
The United States is about to take measures to ban trading of Chinese connected vehicles

Introduction

On September 23rd, the Bureau of Industry and Security (BIS) of the US Department of Commerce released a Notice of Proposed Rulemaking (NPRM) regarding "Ensuring the Information and Communications Technology and Services Supply Chain: Connected Vehicles", and officially released the text on September 26th. The NPRM proposes a rule aimed at addressing national security risks arising from the use of information and communication technologies and services (ICTS) designed, developed, manufactured, or supplied by certain foreign adversaries (such as China and Russia) for connected vehicles.

It is reported that after this round of public consultation, the rule proposed in the NPRM may be introduced in a short period of time. For China's new energy vehicle exports to the US market, the compliance window is already very limited, and targeted compliance work should be carried out to prevent risks and avoid losses to the greatest extent possible. This NPRM runs to 119 pages, and BIS devotes much of it to explaining its considerations in formulating the rules, including its threat analysis concerning China. We focus on the NPRM's main measures and provide compliance recommendations for relevant enterprises to refer to.

I. Preliminary solicitation of opinions

First, some background: ANPRM stands for "Advance Notice of Proposed Rulemaking". It is a formal procedure by which US government agencies solicit public opinion before formulating new regulations. By publishing an ANPRM, an agency can disclose details of the draft rules it is considering and invite feedback and comments from the public, stakeholders, and relevant experts, to make the final rules more reasonable. An ANPRM is usually followed by an NPRM (Notice of Proposed Rulemaking). The NPRM is released after the ANPRM, contains a more detailed draft of the rules with explanatory discussion, and solicits public opinion once again. The NPRM usually builds on the ANPRM and takes into account the feedback received on it.

This NPRM builds on the Advance Notice of Proposed Rulemaking (ANPRM) released by BIS on March 1st of this year (see previous article: To be Punished, Be Prepared - Interpretation of the US's Proposed Investigation into the Data Security of China's Intelligent Connected Vehicles) and solicits public opinion further. The comment period is 30 days, and feedback can be provided before October 26th.

BIS raised 35 consultation questions in the ANPRM, covering three aspects: definition of connected vehicles, safety risks, and other impacts. A total of 57 opinions were received, from commenters including original equipment manufacturers (OEMs), component suppliers, two foreign governments, non-profit organizations, and individuals. The feedback generally agrees with BIS's assessment of safety risks in connected vehicles, but also expresses many demands:

(1) Further clarification is needed of what it means to be a person "owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary".

(2) It is necessary to consider the complexity of the global automotive industry chain, which may make it difficult to ensure the implementation of the proposed rules.

(3) Sufficient transition period is needed to find alternative suppliers.

(4) It is necessary to consider the breadth and depth of data collection through the embedded information and communication technologies (ICTs) in connected vehicles.

(5) We need to consider the long-term negative impact of the proposed rules on innovation, competition, health, and safety in the United States.

(6) There are opposing opinions on the essential information and communication technologies (ICTs) for connected vehicles, transaction risk levels, definition of connected vehicles, and risk prevention measures.

II. What prohibitive measures will the proposed rules take?

Based on the comprehensive feedback, BIS has clarified the proposed prohibitive measures for connected vehicles linked to countries such as China:

(1) Prohibit VCS hardware importers from importing hardware designed, developed, manufactured, or supplied by China or Russia.

(2) Prohibit manufacturers of connected vehicles from importing connected vehicle products containing covered software.

(3) Prohibit manufacturers of connected vehicles from selling connected vehicles containing covered software within the United States.

(4) Prohibit connected vehicle manufacturers owned by, controlled by, or subject to the jurisdiction or direction of China or Russia from selling connected vehicles containing VCS hardware or covered software in the United States.

Among them, BIS has set different transition periods based on the model year (see details later), starting as early as 2027 and ending as late as 2030.

III. How does BIS view these issues?

BIS posed as many as 35 questions in the ANPRM and, based on the feedback, responded to several key issues in the NPRM.

