1. Summary and Overview of the Proposed Rule
Summary
The Biden administration released a Notice of Proposed Rulemaking (the “Proposed Rule”) that aims to prevent the use of certain “foreign adversary-controlled technology” in U.S. automotive supply chains – foreign adversary currently is limited to China and Russia. The Proposed Rule targets specific hardware and software integrated into Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS) as well as completed vehicles with such components sold by companies with a China or Russia nexus. The Proposed Rule applies to wheeled on-road vehicles, including cars, trucks, and buses.
Overview
The Proposed Rule prohibits importers and vehicle manufacturers from knowingly importing or selling completed connected vehicles that incorporate either: (1) VCS[1] hardware such as telematics control units, Bluetooth, cellular, satellite, and Wi-Fi modules or (2) ADS[2] software that allows for autonomous driving, with a People’s Republic of China (PRC) or Russia nexus.
The Proposed Rule’s software prohibitions would apply to vehicles starting with Model Year 2027, and its hardware prohibitions would apply for Model Year 2030 (January 1, 2029, for non-model year units).
Not only would certain imports and sales be banned, but under the Proposed Rule, there would be an annual compliance certification obligation for those subject to the rule. Specifically, VCS hardware importers and certain connected vehicle manufactures would be required to comply with the Rule and also annually certify compliance with the regulations through a Declaration of Conformity to the Department of Commerce’s (Commerce) Bureau of Industry and Security (BIS).
As currently contemplated, the Proposed Rule provides that a party could apply for a general or specific authorization to permit importation of otherwise banned items. The Proposed Rule allows parties to appeal denials for specific authorizations, suspensions, or revocations of issued specific authorizations, as well as determinations of ineligibility for a general authorization. Under the Proposed Rule, parties are also allowed to seek advisory opinions, and it empowers BIS to issue “Is-Informed” notices to parties that specific authorization is required because of activity that could constitute a prohibited transaction.
The Proposed Rule imposes a record keeping requirement that would compel VCS hardware importers and connected vehicle manufactures to keep a full and accurate record of each transaction for which a Declaration of Conformity or authorization (either general or specific) is required for 10 years. These reports must be provided to BIS upon demand.
Violations would be subject to civil, and in some instances, criminal penalties.
2. Key Takeaways
The Proposed Rule is part of a broader regulatory effort to secure U.S. Information and Communications Technology and Services (ICTS) supply chains with other related regulations already in effect (see 15 C.F.R. 791 implementing Executive Order 13873) that were recently used for example to prohibit the provision of Kaspersky Lab, Inc.’s antivirus software and cybersecurity products in the United States or to U.S. persons.
If adopted as a final rule, the Proposed Rule would have a host of downstream implications for automotive manufacturers and suppliers, M&A transaction parties, and corporate compliance efforts. Some key considerations for affected parties are addressed below.
A. Impact on Automotive Manufacturers and Suppliers
- Consider the supply chain implications now: Manufacturers, suppliers, and those considering mergers and acquisitions in the automotive industry should assess their current technology supply chains for components with a nexus to the PRC or Russia. Given the long lead times in automotive development, early action to adjust supply chains is important to avoid production disruptions. A thorough supply chain assessment will be essential for determining the potential impact of the Proposed Rule, cultivating supply-chain resiliency, and preparing for new reporting and compliance requirements.
- Potentially broad impact on software developers: Companies that are not otherwise owned our controlled by a PRC or Russian person could still be impacted by the Proposed Rule’s prohibitions if they are engaging in software development or any of the code used in their software is developed in China or Russia. Companies developing software used in connected vehicles should assess where they develop software and determine whether any code for their software was developed in China or Russia. If so, such companies may need to consider moving where they develop code or removing legacy code from its software that was developed in China or Russia.
- Evaluate alternative suppliers: As the Proposed Rule’s prohibitions would not take effect until 2027 (for software) and 2030 (for hardware), there is time to establish relationships with alternative suppliers for affected parties. However, these timelines are relatively short in the context of vehicle development cycles, so proactive planning is critical. Moreover, if the U.S. automotive market simultaneously moves in search of non-PRC or Russian suppliers, market capacity currently available today may be quickly absorbed.
B. Considerations for Mergers, Acquisitions, and Divestitures
- Due diligence in corporate transactions: Companies considering purchasing or selling businesses or divisions in the connected vehicle space should conduct thorough due diligence to ensure compliance with the Proposed Rule. Failing to identify prohibited components or suppliers could expose buyers to unanticipated compliance risks and future liabilities.
- Potential for reduced valuation: Companies with significant reliance on PRC- or Russia-sourced technology in their connected vehicle systems may face reduced valuations, as buyers will likely factor in potential costs of the Proposed Rule, ranging from replacement of non-compliant components to diminished market opportunities.
C. Legal and Compliance Risks
- Compliance monitoring: Companies in the U.S. automotive supply chain should consider beginning to develop compliance monitoring framework that tracks both the origin and potential rebranding of prohibited components. As enforcement dates approach, compliance programs will need to be structured and revamped to ensure that no prohibited technologies slip through, particularly with potential component re-labeling from third-party suppliers.
- Penalties for non-compliance: Failure to comply with the Proposed Rule, once finalized, could result in significant legal, financial, and reputational penalties, including potential bans from the U.S. market.
3. Intersection with Broader Regulatory Trends
- Model for future ICTS regulations in other sectors: Commerce may consider adopting similar restrictions for connected software and equipment in critical infrastructure sectors such as energy generation and distribution, battery storage systems, and 5G telecommunication networks (that would go beyond bans on specific companies and apply broadly to companies with a nexus to China and Russia). Therefore, companies in critical infrastructure sectors may also be impacted by future regulations under EO 13873, meaning businesses should stay abreast of broader Commerce Department actions.
- Broader national security implications: While this proposed regulation specifically targets connected vehicles, it reflects a larger national security concern around technologies in the United States that could be manipulated by foreign adversaries. This concern has spawned a series of new regulations implicating bulk sensitive and government personal data, FCC bans targeting cutting-edge Chinese technologies, new reporting requirements for frontier AI development, and a soon-to-be-enacted, novel outbound investment regime. Businesses across the information and technology sectors should be mindful of potential future rulemakings in their respective industries.
4. Conclusion
The Proposed Rule represents the latest in an ongoing effort by the U.S. government to guard U.S. consumers against the potential manipulation or misuse of information technologies by foreign adversaries, particularly China and Russia. As we have highlighted, potentially affected parties will benefit from proactive planning and development of compliance procedures to mitigate potential risks associated with the Proposed Rule as it proceeds through the rulemaking process.
[1] The Proposed Rule defines VCS to mean either “a hardware or software item for a complete connected vehicle that has the function of enabling the transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 megahertz.”
[2] The Proposed Rule defines ADS to mean “hardware and software that, collectively, are capable of performing the entire dynamic driving task for a complete connected vehicle on a sustained basis, regardless of whether it is limited to a specific operational design domain.”