U.S. Department of Commerce Finalizes Connected Vehicles Supply Chain Restrictions
On January 16, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a Final Rule formalizing prohibitions on certain connected vehicles (CVs) transactions involving hardware and software linked to the People’s Republic of China (China) and Russia.1 The Final Rule is scheduled to take effect on March 17, 2025. However, given that the Final Rule is one of several new regulatory frameworks on trade issued in the final days of the Biden administration, it remains to be seen what will happen with these regulations after January 20.
The Final Rule largely resembles the Notice of Proposed Rulemaking (NPRM) published in September 2024, with certain revisions to narrow the scope of the restrictions and reduce the compliance burden on the automotive industry. Sidley’s coverage of the NPRM is available here. The BIS website offering an overview of the Final Rule and frequently asked questions (FAQs) is here.
We offer takeaways and highlight the key changes from the NPRM below.
Who and what are covered?
Consistent with the NPRM, the restrictions and compliance obligations under the Final Rule affect the entire U.S. automotive industry. CVs generally include all new, on-road vehicles sold in the United States with the exception of commercial vehicles. The rule targets the import and sale of CVs containing certain vehicle connectivity systems (VCS) hardware or software or automated driving software (ADS) (or VCS hardware components sold separately). Thus, companies throughout the automotive industry — including importers and manufacturers of CVs, equipment manufacturers, and component suppliers — will be affected.
Implementation of the Final Rule will be phased in over the coming years to limit supply chain disruptions. Prohibitions applicable to CVs take effect beginning with model year (MY) 2027 for covered software and MY 2030 for VCS hardware.
What activities are prohibited, and what are the penalties for violations?
The Final Rule generally retains the same prohibitions from the NPRM. Absent a general or specific authorization, the following activities are prohibited:
- knowingly2 importing into the U.S. VCS hardware that is designed, developed, manufactured, or supplied by persons linked to China or Russia
- knowingly importing into or selling within the U.S. completed connected vehicles that incorporate VCS or ADS software (i.e., covered software) designed, developed, manufactured, or supplied by persons linked to China or Russia
- knowingly selling or distributing in the U.S. (including through robotaxi and rideshare services)3 completed connected vehicles that incorporate VCS hardware or covered software if the seller is linked to China or Russia, regardless of whether the vehicles are manufactured or assembled in the U.S.
As explained in our coverage of the NPRM, persons “linked to” China or Russia are those that are “owned by, controlled by, or subject to the jurisdiction or direction of” China (including Hong Kong) or Russia. BIS interpreted this language exceptionally broadly in the NPRM and continues to do so in the Final Rule, providing additional examples to aid industry’s understanding.
BIS explicitly denied requests to provide specific criteria or bright-line rules for determining whether an entity is linked to China or Russia. Some commenters pointed to the use of ownership thresholds in recent national security-related frameworks such as the Department of Justice rule on bulk-transfers of sensitive personal data or the Department of Energy rule for identifying foreign entities of concern. BIS rejected that approach, stating that its broad definition preserves the agency’s flexibility to address “evolving and unique national security risks across a variety of supply chains for distinct industries.”4 BIS plans to use this same broad definition to determine whether an entity is linked to a foreign adversary when reviewing all ICTS transactions under its mandate, as outlined in new regulations published December 2024.5
Persons who violate these prohibitions may be subject to civil and criminal penalties under the International Emergency Economic Powers Act (IEEPA) and fraud provisions in Title 18 of the United States Code.6
What are the key changes from the NPRM?
In response to industry feedback, BIS revised the NPRM to narrow the scope of the restrictions and reduce the compliance burden on the automotive industry.
Revisions to Key Terms
- “Connected vehicle” — BIS largely retained the definition for CVs as vehicles “driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways” that integrate certain networked hardware and software systems. To clarify that the Final Rule does not apply to commercial vehicles, however, BIS revised the definition to explicitly exclude vehicles with a gross vehicle weight rating of over 10,000 pounds (4,536 kilograms).7 This definition generally aligns with the distinction between passenger and commercial vehicles used by other government agencies. In response to industry comments, BIS clarified that the rule does apply to motorcycles but does not apply to electric scooters and e-bikes (which cannot be ridden legally on public highways and many roads).8
- “Connected vehicle manufacturer” — BIS previously identified CV manufacturers as persons who (1) manufacture or assemble completed CVs in the United States and/or (2) import completed CVs for sale in the United States. In response to industry questions, BIS added another category of persons to this definition — (3) persons who integrate ADS software on otherwise completed CVs for sale in the United States.9
- “Covered software” — In the NPRM, BIS defined “covered software” as software-based components, in which there is a foreign interest, executed by the primary processing unit of items supporting the function of VCS or ADS. To align with industry practices, BIS revised this definition as follows:
  - narrowed the scope to cover software-based components of items that directly enable the function of VCS or ADS
  - clarified that application, middleware, and system software are subject to the restrictions, while firmware and open-source software are not
  - exempted legacy software subcomponents produced prior to March 17, 2026 (provided they are not maintained or modified by an entity linked to China or Russia after March 17, 2026)
As explained in our coverage of the NPRM, covered software designed, developed, or otherwise supplied in whole or in part by persons linked to China or Russia are prohibited. Under the NPRM, even a small portion of base code produced by software development teams in China or Russia could have triggered the rule’s prohibitions. The new exemption for legacy subcomponents significantly eases the burden on companies with teams in China or Russia by limiting the application of the prohibitions to only such teams’ prospective involvement in the development or maintenance of covered software.
