The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has issued a sweeping final rule to safeguard America’s national security by regulating the use of certain foreign-controlled wireless technologies in “connected” vehicles. The rule, which directly targets technology linked to China and Russia, follows months of public feedback and reflects a growing focus on protecting critical infrastructure from foreign threats.

This is the latest in a series of regulations requiring U.S. importers and manufacturers to conduct denied party screening to ensure their suppliers comply with restricted party lists. Notably, on July 10, 2024, BIS issued new guidance recommending that exporters, re-exporters, and transferors of Common High Priority List (CHPL) items—such as microelectronics and other sensitive goods—screen transactions using the Trade Integrity Project (TIP) database. This database identifies third-country suppliers with a history of exporting CHPL items to Russia, thereby aiding in the detection of potential diversion risks.

Furthermore, the Uyghur Forced Labor Prevention Act (UFLPA), effective since June 21, 2022, mandates that U.S. importers screen their suppliers against the UFLPA Entity List to ensure compliance with U.S. laws prohibiting the importation of goods produced, wholly or in part, with forced labor from the Xinjiang Uyghur Autonomous Region (XUAR) or by entities on the list.

This underscores the crucial role of denied party screening in compliance programs. Automakers must likewise embed denied party screening at the earliest stages of supplier qualification.

Here’s what automakers, suppliers, and tech firms need to know about the Final Rule and how to ensure they maintain compliance.

Key Takeaways

  • Broad Ban on Imports and Sales: The BIS final rule prohibits the import and sale of connected vehicle systems (VCS) and autonomous driving software sourced from People’s Republic of China (PRC)- or Russia-linked entities.
  • Regulatory Action to Safeguard U.S. Supply Chains: The new rule seeks to strengthen national security and protections of the U.S. information and communications technology and services (ICTS) supply chain by blocking unauthorized access and preventing sabotage.
  • Denied Party Screening is Key: Businesses in the automotive supply chain must implement rigorous denied party screening protocols to prevent transactions with restricted entities and ensure adherence to the rule.
  • Strict Compliance Enforcement and Penalties: Annual declarations, audits, and recordkeeping are required. Violations can lead to fines up to $368,136 per infraction or criminal penalties up to $1 million.
  • Comprehensive Trade Compliance Solutions Ensure Thorough Due Diligence: With advanced denied party screening tools, export classification, audit support, and risk management capabilities, Descartes provides a centralized approach to help automakers and suppliers meet BIS regulations efficiently.

Essential Elements of the BIS Final Rule

The new rule underscores why robust denied party screening is no longer optional—it’s essential. With a sweeping ban on importing or selling connected vehicle systems (VCS) and autonomous driving software sourced from PRC- or Russia-linked entities, businesses across the automotive supply chain face heightened compliance risk. Importers, original equipment manufacturers (OEMs), and suppliers must now implement rigorous screening protocols to avoid inadvertently engaging with restricted parties tied to foreign adversaries.

  • Effective March 17, 2025 under E.O. 13873: BIS to block foreign-controlled information and communications technology and services in connected vehicles to protect U.S. supply chains from PRC/Russia threats.
  • Broad Import/Sale Ban: Prohibits VCS hardware (e.g., telematics units, modems, antennas) and “covered” VCS/ADS software sourced from PRC- or Russia-linked entities.
  • Denied Party Screening Requirement: Importers, OEMs, and suppliers must implement robust denied party screening to prevent transactions with restricted entities linked to foreign adversaries.
  • Annual Declarations: Importers and OEMs must file attestations 60 days before first import/sale, certify no adversary-owned components, and keep records for 10 years.
  • Phased Exemptions: Grandfathers vehicles < 2027 model-year and hardware imported before Jan 1, 2029 (or used in ≤ 2030 models); repair/warranty parts for older vehicles also exempt.
  • Enforcement & Penalties: BIS can subpoena documents, mandate independent audits, levy civil fines up to $368,136 per violation, and impose criminal penalties up to $1 million (plus prison).
  • Flexibility Mechanisms: Provides general authorizations (criteria on BIS’s website), specific authorizations upon application, and advisory opinions with a 60-day response goal.

Why this Rule Matters

Connected vehicles, those with integrated software and hardware enabling wireless communication, are increasingly central to modern transportation. But the same features that enable convenience and innovation also introduce national security vulnerabilities, especially when critical components come from foreign adversaries.

