US Proposes Ban on Connected Vehicle Systems from Russia and China and Declaration of Conformity for All Systems
This blog was originally posted on 15th October, 2024. Further regulatory developments may have occurred after publication.
AUTHORED BY AARON GREEN, SENIOR REGULATORY COMPLIANCE SPECIALIST, COMPLIANCE & RISKS
Introduction
On 26 September 2024, the US Bureau of Industry and Security (BIS) issued a proposal to prohibit the import of vehicle connectivity systems (VCS), including hardware and software, from Russia and China (PRC).
The proposed rule would require all VCS hardware and software importers to submit a Declaration of Conformity stating that the VCS does not come from and cannot be controlled by any person subject to the jurisdiction or direction of the PRC or Russia.
BIS is requesting comments on the proposed rule by the 28th of October, 2024.
Implications of the Proposed Rule
The proposed declaration of conformity for VCS hardware would require the following information:
- The name and address of the VCS hardware importer;
- A certification that the declarant has not knowingly engaged in a prohibited VCS hardware transaction;
- The FCC ID Number associated with the VCS hardware and, if applicable, of the subcomponents contained therein;
- A list of third-party external endpoints to which the VCS hardware connects, including the country where each endpoint is located and/or the identity and location of the service provider;
- If known, the make, model, and trim of the completed connected vehicles for which the VCS hardware is intended;
- A hardware bill of materials (HBOM) for the VCS hardware that is the subject of the Declaration of Conformity;
- Documentation of the VCS hardware importer’s due diligence efforts, to include independent or hired third-party research, to ensure the VCS hardware listed in the HBOM is not designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia;
- If applicable, an indication of whether the submission is an update to a prior Declaration of Conformity and the date of the last submission;
- Identifying information for an individual point of contact (including name, email address, and phone number).
In addition to the hardware restriction, the regulations would prohibit the import or sale of connected vehicles that incorporate “covered software”, which is defined to mean the software-based components, in which there is a foreign interest, executed by the primary processing unit of the respective systems that are part of an item that supports the function of VCS or ADS [automated driving systems] at the vehicle level. Covered software does not include firmware, which is characterized as software specifically programmed for a hardware device with a primary purpose of controlling, configuring, and communicating with that hardware device. At a minimum, this definition of covered software would include operating systems such as a real-time operating system (RTOS), and general-purpose operating systems. An example of covered software within the ADS is, if included in the system, the machine learning software that performs the functions of object detection, classification, and decision making.
The proposed declaration of conformity to be submitted by manufacturers and importers of completed vehicles containing covered software would include the following information:
- The name and address of the connected vehicle manufacturer;
- A certification that the declarant has not knowingly engaged in a prohibited covered software transaction;
- The make, model, trim, and Vehicle Identification Number (VIN) series applicable to the completed connected vehicles;
- A software bill of materials (SBOM) for the covered software that is the subject of the Declaration of Conformity. At a minimum, the SBOM must include the author’s name, timestamp, supplier name, component name, version string, component hash, package URL, unique identifier, and dependency relationships to other software components;
- Documentation of the connected vehicle manufacturer’s due diligence efforts, to include independent or hired third-party research, to ensure that the covered software listed in the SBOM is not designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia;
- If applicable, an indication of whether the submission is an update to a prior Declaration of Conformity and the date of the last submission;
- Identifying information for an individual point of contact (including name, email address, and phone number).
BIS anticipates that this rule would primarily impact market participants who could be considered VCS Hardware Importers or connected vehicle manufacturers, such as OEMs and importers of completed connected vehicles, as well as Tier 1 and Tier 2 suppliers of VCS Hardware. For these entities, three compliance mechanisms—Declarations of Conformity, general authorizations, and specific authorizations—are available, depending on whether the VCS hardware importer or connected vehicle manufacturer wishes to engage in an otherwise prohibited transaction. Importantly, because VCS hardware importers and connected vehicle manufacturers frequently offer many different types of products, any one of the three mechanisms may not be available for their entire business. Rather, depending on the product, VCS hardware importers and connected vehicle manufacturers could be required to use a combination of these three mechanisms to meet their obligations under the rule.
Declarations of Conformity would have to be submitted to BIS by VCS hardware importers and connected vehicle manufacturers who have not engaged in a prohibited transaction, unless otherwise specified. In this Declaration of Conformity, such VCS hardware importers and connected vehicle manufacturers would certify to BIS, once per calendar year or model year (or whenever material changes occur), that the submitter has not engaged in a prohibited transaction, and would provide certain information on the import of VCS hardware and/or the import or sale of completed connected vehicles.
Source: Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles