On April 29, 2026, Sens. Bernie Moreno (R-OH) and Elissa Slotkin (D-MI) introduced the bipartisan Connected Vehicle Security Act of 2026 (the CV Security Act), which would restrict the importation, manufacture, sale, resale or introduction into U.S. interstate commerce of connected vehicles and certain related components tied to China, Russia, Iran or North Korea. On May 11, 2026, Congressman John Moolenaar (R-MI) and Congresswoman Debbie Dingell (D-MI) introduced an identical bill in the House of Representatives. If enacted, the CV Security Act would build on, codify and, in several respects, expand or alter the existing connected vehicle regulations administered by the U.S. Department of Commerce under the Securing the Information and Communications Technology and Services Supply Chain (ICTS) authority in 15 C.F.R. Part 791 Subpart D (the CV Regulations). The bill is expected to evolve as it moves through the legislative process.

Key Points

• Although the bill tracks aspects of the existing CV Regulations, it diverges in several significant ways, including with respect to the activities, products and actors covered. Key differences include:
  • Covered countries under the CV Security Act include China, Russia, Iran and North Korea; the CV Regulations apply only to China and Russia.
  • Like the CV Regulations, the bill covers “connected vehicles” and related “Vehicle Connectivity System (VCS) hardware” and “covered software,” but expands the scope of these terms. For example, the proposed definition of VCS hardware covers certain battery electronics, airbags, airbag inflators and seatbelts, which are currently not subject to the CV Regulations.
  • While the existing CV Regulations focus on whether a covered product is designed, developed, manufactured, or supplied by a person owned by, controlled by, or subject to the jurisdiction or direction of China or Russia, the CV Security Act instead focuses on a covered product’s country of origin and a manufacturer/developer’s principal place of business, place of incorporation, and ownership and control structure. The proposed legislation also identifies specific numerical thresholds that apply to ownership and control, which is not a feature of the current regulations.
  • Notably, the bill prohibits the importation, manufacture, sale, resale or introduction into U.S. interstate commerce of a connected vehicle if such vehicle’s country of origin is a covered country or the vehicle is “designed within a covered country,” a concept that Commerce could interpret broadly.
  • The CV Security Act’s prohibitions are broader in scope than the CV Regulations: it covers import, manufacture, sale, resale and introduction into interstate commerce of connected vehicles and related software and hardware, whereas the current rules prohibit the import and sale, as applicable, of VCS hardware and covered software and certain connected vehicles.
  • The bill would also require the Secretary of Commerce, by January 1, 2027, to publish a list of authorized items, identified to the extent possible by product name and manufacturer. The CV Regulations do not contemplate such a public list.
• If enacted, the CV Security Act’s ultimate effect will depend heavily on how the bill is modified through the legislative process and how Commerce interprets and implements it, including through additional rulemaking.

Background

The CV Regulations, which took effect on March 17, 2025 and are administered through the Department of Commerce’s Office of Information and Communications Technology and Services (OICTS) within the Bureau of Industry and Security (BIS), restrict the import and sale of certain connected vehicles and related VCS hardware and covered software tied to China and Russia. The final rule is available here. For additional background, please see our client alert on the final rule.

The introduction of the CV Security Act is a significant milestone in the effort to codify the CV Regulations. While the CV Security Act mirrors the CV Regulations in many respects, it contains significant differences and, in some cases, expands the scope of the CV Regulations, as highlighted below.

Overview of the Proposed CV Security Act

Products Potentially Subject to the Restrictions

The proposed CV Security Act covers a broader set of products than the CV Regulations.

Under the CV Regulations:

• VCS hardware captures software enabled or programmable components that directly enable the function of and are directly connected to Vehicle Connectivity Systems (VCS), subject to certain exclusions. A VCS includes a hardware or software item installed in or on a completed connected vehicle that directly enables the transmission, receipt, conversion or processing of radio-frequency communications above 450 megahertz, subject to specified exclusions.
• Covered software applies to software-based components, including application, middleware and system software, in which there is a foreign interest, executed by the primary processing unit or units of an item directly enabling a VCS or Automated Driving System (ADS) at the vehicle level, subject to exclusions, such as open-source software and firmware.

Under the CV Security Act:
The legislation likewise captures connected vehicle hardware (which includes VCS and VCS hardware) and covered software, but its definitions add certain components that are not currently covered by the CV Regulations.

Key differences include:

• Its VCS hardware definition adds electronic systems integrated into a battery that directly enable or control the monitoring, management, security or external communication of battery performance or operation, including any transmitter or interface component that performs such functions, and safety equipment, including airbags, airbag inflators and seatbelts.
• Its covered software definition expressly includes any machine-learning model or other artificial intelligence component that directly enables decision making or control of an automated driving system at the vehicle level, removing any ambiguity about whether such components are in scope.

The bill would also require the Secretary of Commerce, by January 1, 2027, to publish a list of authorized items, identified to the extent possible by product name and manufacturer. The CV Regulations do not contemplate such a public list.

The bill also contains an important transition provision for certain covered software and connected vehicle hardware that would be subject to the bill’s prohibitions but are not already subject to the CV Regulations. For those items, the Secretary must implement the prohibition after January 1, 2030 and before January 1, 2032.  In addition, current regulatory exclusions and exceptions will remain in effect, subject to rulemaking beginning January 1, 2030 to determine whether those exclusions or exceptions should be continued, modified, or terminated. These transitional provisions may delay the practical effect of some aspects of the bill’s expanded scope relative to the current CV Regulations.