The new rule seeks to close that gap by:

  • Preventing foreign access to sensitive data from U.S. vehicles
  • Blocking adversaries from exploiting vehicle systems for sabotage or surveillance
  • Strengthening the integrity of the U.S. ICTS supply chain

To enforce these protections, the rule mandates denied party screening as a frontline defense—ensuring that no supplier, component, or software linked to restricted entities and foreign threats makes its way into U.S. vehicles.

Key Mechanisms: How the BIS Rule Works

To effectively secure connected vehicle ecosystems from foreign threats, the BIS Final Rule introduces a series of targeted mechanisms designed to block unauthorized access to sensitive vehicle technologies and data. These measures go beyond general restrictions, providing a clear framework for identifying, controlling, and auditing high-risk components and software. For automakers, suppliers, and technology providers, understanding how these mechanisms function is critical to maintaining compliance and safeguarding supply chain integrity. Here’s a closer look at the core elements of the rule:

  1. Protecting the ICTS Supply Chain
    • The rule prohibits the integration of ICTS components into U.S. vehicles if those components are linked to China or Russia. This includes both hardware (e.g., modems, antennas) and certain types of software.
  2. Securing Connected Vehicle Functions
    • Modern vehicles are more than machines; they’re data hubs with multiple entry points. This rule narrows those access routes by:
      • Barring imports of VCS hardware from adversary-controlled sources
      • Restricting sales of connected vehicles that include “covered software” from those sources
      • Blocking vehicles from foreign-controlled manufacturers—even if U.S. parts are used

In each of these mechanisms, denied party screening plays a critical role in ensuring restricted entities are identified and blocked before they can compromise the supply chain.

Definitions Matter: Clarity for Compliance

Clear, precise definitions are the foundation of effective compliance. The BIS Final Rule avoids ambiguity by specifying what constitutes a “Connected Vehicle,” “Automated Driving System (ADS),” and “Covered Software.” Understanding these definitions is crucial for automakers and suppliers, as they directly impact which products and technologies are subject to regulatory control. Misinterpreting these terms can lead to compliance gaps, enforcement actions, or supply chain disruptions. The following definitions provide critical clarity for organizations navigating the new rule:

  • Connected Vehicle: Any vehicle under 10,000 pounds equipped for wireless communication (e.g., satellite, cellular, Wi-Fi)
  • Automated Driving System (ADS): All hardware and software that can perform dynamic driving tasks within a specific operational design domain
  • Covered Software: Excludes open-source code (unless modified) and older software (pre-March 17, 2026), unless later altered by adversary-linked entities

But clarity alone isn’t enough. These fine-tuned definitions must be reinforced with rigorous denied party screening to ensure suppliers and software sources align with regulatory expectations. Screening provides the operational filter needed to apply these definitions in practice—preventing unauthorized access, flagging restricted entities, and safeguarding compliance across the connected vehicle ecosystem.

Export Compliance Process: Streamlined but Serious

Compliance with the BIS Final Rule is not just about understanding its requirements—it’s about integrating them seamlessly into operational processes. The rule outlines a clear compliance workflow that balances rigor with practicality, ensuring that automakers, suppliers, and technology providers can meet their obligations without unnecessary complexity. Yet, the streamlined approach does not diminish the importance of strict adherence. Proper documentation, proactive supplier denied party screening, and prompt updates are essential to avoid penalties and maintain regulatory standing. Here’s a breakdown of the key compliance steps:

Declaration of Conformity

  • VCS Hardware Importers: Must file annual declarations (60 days in advance) detailing component origins and uses
  • Vehicle Manufacturers: Must certify that embedded software is not sourced from foreign adversaries
  • Updates: Required within 60 days if errors or changes are identified
  • Carryovers: Companies can extend previous declarations to new model years, reducing paperwork

Limited Exemptions to Ease Transition

Recognizing the challenges of immediate compliance, the BIS Final Rule includes carefully defined exemptions to help automakers and suppliers transition smoothly. These exemptions are designed to minimize disruption without compromising national security objectives, providing flexibility for existing products and legacy systems. However, even for exempted items, companies should maintain rigorous denied party screening and export compliance practices to avoid inadvertently introducing high-risk components into their supply chains. The following are the key exemptions outlined in the rule:

  • Vehicles using covered software before model year 2027 are allowed
  • VCS hardware imported before January 1, 2029, or used in model year 2029 or earlier, is exempt
  • Repairs and warranty parts for older vehicles are permitted

