Two Stacks, Two Markets: The Connected Vehicle's Bloc-Level Software Split
Beneath the consensus narrative on EVs, autonomy and Mobility-as-a-Service, the connected-vehicle software stack is being structurally split along bloc lines: the US Connected Vehicles Rule's legacy software cutoff just passed in March 2026, with full prohibition effective from model year 2027, and the EU Cybersecurity Act is moving to designate connected vehicles a sensitive sector for vendor restriction.
The consensus narrative on Connected Transport in 2026 runs along familiar tracks: V2X enables smart mobility, software-defined vehicles are the platform of the future, autonomous freight scales before robo-taxis. Each is true. Underneath sits a more immediate development the consensus understates: the connected-vehicle software stack is being structurally split along bloc lines. The US Connected Vehicles Rule's legacy software cutoff passed on 17 March 2026; full software prohibition is effective from model year 2027 (vehicles produced from mid-2026); and the EU Cybersecurity Act is moving to designate connected vehicles a sensitive sector. The Alliance for Automotive Innovation calls this "one of the most consequential and complex auto regulations in decades", and the supply-chain rewiring is happening now.
Signal Identification
A regulatory disruption codifying a bloc-level split in the connected-vehicle software supply chain. The US Connected Vehicles Rule's hard deadlines have begun to land (17 March 2026 legacy cutoff already passed; MY2027 software prohibition next), the EU is moving toward parallel measures, and OEMs and tier-1 suppliers face a structural compliance and stack-architecture challenge.
What's Changing
The US Connected Vehicles Rule prohibits vehicles with covered software designed by entities subject to PRC or Russian jurisdiction; the legacy carve-out cutoff was 17/03/2026, after which any newly developed or maintained software loses the legacy exemption per DLA Piper (04/2026). Software prohibitions enforce against MY2027 vehicles, generally produced from mid-2026. Hardware prohibitions extend to MY2030 per the Bureau of Industry and Security (current).
Manufacturers must submit Declarations of Conformity to BIS at least 60 days before first importation or sale of each MY2027+ connected vehicle, certifying due-diligence on the entire software supply chain per Venable LLP (02/2026). The Alliance for Automotive Innovation calls this one of the most consequential auto regulations in decades because automakers must trace code through layers of vendors, subcontractors and licensed repositories that few have ever fully mapped per Auto Connected Car News (03/2026).
The EU is moving in parallel. The new EU Cybersecurity Act broadens the legal architecture for restricting market access for vendors deemed "high-risk" in sensitive sectors including connected vehicles, electricity, cloud and medical devices per The Diplomat (03/2026). China has warned of reciprocal measures against EU firms if Huawei or ZTE are penalised. The connected-vehicle stack is now a contested security category, not just a commercial one, per Insurance Journal (02/2026) reporting Bloomberg.
The US Connected Vehicles Rule, the regulatory clock
The first hard compliance deadline (legacy software cutoff) passed two months ago. Declarations of Conformity for MY2027 vehicles begin landing late 2026.
Disruption Pathway
The pathway runs in three overlapping stages. 2026-2027: US enforcement begins for MY2027 vehicles; OEMs that have not fully mapped their software supply chains face delivery delays and Declaration-of-Conformity rejections. 2027-2028: EU equivalent measures crystallise; tier-1 suppliers (Bosch, Continental, Aptiv, ZF) consolidate Western-stack offerings while Chinese tier-1s (Huawei Auto, ThunderSoft, ECARX) consolidate the China-domestic stack. 2028-2030: hardware prohibition extends to MY2030; the bloc-level architectural split codifies down to silicon and connectivity hardware.
Stresses concentrate in three pressure points. OEM platform economics: maintaining two parallel software stacks compresses the margin gains of software-defined vehicles, whose case rested on amortising one stack across global volume. Tier-1 supplier consolidation: vendors that can credibly attest to a clean Chinese-Russian-free supply chain win share; those that cannot lose access to the US market. National-security review timing: each MY2027 model now needs a 60-day pre-shipment Declaration of Conformity, slowing OEM time-to-market in the most lucrative single market.
Three adaptations are visible. Operationally, OEMs are running first-time software bills of materials (SBOM) audits, often discovering Chinese components they did not know were in their stack. Strategically, tier-1 suppliers are repositioning around the "compliance-attestable" stack; expect M&A consolidation through 2027. Architecturally, the model of one global software platform is giving way to region-specific stacks with a compliance overlay tracking which version ships to which market. The over-the-air update model has to absorb that fragmentation.
