The new capability is designed to give organizations the tools and automation they need to meet regulatory requirements quickly, confidently, and without slowing innovation
Jerusalem, Israel, September 17, 2025 – C2A Security, the only context-driven product security orchestration platform that addresses the specific needs of software-defined products and cyber-physical systems, today announced the availability of the Q2.2025 Software Update of its industry-first DevSecOps product security platform, including a dedicated compliance solution for the newly issued U.S. Department of Commerce (DoC) Rule under 15 C.F.R. Part 791D. This regulation prohibits certain transactions involving Vehicle Connectivity System (VCS) hardware and covered software originating from restricted regions, specifically China, the Hong Kong Special Administrative Region, the Macau Special Administrative Region, and Russia.
The Q2.2025 software release of the EVSec Platform also introduces two new modules: Threat Intelligence, which was announced a few months ago, and the Compliance Center. The new release expands on the BOM & Vulnerability Management, threat analysis, and risk assessment capabilities, includes UI & UX improvements, and streamlines integration with the BI & Reports module.
As the automotive and mobility industries accelerate toward connected, software-defined vehicles, the integrity and transparency of the software supply chain have never been more critical. The new DoC rule reflects growing geopolitical and security concerns over foreign-sourced technologies embedded in connected vehicle ecosystems. For organizations building, supplying, or integrating VCS technologies, compliance is now a matter of both operational continuity and market access.
A New Compliance Landscape for Connected Vehicles
The DoC’s 791D regulation introduces stringent requirements for identifying, assessing, and managing software and hardware components based on their geographic origin. Failure to comply can result in penalties, disrupted operations, and reputational damage.
“Rule 791D is more than a regulatory change, it’s a shift in how organizations must think about their technology supply chain,” said David Mor-Ofek, head of product, C2A Security. “It’s no longer enough to know what you’re using; you must know where it’s from, prove it, and continuously monitor it. That’s exactly what our platform enables.”
Proactive Compliance Built Into the Development Process
The new Compliance Center module automates validation and reporting against cybersecurity regulations using EVSec data, AutoSynth AI automation, and flexible templates, serving as a comprehensive compliance hub for each project. The new module offers a centralized page where teams can manage, track, and demonstrate adherence to relevant cybersecurity and regulatory standards, such as ISO 21434, US DoC 791D, UN R155, GB Standards, ISA/IEC 62443, and more. Organizations can also define and maintain custom compliance frameworks, tailoring them to their policies or project-specific needs.
EVSec Platform provides a dedicated framework for continuous assessment and automated tracking of both software and hardware components across the supply chain. It continuously tracks compliance coverage and process status, offering real-time visibility into how each project progresses toward complete regulatory alignment.
Key capabilities include:
- Automated Vendor & Origin Mapping
The Platform automatically maps all third-party and open-source components to their vendors and geographic origins. This real-time visibility makes it easy to identify high-risk or restricted-origin components before they are integrated into the product.
- Early Risk Detection
Components of concern, whether due to geographic restrictions, licensing, or security vulnerabilities, are flagged early in the development lifecycle, minimizing costly late-stage changes or production delays.
- Streamlined Declaration of Conformity (DoC) Submissions
The platform generates accurate, up-to-date compliance records that form the basis of a Declaration of Conformity. Filing is fast, repeatable, and efficient, with regenerated submissions whenever the software composition or supplier base changes.
Dynamic Post-Submission Monitoring
Compliance is not a one-time activity. Even after a Declaration of Conformity is filed, ongoing vigilance is required to ensure that later updates, patches, or supplier changes do not inadvertently introduce restricted-origin components.
With EVSec Platform:
- Continuous Monitoring
Every time a component is updated, replaced, or reclassified, the platform automatically triggers a new compliance assessment.
- Origin, Licensing, and Metadata Checks
The platform re-validates origin, licensing terms, and component metadata to ensure that no silent compliance violations are introduced.
- Auditable, Transparent Workflow
Every compliance action is logged and stored, creating a clear audit trail for internal teams, regulators, and partners.
Benefits for our Automotive and Mobility Customers
By integrating the Compliance Center into the development process, customers can:
- Avoid costly last-minute redesigns caused by late detection of restricted-origin components
- Accelerate regulatory approvals with accurate, ready-to-file Declarations of Conformity
- Reduce operational risk with proactive, automated monitoring and reporting
- Enhance trust and transparency across the entire supply chain
Addressing the Bigger Picture: Supply Chain Trust
The introduction of Rule 791D underscores a larger industry challenge: securing the global software supply chain in an era of increasing geopolitical tension and cyber risk. Connected vehicle systems, from infotainment to advanced driver assistance, are highly dependent on a complex network of suppliers and open-source vendors.
Without robust visibility and control, organizations face both regulatory non-compliance and elevated cybersecurity exposure. EVSec Platform closes this gap by unifying supply chain intelligence, compliance workflows, and continuous monitoring in a single solution.
“This is about more than passing an audit,” added David Mor-Ofek. “It’s about ensuring that every line of code and every hardware component in your connected vehicle ecosystem meets both your performance and security standards, and that you can prove it at any moment.”
The new regulatory coverage for US DoC 791D is available immediately to EVSec customers as part of the Q2.2025 software release. Your account executive will contact you to schedule a dedicated training session.