SB2040 adds a new Part IV to the Export Control Reform Act of 2018 to create an Office of Information and Communications Technology and Services inside the Bureau of Industry and Security (BIS). The Office is charged with reviewing “covered transactions” that involve ICTS used in connected vehicles and with mitigating or prohibiting transactions that pose an “undue risk” to U.S. national security or critical infrastructure.
The bill centralizes a transaction-screening regime at Commerce with civil and criminal penalties, a new investigatory and subpoena authority, an ICTS technical advisory committee, and a requirement that the Director of National Intelligence produce annual risk assessments. For industry, the statute creates a formal mechanism to restrict or condition vehicle-related supply-chain deals tied to entities or jurisdictions of concern and removes several procedural hurdles that typically constrain rapid regulatory action.
At a Glance
What It Does
Creates an Office in BIS that may review, negotiate mitigation measures for, or forbid transactions involving ICTS used in connected vehicles; authorizes regulations to define classes of transactions warranting categorical treatment. It preserves and extends earlier executive-order authorities while codifying investigative, subpoena, and enforcement powers.
Who It Affects
Automakers, Tier 1 and smaller suppliers, telecommunications and software vendors that supply vehicle connectivity components, foreign entities on the Commerce Entity List, and any U.S. person engaging in cross-border transfers, exports, reexports, or in‑country transfers of covered items for connected vehicles.
Why It Matters
It shifts ad hoc executive authorities into statutory law, giving Commerce explicit authority to police vehicle ICT supply chains, impose binding mitigation conditions, and seek criminal and civil penalties — a structural change for how vehicle-related ICT risks are managed at scale.
What This Bill Actually Does
SB2040 inserts a new statutory part into the Export Control Reform Act to focus U.S. export-control style review specifically on information and communications technology and services (ICTS) used in connected vehicles. The text defines core terms — including a working definition of “connected vehicle,” “entity of concern,” “jurisdiction of concern” (China, Russia, Iran, DPRK), and “covered transaction” — and makes those definitions the trigger for Commerce’s review authority.
The bill establishes an Office of Information and Communications Technology and Services inside BIS, led by an Executive Director who reports to an Assistant Secretary (with transitional reporting rules). The Office must identify undue risks, educate industry, and communicate decisions.
It receives investigative tools: compelled reports under oath, subpoenas, hearings, and authority to require specific reporting formats. The Office also gains a streamlined hiring authority to recruit technical staff into the competitive service more quickly.
On process, Commerce may open discretionary reviews of any covered transaction it suspects poses “undue risk.” If Commerce finds undue risk it can (1) negotiate and impose mitigation conditions, ranging from cybersecurity standards to excluding specified components, or (2) prohibit the transaction and publish that prohibition in the Federal Register.
The Secretary can also promulgate regulations that treat classes of transactions or parties categorically (including categorical prohibitions) and can create licensing processes to permit otherwise prohibited deals.
The bill mandates a rhythm of intelligence input: the Director of National Intelligence must provide an initial risk assessment within 180 days and then annually, identifying high‑risk supply-chain participants and criteria for evaluating national-security risk. SB2040 creates an ICTS technical advisory committee of industry and academic experts to advise the Office, explicitly preserves and authorizes continuation or amendment of existing executive‑order regulations, exempts Commerce actions from the Paperwork Reduction Act, and makes clear that CFIUS authorities remain available.
Finally, the statute establishes enforcement authorities (inspection, seizure, subpoenas), civil and criminal penalties, exclusive D.C. Circuit judicial review with a 180‑day filing window, and confidentiality rules for classified or sensitive records submitted ex parte to the court.
The Five Things You Need to Know
The bill creates an Office of Information and Communications Technology and Services inside BIS and authorizes an Executive Director with special hiring authority to staff it.
A covered transaction is any export, reexport, in‑country transfer, or ICTS transaction involving components or ICTS used in a connected vehicle that are designed, developed, manufactured, or supplied by entities or jurisdictions of concern.
If Commerce determines a covered transaction poses an undue risk it may impose mitigation terms (cybersecurity conditions, component exclusions, compliance agreements) or prohibit the transaction and publish the prohibition in the Federal Register.
The Director of National Intelligence must produce a risk assessment within 180 days of enactment and then annually identifying high‑risk entities, jurisdictions, and classes of transactions.
Enforcement includes criminal penalties up to $1,000,000 and 20 years’ imprisonment for willful violations, civil penalties equal to the greater of $250,000 or twice the value of the violating action, and exclusive judicial review in the D.C. Circuit with a 180‑day statute of limitations.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Short title
Names the statute the “Connected Vehicle National Security Review Act.” This is purely stylistic but signals the bill’s dual focus on vehicles and national‑security review of ICTS.
Definitions that frame scope and triggers
This section sets the gates: what counts as a connected vehicle, covered transaction, entity or jurisdiction of concern, ICTS, and what constitutes “undue risk.” Those statutory definitions determine the transactions Commerce can scrutinize. Notably, the list of jurisdictions of concern is explicit (PRC, Russia, Iran, DPRK) and the Commerce Control List and the Entity List are incorporated as reference points — meaning existing export‑control designations can trigger the new authorities.
