The modern automobile is no longer simply a machine of steel, rubber, and glass. It is a rolling data center, bristling with internet-connected sensors, cameras, microphones, and GPS systems—many of which rely on technology developed in or sourced from China. Now, with a hard regulatory deadline bearing down, the global auto industry faces one of its most complex compliance challenges in decades: identifying, isolating, and replacing every strand of Chinese code embedded in the vehicles Americans drive.

New U.S. regulations, introduced by the Commerce Department’s Bureau of Industry and Security, will ban Chinese software in vehicle systems that connect to the cloud effective March 17. Hardware restrictions will follow in 2029. Connected cars manufactured by Chinese or China-controlled companies are also prohibited, regardless of where their software originates. The rules are rooted in national-security concerns—specifically, the fear that cameras, microphones, and location-tracking capabilities in modern vehicles could be exploited by foreign adversaries, as reported by the Wall Street Journal.

A Regulatory Earthquake Reverberating Through Detroit and Beyond

Hilary Cain, head of policy at the Alliance for Automotive Innovation, a major trade group, has described the regulation as “one of the most consequential and complex auto regulations in decades.” She added that “it requires a deep examination of supply chains and aggressive compliance timelines.” That assessment is no exaggeration. Automakers must now attest to the U.S. government that core elements of their connected-vehicle systems do not contain code written in China or by a Chinese-owned company. The rule also extends to software powering advanced autonomous driving features—a domain where Chinese firms have made significant inroads in recent years.

The deadline is injecting fresh urgency into an industrywide effort that began during the pandemic, when supply-chain disruptions exposed the depth of the auto sector’s dependence on Chinese components. Geopolitical tensions between Washington and Beijing have only accelerated the push. Tesla, for example, decided last year to stop using China-based suppliers for vehicles manufactured in the United States. But for most automakers, the challenge is far more tangled than simply switching vendors.

The Hidden Layers of a Sprawling Supply Chain

The fundamental difficulty lies in the structure of automotive supply chains. Carmakers typically purchase electronic components from large Tier 1 suppliers, which in turn may source software from smaller Tier 2 or Tier 3 suppliers—or from joint ventures based in China. This multi-layered architecture means that Chinese-origin code can be buried deep within a vehicle’s systems, invisible to the automaker that ultimately puts its badge on the car. And the supply chain has little incentive to volunteer the information automakers now desperately need.

“The suppliers don’t want to share source code,” said Brandon Barry, founder of Detroit-based Block Harbor Cybersecurity. “That’s their IP.” This proprietary wall creates a significant obstacle. Even when Chinese software is clearly identifiable, replacing it is fraught with risk. Automotive code is typically bespoke—custom-written for specific hardware configurations and safety-critical applications. Swapping out a software module on an existing vehicle platform is not like updating an app on a smartphone; it can introduce new bugs, compromise safety certifications, and require extensive re-testing.

Corporate Restructuring and the March 17 Carve-Out

Recognizing the enormity of the task, the Bureau of Industry and Security has built in some flexibility. Cybersecurity experts expect some automakers and suppliers to receive temporary exemptions from the software ban if they can demonstrate that they have mitigated risks through alternative means. The Commerce Department is also allowing the use of Chinese code that has been transferred to a non-Chinese entity before the March 17 cutoff date.

That carve-out has triggered a wave of corporate restructuring. According to Matt Wyckhouse, chief executive of cybersecurity firm Finite State, global suppliers are relocating China-based software development teams to other countries, while Chinese companies are actively seeking new owners for their Western operations. The goal is to create legal separation between the code and its Chinese origins—a maneuver that satisfies the letter of the regulation, even if questions linger about the spirit of it.

Pirelli’s Smart-Tire Dilemma and the Reach of the Rule

The regulation’s reach extends well beyond traditional automakers. Consider Pirelli, the iconic Italian tiremaker. Pirelli risks running afoul of the new rules because its largest shareholder is Sinochem, a Chinese state-owned chemicals conglomerate that holds a 34% stake. The connection to the regulation? Pirelli’s smart tires—equipped with sensors that connect to the cloud to monitor pressure, temperature, and wear in real time—qualify as connected-vehicle technology under the new framework.

Pirelli, its top two shareholders, and the Italian government are now engaged in urgent discussions about potential solutions. Options on the table include Sinochem reducing its stake and the ringfencing of Pirelli’s U.S. smart-tire business into a separate entity insulated from Chinese ownership influence. The case illustrates how the connected-vehicle rule is rippling far beyond Detroit, touching companies and governments across the globe that had not anticipated being caught in the crosshairs of U.S.-China tech decoupling.

