2024-2025 Global AI Trends Guide
The proposed rule builds on the March 2024 Advance Notice of Proposed Rulemaking and responds to comments received from interested parties.
On 23 September 2024, the Bureau of Industry and Security (BIS) issued a Notice of Proposed Rulemaking (NPRM) that would prohibit the sale in or import into the United States of Connected Vehicles integrating specific hardware and software, or those components or software if sold or imported separately, with a sufficient nexus to certain foreign adversaries including the People’s Republic of China (China) and The Russian Federation (Russia) (Proposed Rule). The Proposed Rule, which has been expected for several weeks, builds on BIS’s Advance Notice of Proposed Rulemaking (ANPRM) issued in March 2024 similarly related to the national security risks posed by connected vehicle technology. Please see our alert on the ANPRM. BIS received 57 comments from original equipment manufacturers (OEMs), equipment manufacturers, non-governmental organizations (NGOs), foreign governments, and other interested stakeholders in response to the ANPRM.
The Proposed Rule is implemented under BIS’s Information and Communications Technology and Services (ICTS) authorities, as provided for under Executive Order 13873, “Securing the Information and Communications Technology and Services Supply Chain,” issued on 15 May 2019, which declared a national emergency concerning the threats posed by foreign adversaries to the ICTS supply chain, and related regulations implemented by BIS. Like the ANPRM, this Proposed Rule identifies significant national security concerns associated with Connected Vehicles and related connect components and software designed, developed, manufactured or supplied by companies located in or headquartered in China or Russia, and is expected to have a major impact on the automotive and ICTS sectors. Specifically, the Proposed Rule bans the importation and sale of hardware and software components integrated into Vehicle Connectivity Systems (VCS) (largely technology that connects the vehicle to the internet) and software integrated into Automated Driving Systems (ADS) (technology related to autonomous driving) absent a general or specific authorization. It also prohibits Connected Vehicle Manufacturers that are owned by, controlled by, or subject to the jurisdiction of China or Russia from selling Connected Vehicles that incorporate VCS hardware or Covered Software in the United States. If adopted, prohibitions on software would go into effect for Model Year 2027 vehicles and hardware prohibitions would take effect for Model Year 2030 vehicles, or 1 January 2029 for units without a model year.
The Proposed Rule establishes a requirement that Connected Vehicle Manufacturers (which would be most OEMs and all importers) submit Declarations of Conformity, sets out the conditions for general and specific authorizations, establishes a process for industry stakeholders to seek an advisory opinion from BIS with respect to specific transactions, and establishes a process to inform VCS Hardware Importers and Connected Vehicle Manufacturers that a specific authorization may be required. Supporting information also is included, such as findings related to the national security risks associated with covered technology and illustrative hypotheticals of what the Proposed Rule covers.
BIS is soliciting comments on this proposed rule, which will impact the entire automotive industry. Comments must be received on or before 28 October 2024. Once finalized, the final rule will go into effect 60 days after publication in the Federal Register.
The key elements of the Proposed Rule are summarized below:
The Proposed Rule would, absent a General or Specific Authorization, prohibit:
In the ANPRM, BIS sought comments on the definition of certain terms. After full consideration of the submitted comments, BIS has proposed updated definitions for certain key terms, which are summarized below along with BIS's considerations.
BIS proposes to define “Automated Driving System” as hardware and software that, collectively, are capable of performing the entire dynamic driving task for a completed connected vehicle on a sustained basis, regardless of whether it is limited to a specific operational design domain (ODD). According to BIS’s explanatory note, this definition aligns with industry terminology for advanced autonomous driving systems and is consistent with definitions from the National Highway Traffic Safety Administration (NHTSA). Specifically, it corresponds to automation levels 3, 4, and 5, as outlined in the SAE International standard J3016 (Levels of Driving Automation).
BIS proposes to define a “completed connected vehicle” as a connected vehicle that requires no further manufacturing operations to perform its intended function. This definition aligns with NHTSA’s definitions. Additionally, BIS clarifies that integrating an ADS into a Connected Vehicle constitutes a manufacturing operation for a "Completed Connected Vehicle." Therefore, any entity under the control or jurisdiction of China or Russia that solely integrates ADS into an otherwise completed vehicle would be subject to the rule’s prohibitions and would need a Specific Authorization to import or sell such vehicles in the U.S.
BIS proposes to define a “connected vehicle” as a vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device. Vehicles operated exclusively on rail lines are excluded from this definition. This proposal reflects suggestions from ANPRM commenters, many of whom requested greater clarity with respect to covered vehicles. The explanatory note states that this definition “captures the vehicles that would be subject to the rule (e.g., passenger vehicles, motorcycles, buses, small and medium trucks, class 8 commercial trucks, recreational vehicles), while excluding those that pose a less acute risk of data exfiltration, modification, or sabotage by foreign adversaries.”
