Cybersecurity meets geopolitics

Munich, May 2025

How the sourcing of connected vehicles must evolve to sidestep the US sales ban and technology restrictions

TENSIONS AMONG MAJOR GLOBAL POWERS ARE RISING. SIMULTANEOUSLY, MODERN VEHICLES ARE EVOLVING, INTEGRATING MORE SOPHISTICATED SYSTEMS AND CONNECTIVITY, ALONG WITH AN EXPANDING SUITE OF ADVANCED TECHNOLOGIES INCLUDING THE LATEST ADVANCED DRIVER ASSISTANCE SYSTEMS (ADAS). SOME COUNTRIES AND MARKETS ARE INCREASINGLY CAUTIOUS ABOUT ADOPTING ADVANCED TECHNOLOGIES DEVELOPED ABROAD WITHOUT RIGOROUS EVALUATION AND APPROVAL PROCESSES. CONCERNS RANGE FROM POTENTIAL SAFETY ISSUES TO BROADER SECURITY ISSUES SUCH AS THE RISK OF THESE SYSTEMS BEING EXPLOITED AS ENTRY POINTS FOR LARGE-SCALE CYBER THREATS.

REGULATORY SHOCK: THE U.S. CONNECTED-VEHICLE BAN

The newly signed “Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles” (RIN: 0694-AJ56) cybersecurity regulation took effect on March 17, 2025, preventing Chinese and Russian connected vehicle manufacturers from selling and importing connected passenger cars and technology into the US. As a result, OEMs and suppliers face the potential loss of a key market for many of their products. Sales and import bans will start affecting passenger cars with a model year of 2027 and may extend to commercial vehicles with similar upcoming rules.

“Today, we are taking strong action to protect Americans against these national security risks by safeguarding our critical infrastructure and automotive supply chain. President Biden has been clear: we will not hesitate to take needed action to protect the safety of the American people,” said US National Security Advisor Jake Sullivan.

GEOPOLITICS TAKES THE CENTER STAGE

MAJOR AUTOMOTIVE REGIONS USE REGULATION AS A TOOL TO SHAPE THE FUTURE OF AUTOMOTIVE IN LINE WITH THEIR OWN AMBITIONS.

Even before the now infamous “Liberation Day” of US tariff announcements, the peak of economic integration between China and the US appears to be behind us. Over recent years, foreign direct investment (FDI) as well as the share of imports from China into the US have been declining. The same trend holds true for the share of US treasuries held by China. While these economic ties weaken, China’s lead over the US in terms of GDP continues to widen, at least if GDP is adjusted for purchasing power. Indeed, PPP-adjusted GDP may be more relevant than nominal GDP for capturing the evolving relationship between the US and China. After all, if China were to continue ramping up its defense spending so that its economic power is backed up by military capabilities, most defense manufacturing can be expected to be done domestically.

Source: Berylls by AlixPartners

Mirroring these trends, the USA and China increasingly perceive each other as adversaries, decreasing their dependency on each other especially in critical strategic areas, e.g., through tariffs, subsidies and regulation. This trend is now gaining new urgency and importance, as China has resorted to controlling exports of rare earths in response to the ongoing US tariff escalation.

LOCALIZATION TUG-OF-WAR: OEM FOOTPRINTS UNDER PRESSURE

Production “in China for China” has historically been a common mantra for international automotive OEMs. This trend was initially driven by the Chinese requirement to engage in joint ventures to sell into the Chinese market. Now this mantra is increasingly reiterated, in no small part due to raised expectations among local consumers. After years of strong support for local electric vehicles by the Chinese government, Chinese customers have come to expect more than what is typically offered outside of China.

Local US production was similarly pushed through loans and tax credits and, in particular, by the 2022 Inflation Reduction Act. This is a natural continued focus for the second term of President Trump, fitting the public statements made so far. Meanwhile, the European Union is increasingly following suit on its own terms. For example, the EU pushed for a local competitive battery manufacturing ecosystem (“European Battery Alliance”) and announced tariffs on Chinese electric vehicles in October 2024.

EU’S BALANCING ACT: DE-RISKING WITHOUT DECOUPLING

On the diplomatic front, however, signs have been accumulating over recent years that the EU and China will deepen their collaboration. The clearest sign so far was an interview by French president Macron on his way home from a trilateral meeting among France, the EU and China. President Macron explicitly called for European autonomy to acquire the strategic option to not be pulled militarily into a US-China conflict regarding Taiwan. This French push for greater military autonomy has now gained traction within EU politics, especially after the US decided to pause military aid and intelligence sharing for Ukraine. In parallel, China has been supporting the French stance for greater EU autonomy and has repeatedly agreed to increased investments in the European automotive sector.