Eagle Wireless and the Promise of American-Made Alternatives

While the regulation creates enormous challenges for incumbents, it is also generating opportunities for new entrants. One notable beneficiary is Eagle Wireless, an Ohio-based startup working to establish a domestic U.S. source of cellular modules—the small but critical components that connect smart devices, including vehicles, to the internet. Last year, Eagle acquired source code from China’s Quectel, the world’s largest supplier of cellular modules, and is now working with automakers and major suppliers to migrate software updates to its platform before the March 17 deadline.

The arrangement is symbiotic: having a compliant software partner allows Quectel to continue shipping its hardware to American clients for another three years, until the hardware ban takes effect in 2029. Meanwhile, Eagle is building up its own module manufacturing capability on U.S. soil. “The connected-vehicle rule is a major tailwind for onshoring both software development and manufacturing,” said Mark Kvamme, Eagle’s co-founder. One trade-off clients will notice immediately: Eagle’s modules carry a price premium of roughly 10% over Quectel’s Chinese-made equivalents—a cost that will ultimately be passed along to consumers.

China’s Tightening Grip on the Global Connectivity Supply Chain

The dominance of Chinese manufacturers in the cellular module market is staggering and growing. According to data from Counterpoint Research, Chinese cellular-module manufacturers held 87% of the global market share in the first half of last year, up from 69% in 2019. That concentration of supply in a single country—and a geopolitical rival, at that—has alarmed policymakers on both sides of the Atlantic. The situation has drawn comparisons to America’s dependence on Chinese rare-earth minerals and has evoked memories of the national-security battle over Huawei’s role in global telecommunications infrastructure.

Former British diplomat Charles Parton put the stakes in stark terms during testimony before a U.S. congressional committee in December. “If you think rare earths is a bad dependency to have on China, wait till you’re dependent on cellular modules. It’s much, much worse. It’s broader,” Parton warned. Unlike rare earths, which are primarily inputs for manufacturing, cellular modules are embedded in the operational fabric of critical infrastructure—from vehicle fleets and energy pipelines to asset trackers and logistics networks. A disruption or compromise at the module level could have cascading consequences across entire sectors of the economy.

Volvo’s Challenge and the Data Transmission Question

For automakers with deep ties to China, the compliance challenge is particularly acute. Håkan Samuelsson, chief executive officer of Volvo Cars—a company owned by China’s Geely Holding—addressed the issue head-on. “There should be no critical semiconductor components coming from China—that’s easy to check,” Samuelsson said. “More challenging is to be sure that no data that the car collects can ever be transmitted to China.” That distinction is critical. The regulation targets not just the origin of code but the potential for data exfiltration—the risk that a vehicle’s sensors could be weaponized to collect intelligence on American roads, military installations, or critical infrastructure.

The technical complexity of ensuring data isolation is formidable. Modern connected vehicles generate and transmit vast quantities of data—telematics, navigation patterns, voice commands, camera feeds. Ensuring that none of this information can be routed, even inadvertently, to servers accessible by Chinese entities requires not just software audits but comprehensive network architecture reviews. It is a challenge that sits at the intersection of cybersecurity, geopolitics, and automotive engineering.

Uncertain Futures: Political Winds and Regulatory Momentum

The Bureau of Industry and Security team that crafted the connected-vehicle rule had signaled ambitious plans to expand its clampdown on Chinese technology to other product categories, including commercial vehicles and drones. However, that broader effort is now clouded by uncertainty. The Trump administration recently pushed out two officials who had been focused on tackling technological threats from China, and the drone investigation was shelved in January, according to the Wall Street Journal’s reporting.

A spokesperson for the Bureau of Industry and Security said the agency remained “committed to ensuring the connected-vehicle rule addressed national-security risks while creating a workable framework for industry.” But the departure of key personnel raises questions about whether the regulatory momentum will be sustained—or whether the connected-vehicle rule will stand as an isolated action rather than the first step in a comprehensive strategy to reduce America’s technological dependence on China.

What the Auto Industry’s Reckoning Means for the Broader Economy

The auto industry’s scramble to comply with the connected-vehicle rule is, in many ways, a microcosm of a much larger challenge facing the American economy. Decades of globalization have woven Chinese technology deep into the supply chains of virtually every major industry. Unwinding those dependencies—particularly in software, where provenance can be difficult to trace and code can be copied, forked, and embedded across multiple platforms—is an undertaking of extraordinary complexity and cost.

For the auto sector, the stakes are existential. The industry is simultaneously navigating the transition to electric vehicles, the integration of autonomous driving technology, and now the forced decoupling from Chinese software and hardware suppliers. Each of these shifts demands massive capital investment and engineering resources. The connected-vehicle rule adds another layer of urgency, compressing timelines and forcing companies to make difficult trade-offs between cost, speed, and security. Whether the industry can meet the March 17 deadline—and the hardware deadline in 2029—without significant disruption to production and innovation remains an open question, one that will be closely watched by policymakers, investors, and national-security officials alike.