States any completed connected vehicles incorporating VCS Hardware or Covered Software, regardless of the hardware or software's origin. They are also prohibited from offering commercial services in the United States using completed connected vehicles that incorporate ADS.
In the Final Rule, BIS states that these provisions reflect the agency’s focused effort to address the national security risks posed by foreign adversary involvement in critical components of connected vehicles, safeguarding the U.S. automotive supply chain and protecting sensitive data from potential exploitation.
Key Updates
The Final Rule incorporates substantial revisions in response to stakeholder feedback, addressing industry concerns while upholding strong national security protections. The key changes between the NPRM and the Final Rule are summarized below.
Changes to Definitions
- “Covered Vehicle”: The Final Rule revises the definition of this term to exclude vehicles with a gross vehicle weight rating (GVR) of more than 4,536 kilograms (10,000 pounds), focusing on passenger vehicles and deferring commercial vehicle regulations to future rulemaking.
- “Covered Software”: The Final Rule revises the definition of this term to
- Clarify that it includes application, middleware, and system software, but explicitly excludes firmware;
- Narrow the scope to regulate only software that "directly enables" ADS or VCS functions at the vehicle level; and
- Introduces a legacy software exclusion for software designed, developed, manufactured, or supplied before March 17, 2026, provided no subsequent maintenance or alteration by an entity owned by, controlled or subject to the jurisdiction of a foreign adversary.
- “Covered Vehicle Manufacturer”: The Final Rule clarifies that the definition of this term includes U.S. persons whose only activity is the integration of ADS software into completed vehicles in the U.S.
- HBOM (Hardware Bill of Materials) and SBOM(Software Bill of Materials): The Final Rule
- Simplifies HBOM requirements to focus on supply chain relationships rather than exhaustive documentation.
- SBOM: Clarified as a record containing the details and supply chain relationships of software components, with revised requirements that remove the need for dynamic and machine-readable inventories, focusing instead on documenting supply chain relationships.
- Vehicle Connectivity System (VCS): Expanded to include additional programmable components (e.g., digital signal processors, field-programmable gate arrays) and refined to specify that included components must be “directly connected” to VCS functions.
- VCS Hardware Importer: Revised to include a more detailed description of the importing process. Importers include those who bring in vehicle control systems (VCS) hardware either for integration into subassemblies or completed vehicles, as well as those who import fully completed vehicles that already incorporate VCS hardware. In both cases, the intent behind the importation is directed toward eventual sale or operation within the U.S.
Changes to Declarations of Conformity
The Final Rule makes a number of changes to the requirements related to submission of Declarations of Conformity, primarily to reduce the regulatory burden on vehicle manufacturers.
- New Requirements for VCS Hardware: Persons who import VCS hardware separately from completed connected vehicles are now required to submit declarations for the hardware. Previously, the Declaration of Conformity requirement applied only to completed vehicles.
- Reduced Frequency: Removes the annual declaration requirement for unchanged models, allowing a confirmation in place of full re-submission if there are no material changes.
- Streamlined Submissions: Eliminates the need to submit SBOMs and HBOMs alongside declarations, replacing this with enhanced recordkeeping and certification obligations.
- Due Diligence and Recordkeeping: Stipulates that declarants are required to conduct due diligence and must ensure all necessary documents are available for submission to BIS if required.
- Reliance on Third-party Certifications: Permits manufacturers and importers to rely on supplier statements provided all due diligence is documented.
- Update Requirements: Mandates updates to declarations in the event of material changes or omissions, ensuring that compliance records remain accurate and up-to-date.
Exclusions and Thresholds
Introduced a legacy software exclusion, easing the burden of compliance for software created before one year from the rule’s effective date. BIS rejected proposals for a de minimis threshold for foreign adversary content due to enforcement challenges and circumvention risks. Instead, the focus remains on excluding pre-existing legacy code while addressing security risks comprehensively.
General Authorizations
- General authorizations were removed from the rule text. BIS retains the authority to issue these authorizations as needed, providing flexibility for low-risk transactions.
- Specifically, BIS has modified its procedures to provide greater flexibility and responsiveness in issuing general authorizations. Instead of specifying predetermined general authorizations within the regulatory text, BIS can now issue them directly on its website and through the Federal Register. This change was influenced by public comments urging BIS to expand the use of general authorizations, including suggestions to create authorizations for connected vehicle manufacturers who meet stringent security standards to address national security concerns. By moving away from enumerated categories in the rule, BIS can act more swiftly to issue or update general authorizations as necessary, without relying on an extensive rulemaking process. BIS plans to issue a set of general authorizations shortly after this rule’s publication, consistent with the proposals outlined in the NPRM. These authorizations are expected to cover areas such as small businesses, infrequent public road use of connected vehicles, display/testing/research activities, and repair, alteration, or competition purposes.