Source: Berylls by AlixPartners

The EU, represented by President von der Leyen, appears to push for a nuanced strategy towards China. As early as 2023, von der Leyen rejected decoupling from China. Instead, the EU intends to “de-risk” its relationship with China by reducing dependency in critical areas such as raw materials. Chinese investments, such as those in EU automotive plants, are explicitly welcome – to quote from an official statement from May 2024 directed at President Xi: “Our market is and remains open to fair competition and to investments, but it is not good for Europe if it harms our security and makes us vulnerable.” In line with this continued policy, BYD, a Chinese company, invested in Hungary in December 2023 and is currently reported to be considering another EU plant in Germany.

Source: Berylls by AlixPartners

This relationship between the EU and China has the potential to deepen further over time and automotive may play a key role. Paradoxically, this deepening may happen not despite the Ukraine war but because of it.

China has been consciously building up immense industrial production capacity to a degree that makes exports inevitable. Meanwhile, the EU is faced with rising pressure to ramp up its defense sector. If the EU simply keeps its automotive market open to China, EU consumers stand to benefit from cheap cars and the defense industry from improved access to manufacturing talent. The alternative is a rising risk of returning inflation through wage competition with the defense sector, similar to the ongoing economic developments in Russia.

Early signs of this complementary relationship between automotive and defense are already manifesting. Volkswagen is scaling down its production in several plants, not least due to intense competition with Chinese EV manufacturers. At least one of these affected plants, Osnabrück, may now be used by Rheinmetall for defense manufacturing. The potential pattern is as simple as it is supported by geopolitical trends – an increasing automotive market share held by Chinese OEMs frees up manufacturing capacity for European defense.

CYBERSECURITY REGULATION: ECONOMIC WEAPON OF CHOICE

Cybersecurity regulation will increasingly play a key role in determining how the ongoing global reshuffling will eventually play out economically. The latest US decisions effectively prevent China from using revenue from the US market to grow the Chinese manufacturing footprint. Beyond that, the US also uses regulation to create significant obstacles for other economies to continue to integrate their automotive industries with China. After all, cars produced with China would be banned from sale in the US car market.

Source: Berylls by AlixPartners

A reduction of economic ties between the US and China is a given, escalating trend. How authorities and car companies from the EU, Japan, South Korea and other major automotive markets will respond to these unfolding developments remains to be seen. While several scenarios are feasible, it has been the consistent policy of the EU to remain open to economic collaboration with both the US and China. At the same time, the US and China each appear to expect benefits from walling off one another from strategic areas of the economy. Since “Liberation Day”, the world’s two major economies have moved from mutual de-risking to a path of full decoupling. At tariff levels above 100%, trade would reach insignificant levels fast. The latest exemptions for several critical types of electronics for now are designed as transitional measures, allowing major US companies to build up alternative routes of supply.

The key factor will be how the EU and other major economies navigate the US-China divide. US tariffs put immense pressure on China to find new export markets.

China is highly incentivized to make concessions to the EU and other major non-US economies in exchange for improved market access. The steep “reciprocal” US tariffs announced for 60 countries may further increase the appeal of collaborating with China economically. At the same time, the Trump administration has been searching for ways to build up leverage towards its traditional economic and military allies. When the time is right – for example when the 90-day pause for “reciprocal” tariffs is over – the US administration could use its bargaining power to bind economies to the US.

We are in the middle of a transformation from globalization to regionalization. It will be treaties and regulations that will decide which regions form and last. Given the foreign policy pivot by the US White House towards Canada, Panama, Greenland and Mexico, the US may already be well on track to embrace this shift head on. Diplomatic signals and efforts over the next weeks and months will determine how this ongoing transformation will take form.

THREE CYBERSECURITY PLAYBOOKS: U.S., UN/EU & ISO/SAE

CYBERSECURITY EMERGES AS AN AREA OF REGULATION THAT IS AS SENSITIVE AS IT IS POWERFUL. IT DETERMINES HOW AND BY WHOM PRODUCTS AND SERVICES WILL BE DEVELOPED GOING FORWARD IN AUTOMOTIVE AND BEYOND. 

