BIS Prohibits Import of Connected Vehicles from PRC and Russia
Severity: High (Score: 60.0)
Sources: www.bis.gov
Published: · Updated:
Keywords: connected, protect, security, vehicle, supply, chain, released
Severity indicators: ot, supply chain
Summary
On May 29, 2026, the Bureau of Industry and Security (BIS) announced a final rule restricting the import and sale of certain connected vehicles (CV) and related technologies linked to China and Russia. This rule, effective since March 17, 2025, was implemented due to national security concerns that these countries could access or control connected vehicles in the U.S. The regulation specifically targets vehicles under 10,001 pounds and requires importers and manufacturers to submit annual Declarations of Conformity if not engaging in prohibited transactions. The BIS's actions reflect ongoing tensions regarding cybersecurity and supply chain vulnerabilities associated with foreign technologies. Key Points: • BIS prohibits imports of connected vehicles linked to China and Russia due to security risks. • The rule affects vehicles under 10,001 pounds and requires annual compliance declarations. • The regulation aims to mitigate potential remote access threats to U.S. connected vehicles.
Detailed Analysis
**Impact** The rule affects importers, manufacturers, and sellers of connected vehicles (CV) and related hardware/software in the United States, specifically targeting vehicles under 10,001 pounds with links to the PRC or Russia. The prohibition aims to mitigate national security risks posed by potential foreign access or data exfiltration from these vehicles. The scope includes the entire U.S. market for affected CVs, impacting supply chains involving Chinese and Russian entities. Importers and manufacturers must submit annual Declarations of Conformity to BIS if not engaging in prohibited transactions. **Technical Details** The rule addresses risks from connected vehicles that may be subject to remote access or compelled data sharing by companies in China or Russia. No specific attack vectors, TTPs, malware, CVEs, or infrastructure details are provided in the source materials. The focus is on controlling hardware and software components with a nexus to these countries to prevent exploitation during the supply chain or operational phases. **Recommended Response** Organizations should ensure compliance with BIS regulations by ceasing import or sale of covered connected vehicles and technologies linked to the PRC or Russia. They must submit annual Declarations of Conformity if applicable. Defenders should monitor supply chains for unauthorized components and maintain vigilance for unauthorized remote access attempts, although no specific detection signatures or patches are detailed in the available information.
Source articles (2)
- 22645 — www.bis.gov · 2026-05-27
To protect the security of the connected vehicle (CV) supply chain, BIS released a final rule prohibiting the import or sale of certain CV and CV technologies in the United States when those products… - Connected Vehicles — www.bis.gov · 2026-05-29
To protect the security of the connected vehicle (CV) supply chain, BIS released a final rule prohibiting the import or sale of certain CV and CV technologies in the United States when those products…
Timeline
- 2025-01-14 — BIS issues rule restricting CV imports: The U.S. Department of Commerce's BIS announced restrictions on certain connected vehicles and technologies linked to PRC and Russia due to national security concerns.
- 2025-03-17 — Rule goes into effect: The BIS's final rule on connected vehicles became effective, prohibiting imports and sales of affected products.
- 2026-05-29 — BIS announces final rule details: BIS released further details on the enforcement of the final rule regarding connected vehicles and compliance requirements.
Related entities
- China (Country)
- Russia (Country)
- United States (Country)