Proposed Rule Targeting Connected Vehicles Will Impose Major New Supply Chain Compliance Requirements on Automotive Companies that Source from Russia or China
On September 26, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) published a Notice of Proposed Rulemaking that, if finalized, would prohibit the sale or import of certain automotive hardware and software, as well as “connected vehicles” incorporating this technology, from or linked to the People’s Republic of China or Russia. We anticipate this rule will be implemented in substantially similar form and recommend that automotive-sector companies that rely on parts and components from Russia or, especially, China take steps now to prepare for these potentially sweeping restrictions on imported automotive parts and components.
To help the wide range of impacted companies prepare for the likely impact of these rules, the Foley Automotive, Supply Chain, and International Trade teams have put together this article to outline the requirements of these far-reaching proposed new rules, which will impact the supply chains for nearly every vehicle that will be sold in the United States as soon as Model Year 2027. The following alert is organized around the key questions that every automotive-sector company needs to consider in light of this new proposed rule. We also invite readers to review the text of the rule as well as the accompanying BIS Press Release.
Why is the U.S. Government Putting Out New Connected Vehicle Supply Chain Requirements?
For several years, there has been a bipartisan consensus that the use of Chinese parts and components, including software, represents a potential vulnerability to U.S. competition in the automotive industry. Concerns have ranged from jobs on the UAW assembly line to the potential collection by the Chinese government of sensitive personal data, such as where vehicles are driven and personally identifiable information or even the ability to potentially take over the operation of a vehicle. As vehicles move closer to a future where connected vehicles are filling the roadways, these concerns have received increasing attention at multiple federal agencies.
Against this backdrop, the BIS Office of Information and Communications Technology and Services (OICTS) has proposed a new rule regarding parts and components to be used in “vehicle connectivity systems” (VCS) and “automated driving systems” (ADS). This proposed new rule is authorized pursuant to Executive Order 13873, which requires BIS to mitigate national security risks associated with information and communications technology and services. Notably, the proposed rule broadly defines what is a “connected” vehicle to include not just vehicles that communicate with each other but any vehicles that include components that use Bluetooth, cellular, satellite, and Wi-Fi technologies, as well as systems that enable vehicles to operate autonomously.
The rationales behind the proposed rule are largely centered on national security and privacy concerns. U.S. Secretary of Commerce Gina Raimondo noted, “Cars today have cameras, microphones, GPS tracking, and other technologies connected to the internet. It doesn’t take much imagination to understand how a foreign adversary with access to this information could pose a serious risk to both our national security and the privacy of U.S. citizens.” The BIS further states that “[m]alicious access to these [VCS and ADS] systems could allow adversaries to collect sensitive data and remotely manipulate cars on American roads.”
What Does the Proposed Rule Cover?
The proposed rule, which would start to take effect beginning with Model Year 2027 vehicles, would affect the entire automotive industry, as BIS predicts that all new vehicles would be considered “connected vehicles.” The key items to know about the new rule include the following:
Covered Vehicles: BIS defines a “connected vehicle” as an on-road vehicle that “integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.” There are no limitations on the type of vehicles, so the rule extends broadly to cover passenger vehicles, motorcycles, small and medium trucks, many commercial trucks, recreational vehicles, and busses. According to BIS, the aim is to cover “all new vehicles sold in the United States.”
While the rule would apply to parts from China or Russia used in on-road vehicles, it excludes certain off-road vehicles such as agricultural and mining equipment, and vehicles that are only operated on a rail line. The proposed rule also allows for some relaxation of coverage in limited circumstances, such as where the total model year production is fewer than 1,000 units; where the vehicle will be used solely for display, testing, or research (and will not be used on public roadways); or where the vehicle is imported sole for purposes of repair, alteration, or competition in off-public roads and will be reexported within one year. The proposed rule also outlines procedures for buyers and manufacturers to seek specific authorizations from BIS, to engage in otherwise prohibited transactions.
Covered Hardware and Software: The proposed rule targets hardware and software for VCS using radio frequency communications over 450 megahertz and software for automated driving systems. According to BIS, these systems most directly facilitate communication to and from connected vehicles and are of concern because they can control subordinate systems within the vehicles, making them potential targets for data harvesting or remote vehicle manipulation. The proposed rule also targets software that supports these functions and specifically calls out “covered software” where there is a “foreign interest,” which is broadly defined as “any interest in property of any nature whatsoever, whether direct or indirect, by a non-U.S. person.” Basically, this definition covers any software not wholly developed by a U.S.-owned company within the United States.
Prohibited or Restricted Activities: The proposed rule would prohibit:
- Knowingly selling completed connected vehicles in the United States that incorporate VCS hardware or covered software if the seller is linked to China or Russia, even if the vehicle is manufactured or assembled in the United States.
- Knowingly importing VCS hardware that is designed, developed, manufactured, or supplied by persons linked to China or Russia.
- Knowingly importing into or selling within the United States connected vehicles that incorporate covered software designed, developed, manufactured, or supplied by persons linked to China or Russia.
Notably, BIS commentary on the proposed rule states that covered items that are designed, developed, or otherwise supplied in whole or in part by persons linked to China or Russia can trigger the rule’s prohibitions. This leaves open the possibility of broad interpretation of the rule, potentially imposing restrictions on any company that has hardware or software development teams in China or Russia. Any involvement of these non-U.S. persons, such as providing or improving software code, could trigger the rule’s prohibitions.
