BIS's Connected Vehicle Template Runs on Unpublished Terms
Primary lensExport controls
Sub-topicLicensing regime
Evidence base9 records used
Use caseExport-control exposure
The reusable part is conditional market access
On July 14, U.S. House of Representatives hearing testimony by BIS Under Secretary Jeffrey Kessler, July 14, 2026 stated that the Office of Information and Communications Technology and Services is focused on implementing the Connected Vehicles Rule and that BIS will consider new regimes for other sectors once administration becomes more routine. The BIS under secretary named no sector and promised no new rule.
The vehicle process shows the mechanism another regime could adopt. Its public prohibitions set the baseline, while lets BIS permit named parties to conduct otherwise prohibited transactions. Recipients must retain records for ten years and submit specified reports, and BIS may impose additional auditing or verification conditions. Because BIS does not publish specific-authorization decisions, conditional market access can turn on terms that later applicants cannot study.
The transferable lesson is therefore procedural, not predictive. Any future ICTS regime could combine a categorical restriction with a route for firms that can prove a particular transaction's risk is manageable. The public regulation would define the gate. The practical standard for getting through it could develop inside authorization files that competitors, suppliers, and investors cannot read.
Volvo and Polestar reveal the benchmark gap
Two company disclosures show why that matters. In its Volvo Cars statement on BIS Connected Vehicles specific authorization, May 26, 2026, the company said it had received permission to continue importing and selling connected vehicles in the United States. It described discussions with Commerce and other officials concerning governance, technology, and data security. Volvo did not publish the authorization, its conditions, or the government's reasoning.
In its Polestar statement on BIS Connected Vehicle Rule authorization decision, June 25, 2026, the company said BIS had not granted it an authorization to sell vehicles in the United States from model year 2027 onward. It said existing inventory could still be sold and current customers supported. Polestar did not publish a decision memorandum or explain the agency's basis.
The public record is too thin for a causal comparison. It cannot establish that ownership decided the cases, that the companies proposed equivalent controls, or that BIS applied the same factual record differently. One outcome is positive and the other negative, but the information needed to benchmark either file is missing. Companies preparing the next application can read the rule. They cannot study a successful set of conditions or a failed mitigation package.
The two outcomes document a deliberately applicant-specific process with a thin public feedback loop, without proving arbitrary treatment. If BIS carries that process into another sector, early applicants may have to learn the workable standard through private engagement rather than published precedent.
Part 791 makes mitigation part of the permission
The Connected Vehicles Final Rule, 90 FR 5360 bars specified transactions involving covered vehicle-connectivity hardware and software linked to China or Russia. The covered-software restrictions begin with model year 2027. The covered-hardware restrictions begin with model year 2030, or January 1, 2029 for hardware not associated with a model year. Separate provisions apply to vehicle manufacturers owned by, controlled by, or subject to the jurisdiction or direction of China or Russia. A firm should map the exact prohibition before it assumes an authorization is needed.
For an otherwise prohibited transaction, Section 791.307 says BIS may grant a specific authorization after a complete application. Permission is discretionary. The applicant must wait for a written decision before proceeding. BIS will provide a decision within 90 days unless, in its sole discretion, it notifies the applicant within that period that additional time is required.
The application itself reaches well beyond a component list. It identifies the parties and ultimate beneficial ownership, the hardware or software and its suppliers, the relevant vehicle and function, the applicant's ability to limit Chinese or Russian government access or influence, the security standards used, and proposed technical or operational controls. BIS may ask for third-party assessments, software or hardware bills of materials, auditing, and verification.
The authorization is normally confined to its named parties, described transaction, and stated conditions. Conditions may vary with the risk. That makes mitigation part of the legal permission rather than a side promise. A control that looks persuasive in a policy presentation still needs evidence, an accountable owner, and a way to show that the condition remained true after approval.
Confidentiality needs an anonymized guidance layer
Part 791 states that specific-authorization decisions will not be made publicly available. BIS can also modify, suspend, or rescind an authorization under the rule's terms. The public can see the governing criteria, but not the agency's final balance of risk, safeguards, and residual exposure in a particular file.
That design has a defensible purpose. An application may contain supply agreements, ownership documents, network architecture, source-code locations, security assessments, and remediation plans. Publishing those materials could expose business confidential information or security weaknesses. Yet confidentiality carries a cost when authorization becomes a meaningful route to market. Other firms cannot tell whether or how governance commitments, supplier-replacement plans, or verification rights affected a particular decision.
The gap also complicates board and investor oversight. A public company can announce that it received or did not receive an authorization, but outsiders may be unable to test management's account against the government's conditions or reasoning. Even a supplier shared by several manufacturers cannot assume that one customer's result controls another's transaction.
For future ICTS sectors, a usable body of anonymized guidance could cover recurring risk factors, acceptable control patterns, common evidence failures, and the kinds of changes that trigger renewed review without exposing sensitive applications. Without that layer, the rule can be public while the operational benchmark remains private.