1. Connected vehicles

The ANPRM treated connected vehicles as vehicles that integrate in-vehicle network hardware and software systems and can communicate through dedicated short-range communication, cellular network communication, satellite communication, or other wireless communication technologies. These vehicles include those that can use Global Navigation Satellite Systems (GNSS) for positioning, those that can communicate with intelligent transportation systems, those that can be remotely accessed or controlled, those that can perform wireless software and firmware upgrades, or those that can provide on-device roadside assistance, regardless of whether they are for personal or commercial use.

The feedback does not agree with this definition, stating that it is too broad and cannot identify specific vehicle types. At the same time, connected vehicles are also an existing term in the automotive industry - referring to vehicles with external communication capabilities (especially those with short-range communication). Some opinions suggest using "networked vehicles" or "software defined vehicles" as alternatives.

However, BIS still insists on using the term "connected vehicles", but narrows down the scope of the definition and modifies it to "vehicles driven or towed by mechanical power, mainly used for public streets, roads, and highways, integrating in vehicle network hardware and software systems for communication through dedicated short-range communication, cellular telecommunications connections, satellite communication, or other wireless spectrum connections with any other network or device. This does not include vehicles that operate only on railway lines". BIS pointed out that this definition more accurately reflects the vehicles that the proposed rules will regulate, including passenger cars, motorcycles, buses, small and medium-sized trucks, traditional 8-seater commercial trucks, recreational vehicles, and this definition will also be able to cover future new types of vehicles. BIS explicitly states that it does not include all rolling stock and drones.

2. Regarding 'subject to the jurisdiction or direction'

Regarding what constitutes an entity subject to the jurisdiction or direction of a foreign adversary, commenters asked for clarification, such as whether a US company's subsidiary in a foreign adversary country or a foreign citizen working in the US falls within the definition.

BIS explains "a person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary" as follows: ① any person, wherever located, who acts as an agent, representative, or employee, or acts in any other capacity under the command, requirement, guidance, or control of a foreign adversary, or whose activities are directly or indirectly supervised, guided, controlled, funded, or subsidized by a foreign adversary; ② any person, wherever located, who is a citizen or resident of a foreign adversary or a country controlled by a foreign adversary, and is not a citizen or permanent resident of the United States; ③ any company, partnership, association, or other organization that has its principal place of business or headquarters in, or is registered or otherwise organized in, a foreign adversary or a country controlled by a foreign adversary; ④ any company, partnership, association, or other organization owned or controlled by a foreign adversary, regardless of where it is organized or conducts business, including where any person described in ① to ③ holds the power, directly or indirectly and whether exercised or not, to determine, direct, or decide important matters affecting the entity through ownership of a majority or dominant minority of the total outstanding voting interests in the entity, board representation, proxy voting, special shares, contractual arrangements, formal or informal arrangements for concerted action, or other means.

3. ICTs supply chain for connected cars

In the ANPRM, BIS asked commenters to describe the information and communication technology supply chain of connected vehicles in the United States, in particular: the categories of information and communication technology (including software or hardware) necessary for connected vehicles operating in the United States; the market leaders at each stage of that supply chain (such as design, development, manufacturing, or supply), including but not limited to original equipment manufacturers (OEMs), first, second, and third tier suppliers, and service providers; the geographic locations where information and communication technology components are designed, developed, manufactured, or supplied, including software (such as in-vehicle operating systems) and hardware (such as optical ranging and LiDAR sensors); the participation of persons owned, controlled, or directed by foreign adversaries in any sector or sub-sector of the US information and communication technology supply chain; and the geographic locations where data from connected vehicles in the United States is transmitted, stored, or analyzed.

BIS discussed feedback from various aspects in NPRM, mainly including: ① The supply chain of ICTs is very complex and covers a wide range, including microcontrollers, application processors, analog products, automotive software operating systems, automotive vision, light detection systems, LiDAR systems, etc., which imposes high compliance obligations on manufacturers and suppliers; ② Original equipment manufacturers (OEMs) believe that it is unlikely to have complete knowledge of all hardware and software suppliers, and suppliers can update their own firmware, making it difficult for OEMs to determine which entities have access to the software.

BIS believes that the feedback indicates the complexity of the ICTs supply chain, but also demonstrates the importance of protecting US national security. Therefore, it will not immediately establish specific due diligence requirements and will provide a delayed implementation timeline, giving industry room to adjust the supply chain.