It is generally agreed that the broad increase in technological capabilities in vehicles could present risks to consumers and even have national security implications. However, there have been wildly differing approaches to mitigating this risk across the world’s major automotive markets. The US is just now beginning to implement new rules. Meanwhile, there have been UN regulations and ISO/SAE standards focused on mitigating the increasing risk from software defined vehicles for a few years now. It is useful to compare these three approaches to help understand how different countries and standards bodies are working to mitigate risks.

The new US rule, “Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles” (RIN: 0694-AJ56), focuses on mitigating national security risks posed by foreign adversaries, particularly China and Russia, in the connected vehicle supply chain. This rule prohibits transactions involving connected vehicle hardware and software from these countries, aiming to protect sensitive data and prevent potential cyber threats. The rule emphasizes safeguarding US national security by ensuring that connected vehicle technologies are free from foreign manipulation.

In contrast, the UNECE Cybersecurity Vehicle Regulation (UN Regulation No. 155) provides a comprehensive framework for managing cybersecurity risks in vehicles globally. It mandates that manufacturers implement measures across four key areas: managing vehicle cyber risks, securing vehicles by design, detecting and responding to security incidents, and ensuring safe and secure software updates. This regulation applies to all new vehicle types in the EU from July 2022 and all new vehicles from July 2024. It aims to create a harmonized approach to vehicle cybersecurity, ensuring that vehicles are protected against cyber threats throughout their lifecycle. 

ISO/SAE 21434, on the other hand, is a standard that specifies engineering requirements for cybersecurity risk management in road vehicles. It covers the entire life cycle of electrical and electronic systems, from concept and development to production, operation, and decommissioning. The standard provides a common language and framework for managing cybersecurity risks, helping manufacturers integrate cybersecurity into their engineering processes. Unlike the US rule, which targets specific foreign threats, ISO/SAE 21434 focuses on establishing robust cybersecurity practices within the automotive industry globally.

Underpinning these three types of cybersecurity policies are different visions and priorities for the future of automotive. Both ISO/SAE and the latest UN regulation adopted by the EU focus on establishing a level playing field where in principle any OEM can continue to sell cars if cybersecurity rules are followed.

US ICTS REGULATION: NATIONAL SECURITY ABOVE ALL

THE EMERGING US REGULATION FOCUSES LESS ON SPECIFIC SAFETY AND SECURITY CONCERNS AND MORE ON MITIGATING ANY POTENTIAL NATIONAL SECURITY THREATS FROM COUNTRIES DEEMED FOREIGN ADVERSARIES.

 
The new rule published by the US Department of Commerce’s Bureau of Industry and Security (BIS) establishes regulations and procedures to address national security risks. Specifically, the intent is to handle risks stemming from transactions involving information and communications technology and services (ICTS). In this final rule, BIS prohibits transactions involving Vehicle Connectivity System (VCS) hardware and covered software designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China, including the Hong Kong Special Administrative Region and the Macau Special Administrative Region, (PRC); or the Russian Federation (Russia).

Source: Berylls by AlixPartners

ADOPTED ICTS RULES: DEADLINES AND IMPLICATIONS

The final rule on connected passenger cars as adopted has far-reaching consequences. The main implications for OEMs and importers of connected vehicles as well as for tier one and tier two suppliers of connectivity hardware are:

  • Starting in 2027, the rule prohibits the import of VCS hardware or connected vehicles containing such hardware, and the import and sale of vehicles containing VCS or ADS software, with a sufficient nexus to the PRC or Russia. VCS is defined as the set of systems that allow the vehicle to communicate externally, including telematics control units, Bluetooth, cellular, satellite, and Wi-Fi modules. ADS includes the components that collectively allow a highly autonomous vehicle to operate without a driver.    
  • The software-related prohibitions will take effect for Model Year 2027. The hardware-related prohibitions will take effect for Model Year 2030, or January 1, 2029, for units without a model year. Prohibitions on the sale of connected vehicles by manufacturers with a sufficient nexus to the PRC or Russia, even if manufactured in the United States, take effect for Model Year 2027.  

Excluded is software that is firmware, fully open-source or used for lower risk functions. Such lower risk functions include sensing (e.g., for LiDAR, radar, and cameras), power provision, physical car access, satellite navigation, and in-car radio.

Source: Berylls by AlixPartners

Each of these provisions currently targets passenger cars; a similar regulation for commercial vehicles is expected to be released in the future.