Why This Matters
For OEM CEOs, tier-1 supplier strategy teams, automotive investors and corporate-IT buyers in connected fleets, the consensus debate has been about EVs and autonomy, not the software supply chain underneath both. The bloc-level split forces a structural choice: maintain one global stack and lose access to either the US or China market, or maintain two stacks and absorb the cost. CFOs of OEMs should treat the software-supply-chain audit as a 2026 capital and disclosure issue. Tier-1 software suppliers should expect M&A activity and regulatory due-diligence intensification. For investors, the trade is long compliance-attestable Western tier-1 software, with explicit sensitivity to whether the EU's measures crystallise on schedule.
Decision-action posture: Prepare. Commit on named triggers: BIS rejects a major OEM's Declaration of Conformity for MY2027; the EU Cybersecurity Act formally designates connected vehicles a sensitive sector under the high-risk vendor framework; a Chinese OEM exits the US market entirely.
Counter-Argument
The strongest objection is that the Connected Vehicles Rule will be re-litigated, narrowed, or unevenly enforced. The BIS rule depends on ongoing Bureau resourcing and willingness to enforce; if a major OEM's Declaration of Conformity passes despite known Chinese-software components, the precedent weakens the rule. The EU's "China-free automotive" narrative is also called a myth by some legal commentators per Bird & Bird (2026), because EU law contains no general ban; it relies on case-by-case high-risk vendor designation that may move slowly. If both US enforcement and EU designation soften, the bloc split becomes more friction than fracture.
Implications
This is durable structural change. The cost of building two software stacks is now embedded in OEM platform economics for the rest of the decade; even if enforcement softens, the audit and SBOM infrastructure built under the rule does not get unwound. Compliance-attestable tier-1 software suppliers will accumulate share through 2027-2030; OEMs that move first on the supply-chain rewiring will retain US market access on schedule.
This signal is not an argument that connected vehicles are an EV-only story; the rule applies across powertrain. It is also not simply a US-China trade dispute; the EU's parallel architecture means this is a multi-bloc regulatory phenomenon with structural implications for any OEM with global ambitions. And it is not a claim that Chinese OEMs are excluded from the world; their addressable market shifts toward China-domestic plus belt-and-road export markets, with the US (and possibly the EU) walled off. Competing interpretations to hold: an EU enforcement softening could keep European markets effectively unified, or US enforcement could harden under bipartisan congressional pressure (the Moreno-Slotkin Connected Vehicle Security Act).
Early Indicators to Monitor
- BIS publicly rejects a MY2027 Declaration of Conformity from a major OEM, forcing disclosure of Chinese-software components.
- The EU formally designates connected vehicles a high-risk sector under the EU Cybersecurity Act vendor framework.
- A Western tier-1 supplier (Bosch, Continental, Aptiv, ZF) acquires a "compliance-attestable" automotive software firm.
- A Chinese OEM (BYD, Geely, NIO, Xpeng) publicly withdraws from or formally avoids the US market.
Disconfirming Signals
- BIS issues broad General Authorizations effectively diluting the rule's MY2027 enforcement.
- The EU Cybersecurity Act delays connected-vehicle vendor designation beyond 2028.
- A major OEM Declaration of Conformity passes despite known Chinese components without consequence.
- The US Congress fails to pass the Connected Vehicle Security Act, leaving enforcement to BIS resourcing alone.
Strategic Questions
- For OEMs: do you maintain two parallel software stacks, or exit one of the two largest connected-vehicle markets?
- For tier-1 suppliers: is "compliance-attestable to BIS" now the dominant procurement criterion, ahead of price and capability?
- For investors: which Western tier-1 software vendors are positioned to capture share from the bloc split, and what M&A premium do they warrant?
Keywords
Connected vehicles; software-defined vehicle; BIS Connected Vehicles Rule; covered software; Declaration of Conformity; bloc-level supply chain; EU Cybersecurity Act; Chinese OEMs; Tier-1 software; SBOM; vehicle cybersecurity; supply-chain audit
Bibliography
- Tier 2 Connected vehicles rule takes effect: covered software supply chain requirements. DLA Piper. 04/2026.
- Tier 2 BIS Connected Vehicle Rule Requires Vehicle Software to be Disconnected from China By March 17. Venable LLP. 02/2026.
- Tier 3 US Automakers Outing Chinese Code from Connected Cars Per Federal Anti-Chinese Code Rule. Auto Connected Car News. 03/2026.
- Tier 3 EU Cybersecurity Act: Increased Scrutiny of China-Based Supply Chains. The Diplomat. 03/2026.
- Tier 3 EU Needs Smart-Car Data Security Rules And Can Learn From China. Insurance Journal (reporting Bloomberg). 06/02/2026.
- Tier 2 The China-free automotive myth: what EU law really says. Bird & Bird. 2026.
- Tier 1 Connected Vehicles, Bureau of Industry and Security (rule overview and resources, structural anchor). US Department of Commerce, BIS. Current.
- Tier 3 Moreno, Slotkin Bill to Ban Chinese Vehicles, Connected Components from US Market. Senator Bernie Moreno (press release). 2026.