4. ICTs most integral to connected vehicles

In the ANPRM, BIS took the view that the information and communication technology indispensable to connected vehicles includes six types of systems: ① In-vehicle operating system (OS); ② Advanced Driver Assistance System; ③ Advanced Driver Assistance Systems (ADAS); ④ Automated Driving System (ADS); ⑤ Satellite or cellular telecommunication systems; ⑥ Battery Management System (BMS).

Feedback indicates that its scope is too broad, such as ADAS systems and LiDAR systems not having external connectivity capabilities or not directly accessing data. BIS has decided to balance industrial impact and national security, and will limit the information and communication technology essential for connected vehicles to two categories: VCS system and ADS system (based on their different characteristics, BIS points out that ADS system focuses more on regulating software rather than hardware). Meanwhile, RF communication technologies below 450 MHz frequency are also not included. Therefore, the OS, ADAS, and BMS systems mentioned in ANPRM are excluded unless they have VCS components.

In the NPRM, BIS newly introduces the concept of VCS (Vehicle Connectivity Systems), which covers hardware and software systems such as telematics control units (TCUs), cellular modems and antennas, and other automotive components. These systems integrate various RF communication technologies, enabling connected vehicles to access external data sources, facilitate vehicle-to-vehicle communication, and provide enhanced services to users through seamless connectivity options.

5. Cybersecurity Best Practices and Authorizations and Mitigations

In the 29th question of the ANPRM, BIS asked what specific standards, mitigation measures, or cybersecurity best practices it should consider when evaluating the appropriateness of authorization requests. BIS received a large number of best practice cases, standards, and guidelines in the field of cybersecurity, but it believes that these existing best practices do not meet the expectations of the proposed rules and only harden automotive systems. A single cybersecurity standard or guideline is not sufficient to reduce security risks. Therefore, BIS will not establish cybersecurity standards or best practices in the proposed rules.

For authorization and mitigation measures, feedback has proposed three options: consultation mechanism, trusted trader mechanism, and compliance declaration mechanism. After comprehensive consideration, BIS plans to adopt: ① consultation mechanism; ② For the compliance declaration mechanism of VCS hardware importers and connected car manufacturers, OEMs and suppliers are allowed to prove their compliance with regulations on their own; ③ General authorization and specific authorization mechanisms to determine the qualifications of VCS hardware importers and connected car manufacturers. However, due to the complexity, scale, and opacity of the existing connected vehicle supply chain, BIS does not currently plan to consider a trusted trader mechanism.

6. Economic Impact - Proposed Transition Period

Commenters were concerned that the proposed rules may increase compliance costs and pass them on to consumers, reduce the long-term competitiveness of US companies, and affect the R&D investment of car companies, future employment in the US automotive industry, and the safety and quality of connected cars in the US. BIS therefore plans to establish a transition period: ① By 2027 (Model Year), manufacturers of connected vehicles should achieve covered-software compliance; ② By 2030 (Model Year, or January 2029), VCS hardware importers should achieve VCS hardware compliance; ③ In 2027 (Model Year), connected car companies owned by, controlled by, or subject to the jurisdiction or direction of China or Russia should achieve compliance.

IV. Penalties

BIS explicitly states in the NPRM that after the proposed rules are introduced, violators will be held criminally responsible (including criminal fines and imprisonment) and subject to civil fines. According to federal civil penalty laws, the upper limit of civil fines is adjusted annually, and currently the maximum fine for each violation is $368,136.

V. Compliance measures

NPRM has proposed corresponding compliance measures and hopes to receive further feedback from the public.

1. Declaration of Conformity

BIS proposes requiring VCS hardware importers and connected vehicle manufacturers engaged in specific transactions to submit declarations of conformity to BIS, certifying that they have not engaged in prohibited transactions. According to the proposed rules, the declarant should submit information to BIS, including documents collected from VCS hardware component suppliers and covered software suppliers. These requirements include obtaining and analyzing the Hardware Bill of Materials (HBOM) and Software Bill of Materials (SBOM) for VCS, and providing records of the measures taken by the declarant to verify that the transaction complies with regulatory requirements. BIS has elaborated on the declaration of conformity mechanism in the NPRM, including the import of VCS hardware, the import of Completed Connected Vehicles, the production and assembly of vehicles for sale in the United States, and the procedures for submitting declarations of conformity.

