Regulating Autonomy: Lessons from the Connected Vehicle Rule

The Commerce Department’s connected vehicle rule offers a practical preview of what comes after the FCC’s drone gate—from subsystem definitions and carve-outs to the documentation that will underpin trusted autonomy.

An Alta-8 small unmanned aircraft system testbed flies above NASA’s Langley Research Center in Hampton, Virginia. Image: NASA/Bowman

When the U.S. government decides a class of networked machines is an unacceptable national security risk, the first move is often a gate: a regulatory chokepoint that can reshape market access much faster than a traditional product safety regime. For the automotive sector, that gate is now the Commerce Department’s transaction controls aimed at vehicle connectivity and automated driving systems. For drones, the gate has emerged through the FCC’s equipment authorization framework and the agency’s Covered List actions on foreign produced unmanned aircraft systems and “UAS critical components.”

For OEMs, integrators, public safety agencies and industrial operators, the point is not which agency moved first. It is what comes after the gate: how definitions harden, how carve-outs appear, what documentation becomes non-negotiable, and how businesses build a defensible trust framework that can withstand shifting policies.

The connected vehicle rule offers a practical precedent. Elizabeth Cannon, then head of Commerce’s Information and Communications Technology and Services (ICTS) office, told an industry audience in July 2025: “I think it’s a very good example of how we engage industry, to focus on specific systems in a vehicle, so that we are not overburdening industry, and how we can use timelines to account for the fact that maybe an industry needs new suppliers, maybe it will take time to shift the supply chain.”

Two different gates, one recurring pattern

Commerce’s connected vehicle action is built on ICTS supply-chain authorities. The final rule, published January 16, 2025, targets defined buckets of technology inside connected vehicles, including vehicle connectivity systems (VCS) and automated driving systems (ADS), and prohibits certain transactions involving covered software and, on a longer timeline, covered VCS hardware tied to China and Russia-linked entities. That rule is now in force: it took effect March 17, 2025 and remains on the books unless a future rulemaking changes it.

The rule is phased. Software-related prohibitions start with model year 2027 vehicles, while the VCS hardware prohibitions are not implemented until model year 2030, reflecting what Commerce heard from OEMs about realistic supplier-substitution timelines. Declarations of Conformity must be filed at least 60 days before first import or first sale for each affected model year.

The FCC’s drone action uses a different legal mechanism but has a similar market effect. On December 22, 2025, the FCC updated its Covered List to add “uncrewed aircraft systems (UAS) and UAS critical components produced in a foreign country,” citing an executive branch national security determination and establishing a forward-looking barrier to new FCC authorizations for covered equipment.

In both cases, the gate is the trigger that forces industry to answer questions: can you prove, not merely claim, that your platform’s software, communications, updates and data pathways do not create unacceptable exposure?

Connected driving utilizes GNSS and 5G technology, transmitting data in ways similar to drones. Image: Radio Labs/ESA

What connected vehicles teach: regulated units, phased timelines

The connected vehicle rule is instructive because it shows how Washington can regulate a fast-moving tech stack without “regulating the whole car,” but focus on specific systems, use timelines and build in a path for those who legitimately need more time.

“What we learned from industry is that at this time, there is a manageable amount of Chinese and Russian software on these vehicles,” Cannon said. “They probably asked for two years, and we said we think one year is sufficient. Hardware, they emphasized that would take much longer for them to find alternative suppliers.”

Industry gave Commerce a best-case and worst-case view of how quickly suppliers could be swapped out. “We went with the best-case scenario, because obviously we are very much concerned with the national security risks, but we have to balance that with supply-chain practicalities,” Cannon said.

That approach is visible in the connected-vehicle final rule itself.

Scope is subsystem-driven. Commerce focuses on connectivity and automation-enabling systems, areas where remote access, data collection and update authority concentrate. Timelines are only part of the balance; the other piece is identifying the specific systems that cause the most concern for national security, so that industry is not being asked to re-engineer everything.