Procedural Revisions
- Expanded Penalties: Procedural provisions for imposing penalties were clarified, emphasizing compliance and documentation requirements.
- Advisory Opinions: BIS introduced a 60-day response timeline for advisory opinion requests, providing greater procedural clarity.
Additional Clarifications
- BIS clarified that any ADS software containing a module developed, manufactured, or supplied by a foreign adversary renders the entire ADS software suite subject to the rule. This clarification aligns with national security objectives by addressing modular software risks.
- Importers and manufacturers may rely on supplier certifications and documentation, provided they maintain records and document their due diligence.
These revisions balance the need for security with stakeholder concerns, ensuring practical compliance mechanisms while addressing the identified risks of foreign adversary involvement in connected vehicle technologies.
Prohibited Transactions
The Final Rule would, absent a General or Specific Authorization, prohibit all of the following:
- VCS Hardware Importers from knowingly importing into the United States any “VCS Hardware,” as further defined below that was designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia. Because the term VCS Hardware Importers is defined to include importers of connected vehicles and subassemblies thereof that incorporate VCS hardware, this prohibition also extends to such complete connected vehicles and subassemblies intended to be sold as completed vehicles in the United States
- Connected Vehicle Manufacturers from knowingly importing into the United States Completed Connected Vehicles incorporating certain software that supports the function of VCS or ADS (VCS and ADS software are collectively referred to herein as “Covered Software,” as further defined below) designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia.
- Connected Vehicle Manufacturers from knowingly selling within the United States Completed Connected Vehicles that incorporate Covered Software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia.
- Connected Vehicle Manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of China or Russia from knowingly selling in the United States Completed Connected Vehicles that incorporate VCS Hardware or Covered Software, regardless of whether such VCS Hardware or Covered Software is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or control of China or Russia.
- Connected Vehicle Manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of China or Russia from offering commercial services in the United States that utilized Completed Connected Vehicles that incorporate ADS.
Key Defined Terms
In the Final Rule, BIS incorporated comments following the Proposed Rule regarding the definition of certain terms. After full consideration of the submitted comments, BIS included definitions for certain key terms, including the following.
Automated Driving System
The Final Rule defines “Automated Driving System” as hardware and software that, collectively, are capable of performing the entire dynamic driving task for a completed connected vehicle on a sustained basis, regardless of whether it is limited to a specific operational design domain (ODD). BIS confirms this definition aligns with industry terminology for advanced autonomous driving systems and is consistent with definitions from the National Highway Traffic Safety Administration (NHTSA). Specifically, it corresponds to automation levels 3, 4, and 5, full automation, as outlined in the current SAE International standard J3016 (Taxonomy and Definitions for Terms Related to Driving Automatic Systems for On-Road Motor Vehicles) (April 2021). BIS also confirms that when enforcing this rule it will only consider “Automated Driving Systems” that fall within the scope, which is further detailed in the explanations of Levels 3, 4, and 5 systems contained within J3016. BIS declined to include LiDAR and other sensing systems within the scope because “this rulemaking will address only ADS software and not the multiple hardware systems that support or directly enable ADS operation,” particularly within the narrow scope of the automotive sector.
Completed Connected Vehicle
BIS defines a “completed connected vehicle” as a connected vehicle that requires no further manufacturing operations to perform its intended function. This definition aligns with NHTSA’s definitions. Additionally, BIS clarifies that integrating an ADS into a Connected Vehicle constitutes a manufacturing operation for a "Completed Connected Vehicle." Therefore, any entity under the control or jurisdiction of China or Russia that solely integrates ADS into an otherwise completed vehicle would be subject to the rule’s prohibitions and would need a Specific Authorization to import or sell such vehicles in the United States. However, BIS does not suggest that these prohibitions apply only to products equipped with ADS.
