U.S. Department of Commerce Finalizes Connected Vehicles Supply Chain Restrictions
On January 16, 2025, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a Final Rule formalizing prohibitions on certain connected vehicles (CVs) transactions involving hardware and software linked to the People’s Republic of China (China) and Russia.1 The Final Rule is scheduled to take effect on March 17, 2025. However, given that the Final Rule is one of several new regulatory frameworks on trade issued in the final days of the Biden administration, it remains to be seen what will happen with these regulations after January 20.
NHTSA Proposes Sweeping Voluntary Program for Vehicles With Automated Driving Systems
On December 19, 2024, the Chief Counsel of the U.S. Department of Transportation’s National Highway Traffic Safety Administration (NHTSA or the Agency) signed a notice of proposed rulemaking (NPRM) in which the Agency proposed a sweeping voluntary program relating to the evaluation and oversight of motor vehicles equipped with automated driving systems (ADS). NHTSA defines ADS-equipped vehicles, which can also be called autonomous vehicles (AVs), as vehicles designed to fully perform the driving task without any expectation of an attentive human driver.
U.S. Department of Commerce Issues Proposed Rule on ICTS Supply Chain for Connected Vehicles
On September 26, 2024, the U.S. Department of Commerce Bureau of Industry and Security (BIS) Office of Information and Communications Technology and Services (OICTS) published a long-awaited rule proposing to ban certain connected vehicles transactions involving hardware and software linked to the People’s Republic of China (China) and Russia. BIS also proposed extensive compliance obligations for importers and manufacturers of connected vehicles and related components, which come as the automotive industry continues to grapple with how to protect critical safety-related data as vehicle interconnectivity increases.
EU Reaches Political Agreement on Cyber Resilience Act for Digital and Connected Products
On 30 November 2023, the EU reached political agreement on the Cyber Resilience Act (“CRA”), the first legislation globally to regulate cybersecurity for digital and connected products that are designed, developed, produced and made available on the EU market. The CRA was originally proposed by the European Commission in September 2022. Alongside the recently adopted Data Act, Digital Operational Resilience Act (“DORA”), Critical Entities Resilience Act (“CER”), Network and Information Systems Security 2 Directive (“NISD2”) and Data Governance Act, the CRA builds on the EU Data and Cyber Strategies, and complements upcoming certification schemes, such as the EU Cloud Services Scheme (“EUCS”) and the EU ICT Products Scheme (“EUCC”). It responds to an increase in cyber-attacks in the EU over the last few years – in particular the rise in software supply chain attacks which have tripled over the last year –as well as the significant rise in digital and connected products in daily life which magnifies the risk of such attacks.
