The US Commerce Department Finalizes The New Cyber Rule, Reshaping Automotive Supply Chains

In a landmark decision to bolster national security, the US Department of Commerce has finalized a new rule aimed at safeguarding the supply chains of connected vehicle technologies. The finalized rule was published on January 15, 2025. Building upon earlier initiatives to address risks posed by foreign adversaries, this regulation is a critical step in mitigating vulnerabilities in the automotive ecosystem. The rule takes direct aim at the presence of Vehicle Connectivity System (VCS) and Automated Driving System (ADS) technologies with ties to China and Russia, setting the stage for significant transformations in the connected vehicle landscape.

Following our analysis from September 2024, the newly issued rule establishes strict prohibitions against the import and sale of connected vehicle components or complete vehicles that contain VCS or ADS technologies with a sufficient nexus to China or Russia. These measures are designed to curb potential security threats associated with connected vehicle technologies, which serve as the backbone of modern mobility. Key highlights include:

1. Definition of Restricted Technologies
   • VCS (Vehicle Connectivity System): This encompasses telematics control units, Bluetooth, cellular, satellite, and Wi-Fi modules that enable external communication for vehicles.
   • ADS (Automated Driving Systems): The integrated components that facilitate driverless operation in highly autonomous vehicles.
2. Phased Implementation Timeline
   • Software Prohibitions: Effective for Model Year 2027, these restrictions will limit the use of ADS and VCS software with ties to China or Russia.
   • Hardware Prohibitions: Effective for Model Year 2030, or January 1, 2029, for units without a model year, these measures target VCS and ADS hardware.
   • Connected Vehicle Sales: Starting with Model Year 2027, manufacturers with ties to foreign adversaries will be prohibited from selling passenger vehicles in the US, even if the vehicles are manufactured domestically.
3. Focus on Passenger Vehicles
   The rule specifically targets passenger vehicles weighing under 10,001 pounds. A separate rule addressing connected commercial vehicles, such as trucks and buses, is anticipated, reflecting the complexities of supply chains in these segments.

Expansive Attack Surfaces Require Deep Regulatory Initiatives

The rule underscores the US government’s commitment to addressing emerging cybersecurity threats in the connected vehicle ecosystem. As vehicles become increasingly reliant on software and connectivity, the potential attack surface for malicious actors expands exponentially. By targeting VCS and ADS technologies linked to China and Russia, the rule aims to:

• • Strengthen National Security: Reducing the influence of foreign adversaries in critical technologies ensures greater control over potential security vulnerabilities.
  • Mitigate Supply Chain Risks: Establishing clear regulations for connected vehicle components enhances resilience against tampering, data breaches, and other cybersecurity risks.
  • Foster Technological Sovereignty: Encouraging domestic innovation and sourcing within allied nations reduces dependency on potentially adversarial suppliers.
    

The regulation’s phased approach provides manufacturers with a timeline to adapt, but it also signals a profound shift in global automotive supply chains. Key impacts include:

1. Strategic Realignments: OEMs and suppliers will need to reevaluate partnerships and sourcing strategies to comply with the new rule.
2. Technology Innovation: The restrictions are likely to spur advancements in secure, US-based VCS and ADS solutions.
3. Market Dynamics: Manufacturers with existing ties to China or Russia may face significant challenges in accessing the US market, driving competitive realignments.

While the final rule focuses on passenger vehicles, the forthcoming regulation for connected commercial vehicles will be equally consequential. By addressing the distinct supply chain complexities of trucks and buses, the Commerce Department aims to provide a comprehensive framework for connected vehicle security.

The US decision to restrict technologies tied to foreign adversaries highlights the growing intersection of national security and automotive innovation. For automakers and suppliers, this marks both a challenge and an opportunity to redefine their approach to connected vehicle technologies, ensuring resilience and security in a rapidly evolving mobility ecosystem.

Our colleagues at Reimagined Mobility provided detailed comments on this important new regulation. We strongly recommend reviewing their insights.