Connected Vehicle
BIS defines a “connected vehicle” as a vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device. Vehicles operated exclusively on rail lines are excluded from this definition. Additionally, a connected vehicle with a gross vehicle weight rating of more than 4,536 kilograms or 10,000 pounds is not included in this definition, only vehicles under 10,000 pounds, which largely apply to the passenger vehicle market. This definition reflects suggestions from NPRM commenters, many of whom requested greater clarity with respect to covered passenger, recreational, and commercial vehicles. BIS excludes commercial vehicles from the rule and incorporates the weight limitation, in alignment with definitions used by other government agencies, e.g., the Federal Motor Carrier Safety Administration, to distinguish between passenger and commercial vehicles. BIS confirms that motorcycles, as defined in 40 CFR 205.151, are covered within the scope of this definition, while transactions involving covered software and VCS hardware not integrated into a connected vehicle are not subject to this regulation.
Connected Vehicle Manufacturer
BIS defines a “connected vehicle manufacturer” to mean a U.S. person who: (1) manufactures or assembles Completed Connected Vehicles in the United States for sale (which could include contracting operations) in the United States (not for export and sale abroad); (2) imports Connected Vehicles for sale in the United States; and/or (3) integrates ADS software on a Completed Connected Vehicle for sale in the United States. In other words, the manufacturer, or assembler, or importer of record. BIS aims to include entities who purchase Completed (and compliant) Connected Vehicles from a third party and integrate their proprietary ADS on that vehicle to enable autonomous driving. Additionally, BIS clarifies “that a person whose sole manufacturing or assembly operation is integrating ADS into an otherwise Completed Connected Vehicle would qualify such a person as being a ‘connected vehicle manufacturer.’”
Covered Software
BIS defines “covered software” as the software-based components, including application, middleware, and system software, in which there is a foreign interest, executed by the primary processing unit or units of an item that directly enables the function of Vehicle Connectivity Systems (VCS) or Automated Driving Systems (ADS) at the vehicle level.
This excludes firmware, which is characterized as software specifically programmed for a hardware device with a primary purpose of controlling, configuring, and communicating with that hardware device. This also excludes open-source software, which is characterized as software for which the human-readable source code is available in its entirety for use, study, re-use, modification, enhancement, and redistribution by the users of such software, unless that open-source software has been modified for proprietary purposes and not redistributed or shared. Open-source software for purposes of this definition does not include large language models (LLMs) or related neural networks. This definition also excludes software subcomponents that were designed, developed, manufactured, or supplied prior to March 17, 2026, as long as those software subcomponents are not maintained, augmented, or otherwise altered by an entity owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary after March 17, 2026. Entities should assess whether the relevant software component is considered “application” software by industry standard(s) and if the product’s primary processor executes the software to determine if such a component would qualify as application software under this definition.
Covered Software includes operating systems like real-time operating systems (RTOS) and general-purpose operating systems. For ADS, it could include machine learning software for tasks like object detection. Notably, this definition is not limited to Chinese or Russian-origin products.
Foreign Interest
BIS defines "foreign interest" as any interest in property of any nature whatsoever, whether direct or indirect, by a non-U.S. person, including ownership, intellectual property, contracts, profit-sharing, or licensing. This definition follows the sanctions framework issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control. BIS plans to regulate transactions involving VCS Hardware or Covered Software from entities controlled by China or Russia. Affected entities would need to obtain a General or Specific Authorization. Additionally, VCS Hardware Importers and Connected Vehicle Manufacturers must submit an annual Declaration of Conformity, ensuring their supply chains do not involve prohibited foreign interests. However, Declarations of Conformity are not required for those transactions where the only foreign interest in the product is (1) tied to a foreign entity’s equity ownership in a U.S. person, or (2) related to covered software that resides in open-source or legacy code. The rule also covers software interests retained by foreign developers post-integration into vehicles, making Connected Vehicle Manufacturers responsible for compliance. BIS also aims to regulate vehicle sales if foreign adversaries have data-sharing or profit-sharing agreements tied to the Connected Vehicle's VCS Hardware or Covered Software.
Hardware Bill of Materials
BIS defines “Hardware Bill of Materials” (HBOM) as a formal record of the supply chain relationships of parts, assemblies, and components required to create a physical product, including information identifying the manufacturer, and related firmware. BIS updated the HBOM definition from the NPRM to better align with industry practices.
Import
BIS defines “import”, with respect to any article (namely, VCS hardware and covered software), as the entry of such article into the United States Customs Territory. It does not include admission of an article from outside the United States into a foreign-trade zone for storage pending further assembly in the foreign-trade zone or shipment to a foreign country. This definition also applies to related terms such as “importing” and “imported.”
Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary
Consistent with the scope of E.O. 13873, BIS defines a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” as:
- Any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary;
- Any person, wherever located, who is a citizen or resident of a foreign adversary or a country controlled by a foreign adversary, and is not a United States citizen or permanent resident of the United States;
- Any corporation, partnership, association, or other organization with a principal place of business in, headquartered in, incorporated in, or otherwise organized under the laws of a foreign adversary or a country controlled by a foreign adversary; and
- Any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary, to include circumstances in which any person identified in paragraphs (a) through (c) possesses the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity.
This broad definition aims to cover entities that could potentially be influenced or controlled by foreign adversaries whether located in or outside of China and Russia. Reference to “majority or dominant minority” and “direct or indirect” control could be read to cover a broad scope of corporate and investment structures. BIS also confirms that participation by individual contributors holding Chinese or Russian citizenship is not itself determinative of the related VCS hardware or covered software being designed, developed, manufactured, or supplied by a person owned by, controlled by, or subject to the jurisdiction or direction of China or Russia, and thus subject to the rule’s prohibitions.
Sale
BIS defines “sale” in this subpart as distributing for purchase, lease, or other commercial operations a new Completed Connected Vehicle for a price, to include the transfer of Completed Connected Vehicles from a Connected Vehicle Manufacturer to a dealer or distributor, as those terms are defined in 49 U.S.C. 30102. This definition also extends to related terms such as "sell" or "selling," and includes direct-to-consumer sales from the manufacturer to the final purchaser.
Software Bill of Materials
In alignment with the National Telecommunication and Information Administration’s (NTIA) Minimum Elements for a Software Bill of Materials, BIS defines a “Software Bill of Materials” (SBOM) as a formal record containing the details and supply chain relationships of various components used in building software. Software developers and vendors often create products by assembling existing open-source and commercial software components and the SBOM enumerates these components in a product. BIS modified the SBOM definition for ease of compliance by manufacturers and small entities as the prior minimum documentation requirements were complex, extensive, and detailed.
VCS
BIS defines “Vehicle Connectivity System” as a hardware or software item installed in or on a completed connected vehicle that directly enables the function of transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz. VCS specifically excludes hardware or software items that exclusively (1) enable the transmission, receipt, conversion, or processing of automotive sensing (e.g., LiDAR, radar, video, ultrawideband); (2) enable the transmission, receipt, conversion, or processing of ultrawideband communications to directly enable physical vehicle access (e.g., key fobs); (3) enable the receipt, conversion or processing of unidirectional radio frequency bands (e.g., global navigation satellite systems (GNSS), satellite radio, AM/FM radio); or (4) supply or manage power for the VCS. This definition excludes most remote keyless entry fobs, immobilizers, automotive sensing, and certain internal wireless sensors and relays. VCS software is also included in the definition of Covered Software.
VCS Hardware
BIS defines “VCS hardware” as the software-enabled or programmable components and subcomponents if they directly enable the function of Vehicle Connectivity Systems or are part of an item that directly enables the function of Vehicle Connectivity Systems, including but not limited to: microcontroller, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite navigation systems, satellite communication systems, other wireless communication microcontrollers or modules, external antennas, digital signal processors, and field-programmable gate arrays. It excludes parts that do not contribute to VCS hardware communication functions, like brackets, fasteners, plastics, and passive electronics. The definition also applies to aftermarket devices that can be integrated into or attached to a vehicle to perform VCS functions.
VCS Hardware Importer
BIS defines a “VCS hardware importer” as a U.S. person who imports (1) VCS hardware for further manufacturing, incorporation, or integration into a completed connected vehicle that is intended to be sold or operated in the United States; or (2) VCS hardware that has already been installed, incorporated, or integrated into a connected vehicle, or a subassembly thereof, that is intended to be sold as part of a completed connected vehicle in the United States. This definition includes Connected Vehicle Manufacturers if they import vehicles with pre-installed VCS Hardware. The scope covers OEMs as well as tier 1 and tier 2 suppliers who import VCS Hardware into the United States with the intention of incorporating it into the U.S. automotive supply chain.
