Latest Posts
Search for:

BIS Issues Final Rule Regarding Connected Vehicles

By and 13 Mins Read

On January 16, 2025, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule entitled “Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles” (“Final Rule”) prohibiting certain transactions involving the sale or import of connected vehicles integrating specific hardware and software, or those components sold separately, with a sufficient nexus to China or Russia. The Final Rule, which follows the earlier notice of proposed rulemaking (“NPRM”) published on September 26, 2024, refines key provisions and incorporates feedback received from stakeholders.

The Final Rule will have a significant impact on OEMs and suppliers across all tiers of the automotive sector supply chain who import connected vehicles and certain of their components into the United States. This blog provides a high-level summary of the Final Rule and highlights the open questions presented by the Final Rule.

A brief summary of the key provisions and key open questions presented by the Final Rules follows below.

  1. Prohibitions

The basic prohibitions of the Final Rule are as follows:

  • As of model year 2030 (or as of January 1, 2029 for units not associated with a model year), Vehicle Connectivity System (“VCS”) hardware importers are prohibited from knowingly importing into the United States VCS hardware that is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia. In the Final Rule, BIS added an exemption for VCS hardware components that are imported for purposes of repair or warranty for a connected vehicle with a model year prior to 2030.
  • As of model year 2027, connected vehicle manufacturers are prohibited from knowingly importing or selling into the United States completed connected vehicles containing covered software that is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of China or Russia.
  • As of model year 2027, connected vehicle manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of China or Russia, are prohibited from knowingly selling in the United States completed connected vehicles that incorporate covered software or VCS hardware, regardless of whether such VCS hardware or covered software is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or control of China or Russia. These connected vehicle manufacturers are also prohibited from offering commercial services in the United States that utilize completed connected vehicles that incorporate Automated Driving Systems (“ADS”).
  1. Key Definitions
  • Model year means the year used to designate a discrete vehicle model, irrespective of the calendar year in which the vehicle was actually produced, provided that the production period does not exceed 24 months.
  • VCS means a hardware or software item installed in or on a completed connected vehicle that directly enables the function of transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz. VCS does not include a hardware or software item that exclusively: (1) enables the transmission, receipt, conversion, or processing of automotive sensing (e.g., LiDAR, radar, video, ultrawideband); (2) enables the transmission, receipt, conversion, or processing of ultrawideband communications to directly enable physical vehicle access (e.g., key fobs); (3) enables the receipt, conversion or processing of unidirectional radio frequency bands (e.g., global navigation satellite systems (GNSS), satellite radio, AM/FM radio); or (4) supplies or manages power for the VCS.
    • In response to several comments, BIS modified the definition of VCS proposed in the NPRM to include a variety of function-based exclusions to exclude low-risk use cases and provide greater flexibility to industry.
    • BIS has also refined this definition to specify that covered components must “directly enable” the VCS functions.
  • VCS hardware means software-enabled or programmable components if they directly enable the function of and are directly connected to VCS, or are part of an item that directly enables the function of VCSs, including but not limited to: microcontroller, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite communication systems, other wireless communication microcontrollers or modules, external antennas, digital signal processors, and field-programmable gate arrays. VCS hardware does not include component parts that do not contribute to the communication function of VCS hardware (e.g., brackets, fasteners, plastics, and passive electronics, diodes, field-effect transistors, and bipolar junction transistors).
    • BIS clarified in the Final Rule that the representative list of VCS hardware included in this definition is not exhaustive but provides a bright line for certain examples where BIS would consider a component to be VCS hardware.
    • BIS has also refined this definition to specify that the hardware has to “directly enable the function of” and be “directly connected to” VCS.
  • VCS hardware importer means a U.S. person who imports: (1) VCS hardware for further manufacturing, incorporation, or integration into a completed connected vehicle that is intended to be sold or operated in the United States; or (2) VCS hardware that has already been installed, incorporated, or integrated into a connected vehicle, or a subassembly thereof, that is intended to be sold as part of a completed connected vehicle in the United States.
    • In the Final Rule, BIS adjusted this definition to include only those entities that import VCS hardware components that are for use in completed connected vehicles or that are already incorporated into a connected vehicle (incomplete or completed).