Creates the Office inside BIS and authorizes staffing
BIS gets a dedicated Office led by an Executive Director appointed by the Secretary (with transitional accommodation for an incumbent). The Office’s duties are both investigative and outreach‑oriented: identify undue risk, mitigate or prohibit transactions, and educate industry. The bill grants an expedited hiring authority to place technical hires into the competitive service without typical appointment constraints, which matters operationally because the Office will need specialized engineering and cybersecurity staff.
Review mechanics, investigative tools, and mitigation options
Commerce can initiate discretionary reviews of any covered transaction it suspects poses undue risk. The statute supplies robust investigative tools — compelled reports under oath, subpoenas, depositions, hearings — and a menu of mitigation authorities (agreements, cybersecurity mandates, exclusion of hardware/software components). If mitigation is impossible, Commerce may prohibit the transaction and must notify affected parties and publish the prohibition.
Regulatory pathway for categorical treatment
This provision authorizes Commerce, using notice‑and‑comment rulemaking, to define classes of covered transactions, parties, or components that deserve categorical scrutiny, mitigation, or prohibition. Rules may create per se inclusions or exclusions, set mitigation baselines, and establish licensing routes for otherwise prohibited transactions. The clause preserves the agency’s ability to review even transactions covered by such rules.
Intelligence inputs, reporting cadence, and expert advice
The DNI must deliver a risk assessment within 180 days and annually thereafter; Commerce must translate that assessment into regulatory or enforcement priorities. The bill also requires an ICTS technical advisory committee — industry and academic experts plus a federal officer — to inform the Office. The statute permits classified annexes to risk assessments but requires an unclassified summary to Congress.
Investigatory and enforcement reach, judicial review limits, and statutory relationships
Enforcement mirrors export‑control practice: BIS (and its enforcement arm) can inspect, seize, interview under oath, issue subpoenas, and obtain court orders; the Attorney General can pursue injunctive or divestment relief. The bill establishes exclusive D.C. Circuit jurisdiction for review, allows ex parte and in‑camera submission of sensitive material, sets a 180‑day statute of limitations for challenges, and authorizes substantial criminal and civil fines. The text also clarifies the law does not preempt CFIUS or other Federal authorities and exempts Commerce actions under this part from the Paperwork Reduction Act.
Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Federal policymakers and national‑security agencies — gain a standing statutory mechanism and intelligence cadence (DNI assessments) to target ICTS risk in vehicle supply chains and to coordinate mitigation and enforcement actions.
- BIS and the Department of Commerce — receive a dedicated office and hiring flexibility to build expertise to detect and disrupt risky ICTS transactions in automotive supply chains.
- Cybersecurity and compliance vendors — increased demand for services to meet mitigation conditions, attestations, and the cybersecurity standards the Secretary may require.
Who Bears the Cost
- Automakers and Tier 1/Tier 2 suppliers — face new pre‑transaction review risk, potential prohibitions, component exclusions, and higher compliance and contractual costs to justify supply‑chain choices.
- Small and specialized suppliers — may lose customers or be forced to redesign products if components are excluded from transactions or if suppliers are tied to entities/jurisdictions of concern.
- Foreign suppliers and entities of concern — face expanded practical barriers to participating in U.S. vehicle markets via export, reexport, or in‑country transfers, including potential categorical prohibitions and public listing.
Key Issues
The Core Tension
The central tension is between rapid, robust national‑security intervention in vehicle ICT supply chains and the commercial need for predictable, workable rules that preserve supply‑chain resilience and competitiveness. The bill empowers decisive action to block threats, but it does so in a way that can impose sudden operational and financial burdens on industry with limited procedural transparency.
The bill consolidates broad discretionary authority at Commerce with minimal procedural friction: investigations can be opened at the Secretary’s discretion, mitigation conditions can be negotiated or imposed, and the Paperwork Reduction Act does not apply. That design favors rapid action but raises implementation questions: how will Commerce operationalize technical review at scale for a sprawling automotive ICTS supply chain; what objective criteria will govern the line between mitigation and prohibition; and how will the agency avoid creating perverse incentives for suppliers to relocate to jurisdictions outside U.S. reach?
Transparency is limited. The statute permits ex parte, in‑camera submissions of classified or sensitive materials and channels most judicial challenges to the D.C. Circuit under an exclusive and accelerated timetable. That approach protects classified equities but constrains public scrutiny and could prolong business uncertainty for covered parties while key facts remain sealed.
Overlap with CFIUS, existing BIS entity controls, and earlier executive orders is explicitly preserved — useful for flexibility, but it risks duplication, inconsistent standards, and interagency coordination challenges. Finally, the criminal penalties are steep and the civil‑penalty formula (greater of $250,000 or twice the value of the violating action) can produce harsh outcomes for commercial missteps, raising issues about proportionality and the role of disclosure and remediation in penalty determinations.