The supplier registry offers a partial answer
BIS has already created a more reusable path for some supply-chain questions. BIS General Authorization No. 3, June 18, 2026 allows a VCS hardware importer to rely on listed VCS hardware, and a connected vehicle manufacturer to rely on listed covered software, when the supplier and item are listed together in the Approved Supplier Registry. The downstream company then uses the declaration process instead of seeking its own specific authorization for that item.
This shifts the unit of approval. A vetted supplier and product can support multiple downstream declarations, subject to the general authorization's conditions. BIS may require a letter of assurance, a mitigation agreement, or other conditions before listing. It may remove an entry if conditions are not met, information changes, or national-security concerns emerge. Users must monitor registry changes and retain compliance records for ten years. Within 30 days after discovering a changed circumstance, they must assess continued eligibility and, if the transaction falls outside the authorization's conditions, cease the prohibited conduct, investigate, and report to BIS.
The registry therefore creates some public reusability, but it does not erase the private benchmark problem. As of July 15, 2026, the BIS Connected Vehicles hub identified the registry location, but no registry entries were visible. More important, supplier eligibility does not necessarily answer company-level concerns about ownership, governance, remote access, cloud management, data flows, or influence over design and development. Firms owned by or controlled by specified foreign governments also face restrictions on using a general authorization unless specifically authorized.
The registry is best read as a pressure-release valve for repeatable component risk. Company-specific market access can still turn on a broader mitigation file.
Firms can build the evidence file before another sector is named
Even before another sector is named, a company can prepare the evidence architecture Part 791 requires for a complete application. BIS Connected Vehicles specific authorization guidance points toward a file that joins legal ownership, product engineering, cybersecurity, procurement, and governance rather than leaving each function with a separate answer.
Start with a transaction map. Identify the legal parties, beneficial owners, side letters, board rights, and contractual sources of control. Tie those records to the actual product, including hardware, software, firmware, cloud services, update paths, source-code custody, maintenance access, and the data each system collects or can transmit. A supplier name without function and access is not enough.
Next, turn proposed safeguards into testable claims. A technology-control plan should name who can reach source code, production systems, signing keys, vehicle data, and remote-management tools. Supplier agreements should preserve audit rights, change notice, and access limits. Security standards should connect to assessments, test results, remediation tickets, and a dated exit plan when a covered dependency is being replaced.
Finally, assign change triggers. Acquisitions, new board rights, a relocated development team, a new cloud administrator, a supplier substitution, or a software update can alter the facts that supported the original judgment. The file needs an owner who can recognize those changes before a product moves, not months later during an audit.
This work is useful even if no new sector rule appears. It shortens the distance between a policy claim and proof. If a regime does arrive, the firm will know which assertions are current, which rest on third parties, and which require a business decision rather than another legal memo.
After a denial, rebuild the record
Under 15 CFR 791.309, Appeals, an applicant may appeal a denial within 45 days. Section 791.307(k), Effect of denial separately permits reconsideration based on new material facts or changed circumstances. An applicant can also apply for a separate otherwise prohibited transaction. None of those paths supplies an automatic stay or a right to approval.
The practical question is what changed in the record. A stronger appeal or renewed request should identify a legal or factual error, new control, altered ownership right, supplier replacement, independently validated safeguard, or narrower transaction. Repeating the original assurances in more polished language does not create a new risk posture.
That is another reason to keep a versioned mitigation ledger. Each material representation should have a source, responsible executive, validation date, and refresh trigger. The company should be able to show what BIS reviewed, what management promised, what condition governs the transaction, and what later event required escalation. The ledger remains an operating record after the application is decided.
Polestar's disclosure does not establish what a successful reconsideration would require. Volvo's announcement does not reveal a model answer. The public rule only shows the categories of proof that BIS may weigh. Each applicant must convert those categories into a record the agency can test.
What would narrow the benchmark gap
Anonymized decision summaries, a populated Approved Supplier Registry, or an official proposal naming another sector would make the model easier to benchmark. Summaries could explain how governance, technical separation, data security, supplier replacement, and third-party validation affect outcomes without exposing a company's full application. A maintained registry would show how much recurring component risk can migrate from private company files to a shared route.
Kessler's testimony supports only consideration of future regimes. The next rule could use different prohibitions, evidence, or authorization mechanics. Until a proposal appears, the connected-vehicle process is a template to study, not a rule to apply by analogy.
For now, the vehicle regime has shown that market access may depend on a mitigation record whose decisive terms are unavailable to competitors. Companies in other technology-heavy supply chains should make their ownership, access, data, supplier, and change-control claims provable before BIS asks, rather than guess the next sector.
From reading to review
Run the numbers on your lane.
The duty calculator runs the current stack for any HTS code and origin. A free account opens full tool output, AD/CVD detail, Chapter 98 processing, and available exports.