Expanded Prohibitions

Both the CV Regulations and the CV Security Act impose restrictions involving connected vehicles, VCS hardware and covered software.

Under the CV Regulations:

• Covered software: The rules prohibit the import and sale of connected vehicles incorporating covered software designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of China or Russia.
• VCS hardware: The rules prohibit the import of VCS hardware designed, developed, manufactured or supplied by persons owned by, controlled by or subject to the jurisdiction or direction of China or Russia, as well as connected vehicles incorporating such VCS hardware.
• Connected vehicle manufacturers: The rules also bar the sale in the United States of connected vehicles that are manufactured by entities that are owned by, controlled by or subject to the jurisdiction or direction of China or Russia. These connected vehicle manufacturers are also prohibited from offering commercial services in the United States that utilize completed connected vehicles that incorporate ADS.

Under the proposed CV Security Act:

• Connected vehicles (effective January 1, 2027): The bill would prohibit the importation, manufacture, sale, resale or introduction into U.S. interstate commerce of a connected vehicle if:
  • The vehicle’s country of origin is a covered country, or the vehicle is designed within a covered country; or
  • The manufacturer is an entity in which more than 15% of the equity interest, voting interest, board representation or other indicia of control, directly or indirectly, is owned or controlled by an entity, or combination of entities, organized under the laws of, or with a principal place of business in a covered country.
• Covered software (effective January 1, 2027): The bill would prohibit integrating covered software into a connected vehicle that is imported, manufactured, sold, resold or introduced into U.S. interstate commerce if:
  • The software’s country of origin is a covered country; or
  • The developer:
    • Is organized under the laws of, or has its principal place of business in, a covered country; or
    • Is an entity in which more than 25% of the equity interest, voting interest, board representation or other indicia of control, directly or indirectly, is owned or controlled by an entity, or combination of entities, organized under the laws of, or with a principal place of business in a covered country.
• Connected vehicle hardware (including VCS and VCS hardware) (effective January 1, 2030): The bill would prohibit the importation, manufacture, sale, resale or introduction into U.S. interstate commerce of connected vehicle hardware if:
  • The hardware’s country of origin is a covered country; or
  • The manufacturer:
    • Is organized under the laws of, or has its principal place of business in a covered country; or
    • Is an entity in which more than 25% of the equity interest, voting interest, board representation or other indicia of control, directly or indirectly, is owned or controlled by an entity, or combination of entities, organized under the laws of, or with a principal place of business in a covered country.

The bill also contains a limited exception for the sole purpose of testing and evaluation for certain U.S. entities without specified ties to a covered country. This limited exception is directionally similar and likely covered by the existing General Authorization No. 1, which authorizes connected vehicle manufacturers to import completed connected vehicles that incorporate covered software or VCS hardware designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the PRC or Russia if such completed connected vehicles are used solely for the purpose of display, testing, or research.

Framework Shift: Requisite Nexus to a Covered Country

The CV Regulations prohibit certain imports and sales involving connected vehicles, VCS hardware or covered software that are “designed, developed, manufactured, or supplied” by a “person owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary,” which for these purposes means China or Russia.

By contrast, the CV Security Act would apply where, depending on the item at issue, (1) the connected vehicle’s country of origin is a covered country or the vehicle is designed within a covered country; (2) the covered software developer or connected vehicle hardware manufacturer is organized under the laws of, or has its principal place of business in, a covered country; or (3) the relevant connected-vehicle manufacturer, software developer, or hardware manufacturer is an entity in which more than 15% of the equity interest, voting interest, board representation or other indicia of control (for connected vehicles), or more than 25% of the equity interest, voting interest, board representation or other indicia of control (for covered software and connected vehicle hardware), directly or indirectly, is owned or controlled by an entity, or combination of entities, organized under the laws of, or with a principal place of business in a covered country.

The focus on country of origin diverges from the CV Regulations. Under the CV Security Act, “country of origin” means the country (A) in which the item is manufactured; or (B) the government of which owns or controls, or has jurisdiction or direction over (i) the entity manufacturing the item; or (ii) the entity supplying the item.

Furthermore, although the implementing regulations will determine the bill’s practical effect, the proposed framework appears narrower in some respects than the current CV Regulations. For example, the CV Regulations can reach companies owned or controlled by citizens of a foreign adversary country or individuals deemed subject to a foreign adversary country’s direction, regardless of where the applicable company is incorporated or headquartered. In the current version of the CV Security Act, whether a citizen or resident of a foreign adversary owns or controls an entity does not factor into the analysis, though this remains subject to change as the bill moves through the legislative process. At the same time, the bill’s definition of “country of origin” is broad and could itself produce expansive results.

Other Provisions

The CV Security Act would require Commerce to establish procedures for advisory opinions, specific and general authorizations, and declarations of conformity, all concepts already established in the CV Regulations. General and specific authorizations issued under the CV Regulations would remain effective until January 1, 2032, unless modified, suspended or revoked. Advisory opinions issued before January 1, 2027, would likewise remain effective unless modified, suspended or revoked because of changed circumstances.

Notably, the bill would also make the issuance of general or specific authorizations more demanding than under the current CV Regulations by requiring, among other things, 60 days’ advance notice to Congress, and the absence of an enacted joint resolution of disapproval before an authorization can take effect.

Finally, the bill would also impose substantial civil penalties for each transaction that is a violation of the prohibitions that materially raises the stakes of compliance, recordkeeping and diligence: the greater of $1,500,000 or five times the value of the transaction, and in the case of a violation that occurs on more than one day, each day on which the violation continues is treated as a separate violation.