  • Connected vehicle means a vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device. Connected vehicle does not include (1) a vehicle operated only on a rail line and (2) a connected vehicle with a gross vehicle weight rating of more than 4,536 kilograms (10,000 pounds).
    • The Final Rule has been narrowed to only address vehicles under 10,001 pounds (i.e., the passenger vehicle market). BIS intends to supplement this Final Rule with a separate rule to address vehicles over 10,000 pounds (i.e., the commercial vehicle market).
  • Completed connected vehicle means a connected vehicle that requires no further manufacturing operations to perform its intended function. For the purposes of this subpart, the integration of an ADS into a connected vehicle constitutes a manufacturing operation for a completed connected vehicle.
  • Connected vehicle manufacturer means a U.S. person who: (1) Manufactures or assembles completed connected vehicles in the United States for sale in the United States; (2) Imports completed connected vehicles for sale in the United States; and/or (3) Integrates ADS software on a completed connected vehicle for sale in the United States. A connected vehicle manufacturer may also be a VCS hardware importer, as defined herein, if VCS hardware has already been installed in a connected vehicle when the connected vehicle manufacturer imports it.
    • In the Final Rule, BIS modified the proposed definition in the NPRM to clarify that persons who manufacture or assemble completed connected vehicles in the United States are connected vehicle manufacturers only if the vehicles are intended for sale in the United States (not for export and sale abroad).
    • In addition, BIS amended this definition to specify that a person whose sole manufacturing or assembly operation is integrating ADS into an otherwise completed connected vehicle would be considered a connected vehicle manufacturer.
  • Covered software means the software-based components, including application, middleware, and system software, in which there is a foreign interest, executed by the primary processing unit or units of an item that directly enables the function of VCSs or ADS at the vehicle level. Covered software does not include (1) firmware, which is characterized as software specifically programmed for a hardware device with a primary purpose of directly controlling, configuring, and communicating with that hardware device; (2) open-source software, which is characterized as software for which the human-readable source code is available in its entirety for use, study, re use, modification, enhancement, and redistribution by the users of such software, unless that open-source software has been modified for proprietary purposes and not redistributed or shared; and (3) software subcomponents that were designed, developed, manufactured, or supplied prior to March 17, 2026, as long as those software subcomponents are not maintained, augmented, or otherwise altered by an entity owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary after March 17, 2026.
    • In response to comments, BIS explicitly included middleware and system software while continuing to exclude firmware.
    • In addition, BIS has refined this definition to specify that it only includes software that “directly enables” ADS or VCS functions at the vehicle level.
    • BIS has aligned the definition of open-source software with that of the National Defense Authorization Act for Fiscal Year 2019 while adding some clarifications to address advances in artificial intelligence and the evolution of the use of the term “open-source” in artificial intelligence applications by including “in its entirety” to the definition.
    • Additionally, in order to protect products that have already gone to the market, BIS has incorporated a specific exclusion within the definition for legacy code, excluding all source code that is designed, developed, manufactured, or supplied before March 17, 2026.
  • Foreign interest means any interest in property of any nature whatsoever, whether direct or indirect, by a non-U.S. person.
  • Automated Driving System (ADS) means hardware and software that, collectively, are capable of performing the entire dynamic driving task for a completed connected vehicle on a sustained basis, regardless of whether it is limited to a specific operational design domain (ODD).
  1. Declarations of Conformity

The Final Rule requires VCS hardware importers and connected vehicle manufacturers to certify to BIS that they are not engaging in prohibited transactions, that they have conducted due diligence to inform such certification, and to provide certain information on the import of VCS hardware and/or the import or sale of completed connected vehicles as relevant.

BIS has sought to reduce the burden for declarations of conformity in the Final Rule as compared to the NPRM. The NPRM required the submission of extensive information, including a hardware bill of materials (“HBOM”) or software bill of materials (“SBOM”), and a list of external endpoints connected to the VCS hardware. However, in the Final Rule, BIS reduced the amount of required information, although it has introduced recordkeeping requirements.

Declarations of conformity must be submitted annually, once per model (or calendar year for units not associated with a vehicle model year), and may cover multiple transactions. The submission is due 60 days prior to the first import or sale of each model year (or calendar year).

