Commerce Department Publishes Final Rule to Secure Connected Vehicle Supply Chain

On January 14, 2025, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) released its final rule (the “Final Rule”) prohibiting (1) the import of certain hardware components related to Vehicle Connectivity Systems (“VCS”) and (2) the sale or import of connected vehicles (“CVs”) that incorporate certain “Covered Software” related to VCS or Automated Driving Systems (“ADS”), in each case where the items have certain defined connections to the People’s Republic of China (“PRC”) or Russia.

The Final Rule, issued under the authority granted by Executive Order 13873 and the International Emergency Economic Powers Act (“IEEPA”), aims to mitigate risks of data exfiltration and remote manipulation of CVs by foreign adversaries. It follows an Advance Notice of Proposed Rulemaking (“ANPRM”) issued on March 1, 2024, and a Notice of Proposed Rulemaking (“NPRM”) issued on September 26, 2024 (See Covington Client Alert). While the Final Rule largely preserves the core elements set forth in the NPRM, it narrows the scope of certain key definitions and expands certain exceptions in response to public comments received in response to the NPRM.

As described further below, key changes to the NPRM include the following:

• Exemption for Legacy Software: The Final Rule will not apply to certain legacy software and software components designed, developed, manufactured, or supplied in or from the PRC or Russia prior to March 17, 2026.
• Scope of VCS: VCS has been defined more narrowly to include only hardware or software items that “directly enable” the function of transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz and to expressly exclude certain items that exclusively support certain functions like LiDAR or vehicle access (key fobs).
• Scope of VCS Hardware/Covered Software: VCS Hardware and Covered Software now refer to hardware and software components that “directly enable” the function of VCS and ADS, as applicable. The term “directly enable” replaces the broader, ambiguous term “support” from the NPRM.
• Scope of General Authorizations: The NPRM contemplated general authorizations only for certain small producers of vehicles undertaking otherwise prohibited transactions. The Final Rule makes general authorizations available to all VCS Hardware importers and CV manufacturers who meet certain requirements or conditions that will be published on the BIS website at a later date.
• Scope of Specific Authorization: The Final Rule adopts certain changes to the specific authorization process suggesting that BIS will formally take into account the profile of the party requesting the authorization based on criteria “specifically constructed for each applicant.”

The Final Rule will go into effect on March 17, 2025, 60 days after its publication in the Federal Register. It could have broad-reaching implications for the automotive industry as it will impose a significant new compliance burden on manufacturers and importers and reshape automotive supply chains.

Background

As described in our prior client alerts, the Final Rule is issued under the authority granted by Executive Order 13873 signed by President Trump in May 2019 to prohibit certain Information and Communication Technology and Services (“ICTS”) transactions that present an unacceptable risk to U.S. national security. While the Commerce Department published final regulations governing such case-by-case reviews of transactions in 2023—and issued its first prohibition under the regulations in June 2024—the Executive Order also provided that the Commerce Department could separately develop regulations that identify and prohibit classes of transactions. It is under that authority that Commerce has issued the Final Rule. Specifically, the Commerce Department has stated that the rule is necessary because of the volume of data that can be collected by the various systems integrated into vehicles along with the expansion of “potential attack surfaces” introduced by the connectivity systems and the associated risk of malicious cyber activity by threat actors. With that said, it is an open question as to whether the incoming Trump Administration will continue to view ICTS as a tool to address supply chain risks from countries of concern (principally, China), and whether it will maintain and enforce, or amend, the Final Rule.