BIS proposes to define a “connected vehicle manufacturer” to mean a U.S. person (1) manufacturing or assembling Completed Connected Vehicles in the United States; and/or (2) importing Completed Connected Vehicles for Sale in the United States. In other words, the manufacturer, or assembler, or importer of record.
BIS proposes to define “covered software” as the software-based components, in which there is a foreign interest, executed by the primary processing unit of the respective systems that are part of an item that supports the function of Vehicle Connectivity Systems or Automated Driving Systems at the vehicle level. This excludes firmware, which is characterized as software specifically programmed for a hardware device with a primary purpose of controlling, configuring, and communicating with that hardware device. Covered Software includes operating systems like real-time operating systems (RTOS) and general-purpose operating systems. For ADS, it could include machine learning software for tasks like object detection. Open-source software is explicitly excluded unless it is modified into proprietary software by entities under the control of China or Russia, which could bring it under the rule’s prohibitions. Notably, this definition is not limited to Chinese or Russian-origin products.
BIS proposes to define “FCC ID Number” as the unique alphanumeric code identifying a product subject to certification by the Federal Communications Commission composed of a (1) grantee code and (2) product code.
BIS proposes defining "foreign interest" as any interest in property of any nature whatsoever, whether direct or indirect, by a non-U.S. person, including ownership, intellectual property, contracts, profit-sharing, or licensing. This definition follows the sanctions framework issued by the US Department of the Treasury’s Office of Foreign Assets Control. BIS plans to regulate transactions involving VCS Hardware or Covered Software from entities controlled by China or Russia. Affected entities would need to obtain a General or Specific Authorization. Additionally, VCS Hardware importers and Connected Vehicle Manufacturers must submit an annual Declaration of Conformity, ensuring their supply chains do not involve prohibited foreign interests. The proposal also covers software interests retained by foreign developers post-integration into vehicles, making Connected Vehicle Manufacturers responsible for compliance. BIS also aims to regulate vehicle sales if foreign adversaries have data-sharing or profit-sharing agreements tied to the Connected Vehicle's VCS Hardware or Covered Software.
BIS proposes to define “Hardware Bill of Materials” (HBOM) as a comprehensive list of parts, assemblies, documents, drawings, and components required to create a physical product, including information identifying the manufacturer, related firmware, technical information, and descriptive information.
BIS proposes to define “import” in the context of this subpart, with respect to any article, the entry of such article into the United States Customs Territory. It does not include admission of an article from outside the United States into a foreign-trade zone for storage pending further assembly in the foreign-trade zone or shipment to a foreign country.
BIS proposes to define “item” as a component or set of components with a specific function at the vehicle level. A system may also be considered an item if it implements a function.
BIS proposes to define “model year,” consistent with NHTSA’s definition, as the year used to designate a discrete vehicle model, irrespective of the calendar year in which the vehicle was actually produced, provided that the production period does not exceed 24 months. The rule refers to both calendar year and model year when discussing the import of VCS Hardware, particularly regarding Declarations of Conformity (791.305) and the implementation timeline (791.308 Exemptions). BIS notes that most VCS Hardware is imported for a known vehicle model year but recognizes that some units may not be associated with a specific model year. The Proposed Rule provides separate timelines for these cases to accommodate business operations.
BIS proposes to define a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary” as:
This broad definition aims to cover entities that could potentially be influenced or controlled by foreign adversaries whether located in or outside of China and Russia. Reference to “majority or dominant minority” and “direct or indirect” control could be read to cover a broad scope of corporate and investment structures.
BIS proposes to define “sale” in this subpart as distributing for purchase, lease, or other commercial operations a new Completed Connected Vehicle for a price, to include the transfer of Completed Connected Vehicles from a Connected Vehicle Manufacturer to a dealer or distributor, as those terms are defined in 49 U.S.C. 30102. This definition also extends to related terms such as "sell" or "selling," and includes direct-to-consumer sales from the manufacturer to the final purchaser.
BIS proposes to define “Software Bill of Materials” (SBOM) as a formal and dynamic, machine-readable inventory detailing the software supply chain relationships between software components and subcomponents, including software dependencies, hierarchical relationships, and baseline software attributes, including author’s name, timestamp, supplier name, component name, version string, component hash package URL, unique identifier, and dependency relationships to other software components. BIS notes that this definition aligns with industry standards but is specifically seeking feedback on the feasibility, technical burden, cost, and effectiveness of identifying and reporting these SBOM attributes to BIS.