In response to comments, BIS included an exemption from the requirement to submit declarations of conformity for those transactions where the only foreign interest in the transaction arises from a foreign entity’s equity ownership in a U.S. person, whether through ownership of public shares or otherwise.

  1. Licensing Grounds and Advisory Opinions

The final rule allows BIS to issue general authorizations for certain types of transactions that are determined to pose a lower risk. It also allows regulated parties to seek (i) specific authorizations permitting them to engage in otherwise prohibited transactions, or (ii) advisory opinions to ask BIS for a determination if a prospective transaction may fall within the scope of the Final Rule.

  • General Authorizations: BIS may issue general authorizations to engage in otherwise prohibited transactions if stated requirements or conditions are met. Instead of detailing these authorizations within the regulatory text, the Final Rule allows BIS to publish them directly on its website and in the Federal Register. Persons availing themselves of certain general authorizations may be required to file reports and statements in accordance with the instructions specified by BIS in each general authorization. Records demonstrating compliance with the terms of general authorizations must be retained for a period of 10 years and be made available to BIS upon request.
  • Specific Authorizations: Upon receipt of a valid and complete application, BIS may grant specific authorizations to permit engaging in an otherwise prohibited transaction. Applications for specific authorizations will be reviewed on a case-by-case basis, and conditions to be applied to each specific authorization may vary as needed to mitigate any risk that arises as a result of the otherwise prohibited transaction. The Final Rule provides that BIS will decide on specific authorizations within 90 days unless BIS determines that additional time is required. Persons receiving a specific authorization are required to maintain records for a period of 10 years, as well as to submit reports and statements in accordance with the instructions specified in each specific authorization.  
  • Advisory Opinions: VCS hardware importers and connected vehicle manufacturers may request an advisory opinion from BIS to determine whether a prospective transaction is subject to a prohibition or a requirement under the Final Rule. The requestor must have a direct financial interest in the substance of the question(s) presented and the submission must include the name of the parties to the transaction. Thus, advisory opinion requests must address actual transactions that have not been initiated or executed, rather than hypothetical or unspecified transactions.
  1. Possible Compliance Challenges and Open Questions

Passenger vehicle OEMs and their suppliers should assess the impact of the Final Rule on their supply chain. In addition, while BIS will likely issue further guidance on the Final Rule and parties can seek advisory opinions, the current text of the Final Rule leaves several issues open to interpretation and/or uncertainty, such as the following:

  • Definition of foreign interest: This definition is key to determine whether the covered software-related prohibitions and requirements apply. BIS has provided several practical examples of cases where a foreign interest exists. However, companies will have to asses this on a case-by-case basis taking into consideration the whole supply chain. Notably, BIS refused to amend the definition of foreign interest to exclude certain allied countries, considering that this would inadequately mitigate the national security risk this rule seeks to address.
  • Undefined General Authorizations: General authorizations are not specified in the Final Rule and BIS can issue them as deemed appropriate. Therefore, companies affected by this Final Rule are encouraged to monitor BIS announcements closely, as new general authorizations could potentially allow transactions that are otherwise prohibited.
  • Procedure for Specific Authorizations: BIS will evaluate applications for specific authorizations on a case-by-case basis, without predefined licensing criteria for such requests. Importantly, BIS has clarified that it will not provide preferential treatment to companies on the sole basis of being headquartered in an allied country.
  • Appropriate Due Diligence Measures: VCS hardware importers and connected vehicle manufacturers are required to certify that they have conducted due diligence into their supply chain. BIS does not mandate or suggest specific due diligence measures but requires maintenance of supporting documentation (such as HBOM or SBOM) in support of such due diligence efforts. Thus, while companies must ensure they have a comprehensive documentation process in place to support their due diligence efforts, they have some flexibility to determine appropriate due diligence measures.
Categories:
Author

Paul Amberg is a partner in Baker McKenzie’s Madrid office, where he handles international trade and compliance issues. He advises multinational companies on export controls, trade sanctions, antiboycott rules, customs laws, anticorruption laws, and commercial law matters.

Author

Madrid

Related Posts