Key Elements of the Final Rule

Key Definitions

• Automated Driving Systems (“ADS”) means “hardware and software that, collectively, are capable of performing the entire dynamic driving task for a completed connected vehicle on a sustained basis, regardless of whether it is limited to a specific operational design domain (ODD).”
• Connected Vehicle means a “a vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device. A vehicle operated only on a rail line is not included in this definition. A connected vehicle with a gross vehicle weight rating of more than 4,536 kilograms (10,000 pounds) is not included in this definition.”
• Connected Vehicle Manufacturer means a “U.S. person who: manufactures or assembles completed CVs in the United States for sale in the United States; imports completed connected vehicles for sale in the United States; and/or integrates ADS software on a completed connected vehicle for sale in the United States. ACV manufacturer may also be a VCS Hardware importer if VCS Hardware has already been installed in a connected vehicle when the CV manufacturer imports it.”
• Covered Software means the “software-based components, including application, middleware, and system software, in which there is a foreign interest, executed by the primary processing unit or units of an item that directly enables the function of Vehicle Connectivity Systems or Automated Driving Systems at the vehicle level. Covered Software does not include firmware, which is characterized as software specifically programmed for a hardware device with a primary purpose of directly controlling, configuring, and communicating with that hardware device. Covered Software also does not include open-source software, which is characterized as software for which the human-readable source code is available in its entirety for use, study, re-use, modification, enhancement, and redistribution by the users of such software, unless that open-source software has been modified for proprietary purposes and not redistributed or shared. Covered Software also does not include software subcomponents that were designed, developed, manufactured, or supplied prior to March 17, 2026, as long as those software subcomponents are not maintained, augmented, or otherwise altered by an entity owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary after March 17, 2026.”
• Foreign interest means “any interest in property of any nature whatsoever, whether direct or indirect, by a non-U.S. person.” According to BIS’s explanation of the rule, a foreign interest can include, but is not limited to, “an interest through ownership, intellectual property, contract—e.g., ongoing supply commitments such as maintenance, any license agreement related to the use of intellectual property—profit-sharing or fee arrangement, as well as any other cognizable interest.” Moreover, according to BIS, “ADS and VCS software is frequently designed, developed, or supplied by foreign persons, and those persons frequently retain a legally cognizable interest in the underlying software, even after it has been integrated into the connected vehicle. For example, foreign software developers may earn profits from use of their software; retain data access and sharing rights to the software; or have obligations to maintain and update the software.” BIS notes, however, that a foreign interest must be an interest in property, and the sole fact a foreign individual worked on a software development team would not meet this requirement unless additional factors (such as ongoing financial or beneficial interests or contractual rights) are present.
• Person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary means:
  • “Any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary;
  • Any person, wherever located, who is a citizen or resident of a foreign adversary or a country controlled by a foreign adversary, and is not a United States citizen or permanent resident of the United States;
  • Any corporation, partnership, association, or other organization with a principal place of business in, headquartered in, incorporated in, or otherwise organized under the laws of a foreign adversary or a country controlled by a foreign adversary; or
  • Any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary, to include circumstances in which any person identified in (1) through (3) of this definition possesses the power, direct or indirect, whether or not exercised, through the ownership of a majority or a dominant minority of the total outstanding voting interest in an entity, board representation, proxy voting, a special share, contractual arrangements, formal or informal arrangements to act in concert, or other means, to determine, direct, or decide important matters affecting an entity.”
• VCS means a “hardware or software item installed in or on a completed connected vehicle that directly enables the function of transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz. VCS does not include a hardware or software item that exclusively:

1. enables the transmission, receipt, conversion, or processing of automotive sensing (e.g., LiDAR, radar, video, ultrawideband);
2. enables the transmission, receipt, conversion, or processing of ultrawideband communications to directly enable physical vehicle access (e.g., key fobs);
3. enables the receipt, conversion or processing of unidirectional radio frequency bands (e.g., global navigation satellite systems (GNSS), satellite radio, AM/FM radio); or
4. supplies or manages power for the VCS.”

