US seeks to limit China, Russia’s roles in connected vehicle supply chains

U.S. regulators on Monday unveiled a plan to ban certain connected vehicles with hardware or software linked to China or Russia, as they tighten oversight over automotive supply chains.

The ban would focus on technologies that, if exploited, regulators believe would allow foreign entities to extract sensitive data or remotely operate vehicles, per a press release by the Department of Commerce’s Bureau of Industry and Security. The proposed rule would only apply to on-road vehicles like cars, trucks and buses, and exclude those not used on public roads, like rolling stock on trains or agricultural vehicles.

The new proposal comes after the Biden administration signaled in February that it would investigate the risks connected vehicle supply chains pose to national security. At the time, the agency formally asked industry stakeholders to help it determine the most effective way to regulate connected vehicles, including which technologies to target specifically.

As a result, the agency honed its rule to focus oversight on two technology categories: hardware and software related to the vehicle connectivity system; and software involved in the automated driving system.

The two categories cover a wide range of components and technologies, including, for example, fleet tracking telematics or the software that powers autonomous vehicles. It does not include technologies like lidar or keyless entry fobs that present a low-risk for sensitive data extraction or remote control of vehicles.

“Connected vehicles provide many benefits — from promoting vehicle safety to assisting drivers with navigation — but they also pose new and growing threats,” the White House wrote in a fact sheet. “These technologies include computer systems that control vehicle movement and collect sensitive driver and passenger data as well as cameras and sensors that enable automated driving systems and record detailed information about American infrastructure.”

The rule also further defined what it means for a component to have significant links to China or Russia. The definition applies to products “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the [People’s Republic of China] or Russia.”

Automakers will have several years to alter their supply chains to avoid components with significant links to China or Russia, per the press release.

Prohibitions on covered software would take effect as of model year 2027, while the ban on certain hardware imports and sales would begin model year 2030, or as of Jan. 1, 2029, for units without a model year.

The delayed timeline seeks to give automakers time and flexibility to come into compliance, while also sending a clear signal of what suppliers would be permitted for the nascent supply chain, according to the proposed rule. In addition, the agency is allowing automakers to request exceptions and self-certify their compliance, in an effort to encourage connected vehicle supply chain transparency, while the industry is still nascent.

In the proposal, the agency clarified that there is a “relatively limited amount” of hardware and software linked to China or Russia in U.S. vehicles today. However, the proposal also acknowledged that automakers often do not have full visibility into their supply chains.

“The Department of Commerce will continue to take a proactive approach to address this national security risk before Chinese and Russian suppliers proliferate within the U.S. automotive ecosystem,” Under Secretary of Commerce for Industry and Security Alan Estevez said in a statement.

Regulators are seeking comments on the proposed rule over the next month, before the rule is finalized. Industry stakeholders can submit their feedback using the Federal eRulemaking Portal, or by emailing [email protected] with “RIN 0694-AJ56” included in the subject line.