These concerns are reinforced by how broadly the proposed rule defines persons who have sufficient connections to China or Russia to trigger application of the proposed rule, i.e., those “owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.” The proposed rule defines these persons as:
- Any citizens or residents of China or Russia who are non-U.S. persons within the meaning of the export control laws (i.e., not U.S. citizens or permanent residents).
- Any persons acting on behalf of, or persons whose activities are supervised, directed, financed, or subsidized by, Russia or China.
- Any organizations with a principal place of business headquartered in, incorporated in, or organized under the laws of China or Russia. Notably this would include subsidiaries and joint ventures of U.S. companies, thus extending the reach of the prohibitions to many automotive-sector companies.
- Any organizations in which any of the above-described persons has the power, direct or indirect, to “determine, direct, or decide important matters” affecting the organization. These prohibitions can be triggered by majority or even minority ownership of the company or through voting interests that give substantial control or input as well as board representation, proxy voting, special or voting shares, or even contractual arrangements or formal or informal means to act in concert to effectuate such control.
When Does the Proposed Rule Go into Effect?
Currently, the rule is only a proposal and is open for public comment until October 28, 2024; the BIS press release announcing the rule ends with instructions regarding how to submit comments. Following this period, the Department is expected to issue a proposed final rule, which may differ from the initial version, before submitting it for approval. The Biden administration is striving to finalize the rule by January 2025. If enacted as proposed, the prohibitions on software from China or Russia would take effect for Model Year 2027 vehicles, while hardware prohibitions would apply to Model Year 2030 units. For vehicles without a designated model year, the prohibitions would commence on January 1, 2029.
What Compliance Obligations Are Imposed?
The proposed rule would impose compliance obligations on VCS hardware importers and connected vehicle manufacturers. These include a declaration of conformity for vehicles using VCS hardware or vehicles incorporating covered software. The proposed rule would require that importers and manufacturers must file certifications of compliance prior to importing or selling covered items in the United States, including a requirement that the declarant certify that it has not knowingly engaged in a transaction prohibited under the rule, along with detailed information regarding the hardware and/or software being imported. The declarant also would be required to provide documentation of due diligence used as a basis for the declaration.
The true state of the due diligence requirements is not yet known. Beyond the declaration, the type of due diligence required is not stated in the rule. Nonetheless, to satisfy the requirement to file a declaration of conformity, the declarant would need to conduct sufficient supply chain due diligence, supply chain mapping, and tracing to allow it to certify completely and accurately. Because the proposed rule uses a knowledge standard, we would expect the U.S. government to use the type of “knew or should have known” standard that is generally imposed for international regulatory responsibilities. This is consistent with the general goal of the U.S. government, which is to impose extensive and growing responsibilities on U.S. companies, or companies selling into the U.S., to take responsibility for the full operation of their supply chains, right down to the last sub-supplier.
The proposed rule also would require companies to maintain records related to the declaration of conformity and related documents for 10 years. The proposed rule also would require that records should be tied to each relevant transaction, including supporting documentation such as contracts, import records, bills of sale, and other pertinent documents.
It is anticipated that there will be a lot of gray areas when the proposed rule goes into effect. To deal with these, the proposed rule indicates that BIS likely will establish an advisory opinion process, similar to the one used for advisory opinions under the Export Administration Regulations (which also are overseen by BIS). BIS also proposed publishing advisory opinions of broader public interest on its website.
Will the Proposed Rule Go into Effect Substantially as Written?
We expect that any tinkering with the rule will be around the edges rather than including wholescale changes to the rule. This proposed rule is part of a broader U.S. Government initiative to limit trade with China and to restrict the ability of China to be involved in critical areas of the U.S. supply chain and to limit the potential ability of the Chinese government to gain sensitive personal data on U.S. persons. The push for trade limitations with China has garnered bipartisan support, suggesting the proposed rule is unlikely to be significantly affected by the November 2024 elections. Further, the proposed rule represents a thorough consideration of areas of potential supply chain vulnerability. Thus, while we expect that comments will be important in laying out certain edge cases and unanticipated impacts, we expect that the proposed rule will go into place substantially as written.
What Will Be the Impact of the Proposed Rule?
If implemented, this rule would profoundly impact the U.S. automotive supply chain and manufacturing sector. Original equipment manufacturers and component suppliers will need to reassess their hardware and software supply chains to identify components with a sufficient nexus to China or Russia, taking into account the broad rules on coverage of who is a foreign person and the extension of the rules to subsidiaries and joint ventures of U.S. companies. This may necessitate the elimination of certain parts or the identification of replacement suppliers, potentially driving up costs. Such re-sourcing could disrupt existing supply agreements and lead to litigation among suppliers. Additionally, the proposed rule would require manufacturers to maintain and provide documentation to demonstrate compliance with the new regulations and to conduct sufficient due diligence and supply chain compliance management to allow for an accurate certification of the same.
The proposed rule is a significant development in U.S. trade policy, particularly concerning the automotive sector. As the industry prepares to navigate these forthcoming changes, manufacturers and suppliers should proactively adapt their strategies to ensure compliance and mitigate disruptions to their supply chains. The implications of this rule extend far beyond regulatory requirements, impacting costs, partnerships, and ultimately consumer choices. As public comments are gathered and the rule progresses, stakeholders will need to stay informed and engaged to effectively respond to the evolving landscape of automotive manufacturing and trade in the face of national security concerns.
If you have any questions about the Department of Commerce’s proposed rule impacting connected vehicles or supply chain requirements for companies that source from China or Russia, contact any of the authors of this article or your Foley & Lardner attorney.