Compliance
Declaration of Conformity
BIS is requiring VCS Hardware Importers and Connected Vehicle Manufacturers to submit annual Declarations of Conformity, at least 60 days prior to the first import or sale of each model year of complete connected vehicle that incorporates covered software, certifying they have not engaged in prohibited transactions and are in compliance with this regulation, as indicated by their completion of due diligence requirements. Entities engaged in VCS hardware transactions and entities engaged in covered software transactions are also required to submit Declarations of Conformity, even if not engaged in prohibited transactions. The declaration must include the name and contact information of the VCS hardware importer or connected vehicle manufacturer, as well as additional information outlined in section 791.305, based on whether the entity is engaging in a covered software or VCS hardware transaction. BIS does not mandate specific due diligence but allows companies to provide specific documented evidence, namely primary business records and or third-party verification entities, of efforts tailored to their operations. HBOMs and SBOMs are not required, though they can be considered an adequate form of recordkeeping.
Declarations of Conformity would be required by:
- VCS Hardware Importers;
- Connected Vehicle Manufacturers importing Completed Connected Vehicles with Covered Software; and
- Connected Vehicle Manufacturers selling Completed Connected Vehicles for Sale in the United States.
Declarations must be submitted annually, once per model or calendar year, and may cover multiple transactions. BIS increased the submission deadline to 60 days in all instances and all connected vehicle manufacturers and VCS hardware importers must also notify BIS of any material change within 60 days of the discovery of such a change.
BIS further clarified that for the purposes of a Declaration of Conformity, a duly authorized designee is: (i) In the case of a partnership, any general partner thereof; (ii) In the case of a corporation, the chief executive officer, or any officer with the authority to bind the corporation; (iii) An employee with authority to make certifications on behalf of the company as designated by a person in (i) or (ii); and (iv) In the case of an entity lacking partners and officers, any individual manager, or designated agent who has been explicitly authorized by the board of directors or equivalent to sign contracts and make legally binding agreements on behalf of the entity.
Exemptions
BIS includes a phased approach for exempting transactions involving VCS Hardware and Covered Software from the prohibitions under the new rule, allowing time for market participants to adjust their supply chains.
- For VCS Hardware, importers would be exempt from the prohibitions until January 1, 2029, for hardware not tied to a specific model year, or for hardware integrated into vehicles with model years prior to 2030. After January 1, 2029, importers would need to obtain specific authorization for any prohibited transactions and submit an annual Declaration of Conformity for any continued imports.
- For Covered Software, Connected Vehicle Manufacturers would be exempt from the prohibitions until model year 2027. Beginning with model year 2027, manufacturers would need to obtain specific authorization for transactions involving prohibited Covered Software and submit Declarations of Conformity for imports and sales of Completed Connected Vehicles.
- Connected Vehicle Manufacturers owned or controlled by entities from China or Russia would also be permitted to engage in otherwise prohibited transactions for vehicles with model years prior to 2027. Starting with model year 2027, these manufacturers would be required to obtain specific authorization for transactions prohibited by the Final Rule.
- Parts that are imported for purpose of warranty or repair of a completed connected vehicle with a model year prior to 2030.
Authorizations
General Authorizations
Importers of VCS hardware and connected vehicle manufacturers may utilize a general authorization to conduct transactions that would otherwise be prohibited, provided they meet specified conditions and avoid restrictions. Records evidencing compliance must be kept for 10 years, and the BIS may review these records upon request.
General authorizations, published on the BIS website and in the Federal Register, may serve as an alternative to specific authorizations, which will not be granted when a general authorization is applicable.
However, users of these general authorizations must adhere to reporting and instruction requirements; failure to do so can nullify the authorization and lead to enforcement actions. Any changes in circumstances affecting eligibility must be addressed within 30 days, and importers must stop prohibited activities, investigate, and report violations to BIS. Restrictions include ineligibility notifications from BIS and ownership or control by certain foreign entities. BIS retains the authority to verify compliance and request supporting documentation as needed.
Specific Authorizations
VCS Hardware Importers and Connected Vehicle Manufacturers ineligible for a general authorization or exemption must apply for a Specific Authorization to engage in otherwise prohibited transactions. BIS reviews these applications on a case-by-case basis to assess the national security risks involved, particularly the extent of foreign adversary involvement. Applicants cannot proceed with the transaction until BIS grants the authorization, and engaging in the transaction without approval would be a violation.
Applications must include detailed information about the transaction, including the parties involved, the VCS Hardware or Covered Software, and documentation to support the application. BIS will review on a case-by-case basis and typically provide a response or request further information within 90 days of the application.
BIS evaluates several factors when reviewing applications, such as the applicant's ability to limit foreign adversary influence, security standards, and proposed mitigations. BIS's decision applies only to the specific transaction and may include conditions, such as technical or operational controls, to mitigate risks. The duration of the authorization will generally be approved for a duration of no less than one model year or calendar year.
