Regulators are drawing a line in the sand: connected vehicles sold in the U.S. must no longer include components or software that could compromise national security. The U.S. Department of Commerce’s Connected Vehicle Rule (CVR), originally proposed in 2024, represents a significant shift in how automotive OEMs, Tier 1s, and technology suppliers must approach supply chain transparency and cyber risk management.
This isn’t just about ticking compliance boxes. The CVR is a response to increasing concerns that software and hardware tied to foreign adversaries, specifically the People’s Republic of China (PRC) and Russia, could be used to exfiltrate data, introduce vulnerabilities, or exert control over connected vehicle systems.
With the rule’s software prohibitions taking effect on model year 2027 cars (generally set for release in mid-2026), OEMs have only a few months to ensure that their vehicles are compliant.
The modern vehicle is effectively a mobile data center. With 5G connectivity, over-the-air (OTA) updates, telematics, and autonomous driving systems, vehicles now generate and transmit enormous volumes of data, much of it sensitive, proprietary, or safety-critical.
The CVR aims to prevent this data and control over vehicle systems from falling into the hands of foreign entities that could exploit it. Specifically, the rule would ban U.S. companies from using components (hardware, software, or services) in connected vehicles if the companies that design, develop, manufacture, or supply those components are owned, controlled by, or otherwise tied to China or Russia.
At a time when global automotive supply chains span dozens of countries and hundreds of vendors, this will introduce massive operational challenges for most OEMs and suppliers.
While the initial headlines focus on automakers, the true reach of the rule is broader. It applies to:
The CVR zeroes in on any component that directly enables or supports vehicle connectivity. This includes:
Even low-level software or middleware components—like bootloaders, drivers, or protocol stacks—could fall within scope if they facilitate data access or remote control functions.
The complication? Many of these components are supplied via multi-tiered chains, with opaque licensing and outsourced development, making it difficult to assess origin or ownership without intensive SBOM and supplier diligence.
Non-compliant vehicles may be blocked from import or sale in the United States, and that risk extends upstream. If a Tier 2 supplier is using software licensed from a PRC-controlled entity, and that software flows into a covered component delivered to a Tier 1, which then goes into a production vehicle, the entire chain is prohibited under the CVR.
This is why the rule doesn’t merely encourage due diligence. It demands it.
The Department of Commerce recognizes that adjusting supply chains to the requirements of the CVR may take time. To that end, the CVR includes a “legacy carve-out” for software developed by a covered entity prior to March 17, 2026, provided that the software is not “maintained, augmented, or otherwise altered” by a covered entity following the cutoff date.
While this offers OEMs and suppliers some helpful flexibility, it also means that no covered entity can contribute a software update, or even a single line of code, to the carved-out software after the cutoff date.
At a minimum, manufacturers and suppliers will need to maintain a full inventory of hardware and software components used in any product connected to a CVR-regulated system. This includes:
All of this must be available for review by regulators, and may be subject to audit, especially for suppliers claiming carve-out status or pursuing authorizations.
The lead time required to map your supply chain, generate SBOMs, assess third-party risk, and identify problematic components can be measured in months, not weeks.
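As an added illustration (not code from this post or from Finite State's platform), the following Python sketch applies the carve-out date logic and the upstream chain-taint rule described above to a constructed CycloneDX-style SBOM. The supplier `country` field, the `x-cvr` metadata block, and the use of supplier country as a proxy for covered-entity status are all simplifying assumptions; real diligence has to establish ownership and control, not just location.

```python
"""Triage a constructed CycloneDX-style SBOM against the CVR's covered-entity
and legacy carve-out logic (illustration only; field names are assumptions)."""
from datetime import date

CUTOFF = date(2026, 3, 17)          # legacy carve-out date from the rule
COVERED_COUNTRIES = {"CN", "RU"}    # assumption: country as proxy for PRC/Russia ties

# Constructed SBOM fragment, not from any real vehicle. "x-cvr" is an assumed custom
# block: development date and, if a covered entity altered it later, that date.
SBOM = {
    "components": [
        {"bom-ref": "tcu", "name": "telematics-cu", "supplier": {"country": "US"},
         "x-cvr": {"developed": "2025-01-10", "altered_by_covered": None}},
        {"bom-ref": "ble", "name": "ble-stack", "supplier": {"country": "CN"},
         "x-cvr": {"developed": "2024-06-01", "altered_by_covered": None}},
        {"bom-ref": "modem-fw", "name": "modem-firmware", "supplier": {"country": "CN"},
         "x-cvr": {"developed": "2025-11-02", "altered_by_covered": "2026-05-03"}},
    ],
    "dependencies": [{"ref": "tcu", "dependsOn": ["ble", "modem-fw"]}],
}

def classify_component(comp, cutoff=CUTOFF):
    """Return 'ok', 'legacy-carve-out' or 'prohibited' for a single component."""
    if comp["supplier"]["country"] not in COVERED_COUNTRIES:
        return "ok"
    meta = comp["x-cvr"]
    developed = date.fromisoformat(meta["developed"])
    altered = meta["altered_by_covered"]
    # Carve-out: developed before the cutoff and not maintained, augmented or
    # otherwise altered by a covered entity on or after the cutoff.
    if developed < cutoff and (altered is None or date.fromisoformat(altered) < cutoff):
        return "legacy-carve-out"
    return "prohibited"

def classify_sbom(sbom, cutoff=CUTOFF):
    """Classify each component, then propagate 'prohibited' up the dependency
    graph: a prohibited part anywhere in the chain taints everything above it."""
    status = {c["bom-ref"]: classify_component(c, cutoff) for c in sbom["components"]}
    children = {d["ref"]: d["dependsOn"] for d in sbom.get("dependencies", [])}
    def taint(ref, seen=()):
        if ref in seen:                 # guard against cyclic dependency graphs
            return status[ref]
        for dep in children.get(ref, []):
            if taint(dep, seen + (ref,)) == "prohibited":
                status[ref] = "prohibited"
        return status[ref]
    for ref in status:
        taint(ref)
    return status
```

Running `classify_sbom(SBOM)` marks the BLE stack as a carve-out candidate, the modem firmware as prohibited because a covered entity altered it after the cutoff, and the U.S.-supplied telematics unit as prohibited because it depends on that firmware.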
To prepare effectively:
The Connected Vehicle Rule represents a new era of supply chain accountability in the automotive sector. For companies that embrace it early, this is an opportunity to modernize software practices, eliminate hidden risks, and future-proof access to key markets.
But for those who wait? The cost may be non-compliance, market exclusion, and reputational damage.
At Finite State, we’re already helping OEMs and suppliers get ahead of the curve, mapping complex software supply chains, generating validated SBOMs, and enabling proactive compliance with the CVR and other global regulations.
Whether you're building your compliance roadmap or racing to remediate third-party risk, Finite State is here to support you. Talk to our services team for hands-on guidance, or book a demo to see how our platform can streamline compliance and reduce cyber risk across your connected vehicle ecosystem.
Hear directly from experts at Akin, Alliance for Automotive Innovation, and Finite State on how to prepare your organization for compliance, mitigate supplier risk, and future-proof your connected vehicle platforms.