U.S. Commerce Department Finalizes Connected Vehicle Prohibitions

On January 16, 2025, the Bureau of Industry and Security (BIS) issued a final rule to address national security concerns about information and communications technology and services (ICTS) in connected vehicles. The rule prohibits the importation and sale of certain connected vehicle hardware or software that has been designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments. It also prohibits manufacturers that are owned by, controlled by, or subject to the jurisdiction or direction of China or Russia from selling in the U.S. connected vehicles that incorporate certain software or hardware, regardless of whether such hardware or software is linked to those countries.

The final rule follows and largely resembles the September 26, 2024 proposed rule. In this final rule, which goes into effect on March 17, 2025, BIS made certain revisions in light of public feedback to define the scope of connected vehicles, identify ICTS integral to connected vehicles, and better clarify the effects of any potential prohibition. In an executive order titled “America First Trade Policy,” President Trump directed the Secretary of the U.S. Department of Commerce (Commerce) to review the final rule and recommend “appropriate action,” including whether controls should be further expanded.

Key Revisions From the Proposed Rule

Below is an overview of highlights from the final rule, which focuses on key changes from the proposed rule with respect to prohibited transactions, compliance mechanisms, and definitions.

Prohibited Transactions

The final rule largely retains the same prohibitions as the proposed rule, which include the following transactions unless otherwise permitted under a general or specific authorization:

• Vehicle Connectivity Systems (VCS) hardware importers are prohibited from knowingly importing into the U.S. any VCS hardware that is designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments.
• Connected vehicle manufacturers are prohibited from knowingly selling within the U.S., or importing into the U.S., completed connected vehicles that incorporate covered software that is designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments.
• Connected vehicle manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of China or Russia are also prohibited from knowingly selling in the U.S. completed connected vehicles that incorporate covered software or VCS hardware, regardless of whether such hardware or software is designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments. These connected vehicle manufacturers are also prohibited from offering commercial services in the U.S. that utilize completed connected vehicles that incorporate Automated Driving Systems (ADS).

The software-related prohibitions will be effective starting with model year 2027. Meanwhile, the hardware-related prohibitions will be effective for model year 2030 or January 1, 2029 for hardware not associated with a particular vehicle model year. The prohibitions on the sale by connected vehicle manufacturers who are owned by, controlled by, or subject to the jurisdiction or direction of China or Russia are effective for model year 2027.

BIS noted that the third restriction may be duplicative of the first two restrictions in many cases, but the final rule clarified that the third restriction applies even if connected vehicle manufacturers subject to influence by the Chinese or Russian governments are not involved in the design or development of the VCS hardware and covered software.

In addition to revisions with respect to prohibited transactions, the final rule further outlined the following changes from the proposed rule:

• Scope of VCS: BIS narrowed the definition of VCS by excluding certain functions such as “automotive sensing (which includes LiDAR, radar, cameras, and ultrawideband); global navigation satellite system (GNSS); and satellite, AM, and FM radio.” These functions have been excluded because they are considered low-risk uses.
• Scope of VCS Hardware and Covered Software: BIS narrowed the definitions of “covered software” and “VCS hardware” to include only those items that “directly enable” the function of those systems as opposed to “supports” those systems. In other words, the previous language of “supports” has been replaced by “directly enable.” This change was made to allow industry to identify components captured by the VCS hardware definition more easily.
• Exclusion of Legacy Software: BIS excluded legacy software from the definition of “covered software.” Legacy software refers to software and software components that were designed, manufactured, or supplied prior to March 17, 2026. This change was made to lessen industry’s regulatory burden. Notably, BIS rejected adding a legacy hardware exclusion.
• Refinement of the Open-Source Software Exclusion: BIS also excluded open-source software from the definition of “covered software,” unless the open-source software has been modified for proprietary purposes and not redistributed or shared. Open-source software is characterized as software for which the human-readable source code is available in its entirety for use, study, re-use, modification, enhancement, and redistribution by the users of such software.

Compliance Mechanisms

The final rule maintains the three primary compliance mechanisms outlined in the proposed rules with some minor changes:

(1) Declarations of Conformity: The proposed rule mandated that VCS hardware importers or connected vehicle manufacturers submit to BIS annual Declarations of Conformity, attesting that they had not engaged in otherwise prohibited transactions and requested a substantial amount of information to be included in the submissions. With the final rule, BIS clarified the certification requirement, narrowed the information required to be submitted, and added a 10-year recordkeeping requirement. The final rule also extended the timeline for submitting updates or corrections to the declarations from 30 to 60 days.