The rule is phased in via model years, with software and hardware staggered, and it draws a clear distinction between where software is designed and where it is manufactured or installed.

Compliance is institutionalized. Commerce requires Declarations of Conformity filed at least 60 days prior to import or first sale for covered software in completed vehicles, and prior to import for VCS hardware, alongside structured recordkeeping and ongoing due diligence.

U.S. Department of Commerce Herbert C. Hoover Building. Photo: APK / Wikimedia Commons (CC BY-SA 4.0)

How it maps to drones

In January 2026, Reuters reported that Commerce withdrew a planned proposal to restrict Chinese-made drones after the FCC had already moved ahead. The practical result is that the primary “gate” for drones ended up at the FCC rather than Commerce, but the underlying national security concerns did not disappear.

The takeaway is that the U.S. has multiple legal levers that can produce similar outcomes—transaction prohibitions versus authorization chokepoints. What remains consistent is the maturation curve after the gate drops: scope definitions tighten, carve-outs appear, evidence obligations migrate into the market.

The drone regime today: a gate, carve-outs and a path for determinations

The FCC’s December 2025 Covered List update did not ban the use of drones already holding FCC authorizations; it primarily affects new authorizations going forward. That is why the market impact shows up first in roadmap planning, new model launches and component substitutions, rather than in an immediate grounding of existing fleets.

On January 7, 2026, the FCC issued a major clarification: it updated the Covered List to exempt (until January 1, 2027) two categories that were determined not to pose unacceptable risks: items on the Defense Contract Management Agency (DCMA) Blue UAS Cleared List and items qualifying as “domestic end products” under the Buy American Standard.

Two points matter for the connected vehicles to drones comparison.

First, carve-outs are not an anomaly; they are how the regime stays operational. Connected-vehicle policy uses timelines and exemptions (including repair and warranty) to avoid instantly stranding fleets and supply chains. Drones are showing the same pattern, through exemptions and determinations designed to prevent mission failure in public safety, defense and infrastructure contexts.

Second, the compliance center is shifting to evidence. Buyers want auditable proof of component provenance, update control and data-handling constraints.

A compliance roadmap for drones, from the connected-vehicle playbook

What follows is a principles-based roadmap for drone manufacturers, integrators and large operators. It does not assume U.S.-only compliance; it treats the U.S. gate as one driver of a broader assurance economy that is also being reinforced by EU cybersecurity regimes for connected radio products and products with digital elements.

Principle 1: Define the regulated unit inside your own stack before regulators do it for you

Connected vehicle rules define the regulated unit as specific subsystems (VCS and ADS) rather than the entire platform. Cannon described this as focusing enforcement on the systems that matter most, rather than trying to cover everything.

For drones, the practical equivalent is to treat the communications and software stack as the regulated unit, not the airframe: the radios and datalinks, onboard computers and firmware, ground-control software and update channels, any cloud services handling telemetry, video or commands, and the docks and other infrastructure that enable autonomous operation.

Cannon flagged docking stations as especially sensitive, because they often signal critical-infrastructure use. These systems exist around cities where drones can be used for first responders.

Principle 2: Assume the market will demand Declarations-of-Conformity-style evidence, even if the agency does not use that label

Connected vehicle rules operationalize compliance through Declarations of Conformity and defined lead times.

For drones, the practical translation is to build a documentation package that integrators and customers can reuse across tenders and jurisdictions. That will increasingly include a controlled bill of materials with country-of-origin for critical components; software bills of materials for firmware, ground control and cloud services; signed build and update governance; data-governance maps; documented vulnerability management; and repeatable regression tests for component substitution.

The goal is not bureaucracy for its own sake, but to make a fleet decision defensible once national security risk becomes a procurement criterion.

Principle 3: Use timelines and transition logic as a compliance instrument

In the connected vehicle rule, Commerce built those timelines out of detailed industry conversations and paired them with mechanisms to handle edge cases. Suppliers who cannot meet the deadlines can seek specific authorizations, where they must show what mitigation steps they are taking and how long they will need to shift.