BIS proposes to define “Vehicle Connectivity System” as a hardware or software item for a completed connected vehicle that has the function of enabling the transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz. This definition would exclude most remote keyless entry fobs, immobilizers, and certain internal wireless sensors and relays. VCS software is also included in the definition of Covered Software.
BIS proposes to define “VCS hardware” as the following software-enabled or programmable components and subcomponents that support the function of Vehicle Connectivity Systems or are part of an item that supports the function of Vehicle Connectivity Systems: microcontroller, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite navigation systems, satellite communication systems, other wireless communication microcontrollers or modules, and external antennas. It excludes parts that do not contribute to VCS communication functions, like brackets, fasteners, plastics, and passive electronics. The definition also applies to aftermarket devices that can be integrated into or attached to a vehicle to perform VCS functions.
BIS proposes to define a “VCS hardware importer” as a U.S. person importing VCS hardware for further manufacturing, integration, resale, or distribution. This definition includes Connected Vehicle Manufacturers if they import vehicles with pre-installed VCS Hardware. The scope covers OEMs as well as tier 1 and tier 2 suppliers who import VCS Hardware into the United States.
BIS proposes requiring VCS Hardware Importers and Connected Vehicle Manufacturers to submit Declarations of Conformity, certifying they have not engaged in prohibited transactions. The declaration must include documentation from suppliers of VCS Hardware components and Covered Software to verify compliance, including obtaining and analyzing Hardware Bills of Materials (HBOMs) and Software Bills of Materials (SBOMs), who are not owned by, controlled by, or subject to the jurisdiction of China or Russia. In the Proposed Rule BIS does not mandate specific due diligence but allows companies to provide specific documented evidence of efforts tailored to their operations.
Declarations of Conformity would be required in three instances:
by VCS Hardware Importers;
by Connected Vehicle Manufacturers importing Completed Connected Vehicles with Covered Software; and
by Connected Vehicle Manufacturers that manufacture or assemble Completed Connected Vehicles for Sale in the United States.
Declarations must be submitted annually, once per model or calendar year, and may cover multiple transactions.
BIS proposes a phased approach for exempting transactions involving VCS Hardware and Covered Software from the prohibitions under the new rule, allowing time for market participants to adjust their supply chains.
For VCS Hardware, importers would be exempt from the prohibitions until January 1, 2029, for hardware not tied to a specific model year, or for hardware integrated into vehicles with model years prior to 2030. After January 1, 2029, importers would need to obtain specific authorization for any prohibited transactions and submit an annual Declaration of Conformity for any continued imports.
For Covered Software, Connected Vehicle Manufacturers would be exempt from the prohibitions until model year 2027. Beginning with model year 2027, manufacturers would need to obtain specific authorization for transactions involving prohibited Covered Software and submit Declarations of Conformity for imports and sales of Completed Connected Vehicles.
Connected Vehicle Manufacturers owned or controlled by entities from China or Russia would also be permitted to engage in otherwise prohibited transactions for vehicles with model years prior to 2027. Starting with model year 2027, these manufacturers would be required to obtain specific authorization for transactions prohibited by the Proposed Rule.
General Authorizations
BIS proposes allowing certain VCS Hardware Importers and Connected Vehicle Manufacturers to engage in otherwise prohibited transactions under General Authorizations without needing to notify BIS beforehand. Eligibility includes manufacturers producing fewer than 1,000 units per calendar year or vehicles used on public roads for fewer than 30 days annually. General Authorizations also cover vehicles used solely for testing, display, or research, as well as hardware imported for repair or competition and reexported within a year.
Entities using General Authorizations must self-certify compliance and maintain records for 10 years, without submitting documentation to BIS. However, they must monitor for changes that would disqualify them and apply for a specific authorization if necessary. Entities under the ownership or control of China or Russia are ineligible for General Authorizations and must apply for specific authorizations before engaging in prohibited transactions.
Specific authorizations
VCS Hardware Importers and Connected Vehicle Manufacturers ineligible for a general authorization or exemption must apply for a Specific Authorization to engage in otherwise prohibited transactions. BIS reviews these applications on a case-by-case basis to assess the national security risks involved, particularly the extent of foreign adversary involvement. Applicants cannot proceed with the transaction until BIS grants the authorization, and engaging in the transaction without approval would be a violation.
Applications must include detailed information about the transaction, including the parties involved, the VCS Hardware or Covered Software, and documentation to support the application. BIS will typically provide a response or request further information within 90 days of the application.
BIS evaluates several factors when reviewing applications, such as the applicant's ability to limit foreign adversary influence, security standards, and proposed mitigations. BIS's decision applies only to the specific transaction and may include conditions, such as technical or operational controls, to mitigate risks. The duration of the authorization will be determined on a case-by-case basis.