2. General Authorizations

General authorization will allow certain VCS hardware importers and connected vehicle manufacturers to engage in otherwise prohibited transactions without notifying BIS prior to conducting the transaction. If a connected car manufacturer or VCS hardware importer produces a small number of cars or VCS hardware, i.e. fewer than 1000 vehicles per year, they will be eligible for general authorization.

3. Specific Authorizations

VCS hardware importers and connected vehicle manufacturers who wish to engage in otherwise prohibited transactions but have not obtained exemptions or general authorizations must apply for and obtain specific authorizations to do so. The purpose of specific authorization is to allow BIS to determine, on a case-by-case basis, the nature and scope of undue or unacceptable risks to US national security posed by transactions involving VCS hardware and covered software, including the degree of foreign adversary involvement in the transaction and corresponding mitigation measures.

4. Exemptions

Transactions between VCS hardware importers and connected car manufacturers will not be subject to the proposed ban for a limited period of time. BIS suggests a shorter implementation period for transactions involving software and a longer implementation period for transactions involving VCS hardware, so that market participants have sufficient time to establish alternative supply chains when necessary.

5. Appeals

BIS suggests establishing a mechanism where anyone who applies for a specific authorization but is refused, suspended or revoked, or receives written notice that they do not meet the general authorization qualifications, can appeal to the Deputy Director within 45 days.

6. Advisory Opinions

Based on feedback, BIS suggests establishing a consultation mechanism similar to that under the Export Administration Regulations (EAR). BIS expects that this mechanism will give connected car manufacturers, VCS hardware importers, and other stakeholders clearer information on how to comply with the proposed rules as needed.

7. Government Notices ("Is Informed" Notices)

BIS can notify connected car manufacturers or VCS hardware importers directly by letter, or through the Federal Register (if involving a large number of companies), to inform them that certain transactions involving software, VCS hardware, or entities require specific authorization.

8. Recordkeeping and Reporting Requirements

BIS recommends requiring connected vehicle manufacturers and VCS hardware importers to maintain complete records of any transactions related to compliance statements, general authorizations, or specific authorizations required by these rules for a period of ten years. Regardless of whether the transaction requires general authorization, specific authorization, or whether the connected car manufacturer or VCS hardware importer has applied for authorization, relevant information should be recorded.

Suggestions for Corporate Compliance

The NPRM still has a 30-day feedback period, but considering the attitude BIS takes in the NPRM and the feedback from within the United States, the proposed rules may be introduced in a short period of time. Chinese new energy vehicle companies are already one of the key targets of the NPRM. It is recommended that they actively participate in BIS investigation activities through channels in the United States, respond fully and express their attitudes and demands, and in particular prepare comprehensive and targeted materials on key issues such as the definition and scope of connected vehicles and related supply chains and the risk considerations, and respond to the key points. Specifically, this includes the following points:

(1) Data processing records: In addition to obvious personal data, enterprises should keep complete and accurate records of the overall data processing of overseas connected vehicles, sort out and collect information about individuals, entities, geographic locations, and infrastructure in the United States, as well as the interaction between vehicles and external data, and adjust the scope, frequency, scale, etc. of data collection according to the principle of necessity.

(2) Regional operation: In cases where technology development, operation, and maintenance within China are deemed potentially risky by the United States, enterprises may have to consider regional management and operation strategies, establishing barriers from the perspectives of company management, software ownership, data centers, access rights, etc. to try to reduce local government concerns.

(3) Proactively plan for compliance: Actively communicate closely with relevant domestic industry regulatory authorities, industry associations, third-party professional organizations, etc., form a joint force based on comprehensive considerations of national and corporate interests, jointly track the next NPRM trend, and proactively plan and implement response measures after implementation.

(4) Attention to cross-border data flow: It should be noted that taking the compliance measures required by the NPRM and submitting data to US regulatory agencies involves cross-border data flow regulatory requirements under Chinese law, such as the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. Chinese laws and regulations have more direct and appropriate binding force. In the process of formulating compliance strategies, it is necessary to consider the provisions of Chinese laws and establish a reasonable and appropriate compliance system.