• The final rule requires a certification statement that the hardware or software at issue in the declaration was not designed, developed, manufactured, or supplied by entities subject to influence by the Chinese or Russian governments.
• The declarations also require importers and manufacturers to (1) certify to BIS, annually or whenever “material changes” occur, that they are not engaging in prohibited transactions (and entities may submit a confirmation in lieu of a new declaration) and (2) provide relevant information on the import of VCS hardware and/or the import or sale of completed connected vehicles. Here, “material change” means “discovery, by the declarant, of an omission, inaccuracy, or error in the information provided to the Department in a prior Declaration that could reasonably mislead as to the true source of VCS hardware or covered software in question.”
• The final rule further requires entities to submit to BIS the name and contact information of the importer or manufacturer, as well as additional information based on whether the entity is engaging in a covered software or VCS hardware transaction. Entities must also certify that they have conducted due diligence into their supply chain, and primary business records documenting such due diligence efforts must be maintained by the declarant or a third-party and made available to BIS upon request. In response to comments, BIS also removed reporting requirements related to third-party external endpoints from the final rule.
• Hardware Bill of Materials (HBOM) and Software Bill of Materials (SBOM), as well as a list of third-party external VCS hardware connection endpoints, are no longer required as part of the declarations in an effort to address concerns related to the submission of sensitive information in the declarations.
• Finally, the final rule includes a “foreign interest” exemption to the declarations requirement for circumstances where the only foreign interest arises when a foreign person owns equity of a public company but does not affect the company’s management or control.

(2) General Authorizations: VCS hardware importers and connected vehicle manufacturers are permitted to engage in otherwise prohibited transactions without the need to notify BIS prior to engaging in the transaction. Under the amended provisions, importers and manufacturers using general authorizations must monitor their use of such authorizations, and, within 30 days of discovering a change in circumstance, conduct an inquiry as to whether the authorization still applies. Should the entity determine that the authorization no longer applies, it must, within an additional 30 days, cease all prohibited conduct and submit a report to BIS. BIS will issue general authorizations through its website and the Federal Register.

(3) Specific Authorizations: VCS hardware importers and connected vehicle manufacturers who do not otherwise qualify for a general authorization may request specific authorization from BIS. The final rule lists several examples of documentation that could be used to support the information contained in a specific authorization application. The final rule also notes that specific authorizations will generally be approved for a duration of no less than one model or calendar year. BIS will advise specific authorization applicants about the duration of any approved specific authorizations when issued. However, BIS clarifies that exceptions may apply for BIS to approve a specific authorization for less than one model or calendar year if supply chains are affected by force majeure events, or due to an unexpected change in the supply chain during model year production.

BIS noted that, depending on the product, VCS hardware importers and connected vehicle manufacturers could be required to use a combination of the three compliance mechanisms to meet their obligations under the final rule.

Recordkeeping Requirements

As previously noted, BIS eliminated in the final rule the requirements to submit SBOMs, HBOMs, and the list of third-party external VCS hardware connection endpoints. These requirements have been replaced with certification and recordkeeping requirements with submissions to BIS required only upon request. According to the final rule, all regulated entities must (1) retain all primary business records related to “any transaction for which a Declaration of Conformity, general authorization, or specific authorization would be required,” for 10 years (i.e., “recordkeeping requirements”), and (2) submit reports and statements according to the instructions of each specific authorization (i.e., “certification requirements”). In addition, third-party assessors must also comply with all recordkeeping requirements.

Penalties

Persons who violate, attempt to violate, conspire to violate, or knowingly cause a violation of the final rule will be subject to civil and/or criminal penalties. The maximum civil penalty for violations is $377,700.17 per violation (adjusted for inflation) and the maximum criminal penalty is $1 million and/or 20 years in prison. BIS will consider applying a reduction of potential penalties for those voluntarily disclosed.

Advisory Opinions and Is-Informed Notices

VCS hardware importers and connected vehicle manufacturers may seek an advisory opinion from BIS to provide guidance on whether a prospective transaction is prohibited. In the final rule, BIS added a 60-day timeline for BIS to respond to advisory opinion requests and clarified procedural requirements of submitting an appeal request. As with the Declaration of Conformity, SBOM and HBOM submissions are no longer required for advisory opinion requests. In addition, interested parties may submit information directly to BIS in support of an advisory opinion request.

The final rule also made no changes to the proposed rule details about is-informed notices, which BIS may send through direct letters or Federal Register notices to notify an importer or manufacturer that a specific transaction may require a specific authorization because the transaction would be prohibited under the final rule.

