U.S. Department of Commerce Issues Proposed Rule on ICTS Supply Chain for Connected Vehicles

On September 26, 2024, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a long-awaited rule proposing to ban certain connected vehicles transactions involving hardware and software linked to the People’s Republic of China (China) and Russia. BIS also proposed extensive compliance obligations for importers and manufacturers of connected vehicles and related components, which come as the automotive industry continues to grapple with how to protect critical safety-related data as vehicle interconnectivity increases.

The restrictions, proposed to take effect beginning with model year (MY) 2027 vehicles, would affect the entire U.S. automotive industry as BIS predicts that all new cars would fall within the scope of “connected vehicles” as defined by the proposed regulations.

This week, EU Commissioner for digital trade and competition Margrethe Vestager is also reported to have said that the EU Commission is conducting a review into security issues surrounding connected vehicles.

The full text of the proposed rule is available here. BIS is seeking comments from interested parties until October 28, 2024.

1. What are BIS and OICTS?

As a bureau of the U.S. Department of Commerce, BIS advances U.S. economic and national security objectives by enforcing export controls and promoting U.S. technology interests. Within BIS, the OICTS focuses on securing the information and communications technology and services (ICTS) supply chain into the United States. OICTS is proposing these regulations pursuant to BIS’s mandate under Executive Order 13873 to mitigate national security risks associated with ICTS transactions, particularly those involving “foreign adversaries,” including China and Russia. OICTS has already taken several unprecedented actions this year to regulate the supply of ICTS into the United States by foreign adversaries in order to limit their ability to access U.S. persons’ data in ways that undermine U.S. national security and disrupt critical infrastructure and the digital economy. The proposed rule builds on and incorporates public feedback on OICTS’s advance notice of proposed rulemaking (ANPRM) issued on March 1, 2024.[1]

2. What vehicles are covered?

The proposed rule focuses on “connected vehicles” and related components. BIS proposes to define a “connected vehicle” as an on-road vehicle that “integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.”[2] Examples of such vehicles include passenger vehicles, motorcycles, buses, small and medium trucks, class 8 commercial trucks, and recreational vehicles.

BIS said it believes that this definition will capture future trends in vehicle development such that, with very few exceptions, the definition of “connected vehicle” will cover “all new vehicles sold in the United States.”[3] Importantly, however, only connected vehicles that incorporate certain covered hardware or software components will be subject to the rule.

3. What hardware and software are covered?

The rule targets hardware and software for vehicle connectivity systems (VCS) that enable radio frequency communications over 450 megahertz[4] and software for automated driving systems (ADS). In contrast with the ANPRM, and in response to public comments, BIS ultimately chose to exclude hardware and software for certain systems previously identified as likely to present ICTS supply chain risks.[5] BIS said it specifically identified VCS and ADS because these systems most directly facilitate communication to and from connected vehicles and control subordinate systems within the vehicles, making them likely targets for data exfiltration or remote vehicle manipulation.[6]

a. Covered Hardware 

The rule covers VCS hardware, which is the physical components and subcomponents that enable a vehicle to connect and communicate with external networks and devices. BIS proposes to define “VCS hardware” as software-enabled or programmable components and subcomponents that support VCS, including microcontrollers, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite navigation systems, satellite communication systems, other wireless communication microcontrollers or modules, and external antennas. Accordingly, VCS hardware can also include aftermarket devices that can be added to a vehicle after sale, such as telematics fleet tracking devices and systems.[7]

b. Covered Software

The proposed rule targets the software-based components that support the functions of VCS or ADS for the connected vehicle. VCS software supports the transmission, receipt, conversion, or processing of radio frequency communications. ADS includes software enabling the control of automated systems classified as Levels 3–5 by SAE International Standard J3016, which has been adopted by the National Highway Traffic Safety Administration (NHTSA), the agency regulating on-road vehicle safety. ADS software does not include automated systems classified as Levels 0–2 that still rely on the driver to make driving decisions.[8] However, the rule does not apply to firmware or open-source software unless the open-source software has been modified for proprietary purposes and not redistributed or shared.

The software specifically covered by the rule (i.e., “covered software”) is VCS and ADS software in which there is a foreign interest. BIS has defined “foreign interest” as “any interest in property of any nature whatsoever, whether direct or indirect, by a non-U.S. person.”[9] Examples provided by BIS include where foreign software developers earn profits, retain data access and sharing rights, or have maintenance obligations related to the software. This definition is exceptionally broad and would likely capture any software not wholly developed in the U.S. by U.S.-owned companies.

As discussed further below, even where VCS hardware and vehicles containing covered software are not prohibited from importation into or sale within the United States, importers and manufacturers would be required to submit compliance declarations providing detailed information on such items.

4. What activities would be prohibited?

The proposed rule would prohibit the following activities:

  • knowingly importing into the U.S. VCS hardware that is designed, developed, manufactured, or supplied by persons linked to China or Russia
  • knowingly importing into or selling within the U.S. completed connected vehicles that incorporate covered software designed, developed, manufactured, or supplied by persons linked to China or Russia
  • knowingly selling in the U.S. completed connected vehicles that incorporate VCS hardware or covered software if the seller is linked to China or Russia, regardless of whether the vehicles are manufactured or assembled in the U.S.

We expect BIS to take a broad interpretation of what is “designed, developed, manufactured, or supplied by” persons linked to China or Russia. Although not stated in the proposed regulations, BIS’s commentary on the proposed rule indicates that covered items designed, developed, or otherwise supplied in whole or in part by persons linked to China or Russia are prohibited. This has significant implications for companies with hardware and software development teams located in China or Russia, as we understand that even a small amount of such teams’ involvement (i.e., providing portions of software base code) would trigger the rule’s prohibitions.

5. Who is considered linked to China or Russia?

The prohibitions target VCS hardware and connected vehicles that incorporate covered software that are designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of (collectively, “linked to”) a foreign adversary (i.e., China (including Hong Kong) or Russia). BIS proposes an exceptionally broad definition of persons linked to China or Russia that includes

  • persons acting on behalf of or persons whose activities are supervised, directed, financed, or subsidized by China or Russia
  • citizens or residents of China or Russia who are not U.S. citizens or permanent residents (except that the involvement of Chinese and Russian citizen employees, outside of teams in China or Russia, in hardware or software development does not, by itself, trigger the rule)[10]
  • organizations with a principal place of business headquartered in, incorporated in, or organized under the laws of China or Russia (including subsidiaries and joint ventures of U.S. companies)
  • organizations in which any of the above-described persons has the power, direct or indirect, to “determine, direct, or decide important matters” affecting the organization pursuant to majority or dominant minority ownership of the total outstanding voting interests; board representation; proxy voting; special shares; contractual arrangements; formal or informal means to act in concert; or other means (including entities in the United States).

6. What is a knowing violation under the proposed rule?

BIS does not propose to impose a strict liability standard. Rather, BIS seeks to penalize knowing violations, applying a knowledge standard consistent with that set forth in the Export Administration Regulations (15 C.F.R. § 772.1), which defines “knowledge” as positive knowledge that a circumstance exists or is substantially certain to occur, or an awareness of a high probability of its existence or future occurrence. Such awareness can be inferred from evidence of the conscious disregard of facts known to a person or from a person’s willful avoidance of facts.[11]

7. Who must comply? 

The sweeping restrictions and compliance obligations under the proposed rule would affect the entire U.S. automotive industry. While the rule specifically targets importers and manufacturers of covered hardware and vehicles containing covered software, it will also apply to original equipment manufacturers and component suppliers, who will all be required to reevaluate hardware and software supply chains. The due diligence that such entities would be required to undertake pursuant to the rule would also burden the entire industry, particularly with obligations to maintain and provide supply chain documentation to verify compliance.

8. When does this rule go into effect?

The Biden administration is reportedly trying to finalize this rule by January. If adopted, the proposed rule will formally take effect 60 days after its publication in the Federal Register; however, implementation of various compliance obligations will be phased in over the coming years as BIS recognizes that the automotive industry cannot significantly alter its supply chains immediately. Notably:

  • Starting with MY 2027, manufacturers are prohibited from importing into and selling within the United States connected vehicles containing covered software designed, developed, manufactured, or supplied by persons linked to China or Russia.
  • Starting with MY 2030, manufacturers are prohibited from importing VCS hardware and connected vehicles containing VCS hardware designed, developed, manufactured, or supplied by persons linked to China or Russia (or, for hardware not associated with a vehicle model year, as of January 1, 2029).

9. What exemptions and authorizations will be available?

The rule proposes certain exemptions prior to the scheduled implementation dates and general authorizations for otherwise prohibited transactions. The rule also proposes processes for seeking specific authorizations to engage in prohibited transactions as well as for requesting advisory opinions from BIS regarding prospective transactions.

BIS provides general authorizations to alleviate the burden on small businesses (with total MY production of less than 1,000 hardware or vehicle units) and companies engaged in off-road testing, research, and repair, particularly in light of the low risks that these activities pose to U.S. national security. Companies may self-certify that their activities are covered by a general authorization and need not notify BIS; however, such companies are subject to audit and inspection by BIS and must maintain for 10 years records documenting each transaction for which an authorization is claimed.[12] Companies linked to China or Russia, or companies determined to be ineligible by BIS, are not permitted to use any general authorization.

10. What are the diligence and compliance obligations?

The rule would impose compliance obligations on VCS hardware importers and connected vehicle manufacturers as a condition of importing or selling covered items in the United States.

  • Declaration of Conformity: For all nonprohibited transactions involving VCS hardware or vehicles incorporating covered software (excluding separately authorized transactions), BIS proposes to require importers and manufacturers to file declarations certifying their compliance prior to importing or selling any such items in the United States. A Declaration of Conformity would require the declarant to certify that it has not knowingly engaged in a transaction prohibited under the rule and to provide detailed information regarding the hardware and/or software to be imported or sold (e.g., bills of materials, endpoint connections, vehicle identification information). Most important, the declarant would be required to provide documentation of the due diligence conducted to verify compliance. Such declarations would be required at least 60 days prior to the first import or sale of items associated with a particular vehicle model year, or calendar year, as applicable, and within 30 days of any material change to a prior Declaration.
  • Due Diligence: While there are no specific diligence requirements as of yet, the proposed Declaration of Conformity requirement would impose on the declarant the obligation to conduct a degree of supply chain due diligence and tracing to certify that it has not engaged in prohibited transactions. Notably, as discussed above, the proposed rule would impose a knowledge standard, encompassing positive knowledge and willful avoidance or conscious disregard of facts. Importers and manufacturers subject to the proposed rule, therefore, would need to conduct a level of due diligence into their supply chains beyond, for example, screening entities listed on a bill of materials. Implementing further supply chain due diligence and tracing measures, such as issuing questionnaires and gathering certification from entities in the different tiers of the supply chain, could mitigate the risk of liability under the proposed rule.
  • Recordkeeping: BIS requires maintenance of records related to a Declaration of Conformity, general authorization, or specific authorization for a period of 10 years. Records should include documentation for each relevant transaction, including contracts, import records, bills of sale, and other pertinent documents.
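The due-diligence point above (screening a bill of materials is necessary but not sufficient, and unknown provenance cannot simply be ignored under a knowledge standard that reaches willful avoidance) is easier to see in code. The following is an added illustration, not part of the proposed rule or of this post, and it is hypothetical: the `Component` fields, the `FLAGGED_JURISDICTIONS` set, the open-source handling and the sample vehicle tree are all assumptions made for the example, not a statement of what BIS will require or how any real SBOM format is laid out. It walks a nested, CycloneDX-style component tree, treats sub-components of a VCS or ADS item as in scope, reports any in-scope part sourced from a flagged jurisdiction, and reports unknown provenance as a finding to chase rather than as a pass.

```python
# Added illustration (hypothetical; not from the proposed rule, BIS, or the post).
# Walks a nested component tree and flags in-scope VCS/ADS parts that are either
# sourced from a flagged jurisdiction or of unknown provenance.
from dataclasses import dataclass, field
from typing import Optional

# Assumption: the proposed rule's foreign adversaries, with Hong Kong treated
# as part of the PRC. ISO 3166-1 alpha-2 codes.
FLAGGED_JURISDICTIONS = {"CN", "HK", "RU"}
IN_SCOPE_SYSTEMS = {"VCS", "ADS"}


@dataclass
class Component:
    name: str
    supplier_country: Optional[str]           # alpha-2 code, None = unknown
    system: str = "other"                     # "VCS", "ADS" or "other"
    open_source: bool = False
    modified_not_redistributed: bool = False  # proprietary fork kept in-house
    parts: list = field(default_factory=list)


@dataclass
class Finding:
    path: str
    reason: str


def _out_of_scope_open_source(c: Component) -> bool:
    # Unmodified (or redistributed) open-source software falls outside the
    # rule as described above; an in-house proprietary fork does not.
    return c.open_source and not c.modified_not_redistributed


def screen(component: Component, path: str = "", in_scope: bool = False) -> list:
    """Return a Finding for every in-scope component that is either sourced
    from a flagged jurisdiction or of unknown provenance.

    Scope is inherited: sub-components of a VCS/ADS item are VCS/ADS
    sub-components, so one flagged part taints the assembly. Unknown
    provenance is reported, not silently accepted, because the knowledge
    standard reaches conscious disregard and willful avoidance of facts.
    """
    path = f"{path}/{component.name}" if path else component.name
    in_scope = in_scope or component.system in IN_SCOPE_SYSTEMS
    findings = []
    if in_scope and not _out_of_scope_open_source(component):
        if component.supplier_country is None:
            findings.append(Finding(path, "provenance unknown: obtain supplier attestation"))
        elif component.supplier_country in FLAGGED_JURISDICTIONS:
            findings.append(Finding(path, f"supplier in flagged jurisdiction {component.supplier_country}"))
    for part in component.parts:
        findings.extend(screen(part, path, in_scope))
    return findings


def build_sample_vehicle() -> Component:
    """Constructed sample tree for the example; not real product data."""
    tcu = Component("telematics-control-unit", "US", "VCS", parts=[
        Component("cellular-modem", "CN"),          # flagged sub-component
        Component("wifi-module", "DE"),
    ])
    ads = Component("ads-stack", "US", "ADS", parts=[
        Component("perception-lib", "CN", open_source=True),  # unmodified OSS: out of scope
        Component("planner", None),                           # proprietary, provenance unknown
    ])
    infotainment = Component("infotainment-os", "CN", "other")  # excluded system
    return Component("vehicle-my2027", "US", "other", parts=[tcu, ads, infotainment])


if __name__ == "__main__":
    for f in screen(build_sample_vehicle()):
        print(f"{f.path}: {f.reason}")
```

Run as-is, the sample produces two findings: the Chinese-sourced cellular modem inside the telematics control unit, and the ADS planner whose supplier is unknown. The infotainment system is not reported even though its supplier is in a flagged jurisdiction, because the rule as described excludes it, and the unmodified open-source perception library is skipped for the same reason. In practice each "provenance unknown" finding is the trigger for the questionnaires and tier-by-tier certifications the post mentions; the point of the example is that a screen which only matches known-bad suppliers leaves exactly the gap a willful-avoidance standard is meant to close.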

11. What are the penalties for noncompliance?

Penalties for noncompliance include both monetary and injunctive relief. Those found not to be in compliance could expect to receive either a prepenalty notice, to which the recipient may respond within 30 days, or a finding of violation, which may include an order to cease and desist prohibited activities. Current civil penalties can range up to $368,136 per violation, and criminal penalties can range up to $1 million and/or imprisonment of up to 20 years for willful violations.

12. How does the proposed rule affect related open-access requirements for vehicles or regulation of ADS?

The proposed rule does not directly seek to impose any limitations or requirements around the sharing of data associated with connected vehicles, such as those under consideration at the state level in “right to repair” laws. And while the proposed rule recognizes safety-related risks from the manipulation of personal data, it does not prescribe any safety-related requirements related to the remote access of, and communication with, a vehicle’s critical safety systems. Potential safety-related defects associated with the manipulation of telematics data remain under the authority of NHTSA.

[1] Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 15066 (March 1, 2024).
[2] Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles, 89 Fed. Reg. 79088 (September 26, 2024) (hereinafter, “Proposed Rule”) at 79116.
[3] Proposed Rule at 79091.
[4] As a result, the rule will not cover items that BIS considers to pose a lower risk and offer high utility to consumers, such as tire pressure monitoring systems and electronic key fobs. See Proposed Rule at 79092.
[5] These include vehicle operating systems (OS), telematics systems, Advanced Driver-Assistance Systems (ADAS), and battery management systems (BMS). Systems that have VCS components and otherwise fall within the proposed definition of VCS hardware would still be covered by the rule. For example, BIS noted that VCS hardware and software includes the telematics control unit (TCU). Proposed Rule at 79094.
[6] See Proposed Rule at 79092.
[7] Proposed Rule at 79092.
[8] BIS expressly declined to include lower levels of automation found in ADAS such as adaptive cruise control and blind spot detection (automation Levels 0–2), as these systems were determined to present a low risk of data exfiltration. A summary of the six levels of vehicle automation can be found here.
[9] BIS proposes to adopt the definition of “interest” used by the Department of the Treasury Office of Foreign Assets Control in administering sanctions programs under the International Emergency Economic Powers Act. See 31 C.F.R. Chapter V, and, e.g., 31 C.F.R. §§ 510.313, 535.312.
[10] BIS stated that “VCS hardware and covered software would not be considered designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia, solely based on the country of citizenship of natural persons who are employed, contracted, or otherwise similarly engaged to participate in the design, development, manufacture, or supply of that VCS hardware or covered software.” Proposed Rule at 79106.
[11] Proposed Rule at 79104.
[12] BIS has stated that this is the “only compliance requirement” for using a general authorization; therefore, we understand that companies using a general authorization need not file a Declaration of Conformity in connection with the subject transactions. See Proposed Rule at 79115.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.