• VCS Hardware means “software-enabled or programmable components if they directly enable the function of and are directly connected to Vehicle Connectivity Systems, or are part of an item that directly enables the function of Vehicle Connectivity Systems, including but not limited to: microcontroller, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite communication systems, other wireless communication microcontrollers or modules, external antennas, digital signal processors, and field-programmable gate arrays. VCS Hardware does not include component parts that do not contribute to the communication function of VCS Hardware (e.g., brackets, fasteners, plastics, and passive electronics, diodes, field-effect transistors, and bipolar junction transistors).”
• VCS Hardware importer means a “U.S. person who imports: (1) VCS Hardware for further manufacturing, incorporation, or integration into a completed connected vehicle that is intended to be sold or operated in the United States; or (2) VCS Hardware that has already been installed, incorporated, or integrated into a connected vehicle, or a subassembly thereof, that is intended to be sold as part of a completed connected vehicle in the United States.”

Prohibitions

While the Final Rule itself will take effect on March 17, the prohibitions on the import or sale of CVs that incorporate Covered Software will take effect for vehicle Model Year 2027, and the prohibitions on the import of VCS Hardware will take effect for vehicle Model Year 2030 (or January 1, 2029, for hardware not associated with a specific model year). Consistent with the framework proposed in the NPRM, the Final Rule, absent a general or specific authorization:

1. Prohibits VCS Hardware Importers from importing into the United States VCS Hardware designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia;
2. Prohibits CV manufacturers from knowingly importing into the United States completed CVs that incorporate certain software that directly enables the function of VCS or ADS (VCS and ADS software are collectively referred to as “Covered Software,” as defined above), if it is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia;
3. Prohibits CV manufacturers from knowingly selling within the United States completed CVs that incorporate Covered Software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia; and
4. Prohibits CV manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia from knowingly selling in the United States completed CVs that incorporate VCS Hardware or Covered Software regardless of whether such VCS Hardware or Covered Software is designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia. Such manufacturers are also prohibited from offering commercial services in the United States that utilize completed CVs that incorporate ADS.

Other Compliance Requirements

Declaration of Conformity

A VCS Hardware importer must submit a “Declaration of Conformity” to BIS prior to importing any VCS Hardware, certifying that the VCS Hardware to be imported was not designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia, along with a certification that the declarant has conducted due diligence (with or without the use of third-party assessments) to inform the certification. The declarant will also have to certify that all possible measures, either contractually or otherwise, have been taken to ensure any necessary documentation and assessments from suppliers will be furnished to BIS upon request.

Similarly, all CV manufacturers must submit a Declaration of Conformity to BIS prior to importing or selling in the United States completed CVs that incorporate Covered Software, certifying that any such Covered Software was not designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia. The deadline for Declarations of Conformity in either circumstance will be at least 60 days prior to the first import or first sale of each model year of completed CVs that incorporate applicable Covered Software, and for VCS Hardware, the first import of VCS Hardware for each model year for units associated with a vehicle model year, or calendar year for units not associated with a vehicle model year.

On an annual basis, as applicable, CV manufacturers and VCS Hardware importers will be required to submit a confirmation that the prior Declaration of Conformity remains accurate and that associates the relevant new model year of vehicles (if known) in lieu of submitting a new Declaration of Conformity, or to submit a revised Declaration of Conformity reflecting any material changes.

Recordkeeping

VCS Hardware importers, CV manufacturers, and/or third-party assessors, as applicable, will be required to maintain “all primary business records related to the execution of each transaction” for which a Declaration of Conformity, general authorization, or specific authorization would be required, for a period of at least 10 years from such transaction. Third-party assessors specifically will be required to maintain all records relating to third-party verification or assessment of a U.S. person’s compliance with this rule.

Processes: General Authorization, Specific Authorization, and Advisory Opinions

The Final Rule affirms that BIS will issue general authorizations to allow certain parties (e.g., small businesses) to undertake otherwise prohibited transactions, provided that they meet certain conditions or criteria that will be published on its website. In addition, the Final Rule also affirms that BIS will issue specific authorizations, which, following an application to and approval by BIS, grant VCS Hardware importers and CV manufacturers the ability to engage in otherwise prohibited transactions, including because the associated undue or unacceptable risks have been, or can be, mitigated. The Final Rule also establishes an advisory opinion process whereby VCS Hardware importers or connected vehicles manufactures will be able to request an advisory opinion from BIS to determine whether a prospective transaction is subject to a prohibition, which BIS notes, could also help inform a specific authorization request. BIS has implemented a 60-day deadline for advisory opinion requests, and a 90-day deadline for specific authorization requests, subject to extensions if additional time is required to reach a determination.