These terms have several far-reaching consequences, including:

  • FOREIGN ACQUISITION AND INFLUENCE: OEMs and suppliers must carefully consider whether to accept any Chinese or Russian ownership or other influence as defined by US regulators. Such actions could result in a company being banned from selling its connected cars, connectivity components or connectivity software in the USA.
  • END-TO-END CYBERSECURITY: Every OEM and supplier producing connected cars or vehicle connectivity hardware for the US market must evaluate its supply chain. It must be ensured that connectivity components do not involve entities owned or influenced by China (or Russia).
  • GLOBAL TECHNOLOGY STRATEGY: OEMs should rethink the technology strategy for China, the USA and the EU. A natural goal would be to maximize global synergies and competitiveness (within the legal limits set by the US and other governments), while retaining strategic and operational flexibility. Such flexibility is needed in case the decoupling of China (and potentially the US) proceeds further.

DECLARATION VS AUTHORIZATION: CHOOSING YOUR COMPLIANCE PATH

Overall, this new ICTS regulation specifies two ways in which connected cars and connectivity hardware could be sold in the US going forward:

DECLARATION: For each supplier, declare conformity with the new regulation by certifying that the relevant connectivity hardware and software was not designed, developed, manufactured, or supplied by individuals or organizations (“persons”) owned by, controlled by, or subject to the jurisdiction or direction of the People’s Republic of China or Russia

or

AUTHORIZATION: Apply for an exception through an authorization that is planned to be granted in rare cases for special circumstances

CYBERSECURITY AS A COMPETITIVE ADVANTAGE – NOT JUST A REGULATORY OBLIGATION

ALL REGULATION ASIDE, VULNERABILITIES IN ADVANCED TECHNOLOGY PUT COMPANIES AND CONSUMERS AT RISK MORE THAN EVER. THE POTENTIAL FOR DATA BREACHES, PRIVACY VIOLATIONS AND OTHER VULNERABILITIES MUST BE IDENTIFIED AND MITIGATED ACROSS THE AUTOMOTIVE VALUE CHAIN.


While today’s consumers seem to have an endless appetite for the latest technology and often appear more willing to trade some level of privacy and risk for the latest features, the automotive industry must continue to strike the increasingly difficult balance of offering the latest technological enhancements while at the same time adhering to a complex web of worldwide data privacy regulations.

Potential violations of privacy and data breaches could be used by foreign countries to harm or influence local companies, private citizens and government officials. For example, movement patterns of specific individuals could be analyzed. The analysis of such sensitive data then could potentially enable a broad range of risks from blackmail to espionage, corruption and physical attacks.

Each automotive player, from supplier to manufacturer, has a strong responsibility to prevent such incidents in the future. The harm and public backlash in case of flawed cybersecurity can be incalculable, also given the current international environment.

RECOMMENDED COURSE OF ACTION

Regarding the upcoming ICTS regulation specifically, AlixPartners recommends the following steps:

  • Create transparency about current risks arising from the ICTS regulation
    • Assess what part of the vehicle portfolio is affected
    • Determine which revenue projections are tied to the affected vehicles
    • Identify quick wins, e.g., by adapting the design and sourcing of vehicles still in development
    • Analyze the relevant components and suppliers for these affected vehicles
  • Design countermeasures for each affected vehicle model, component and supplier in alignment with any ongoing initiatives such as internal work done by preventative supplier management
  • Constantly monitor industry developments for a quick response to relevant changes and update the internal processes to handle future cybersecurity developments internally

In times of rapid transformation and geopolitical turbulence, a clear plan and decisive action are required. AlixPartners is ready to support you on this journey.

Notes:

ADS: Automated Driving Systems
ICTS: Information and Communications Technology and Services
VCS: Vehicle Connectivity Systems

Authors

Malte Broxtermann, Partner
Nate Morin, Director
Timo Krall, Project Manager
Sundeep Kang, Vice President

Malte Broxtermann

Malte is an expert in the development and implementation of automotive digitization strategies.

He focuses on helping clients scale (generative) artificial intelligence to improve their bottom line across the entire automotive value chain. His primary customers are automotive manufacturers and their suppliers, especially those active in the Software-Defined-Vehicle space.

Before his time at Berylls by AlixPartners (formerly Berylls Strategy Advisors), he advised leading North American utility companies. Prior to that, he saved lives as an emergency medical technician. Malte holds master’s degrees in economics from Maastricht University and Queen’s University in Canada.