If an application is denied, the applicant can reapply with a different transaction or demonstrate a material change in circumstances for reconsideration.
BIS proposes establishing an appeal mechanism for any person whose application for a Specific Authorization is denied, suspended, revoked, or who has been deemed ineligible for a general authorization. Appeals must be submitted in writing (via email or mail) to the Office of the Under Secretary within 45 days of the notice of adverse action. The appeal should outline how the appellant has been adversely affected and provide reasons for reversing or modifying BIS’s decision.
The Under Secretary may delegate the appeal review to the Deputy Under Secretary or another BIS official. The designated official can, at their discretion, arrange informal hearings with relevant parties. Appellants may submit additional information in support of their appeal but typically no later than 30 days after the original submission. If supplementary information is requested, appellants have 30 calendar days to respond. Appellants can also request an informal hearing in writing, though hearings are not required and are granted at the discretion of the Under Secretary or designated official.
In response to public comments on the ANPRM, BIS proposes establishing a mechanism for issuing advisory opinions, similar to the process in the Export Administration Regulations (EAR). This process aims to provide clarity to Connected Vehicle Manufacturers, VCS Hardware Importers, and other stakeholders on complying with the proposed rule. However, BIS notes that these advisory opinions would not confirm that the ICTS transaction falls outside the jurisdiction of other U.S. Government agencies.
BIS may publish advisory opinions of broad public interest on its website, with necessary redactions to protect Confidential Business Information. To request an advisory opinion, parties must submit a written request via email or a portal on the BIS website (mail submissions will not be accepted). The request must include contact details and complete information about the prospective transaction, including technical details on VCS Hardware or Covered Software, SBOM and/or HBOM, and any other relevant materials.
BIS will only provide advisory opinions for actual transactions, not hypothetical scenarios, and all parties must be identified. Advisory opinions can only be relied upon if the information submitted was complete and remains accurate throughout the process.
BIS may notify Connected Vehicle Manufacturers or VCS Hardware Importers, either through direct letters or via a Federal Register notice, that a transaction involving specific Covered Software, VCS Hardware, or entities requires a Specific Authorization. This notification, known as an “Is-Informed” notice, indicates that the transaction would be classified as a Prohibited Transaction under the proposed rule. Any person who engages in a transaction covered by such a notice without first obtaining a Specific Authorization from BIS would be in violation of the proposed rule as they would have knowledge that such transaction is prohibited.
"Is-Informed" notices can only be issued by, or at the direction of, the Under Secretary or a BIS employee designated by the Under Secretary. BIS is seeking feedback on the use of these notices to ensure compliance with the rule.
BIS proposes requiring Connected Vehicle Manufacturers and VCS Hardware Importers to maintain complete records for any transaction subject to a Declaration of Conformity, general authorization, or specific authorization under this rule, for a period of at least ten years. This recordkeeping requirement applies whether or not the transaction was conducted with authorization, and even if the authorization has not yet been sought.
Records must include all pertinent information related to a general or specific authorization, as well as business documents such as contracts, import records, bills of sale, and relevant correspondence. These records, as outlined in sections 791.312 and 791.313, would help BIS assess compliance with the rule.
Additionally, BIS may request these records at any time—before, during, or after a transaction. This requirement ensures that manufacturers and importers maintain documentation that can be reviewed by BIS to confirm compliance with the proposed regulations.
IEEPA authorizes this rulemaking, and violations of the rule, if finalized, may result in civil or criminal penalties under IEEPA. This includes engaging in prohibited transactions without proper authorization or failing to comply with authorization conditions. Penalties may include fines up to $368,136 per violation and criminal penalties up to $1,000,000 or imprisonment. BIS will issue a Pre-Penalty Notice for potential violations, giving the recipient 30 days to respond or contest. If no settlement is reached, BIS will issue a final penalty notice, which can be contested in U.S. District Court.
Under the proposed rule, BIS may determine that a violation has occurred but that a civil monetary penalty is not warranted. In such cases, BIS would issue a "finding of violation," identifying the violation and possibly including an administrative response, such as a cease-and-desist order. Recipients of this finding can contest it by submitting a response within 30 days. BIS will review any new information and then make a final decision. If no response is submitted within 30 days, the right to contest is waived. The finding of violation constitutes a final agency action and is not subject to appeal.
Please reach out to any of the listed contacts for assistance in assessing the potential impact of the Proposed Rule on your business, in preparing comments, or if you have any questions about the Proposed Rule.
Authored by Jane Chen, Kelly Ann Shaw, Ajay Kuntamukkala, William Yavinsky, and Andrea Fraser-Reid.