Rule 791D has officially arrived. Earlier this year, we covered the proposed ban on connected vehicle software and hardware manufactured in China and Russia. The ban is now live.

The U.S. Department of Commerce’s Connected Vehicles Rule (791D) protects global supply chains and sensitive data from adversarial attacks by foreign actors and nation-sponsored threats. The deadlines are rapidly approaching, with software prohibitions taking effect in Model Year 2027 (MY2027) and hardware restrictions following in Model Year 2030 (MY2030).

This article outlines the actionable steps OEMs and suppliers must take to prepare for the new rule to reduce risk and build long-term trust with regulators, partners, and customers.

Increasing Cybersecurity Measures for the Next Generation of Connected Vehicles

The new rule comes into effect not long after Volkswagen suffered a massive breach in December 2024, which impacted over 800,000 electric vehicles (EVs). The incident exposed the GPS locations of roughly 460,000 vehicles, enabling threat actors to map driver routes and potentially exploit sensitive patterns such as commuting habits and residential details. More recently, Nissan was targeted by the Qilin ransomware group, which leaked over 378TB of backup data, including encryption keys, hashed passwords, internal documents, and emails.

Connected vehicles are forecasted to make up 95% of all vehicles on the road by 2030, with each one generating an estimated 25 gigabytes of data per hour. This scale of data generation amplifies the need for security automation, traceability, and compliance-by-design.

Over-the-Air (OTA) pipelines remain prime attack surfaces for ransomware groups if routine patches and updates are ignored. OTA pipelines may contain firmware from multiple suppliers and third parties, which can inadvertently introduce malicious dependencies into the supply chain, providing attackers a direct path to infiltrate connected vehicles at scale. A malicious OTA update could disable braking systems, manipulate steering wheel controls, and disrupt driver communication channels.

OEMs also meet stringent compliance requirements that add to the complexity of securing these systems. Regulations such as ISO 24089 have pressured OEMs and tiered suppliers to implement comprehensive cybersecurity measures, including secure software development practices, supply chain risk management, and continuous monitoring of connected vehicle systems. 
When viewed strategically, these exact requirements also create an opportunity to standardize processes and reduce fragmented security efforts across suppliers.

What the New Rule Means for OEMs and Suppliers

OEMs and suppliers must address many considerations under Rule 791D. These include conducting supplier audits, validating suppliers, adjusting procurement strategies, implementing engineering rework, and managing additional compliance reporting requirements. 

Cost is another driving factor. 

OEMs will also have to reevaluate the cost savings from outsourcing parts from foreign suppliers and balance them against the estimated costs of potential recalls and compliance penalties. A defective third-party sensor or controller in an embedded system could require months of engineering redesign, firmware updates, rollback mechanisms, and complete system validation before the vehicle can return to production.

Toyota recently issued a recall for more than 95,000 electric vehicles, including the Toyota bZ4X and Lexus RZ300e and RZ450e models, due to a software malfunction in the windshield defroster’s electrical control unit. This malfunction could potentially impact driving visibility and lead to serious roadside safety risks. OEMs looking to adapt to the new rule must conduct their due diligence and procurement more thoroughly as they vet suppliers more cautiously.

The new rule further emphasizes the importance of manufacturers verifying the origin of all hardware through a Hardware Bill of Materials (HBOM) and all software components through a Software Bill of Materials (SBOM). This ensures full visibility and accountability across connected vehicle control systems (VCS), allowing security risks to be identified and mitigated early in the vehicle development lifecycle.
SBOM/HBOM automation is no longer optional — it is the foundation for compliance and operational resilience.
It also reinforces supplier checks to ensure third parties are held accountable for compliance with industry-specific regulations. These proactive security measures are now mandatory when issuing a Declaration of Conformity (DoC).

From Burden to Strategic Advantage: How Leading OEMs Are Embracing the New Rule

Some OEMs already embed compliance checks in supplier onboarding, while others have begun leveraging OTA/observability to prove lifecycle security to regulators and insurers. An SBOM can provide regulators with unquestionable proof that every software component and third-party supplier is accounted for, with direct ownership and attribution, potentially winning a contract with a major vendor.

This is where a shift in mindset becomes essential.

Rather than focusing solely on the challenges of adapting to the new rule, OEMs and tiered suppliers should embrace the benefits of improved supply chain security, enhanced software and hardware integrity, and the opportunity to turn compliance into a strategic competitive advantage and trust differentiator. The incentive becomes clear. 
The winners will be those who demonstrate readiness early — transforming regulatory pressure into a differentiating capability.

C2A Security: Guiding OEMs and Suppliers for Success with the DoC’s Rule 791D 

Rule 791D isn’t part of any proposed legislation discussion. It’s officially here.

C2A Security helps OEMs and suppliers proactively prepare for the new changes imposed by the U.S. Department of Commerce.

EVSec provides OEMs and suppliers with a dedicated framework for continuous assessment and automated tracking of software and hardware components across the supply chain, offering real-time visibility throughout the product lifecycle.

Here’s how EVSec helps achieve readiness: 

  • Supplier Risk Visibility – Automate SBOM/HBOM validation against restricted entities, with continuous monitoring and 10-year DoC traceability.
  • OTA Assurance – Enforce secure update campaigns with rollback, anomaly detection, and supplier accountability.
  • Audit-Ready Reporting – Instantly generate documentation aligned to Rule 791D and cross-map to other regulations.
  • Lifecycle Monitoring – Maintain observability mapped to global frameworks, including ISO 21434, US DoC 791D, UN R155, GB Standards, and ISA/IEC 62443.

Avoid costly last-minute redesigns and accelerate regulatory approvals with EVSec. 
The new regulatory coverage for US DoC 791D is available immediately to EVSec customers as part of the Q2.2025 software release.

Schedule a demo to learn how C2A Security can help prepare you for the DoC’s new rule and enhance transparency across the supply chain.