Software Showdown: China Out, Compliance In

A federal deadline bans Chinese and Russian vehicle software, forcing automakers to overhaul their connected-car supply chains

26 Mar 2026

Time ran out on March 17. Automakers still running Chinese or Russian-linked software in their connected vehicles hit a hard federal wall that day, as a one-year exemption under the Commerce Department's Connected Vehicles rule expired. Legacy software developed by foreign adversary entities can no longer be maintained, updated, or modified without triggering a prohibition.

The rule, administered by the Bureau of Industry and Security, targets software enabling vehicle connectivity and automated driving functions. From March 17 forward, any such software with ties to China or Russia is classified as prohibited. With model year 2027 approaching fast, automakers and importers have a shrinking window to reach full compliance before the ban on selling non-compliant vehicles kicks in.

The obligations are concrete and immediate. Companies must file annual Declarations of Conformity certifying their software supply chains are free of prohibited foreign involvement, and must retain detailed due diligence records for regulators on request. Violations carry civil penalties. The most serious cases face criminal exposure. About 215 companies fall directly under the rule.

Software-defined vehicle programs face the steepest climb. Modern connected vehicles layer connectivity middleware, automated driving stacks, and other systems that may have been built or maintained by engineering teams in China. Untangling those dependencies takes time, technical resources, and contract restructuring. The industry had a full year to prepare.

The Bureau of Industry and Security has signaled this is not the finish line. A separate rule covering commercial vehicles is in development, and a broader administration review is weighing whether controls should reach further still. The message to the US automotive software ecosystem is unambiguous: supply chain security is now a federal compliance mandate, not a voluntary best practice.

For automakers building the next generation of connected vehicles, clearing this bar is about more than avoiding fines. It is about constructing the resilient, trusted software foundations that the future of mobility will depend on.