If an application is denied, the applicant can reapply with a different transaction or demonstrate a material change in circumstances for reconsideration.
Appeals
BIS establishes an appeal mechanism for any person whose application for a Specific Authorization is denied, suspended, revoked, or who has been deemed ineligible for a general authorization. Appeals must be submitted in writing (via email or mail) to the Office of the Under Secretary within 45 days of the notice of adverse action, consistent with 15 CFR 756.2(c). The appeal should outline how the appellant has been adversely affected and provide reasons for reversing or modifying BIS’s decision.
The Under Secretary may delegate the appeal review to the Deputy Under Secretary or another BIS official. The designated official can, at their discretion, arrange informal hearings with relevant parties. Appellants may submit additional information in support of their appeal but typically no later than 30 days after the original submission. If supplementary information is requested, appellants have 30 calendar days to respond. Appellants can also request an informal hearing in writing, though hearings are not required and are granted at the discretion of the Under Secretary or designated official.
Third parties may submit amicus filings in support of parties undergoing an informal appeals hearing if, for example, their technology is the subject of the appeal.
Advisory Opinions
BIS establishes a 60-day deadline for issuing advisory opinions as part of a broader mechanism that is similar to the process in the Export Administration Regulations (EAR). This process aims to provide clarity to Connected Vehicle Manufacturers, VCS Hardware Importers, and other stakeholders on complying with the proposed rule. However, BIS notes that these advisory opinions would not confirm that the ICTS transaction falls outside the jurisdiction of other U.S. Government agencies.
BIS may publish advisory opinions of broad public interest on its website, with necessary redactions to protect Confidential Business Information. To request an advisory opinion, parties must submit a written request via email or a portal on the BIS website (mail submissions will not be accepted). The request must include contact details and complete information about the prospective transaction, including technical details on VCS Hardware or Covered Software, SBOM and/or HBOM, and any other relevant materials.
BIS will only provide advisory opinions for actual transactions, not hypothetical scenarios, and all parties must be identified. Advisory opinions can only be relied upon if the information submitted was complete and remains accurate throughout the process.
“Is-Informed” Notices
BIS may notify Connected Vehicle Manufacturers or VCS Hardware Importers, either through direct letters or via a Federal Register notice, that a transaction involving specific Covered Software, VCS Hardware, or entities requires a Specific Authorization. This notification, known as an “Is-Informed” notice, indicates that the transaction would be classified as a Prohibited Transaction under the proposed rule. Any person who engages in a transaction covered by such a notice without first obtaining a Specific Authorization from BIS would be in violation of the proposed rule as they would have knowledge that such transaction is prohibited.
"Is-Informed" notices can only be issued by, or at the direction of, the Under Secretary or a BIS employee designated by the Under Secretary.
Recordkeeping and Reporting Requirements
BIS proposes requiring Connected Vehicle Manufacturers and VCS Hardware Importers to maintain complete records for any transaction subject to a Declaration of Conformity, general authorization, or specific authorization under this rule, for a period of at least ten years. This recordkeeping requirement applies whether or not the transaction was conducted with authorization, and even if the authorization has not yet been sought.
Records are limited solely to primary business records related to the execution of the transaction.
Additionally, BIS may request these records at any time—before, during, or after a transaction. This requirement ensures that manufacturers and importers maintain documentation that can be reviewed by BIS to confirm compliance with the proposed regulations.
Enforcement
Penalties
IEEPA authorizes this rulemaking, and violations of the rule, if finalized, may result in civil or criminal penalties under IEEPA. This includes engaging in prohibited transactions without proper authorization or failing to comply with authorization conditions. Penalties may include fines up to $377,700 per violation and criminal penalties up to $1,000,000 or imprisonment. BIS will issue a Pre-Penalty Notice for potential violations, giving the recipient 30 days to respond or contest. If no settlement is reached, BIS will issue a final penalty notice, which can be contested in U.S. District Court. BIS will, however, take into consideration voluntary self-disclosures of potential violations when deciding whether to issue a penalty.
Finding a Violation
BIS may determine that a violation has occurred but that a civil monetary penalty is not warranted. In such cases, BIS would issue a "finding of violation," identifying the violation and possibly including an administrative response, such as a cease-and-desist order. Recipients of this finding can contest it by submitting a response within 30 days. BIS will review any new information and then make a final decision. If no response is submitted within 30 days, the right to contest is waived. The finding of violation constitutes a final agency action and is not subject to appeal.
[View source.]