Penalties

The Final Rule largely retains the penalty provisions set forth in the NPRM. Persons who violate, attempt to violate, conspire to violate, or knowingly cause a violation of the rule, once finalized, may be subject to civil and/or criminal penalties under IEEPA (50 U.S.C. 1705), depending on the circumstances of the violation. Potential violations of the Final Rule that would be subject to penalties include engaging in a prohibited transaction without an applicable general authorization or specific authorization, or failure to abide by the conditions enumerated in a specific authorization. At the time of publishing of the Final Rule, the maximum civil penalty for violations of IEEPA is $368,136 per violation and the maximum criminal penalty is $1,000,000. Under the Final Rule, should BIS have reason to believe that a violation has occurred and intends to issue a civil monetary penalty, it will inform the alleged violator through a written notice of the intent to impose a penalty (“Pre-Penalty Notice”). Recipients of a Pre-Penalty Notice will have the opportunity to respond in writing and provide additional information to contest the penalty within 30 days for the transmission of the original Pre-Penalty Notice.

Key Changes

Key changes, relative to the NPRM, include the following:

• Exemption for Legacy Software: Covered Software subject to the Final Rule will not include software subcomponents that were designed, developed, manufactured, or supplied prior to March 17, 2026, as long as those software subcomponents are not maintained, augmented, or otherwise altered by an entity owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary after March 17, 2026.
• Scope of VCS: VCS now means hardware or software item installed in or on a completed CV that “directly enables” the function of transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz and specifically does not include hardware or software items that exclusively: (1) enable the transmission, receipt, conversion, or processing of automotive sensing (e.g., LiDAR, radar, video, ultrawideband); (2) enable the transmission, receipt, conversion, or processing of ultrawideband communications to directly enable physical vehicle access (e.g., key fob); (3) enable the receipt, conversion, or processing of unidirectional radio frequency bands (e.g., global navigation satellite systems (“GNSS”), satellite radio, AM/FM radio); or (4) supply or manage power for the VCS.
• Scope of VCS Hardware: VCS Hardware now refers to software-enabled or programmable components that directly enable the function of, or are directly connected to VCS, or are part of an item that directly enables the function of VCS. The terms “directly enable” and “directly connected” narrow the scope of components that would be deemed VCS Hardware, relative to the NPRM, which used the broader term “support.”
• Scope of Covered Software: Likewise, “Covered Software” now refers to software-based components, including application, middleware, and system software, in which there is a foreign interest, executed by the primary processing unit or units of an item that “directly enables” the function of VCS or ADS at the vehicle level.
• Scope of General Authorizations: The NPRM contemplated general authorizations only for certain small producers of vehicles undertaking otherwise prohibited transactions. The Final Rule makes general authorizations available to all VCS Hardware importers and CV manufacturers who meet certain requirements or conditions that will be published on the BIS website at a later date (e.g., for small businesses, for CVs used infrequently on public roads, etc.), provided that the VCS Hardware importer or CV manufacturer is not owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia.
• Scope of Specific Authorization: The Final Rule adopts certain changes to the specific authorization process suggesting that BIS will formally take into account the profile of the party requesting the authorization, and specifically, that BIS will grant specific authorizations for certain otherwise prohibited transactions based on criteria and conditions that are “specifically constructed for each applicant.” In that regard, BIS has noted that a “combination of security controls” could successfully mitigate the national security risk relating to CVs.

If you have any questions concerning the material discussed in this client alert, please contact the members of our CFIUS practice.