The U.S. fears that software from Chinese automakers could open the door to espionage and cybercrime.
The United States has introduced new regulations prohibiting the use of Chinese software and hardware components, a move that has major global implications for the automotive industry. In Europe, this drastic measure has sparked criticism.
In mid-January, the U.S. Department of Commerce issued a
final rule on hardware and software components in connected vehicles, banning
their use in the United States if the technology originates from adversarial
nations such as China and Russia. The U.S. government, under Joe Biden, cited
national security concerns as the reason for the ban.
The software bans will take effect in 2027, while hardware
bans will apply from model year 2030 (or 2029 for vehicles without a designated
model year). The ban on selling connected vehicles by manufacturers with
significant ties to China or Russia will take effect in 2027, even if those
vehicles are manufactured in the U.S. As a result, automakers worldwide will be
forced to remove Chinese hardware and software from vehicles they plan to sell
in the U.S. in the coming years. The Final Rule will officially take effect 60
days after publication, meaning it will be enforceable by mid-March.
In an interview with Reuters, U.S. Secretary of Commerce
Gina Raimondo stated: "This is really important because we don’t want
two million Chinese cars on the road and then realize that we are being
threatened." In a press release, she added: "Today’s cars are
not just steel on wheels; they are computers. They have cameras, microphones,
GPS tracking, and other technologies that are connected to the internet. With
this rule, the Department of Commerce is taking a necessary step to safeguard
U.S. national security and protect Americans’ privacy by preventing foreign
adversaries from exploiting these technologies to access sensitive or personal
information."
This move is a targeted effort to keep Chinese and Russian
technology off U.S. roads and secure the supply chains of connected vehicles in
the United States. The Bureau of Industry and Security (BIS) at the Department
of Commerce explained: "Malicious access to these critical supply
chains could allow our foreign adversaries to extract sensitive data, including
personal information about vehicle drivers or owners, and remotely manipulate
vehicles."
Which systems are banned under the Final Rule?
The Final Rule prohibits:
The import of hardware for Vehicle Connectivity Systems (VCS)
The import of connected vehicles containing such hardware
The import and sale of vehicles that include VCS or Automated Driving System (ADS) software with any ties to China or Russia
The rule defines VCS as systems that enable external
communication, including telematics control units, Bluetooth, cellular,
satellite, and WiFi modules. Some of these systems use cameras and microphones
for facial recognition or voice command activation. ADS (Automated Driving
Systems) includes components that allow a highly autonomous vehicle to operate
without a driver.
Additionally, the rule prohibits manufacturers with
significant ties to China or Russia from selling new connected vehicles in the
U.S. if they contain VCS hardware, VCS software, or ADS software, even if those
vehicles are assembled in the U.S. Chinese automakers are also banned from
testing their autonomous vehicles on U.S. roads.
The Final Rule follows the Notice of Proposed Rulemaking
(NPRM) titled “Connected Vehicles”, which was released in September 2024—an
unusually fast regulatory process. The final version of the rule does not cover
software developed before the March 2025 enforcement date, as long as it is not
maintained by a Chinese company. Additionally, commercial vehicles have now
been exempted from the ban due to complex compliance concerns. The Department
of Commerce has stated that it will make further regulatory adjustments,
including exemptions for vehicles weighing over five tons. A separate set of
rules for banning Chinese software and hardware in large commercial vehicles
such as trucks and buses is expected. However, it remains uncertain whether the
Trump administration would implement these additional measures.
The German Association of the Automotive Industry (VDA)
criticized the proposal as soon as the NPRM was announced. The organization
fears severe consequences for Germany’s export sector and European
manufacturers, as the U.S. is Germany’s most important trade partner for
automotive products. In 2023, German auto exports to the U.S. totaled €36
billion. VDA Managing Director Marcus Bollig stated: "These regulations
and bans will have a significant impact on supply chains and may lead to delays
in the development of new models, temporary unavailability of certain features,
and higher costs for customers."
Bollig also criticized the early enforcement of the software
ban in 2027, arguing that it is overly ambitious: "The introduction of
regulations for software in model year 2027 is too aggressive. Hardware and
software regulations should take effect simultaneously in model year 2030.
Separating the deadlines for hardware and software components makes no sense,
as they are closely interlinked. Aligning both timelines would significantly
reduce the risks associated with the transition."
Furthermore, Bollig dismissed the U.S. government’s
justification that China and Russia pose a national security threat: "The
components used in our vehicles do not pose a risk to personal or national
security. European and German regulations already enforce the highest
cybersecurity standards. The cybersecurity management systems required under
UNECE Regulation 155 ensure the security of vehicles, regardless of where their
components originate."
The EU Commission remains silent
Similar concerns were voiced by management and IT consulting
firm MHP, which has offices in Germany, the U.S., and China. "Cybersecurity
is already highly regulated, for example, through the EU Cyber Resilience Act.
Cybersecurity regulations should not target specific countries. I support a
politically neutral risk assessment," said Marcus Klische, an
associate partner at MHP responsible for cybersecurity.
Klische, who is also a member of the UN Task Force on
Software Updates and Cybersecurity, criticized the vague language of the new
U.S. regulations, warning that audits could yield inconsistent results due to
interpretation issues. He also pointed out that some technologies are difficult
to classify in terms of their security risks.
Meanwhile, the European Commission is discussing
measures to counter cybersecurity risks from Chinese automotive technology in
European vehicles, but so far, no decisions have been made. When contacted by
automotiveIT, the European Commission declined to comment on the issue. Instead,
a spokesperson requested written questions, but despite multiple follow-ups, no
responses were provided.