Evolving Regulatory Landscape for Connected Vehicles: Balancing Innovation with National Security

March 18, 2024

The US Department of Commerce’s Bureau of Industry and Security (BIS) took a potentially important step toward shaping the future of connected vehicles (CVs) by issuing an advance notice of proposed rulemaking (ANPRM) on February 29, 2024. The ANPRM describes the national security risk posed by CVs and seeks public input on potential new regulations for Information and Communications Technology and Services (ICTS) integral to CVs.

The ANPRM represents just the latest step in the US government’s ongoing efforts to address national security concerns raised by ICTS transactions involving foreign entities. This action also highlights the complexities of the autonomous vehicle landscape, in which innovation in emerging technology intersects not only with traditional vehicle safety concerns but also privacy and security considerations.

Background on the ANPRM

The ANPRM stems from Executive Order (EO) 13873, Securing the Information and Communications Technology and Services Supply Chain (May 15, 2019), which declared a national emergency regarding the ICTS supply chain. Such EO’s authority has since been repurposed by the government as the legal predication for an expanding universe of national security regulatory actions.

To implement EO 13873, BIS issued an interim final rule in January 2021 and subsequently expanded the authority to add connected software applications through a limited-scope final rule in June 2023. While BIS has conducted investigations and issued subpoenas pursuant to the ICTS regulations, it has yet to actually prohibit or mitigate any ICTS transaction.

Now that Commerce is turning its attention to CVs, potential new regulations could prohibit or mitigate ICTS transactions by or with persons who design, develop, manufacture, or supply ICTS integral to CVs and are owned by, controlled by, or subject to the jurisdiction or direction of foreign governments or foreign nongovernment persons identified at 15 CFR 7.4 (referred to as “15 CFR 7.4 entities” in the ANPRM, which currently includes China, Cuba, Iran, North Korea, Russia, and the Venezuelan Maduro Regime).

As part of the rulemaking process, BIS will gather information, including responses to a list of 35 questions posed in the ANPRM, from the industry and the public on the nature of national security risks posed by CVs from 15 CFR 7.4 entities and potential steps that could be taken to address those risks.

For example, BIS identifies several automotive software systems that are under consideration for being deemed essential to CVs and that pose significant risks: vehicle operating systems, telematics systems, advanced driver-assistance systems, automated driving systems, satellite or cellular telecommunication systems, and battery management systems. The information received by BIS during the comment period could also be used to update this list of essential automotive software systems.

It is important to understand that the ANPRM on CVs arrives against the backdrop of many other US government efforts to safeguard sensitive data. In addition to the ICTS regulations noted above, the government has increasingly sought to protect sensitive data through other national security regulatory processes including the Committee on Foreign Investment in the United States (CFIUS), the Committee for the Assessment of Foreign Participation in the United States Telecommunications Service Sector (more commonly known as Team Telecom), and Federal Communications Commission (FCC) rules.

In addition, one day before BIS issued the ANPRM on CVs, President Biden issued EO 14117, Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern. That EO was also predicated on EO 13873’s declaration of an economic emergency regarding ICTS and was accompanied by an ANPRM issued by DOJ to gather feedback on a proposed regulatory scheme to safeguard this data by limiting or banning certain sensitive data transfers to “countries of concern” for national security reasons.

For more information on EO 14117, see our recent LawFlash Another Brick in the Wall: Regulatory Regime Established to Protect US Sensitive Personal Data From ‘Countries of Concern’.

Next Steps and Industry Engagement

The deadline for comments is 60 days following publication in the Federal Register, i.e., April 30, 2024. There are no immediately effective regulations, and the process for promulgating any final regulations is likely to take until at least late 2024, if not longer. However, this window of engagement is an invitation to the autonomous vehicle industry, including OEMs and service providers, as well as consumers and the public at large, to contribute their input to a regulatory framework that safeguards national interests without unduly stifling technological advancement.

To navigate the rulemaking proceeding, mobility stakeholders including autonomous vehicle providers will need to have a deep understanding of the geopolitical issues and national security risks that underlie the ANPRM as well as the broader regulatory landscape and in particular the government’s other efforts to regulate ICTS. US automakers and other stakeholders, in close coordination with their national security counsel, may therefore want to seriously consider actively participating in this rulemaking process, either directly or through a trade association.

There are multiple reasons why comments from industry may be useful:

  • The final definition of CVs will directly affect the regulatory environment in which US automakers and related companies operate, influencing the design, development, and deployment of CVs.
  • By engaging in the rulemaking procedure, automakers and autonomous vehicle market participants can share their own insights on securing the ICTS supply chain, mitigating risks from hostile actors, and ensuring the resilience and integrity of their products.
  • Participation allows automakers to contribute to identifying vulnerabilities and shaping the strategies to address them, ensuring that regulatory measures are practical, narrowly tailored to avoid unintended consequences and not impose undue burden, and enhance security without stifling innovation.
  • Early involvement in the regulatory process enables stakeholders to better understand and prepare for upcoming compliance requirements, reducing the risk of future disruptions.

As the automotive industry evolves with the advent of electric and connected vehicles, the US government has identified a need for a regulatory framework that appropriately balances innovation with security concerns. Continued development and deployment of autonomous vehicles will need to take these security concerns into account, including not only compliance with any new regulations but also active engagement with the government in developing such regulations.

How We Can Help

Our team has a command of the full spectrum of issues our clients face in the industry, including one of our lawyers, David Plotinsky, having been the original drafter of EO 13873 discussed in this LawFlash. We stand ready to assist companies with issues in this space or to help address and overcome other industry challenges.