A Supply Chain Nobody Has Fully Mapped
“This is one of the most consequential and complex auto regulations in decades,” said Hilary Cain, head of policy at the Alliance for Automotive Innovation, a trade group representing the major carmakers. Automakers must not only attest to regulators that they are in compliance; they must also trace the origins of code that passes through layers of vendors, subcontractors, and licensed repositories — a digital supply chain that few companies have ever fully mapped.
The regulation stems from years of growing anxiety in Washington over what Beijing could theoretically do with the data modern vehicles collect. Cameras and microphones capable of streaming audio and imagery. GPS systems logging precise travel patterns. Cloud connections that, in the wrong hands, could become surveillance infrastructure. Officials from the Commerce Department have warned publicly that foreign adversaries with sufficient access could, in an extreme scenario, remotely interfere with vehicles moving through American neighborhoods. “Cars today aren’t just steel on wheels — they’re computers,” Commerce Secretary Gina Raimondo said when the rule was first proposed.
What the Rule Actually Covers
The final rule prohibits Chinese-origin software in Vehicle Connectivity Systems — the telematics units, Bluetooth modules, cellular connections, and Wi-Fi antennas that link cars to the internet — as well as in Automated Driving Systems, the software backbone of semi-autonomous and self-driving vehicles. Hardware restrictions follow on a longer timeline, taking effect with 2030 model year vehicles. But the software deadline arrived this month, and the industry was not entirely ready.
The core problem is one of complexity. Modern vehicles can contain tens of millions of lines of code, contributed by dozens — sometimes hundreds — of outside vendors. Much of that code is proprietary, and suppliers are often reluctant to open it up for inspection. “The suppliers don’t want to share source code,” said Brandon Barry, founder of Detroit-based Block Harbor Cybersecurity, a firm that helps automakers navigate vehicle cybersecurity. “That’s their IP.” That secrecy puts automakers in an uncomfortable position: responsible for code they do not fully control, written by vendors they cannot always compel to cooperate.
A Scramble to Comply
The rule has also exposed how deeply entangled American automaking has become with Chinese technology. General Motors appears to have anticipated the shift, having already instructed suppliers to begin phasing out Chinese-made components on the path to 2027.
Ford, meanwhile, has been in discussions with Chinese electric vehicle maker BYD over next-generation hybrid technologies — a collaboration that now faces potential regulatory scrutiny. Across the industry, a wave of restructuring has followed the rule’s approach. Global suppliers are relocating engineering teams out of China.
Some Chinese technology firms are seeking to sell or spin off their Western-facing operations in order to satisfy the ownership requirements baked into the regulation. Pirelli, the Italian tiremaker whose cloud-connected smart tires fall under the mandate, became an unlikely symbol of the rule’s reach: its largest shareholder, the Chinese chemicals conglomerate Sinochem, is considering reducing its 34 percent stake or ring-fencing Pirelli’s American business entirely.
The rule does allow one narrow form of flexibility. Chinese-developed software can remain in use if its ownership is transferred to a non-Chinese entity before the March 17 deadline — a provision that has already triggered a scramble of corporate maneuvering. Critics note that such arrangements can be difficult to verify and may create the appearance of compliance without the substance.
Filling the Gap — At a Price
Meanwhile, domestic startups are beginning to fill the gap. Eagle Wireless, an Ohio-based company, is building an American pipeline for cellular modules — the devices that give connected cars their internet access. The company acquired code from China’s Quectel, the world’s dominant cellular-module supplier, and is working to migrate automaker clients onto domestically controlled platforms. Eagle’s modules currently cost roughly 10 percent more than their Chinese-made counterparts, a premium that is expected to find its way into vehicle sticker prices.
For consumers, the near-term effects are likely to be subtle but real. Feature rollouts may slow as engineering teams redirect resources toward compliance. New model launches could face delays. And as domestic alternatives to Chinese software mature, the cost of connected-car technology may rise, at least temporarily.
Supporters of the rule argue the trade-offs are worth making, contending that years of dependence on Chinese technology infrastructure left the United States exposed, and that the disruption of reconfiguring automotive supply chains now is preferable to the vulnerabilities of leaving them unchanged.
Whether the industry can pull it off — on the timeline regulators have set — is a question that automakers, suppliers, lawyers, and cybersecurity experts are racing to answer.