We note that BIS also clarified that VCS and ADS software added to completed CVs is within the scope of “covered software.” In fact, BIS explicitly rejected requests to exclude such software on the grounds that it poses the same national security threat as software added at the time of the vehicle’s manufacture.10
- “VCS” and “VCS hardware” — In the NPRM, BIS defined VCS as items for CVs that enable radio frequency communications over 450 megahertz and VCS hardware as the physical components and subcomponents that support the function of VCS. In response to industry comments, BIS narrowed the definition of both terms. Specifically, BIS
  - narrowed the scope of “VCS” to cover only those items that “directly enable” radio frequency communications
  - excluded from “VCS” certain low-risk functions, including automotive sensing (e.g., LiDAR, radar, video, ultrawideband), global navigation satellite systems, and satellite, AM, and FM radio
  - narrowed the scope of “VCS hardware” to cover only components that “directly enable” and “are directly connected to” VCS
BIS believes that these changes will allow industry to more easily identify components that are considered VCS hardware, aftermarket devices included. As with aftermarket software, BIS explicitly rejected a request to exclude aftermarket VCS devices from the rule and confirmed that such devices directly fulfilling VCS functions are within the scope of “VCS hardware.”11
Importantly, BIS did not create a legacy exemption for VCS hardware similar to that created for covered software.12 BIS did, however, note that VCS hardware components imported for repair or warranty are exempted if intended for CVs of model years prior to MY 2030.13
- “Foreign interest” — BIS offered additional guidance on the definition of “foreign interest” as related to identifying covered software subject to the rule’s restrictions and compliance obligations. As stated in the NPRM, a foreign interest must be an interest in property held by a non-U.S. person, such as direct ownership, interest in profits, data access and sharing rights, or maintenance obligations. In the Final Rule, BIS provides additional examples that illustrate the breadth of this definition. For example, BIS notes that a foreign company that provides a software development kit used by a third party to develop covered software would hold a foreign interest in the software.14 For practical purposes, BIS clarified that small amounts of foreign interest, particularly in public companies where holdings fluctuate, could make this assessment challenging; therefore, foreign interest in software arising solely from equity ownership (absent any control rights) does not trigger the rule’s restrictions or compliance obligations.15
Compliance Obligations and Due Diligence Requirements
As proposed in the NPRM, BIS will require importers and CV manufacturers to file annual declarations certifying their compliance with this rule prior to importing or selling CVs with VCS hardware or covered software (or VCS hardware components) in the United States. However, as detailed below, BIS significantly revised the proposed framework to clarify the certification obligations and reduce the compliance burden on industry.
- Declarations of Conformity: Importers and CV manufacturers will be required to certify, once per model or calendar year (as applicable), the following:
  - The VCS hardware or covered software to be imported or sold is not designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of (i.e., linked to) China or Russia.
  - They (or a third party) have conducted due diligence to inform the above certification and maintain supporting records.
  - They have taken all possible measures to ensure necessary information will be furnished to BIS upon request (either directly or via third parties).
BIS eliminated the proposed requirements for importers and manufacturers to submit, along with the Declaration of Conformity, detailed hardware or software bills of materials and documents evidencing the diligence performed to verify compliance. However, companies must still create and maintain documentation evidencing their compliance with the rule and be ready to produce it upon request. Companies may rely on third parties for these records but must ensure that the documents will be provided to BIS if requested.
BIS also extended the timeline for importers and manufacturers to notify BIS of any material changes to a previously submitted Declaration of Conformity from 30 days to 60 days.16
Declarations of Conformity may be filed using fillable forms that will be made available on the BIS website when the rule takes effect March 17, 2025. Forms should be submitted to CV-intake@bis.doc.gov. BIS advised that companies prioritize declarations for covered software due to the earlier implementation of the rule’s prohibitions on software compared to VCS hardware.17
- Due Diligence: The Final Rule still requires importers and manufacturers to conduct significant due diligence to verify compliance (either independently or by hiring a third-party assessor). BIS explained that diligence and certification requirements offer numerous advantages over mere recordkeeping requirements, such as by incentivizing supply chain reviews and allowing BIS to more efficiently verify that no covered items developed by persons linked to China or Russia come into the U.S.
