TL;DR: For years, the software linking American cars to the internet has quietly relied on Chinese code. Now, that hidden dependency is forcing one of the auto industry's most complex overhauls in decades. Beginning March 17, automakers selling connected vehicles in the US must certify that their systems are free of Chinese software – a mandate that extends from infotainment controls and onboard cameras to advanced driver-assistance systems.
The rule, issued by the Commerce Department's Bureau of Industry and Security, bans code written in China or by Chinese-owned firms from vehicles that connect to the cloud. By 2029, even their connectivity hardware will be covered under the same restrictions.
The new regulation is aimed at blocking potential security risks – microphones, GPS modules, and cameras that could be exploited to send data abroad – but it has also triggered a race to locate, audit, and replace lines of code buried deep within modern cars' supply chains.
Hilary Cain, head of policy at the Alliance for Automotive Innovation, calls the rule "one of the most consequential and complex auto regulations in decades." Automakers must not only prove compliance to the US government but also trace the digital origins of code that filters through multiple layers of suppliers.
Many of those suppliers, particularly in China, are reluctant to share details, and in some cases, the code is locked down as proprietary intellectual property. This secrecy leaves automakers scrambling to verify code they don't even fully control. "The suppliers don't want to share source code. That's their IP," Brandon Barry, founder of Detroit-based Block Harbor Cybersecurity, told The Wall Street Journal.
The effort to disentangle from Chinese software comes after years of supply chain shocks that began during the pandemic and deepened amid rising geopolitical tensions. Tesla has reportedly stopped using China-based parts suppliers for US-bound vehicles, part of the industry's shift toward localization.
But for other automakers, the bigger technical challenge isn't hardware origin – it's ensuring that the data collected by their vehicles never crosses into Chinese networks. In short, verifying chip sources is easy; guaranteeing data isolation is not.
Manufacturers are lobbying for flexibility, and cybersecurity experts expect that some companies may win temporary exemptions if they can demonstrate alternative safeguards. Still, few expect an easy fix. Automotive software is often custom-built, making replacements risky and expensive. Even clearly identified Chinese code can't simply be "swapped out" without disrupting systems already deployed on cars in the field.
The Bureau of Industry and Security has introduced limited exceptions to soften the blow of the deadline. Software can remain in use if its ownership is transferred to a non-Chinese entity before March 17 – a loophole that has already triggered a wave of corporate restructuring.
Global suppliers are relocating China-based engineering teams, while Chinese firms rush to sell or spin off operations tied to their Western customers. Pirelli, the Italian tiremaker whose cloud-connected "smart tires" fall under the rule, is one prominent example. Its largest shareholder, Chinese chemicals giant Sinochem, may reduce its 34% stake or ringfence Pirelli's US operations as part of compliance talks involving the Italian government.
The rule has also created openings for US startups. Ohio-based Eagle Wireless is building a domestic pipeline for cellular modules – the devices that provide connectivity to internet-linked cars and other smart systems. The company acquired code from China's Quectel, the world's top cellular-module supplier, and is working with automakers to migrate existing deployments off Chinese-controlled platforms.
For now, Eagle's modules cost about 10% more than the Chinese-made versions, but the company's co-founder, Mark Kvamme, sees long-term benefits: a new American foothold in both software and manufacturing.
Those modules are more than a niche product. According to Counterpoint Research, Chinese suppliers controlled 87% of the global cellular-module market in the first half of last year, compared with 69% in 2019.
Analysts warn that this near-monopoly could become as strategically fraught as the US dependence on Chinese rare-earth minerals – or Huawei's former dominance in telecommunications. "If you think rare earths is a bad dependency to have on China, wait till you're dependent on cellular modules," former British diplomat Charles Parton told a US congressional panel in December.
Whether the clampdown expands beyond cars remains unclear. The Bureau had signaled interest in targeting Chinese components in commercial vehicles and drones, but recent leadership changes within the Trump administration have cast doubt on next steps. Still, the agency insists the connected-vehicle regulation strikes a balance between national security and industrial feasibility.
For the auto sector, however, that balance has become a high-stakes equation: how to maintain safety, performance, and connectivity in cars that are suddenly expected to prove their digital independence.