U.S. Finalizes Ban on Chinese and Russian Tech in Connected Vehicles, Forcing Massive Supply Chain Overhaul

U.S. Finalizes Regulations Banning Chinese and Russian Technology from Connected Vehicles Starting with 2027 Models

MEDIUM
February 8, 2026
Policy and Compliance, Regulatory, Supply Chain Attack

Related Entities

Organizations

U.S. Department of Commerce Bureau of Industry and Security, Alliance for Automotive Innovation

Other

Pirelli, Sinochem

Full Report

Executive Summary

The United States government has finalized stringent new regulations to prohibit the use of technology originating from China and Russia in connected vehicles sold within the country. The rules, issued by the Department of Commerce's Bureau of Industry and Security, are a direct response to growing national security concerns that foreign adversaries could exploit vehicle connectivity to conduct espionage or even sabotage. The regulations will force a monumental and complex overhaul of the global automotive supply chain. The ban will be phased in, starting with software and certain components in the 2027 model year and expanding to include a wider range of hardware by 2029, presenting a significant challenge for automakers and their suppliers.

Regulatory Details

The new rules are designed to secure the increasingly complex ecosystem of connected vehicles, which are often referred to as 'computers on wheels.' Modern cars contain numerous systems—such as cameras, GPS, microphones, and advanced driver-assistance systems (ADAS)—that collect vast amounts of data and can often be controlled remotely.

Phased Implementation:

  • Starting with 2027 Model Year: Automakers must certify that vehicles sold in the U.S. are free of software and certain connected components originating from 'countries of concern,' specifically China and Russia. This covers everything from infotainment systems to critical ADAS functions.
  • By 2029: The prohibition will expand to include the underlying hardware components that support these connected features.

Affected Organizations

The regulations will have a profound impact on the entire global automotive industry.

  • Automakers: All major car manufacturers selling vehicles in the U.S. will need to undertake a massive effort to audit their supply chains and re-source or re-engineer components and software.
  • Tier 1 & 2 Suppliers: Global parts and software suppliers will be directly affected. Many are already restructuring operations, such as relocating China-based software development teams, to ensure compliance.
  • Chinese and Russian Tech Firms: These companies will be effectively locked out of the U.S. automotive market's connected vehicle segment.

Compliance Requirements

Automakers face the daunting task of tracing the digital lineage of every line of code and every microchip in their vehicles. Hilary Cain of the Alliance for Automotive Innovation describes the rules as "one of the most consequential and complex auto regulations in decades."

Key Challenges:

  • Software Bill of Materials (SBOM): Manufacturers will need to develop and maintain a comprehensive SBOM for their vehicles to prove the origin of all software components.
  • Supplier Transparency: A major hurdle is the reluctance of many suppliers, particularly in China, to share proprietary source code, which they view as intellectual property.
  • Corporate Restructuring: The regulations are forcing companies to make significant structural changes. For example, Pirelli, whose largest shareholder is the Chinese firm Sinochem, is reportedly exploring options to reduce the shareholder's stake or divest its U.S. smart-tire business to comply.

Impact Assessment

  • National Security: The primary goal is to mitigate the risk of foreign adversaries using connected vehicles to spy on U.S. citizens, collect data on critical infrastructure, or potentially disable vehicles remotely.
  • Economic Impact: The regulations will increase costs for automakers and suppliers due to the need for supply chain audits, re-engineering, and sourcing of new components. These costs may ultimately be passed on to consumers.
  • Industry Transformation: The rules will accelerate the trend of 'decoupling' or 'de-risking' supply chains from China, forcing a realignment of global manufacturing and software development hubs.
  • Exemptions: The possibility of temporary exemptions exists for companies that can demonstrate they are effectively managing the risks through other security measures, though the criteria for such exemptions are not yet fully clear.

Compliance Guidance

Automakers and suppliers must take immediate action:

  1. Supply Chain Mapping: Initiate a comprehensive, multi-tier audit of both software and hardware supply chains to identify any exposure to Chinese or Russian technology.
  2. Vendor Risk Management: Enhance vendor risk management programs to include specific requirements regarding the origin of components and software code.
  3. Engage with Regulators: Actively engage with the Department of Commerce to understand the specifics of the rules and the process for obtaining any potential exemptions.
  4. Strategic Re-sourcing: Begin the long-term strategic process of identifying and qualifying new suppliers to replace those from prohibited countries.

Timeline of Events

  1. February 7, 2026: The U.S. government is reported to have finalized regulations banning foreign adversary tech in connected vehicles.
  2. February 8, 2026: This article was published.
  3. January 1, 2027: Phase 1 of the ban (software) is scheduled to begin with the 2027 vehicle model year.
  4. January 1, 2029: Phase 2 of the ban (hardware) is scheduled to take effect.

MITRE ATT&CK Mitigations

The regulation forces a comprehensive asset management program for both software (SBOM) and hardware (HBOM) in the automotive supply chain.

This is a direct implementation of supply chain risk management, where technology from specific high-risk countries is prohibited.

D3FEND Defensive Countermeasures

To comply with the new regulations, automakers must conduct extensive system file analysis across their entire software supply chain. This goes beyond simple virus scanning; it requires creating a comprehensive Software Bill of Materials (SBOM) for every component in the vehicle, from the infotainment system to the ADAS controller. This SBOM must be used to trace the provenance of all code to ensure no software originates from banned entities in China or Russia. Automakers will need to invest in automated tools that can scan source code and binaries to identify libraries, dependencies, and their origins. This process is complicated by proprietary code from suppliers, so automakers must now use their purchasing power to demand this level of transparency from their entire supply chain as a condition of doing business.
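The multi-tier provenance trace described above can be sketched as follows. This is an added example, not code from the article or from any regulator or vendor tool. It assumes a simplified SBOM whose `components` and `dependencies` layout is modeled on CycloneDX; the `origin_country` field, the component names and the sample data are constructed for illustration.

```python
import json
from collections import deque

COUNTRIES_OF_CONCERN = {"CN", "RU"}  # the two countries the article names

# Constructed sample SBOM; "origin_country" is a hypothetical field, not a standard one.
SBOM = json.loads("""
{
  "components": [
    {"bom-ref": "infotainment", "name": "infotainment-os", "origin_country": "US"},
    {"bom-ref": "adas", "name": "adas-controller-fw", "origin_country": "DE"},
    {"bom-ref": "nav", "name": "nav-sdk", "origin_country": "JP"},
    {"bom-ref": "maps", "name": "map-tile-codec", "origin_country": "CN"},
    {"bom-ref": "telem", "name": "telemetry-agent", "origin_country": "RU"},
    {"bom-ref": "blob", "name": "vendor-dsp-blob"}
  ],
  "dependencies": [
    {"ref": "infotainment", "dependsOn": ["nav", "telem"]},
    {"ref": "nav", "dependsOn": ["maps"]},
    {"ref": "adas", "dependsOn": ["blob"]}
  ]
}
""")

def audit(sbom, roots):
    """For each top-level system, walk every dependency tier and report findings."""
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom["dependencies"]}
    report = {}
    for root in roots:
        prohibited, unknown = [], []
        seen, queue = {root}, deque([(root, [root])])
        while queue:
            ref, path = queue.popleft()
            origin = comps.get(ref, {}).get("origin_country")
            if origin is None:
                unknown.append(" > ".join(path))      # provenance gap: cannot be certified
            elif origin.upper() in COUNTRIES_OF_CONCERN:
                prohibited.append(" > ".join(path))   # keep the path to guide re-sourcing
            for child in edges.get(ref, []):
                if child not in seen:                 # guards against dependency cycles
                    seen.add(child)
                    queue.append((child, path + [child]))
        report[root] = {"prohibited": prohibited, "unknown": unknown}
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SBOM, ["infotainment", "adas"]), indent=2))
```

Components with no declared origin are reported separately from prohibited ones, since an opaque supplier binary blocks certification just as a flagged dependency does.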


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Policy, Regulation, Automotive, Connected Vehicle, Supply Chain, National Security, China, Russia