- Recordkeeping: BIS retained the 10-year recordkeeping requirement established in the NPRM, consistent with the statute of limitations under IEEPA.
Authorizations
BIS amended the framework for issuing general authorizations of otherwise prohibited lower-risk transactions. Specifically, BIS removed the authorizations from the rule itself and said it will instead publish notices regarding general authorizations on its website (similar to the Office of Foreign Assets Control’s method for issuing general licenses for its sanctions programs). Initially, BIS expects to publish the same four general authorizations identified in the NPRM (e.g., small business exemptions; CVs not used on public roads; CVs imported for display, testing, or research; CVs imported for repairs). We note that this method gives BIS greater flexibility in issuing, amending, and revoking general authorizations while creating somewhat more uncertainty for industry.
BIS also retained the framework for importers to obtain specific authorizations, adding that it may offer limited-duration authorizations for companies affected by force majeure events or unexpected supply chain disruptions and work with such companies to develop permanent solutions covered by longer-term authorizations.18
Exemptions
BIS retained exemptions offered in the NPRM prior to the scheduled implementation dates of MY 2027 for CVs containing covered software and MY 2030 for CVs containing VCS hardware (or VCS hardware sold separately). BIS also added that it may grant limited specific authorizations to CV manufacturers that are mid-generation during the rule’s implementation period, provided that the manufacturers can demonstrate they are moving into compliance for the next generation.19
What issues might BIS address in the future?
- Advisory opinions — BIS has established a process through which regulated entities can seek and obtain greater clarity on the application of these regulations to specific factual scenarios not addressed in the Final Rule. BIS will provide such guidance in the form of advisory opinions, which will generally be provided within 60 days from the receipt of a written request. BIS may publish on its website advisory opinions on issues of broad public interest.
- Commercial vehicles — Commercial vehicles are not covered by this Final Rule but will be covered by a separate rulemaking. BIS explained that although there are grave national security concerns associated with commercial vehicles, BIS decided to exclude such vehicles from these regulations in part due to the significant compliance concerns associated with the commercial vehicle sector. BIS stated that it intends to propose a new rule tailored specifically to commercial vehicles in the coming months.20
- Related technologies — BIS did not include ADS hardware in this rulemaking.21 BIS also identified other technologies — including LiDAR and ADS cloud infrastructure — that are used in critical infrastructure and pose a threat to national security and yet are beyond the scope of this rulemaking. BIS explained that the decision not to subject these items to the prohibitions under this Final Rule does not preclude BIS from addressing them in a subsequent rulemaking.
Finally, we note that Liz Cannon, the Executive Director of OICTS, said the office will soon be publishing additional guidance and FAQs on its website as well as hosting compliance-oriented workshops and educational events related to the Final Rule.
1 Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 90 Fed. Reg. 5360 (January 16, 2025) (Final Rule).
2 Final Rule at 5383-84, 5408, 5415; see Sidley’s coverage of the NPRM for additional discussion of the “knowing” standard.
3 The NPRM previously prohibited the “sale” of CVs in the U.S. by persons linked to China or Russia, where “sale” was defined as “distributing for purchase, lease, or other commercial operations.” BIS stated that this language was intended to capture the use of CVs with integrated ADS to provide commercial services such as rideshare or robotaxi services. For additional clarity, in the Final Rule, BIS has explicitly prohibited CV manufacturers linked to China or Russia from offering commercial services in the U.S. using completed CVs that incorporate ADS. See Final Rule at 5394.
4 Final Rule at 5388.
5 See Securing the Information and Communications Technology and Services Supply Chain, 89 Fed. Reg. 96872 (December 6, 2024), available here; see also Securing the Information and Communications Technology and Services Supply Chain: Unmanned Aircraft Systems, 90 Fed. Reg. 271 (January 3, 2025), available here.
6 See Final Rule at 5408, 5423.
7 Final Rule at 5375, 5415.
8 Final Rule at 5375.
9 BIS has stated that this includes third-party manufacturers or assemblers operating on behalf of a U.S. entity. If such persons are linked to China or Russia, the restrictions under the Final Rule apply.
10 Final Rule at 5378.
11 Final Rule at 5392.
12 Final Rule at 5392.
13 Final Rule at 5392, 5404.
14 Final Rule at 5382.
15 Final Rule at 5381.
16 Final Rule at 5399, 5417.
17 See Declarations of Conformity: Frequently Asked Questions (FAQs), BIS (Jan. 2025), available at https://www.bis.gov/oicts/connected-vehicles/declarations-of-conformity.
18 Final Rule at 5404.
19 See Final Rule at 5384.
20 Final Rule at 5365, 5374.
21 See Final Rule at 5373, 5378.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.