Stronger Enforcement Powers

The BIS Final Rule on connected vehicles grants broad enforcement powers to ensure compliance with the new restrictions on imports and sales of foreign-controlled VCS and ADS. Key enforcement mechanisms include: 

  • Recordkeeping: 10-year retention requirement for regulated transactions
  • Audits: Third-party audits may be required for sensitive transactions—auditors must be independent from foreign adversaries
  • Penalties: Civil fines can reach $368,136 per violation, with additional penalties for ongoing non-compliance; criminal penalties can climb to $1 million, with potential prison sentences for responsible parties.
  • Transaction Blocking: BIS may block transactions, suspend imports, or restrict future trade activity if companies are found in violation or fail to certify their compliance.

These enforcement powers emphasize the need for robust trade compliance programs, including denied party screening, documentation, and supply chain diligence.

Avenues for Flexibility

While the BIS Final Rule establishes strict controls on connected vehicle technologies, it also provides mechanisms for flexibility, recognizing that not all scenarios can be addressed by rigid rules. Companies can leverage these avenues to seek authorization for specific transactions, request advisory opinions for complex situations, and adapt compliance strategies without sacrificing security. These flexibility mechanisms offer a pathway for businesses to maintain innovation while ensuring adherence to regulatory requirements. Here are the primary options available:

  • General Authorizations: Could be issued via the BIS website or Federal Register
  • Specific Authorizations: Available by application for restricted transactions
  • Advisory Opinions: BIS will provide guidance within 60 days (in most cases)

What Comes Next? Denied Party Screening and Compliance Steps to Avoid Enforcement Risks

The BIS rule reflects a broader U.S. policy pivot toward de-risking supply chains and safeguarding emerging automotive technologies. It signals to the industry: if your product touches the digital heart of a vehicle, its origins matter more than ever.

To help reduce enforcement risks under this rule, businesses involved in importing, selling, or supplying connected vehicle technology should take the following compliance steps:

  1. Implement Robust Denied Party Screening
    • Regularly screen suppliers, subcontractors, and transaction partners against restricted party lists. 
    • Use automated denied party screening tools to flag potential violations before completing transactions. 
    • Ensure your denied party screening software solution has detailed audit history and recordkeeping capabilities to easily meet reporting requirements.
  2. Maintain Comprehensive Records
    • Begin preparing declarations and compliance documentation
    • Store supplier attestations and sourcing documentation for at least 10 years, as required. 
    • Keep detailed logs of trade compliance checks and import/export licensing applications.
  3. Conduct Internal & Third-Party Audits
    • Audit your supply chain for ICTS vulnerabilities.
    • Perform regular compliance reviews to identify and correct any gaps.
    • If required, undergo independent audits to ensure adherence to new BIS restrictions.
  4. Understand Import / Export Licensing & Exemptions
    • Verify whether transactions qualify for general or specific authorizations outlined by BIS.
    • Apply for necessary export licenses and monitor updates to exemption criteria.
    • Watch for further BIS guidance and clarification.
  5. Prepare for Enforcement Actions
    • Train legal and compliance teams on how to respond to subpoenas and audit requests.
    • Establish contingency plans to mitigate penalties, including alternative sourcing strategies.
  6. Ensure Supply Chain Transparency
    • Require suppliers to certify that components are free from adversary-linked entities
    • Conduct risk assessments for new vendors before onboarding them into the supply chain.
    • Implement supply chain compliance software to achieve transparency and resilience.

How Descartes Denied Party Screening Safeguards Your Connected Vehicle Supply Chain

As the BIS Final Rule reshapes the connected vehicle landscape, Descartes empowers companies to stay ahead of evolving regulatory demands with a suite of advanced supply chain compliance solutions. Through robust Denied Party Screening with AI-powered efficiency, businesses can accurately screen and prevent engagement with restricted foreign entities linked to adversarial nations. Export Classification tools help identify and manage controlled vehicle components and embedded software, ensuring proper classification and compliance with U.S. export laws. With Audit and Resolution capabilities, organizations can maintain detailed records, flag issues accurately, and respond quickly to regulatory changes.

Combined with comprehensive Risk Management features, Descartes provides a centralized, automated solution to help automakers and suppliers safeguard their supply chains and meet their obligations under the new rule—confidently and efficiently.