Definitions

In response to public feedback, BIS amended or clarified the definitions for the following terms in the final rule (the terms mentioned in the final rule but were not modified in the final rule are not included below):

• Connected Vehicle: “a vehicle driven or drawn by mechanical power and manufactured primarily for use on public streets, roads, and highways, that integrates onboard networked hardware with automotive software systems to communicate via dedicated short-range communication, cellular telecommunications connectivity, satellite communication, or other wireless spectrum connectivity with any other network or device.” Vehicles operated only on a rail line are not included in this definition, and BIS also narrowed the scope by adding that a connected vehicle that is more than 10,000 pounds is not included in this definition.
• Connected Vehicle Manufacturer: “a U.S. person who: (1) manufactures or assembles completed connected vehicles in the U.S. for sale in the United States; (2) imports connected vehicles for sale in the U.S.; and/or (3) integrates ADS software on a completed connected vehicle for sale in the U.S.” The amended definition clarifies that the integration of ADS into an otherwise completed connected vehicle is subject to this final rule, and that (1) applies only if the vehicles are intended for sale in the U.S.
• Covered Software: “the software-based components, including application, middleware, and system software, in which there is a foreign interest, executed by the primary processing unit or units of an item that directly enables the function of VCS or ADS at the vehicle level.” BIS specified the definition in the final rule to explicitly include application, middleware, and system software. The definition also excludes firmware, open-source software, and software subcomponents “designed, developed, manufactured, or supplied prior to March 17, 2026, as long as [they] are not maintained, augmented, or otherwise altered by an entity owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary after [the said date].”
• Declarant: “the U.S. person submitting a Declaration of Conformity to BIS.” BIS included this new definition to clarify the final rule, where the term is used throughout.
• HBOM: “a formal record of the supply chain relationships of parts, assemblies, and components required to create a physical product, including information identifying the manufacturer, and related firmware.” Notably, BIS will not require HBOMs as part of Declarations of Conformity.
• SBOM: “a formal record containing the details and supply chain relationships of various components used in building software.” Notably, BIS removed several SBOM elements from requirements to apply for a Declaration of Conformity or specific authorization.
• VCS: “a hardware or software item installed in or on a completed connected vehicle that directly enables the function of transmission, receipt, conversion, or processing of radio frequency communications at a frequency over 450 MHz.” BIS modified the definition to include explicit hardware and software exclusions, as well as function-based exclusions.
• VCS Hardware: “software-enabled or programmable components if they directly enable the function of VCS, or are part of an item that directly enables the function of VCS, including but not limited to: microcontroller, microcomputers or modules, systems on a chip, networking or telematics units, cellular modem/modules, Wi-Fi microcontrollers or modules, Bluetooth microcontrollers or modules, satellite communication systems, other wireless communication microcontrollers or modules, external antennas, digital signal processors, and field-programmable gate arrays.” BIS replaced “support the function of” with “directly enable the function of” in response to the commenters’ suggestions.
• VCS Hardware Importer: a U.S. person who imports: (1) VCS hardware for further manufacturing, incorporation, or integration into a completed connected vehicle that is intended to be sold or operated in the U.S.; or (2) VCS hardware that has already been installed, incorporated, or integrated into a connected vehicle, or a subassembly thereof, that is intended to be sold as part of a completed connected vehicle in the U.S. BIS clarified the definition to include only entities who are importing VCS hardware components that are for use in completed connected vehicles or are already incorporated in a connected vehicle (incomplete or completed).

Conclusion

Given its scope, the final rule will have broad impact on VCS hardware importers, connected vehicle manufacturers, and other participants in the connected vehicle supply chain. Interested parties are encouraged to review the restrictions in detail to determine what impact they may have on their business.

As noted above, there is a phased approach to implement the new prohibitions. The software-related prohibitions and prohibitions on the sale by connected vehicle manufacturers subject to influence by the Chinese or Russian government will be effective starting with model year 2027. The hardware-related prohibitions will be effective for model year 2030 or January 1, 2029 for hardware not associated with a particular vehicle model year.

Going forward, BIS anticipates issuing a set of general authorizations, which will include general authorizations for small businesses; for connected vehicles used infrequently on public roads; for display, testing, or research purposes; and for repair, alteration, or competition. BIS also anticipates posting guidance and responses to frequently asked questions on its website to assist industry. In light of the substantial national security concerns and the comments received regarding the commercial vehicle market in connection with the definition of completed connected vehicles, BIS plans to issue a new proposed rule specifically for the commercial vehicle sector and will also supplement the definition of connected vehicles in this final rule with an additional rule to address vehicles over 10,000 pounds.

On January 20, 2025, President Trump issued an executive order titled “America First Trade Policy,” under which the Secretary of Commerce “shall review and recommend appropriate action” with respect to this final rule. Given that this executive order directed Commerce to consider whether controls on ICTS transactions should be expanded to account for additional connected products, there will likely be additional rulemaking to enhance these prohibitions. Industry should continue to monitor for any further regulatory actions that may be announced. Please contact any author of this Advisory or your Arnold & Porter relationship attorney if you have any questions or to seek further guidance or advice.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.