The United States Bureau of Industry and Security (BIS) is set to introduce a groundbreaking Notice of Proposed Rulemaking aimed at fortifying the supply chains of connected vehicles against national security threats. This move, particularly focused on countering risks posed by foreign adversaries such as China and Russia, represents a significant step toward safeguarding both the automotive industry and US national interests.

Regulatory Framework and Key Components

This initiative builds upon Executive Order 13873, which emphasizes the importance of securing the US information and communications technology supply chain. The proposed rule articulates three primary categories of prohibited transactions concerning connected vehicle systems:

1. Import Restrictions: The importing of vehicle connectivity system (VCS) hardware from companies owned or controlled by foreign entities in China or Russia will be strictly limited. This provision underscores the government’s intention to prevent potential security vulnerabilities that could arise from foreign influence in critical automotive technologies.

2. Sales of Completed Connected Vehicles: The sale of finished connected vehicles that use software developed by the aforementioned foreign adversaries will also be prohibited. By restricting these transactions, the BIS aims to mitigate risks associated with foreign software that may jeopardize vehicle security and user data.

3. Manufacturer Limitations: The proposed rule further includes constraints on vehicle manufacturers with ties to these countries, preventing them from selling connected vehicles in the US market. This measure is intended to elevate the scrutiny and accountability of manufacturers to ensure compliance with national security standards.

Furthermore, the rule mandates specific compliance mechanisms. Stakeholders will be required to submit annual Declarations of Conformity, affirming their adherence to the established regulations. These declarations must be accompanied by comprehensive documentation, which must be maintained for a decade. The regulatory stipulations also entail recordkeeping requirements that reinforce the importance of transparently tracking compliance efforts.

Timeline and Penalties

The proposed prohibitions on software are scheduled to take effect for the model year 2027, while hardware restrictions are slated to commence in 2030. This phased implementation allows stakeholders in the automotive and technology sectors to adapt to the new regulatory landscape.

The potential consequences for non-compliance are substantial. Civil penalties could reach $368,136, while criminal violations may result in fines as severe as $1 million. These penalties indicate the serious approach the US government is taking to ensure compliance and maintain the integrity of the connected vehicle supply chain.

Implications for Stakeholders

The significance of this proposed rule extends beyond mere compliance. It accentuates the need for automotive and technology stakeholders to remain vigilant as they navigate through these new regulatory waters. Companies must reassess their supply chains, ensuring they do not depend on entities that could introduce security vulnerabilities.

For instance, manufacturers will need to consider sourcing components and software from domestic providers or nations that align with US national security interests. Failure to adapt could result in lost revenue and market share as the regulatory environment becomes increasingly stringent.

Moreover, as connected vehicles become more integrated with advanced technologies such as artificial intelligence and machine learning, ensuring the security of data flowing through these systems will be paramount. The proposed rule propels stakeholders to prioritize cybersecurity measures throughout product development and supply chain management.

Conclusion

The BIS’s proposed rule aimed at securing the connected vehicle supply chain represents a pivotal moment for the US automotive sector. It highlights the pressing need for national safeguarding in an increasingly interconnected world. Automotive and technology stakeholders are called to respond proactively, aligning their practices with the evolving regulatory framework to ensure compliance and protect national interests.

Ultimately, this initiative not only seeks to prevent potential threats but also encourages industry innovation and collaboration towards more secure and resilient automotive technologies.