For drones, that means planning product and fleet support on two tracks: a “bridge” track, defined by exemptions; and a “destination” track, defined by clean-stack architectures and auditable provenance that will survive tighter definitions. The FCC’s time-limited exemptions through January 1, 2027 are, in effect, a bridge-horizon signal.

Principle 4: Build for component substitution without resetting compliance to zero

This is the hard part of supply-chain design. Cannon emphasized that ICTS authority is structured to avoid whack-a-mole scenarios where regulators chase individual brands around the globe.

Once Commerce identifies the technologies it wants to regulate, she explained, “any of the software or hardware that is designed, developed, manufactured or supplied by an entity that is owned by, controlled by or subject to the jurisdiction or direction of the PRC or Russia” can be in scope. The expectation is that a regulated party does real supply-chain analysis against that standard.

For drones, that translates into designing for modularity plus qualifying at least two sources for RF and compute modules where feasible; defining internal critical component swap rules; maintaining a testing process that can validate security posture after substitutions; and keeping provenance evidence auditable per configuration.

Principle 5: Treat direct-to-consumer imports as a real risk factor

The de minimis import threshold is one of the biggest differences between cars and drones. Below $800, small parcels can come in with very little visibility, which makes it much harder to enforce any kind of restriction.

If your business depends on direct-to-consumer sales and fragmented distribution, regulators are likely going to target a clearly responsible party—the manufacturer, importer, distributor or service provider—not the individual hobbyist who ordered a drone online.

Why this matters in Europe

Even for non-U.S. fleets, the U.S. drone Covered List story matters because EU requirements are also pushing the market toward documented cybersecurity controls for connected radio equipment and products with digital elements.

Two EU anchors are especially relevant:

• Cybersecurity requirements under the Radio Equipment Directive become applicable for certain radio equipment from August 1, 2025, expanding essential requirements related to cybersecurity risks.
• The EU Cyber Resilience Act entered into force on December 10, 2024, with reporting obligations from September 11, 2026, and main obligations applying from December 11, 2027.

In practical terms, the compliance documentation built to satisfy U.S. trust expectations is increasingly the same required for EU market access and customer assurance, particularly as drones become nodes in enterprise networks and critical-infrastructure workflows.

What to watch next: the drone “regulated unit” and the next tightening cycle

With the initial gate now in place, the real impact on the drone market will be decided by how regulators define what they are regulating and how they tighten the rules over time. Four moving pieces in particular may shape that next cycle:

Definitions of “UAS critical components. The market impact will turn on how precisely critical components are defined and interpreted in practice for authorization decisions, substitutions and exemption eligibility.

The evolution of determinations and exemptions. As in connected vehicles, carve-outs are likely to evolve as the government balances national security outcomes with continuity for public safety, agriculture and infrastructure users.

Evidence expectations in procurement. Whether or not a single agency issues a formal Declaration of Conformity equivalent for drones, procurement organizations are likely to demand documentation that looks similar, because it is the only way to manage lifecycle risk in a regulatory environment that can change between contract award and fleet refresh.

The enforcement model for the small drone, direct-to-consumer segment. This is where the drone story diverges sharply from autos, and where industry should expect policy experimentation. The next moves will determine whether the compliance burden consolidates around distributors, service providers or platform ecosystems.

The bottom line

The connected-vehicle rule is an instructive predictor of what happens to an industry after a national-security gate drops.

Regulators narrow scope to the systems that matter most—the control plane, connectivity and autonomy-enabling software. Timelines and carve-outs become the mechanism to avoid mission failure while the supply chain reorients. Compliance hardens into assurance documentation that migrates into procurement.

The implementation of drone regulation will likely echo the connected vehicle rule’s focus on specific systems, using timelines and trying to avoid overburdening industry while still closing national security exposure. The most practical takeaway is that compliance is becoming the commercial language of trust for networked autonomy.