This is the seventh in a series of Covington blogs on implementation of Executive Order 14028, “Improving the Nation’s Cybersecurity,” issued by President Biden on May 12, 2021 (the “Cyber EO”).  The first blog summarized the Cyber EO’s key provisions and timelines, and the second, third, fourth, fifth, and sixth blogs described the actions taken by various government agencies to implement the EO during June, July, August, September, and October 2021, respectively.  This blog summarizes the key actions taken to implement the Cyber EO during November 2021.

Although most of the developments in November were directed at U.S. Government agencies, the standards being developed for such agencies could be imposed upon their contractors or otherwise be adopted as industry standards for all organizations that develop or acquire software.

Continue Reading November 2021 Developments Under President Biden’s Cybersecurity Executive Order

Last week, the office of Acting FCC Chairwoman Jessica Rosenworcel released a draft Notice of Inquiry (NOI) regarding spectrum availability and requirements to support the growth of Internet of Things (IoT).  The FCC will consider this NOI, which is intended to collect information and does not propose rules, in its next Open Commission Meeting scheduled for September 30, 2021. This proposed NOI is the latest in a series of FCC actions that will affect the future deployment of IoT products and services in the United States.

Continue Reading IoT Update: FCC to Open Inquiry into Spectrum Needs for Growth of the Internet of Things

NHTSA recently issued a First Amended Standing General Order requiring electronic portal submission of crash incident data for automated and semi-autonomous vehicles. As of August 12, 2021, automated motor vehicle manufacturers, motor vehicle equipment manufacturers, and operators will be required to report and upload crash incident data within 24 hours to the NHTSA Incident Report Portal. The 24-hour crash incident reporting requirement is in effect for three years from the date of issuance of the Standing General Order (“SGO”), until June 29, 2024.

The First Amended Standing General Order supersedes but does not substantively change the requirements of NHTSA’s initial SGO, which NHTSA served on 108 major OEMs, robotics, electronics, AI, rideshare, and software companies on June 29, 2021. The SGO applies to manufacturers and operators of motor vehicle equipment and motor vehicles equipped with (i) SAE Level 2 advanced driver assistance systems (“ADAS”), which includes common safety features such as adaptive cruise control and lane-keeping assistance, and (ii) SAE Levels 3-5 automated driving systems (“ADS”) (conditional to full driving automation).

The First Amended SGO and SGO are early demonstrations of NHTSA’s more aggressive regulatory and enforcement oversight of automated and semi-autonomous vehicles under Biden administration leadership. For the first time, NHTSA has imposed reporting obligations solely through regulatory action rather than as a result of a Congressional mandate. The 24-hour timeline for reporting is also a swifter timeline than Part 573 safety defect and noncompliance reporting under the Motor Vehicle Safety Act, and the monthly reporting requirement (even in the absence of crash incident data) is a swifter timeline than quarterly early warning reporting requirements under the TREAD Act. NHTSA also determines through the Orders that ADS and ADAS constitute “motor vehicle equipment” subject to regulation under the Motor Vehicle Safety Act.

The SGO also provides three limited exceptions to public disclosure of the incident reports based on confidentiality claims under Part 512. The Order’s guidance signals a greater transparency approach to public safety information.

Who is Responsible for Reporting?

The SGO requires vehicle and equipment manufacturers and operators to report certain crashes that occur while the ADS or Level 2 ADAS is engaged, or immediately after it is in use, and to provide sufficient information for NHTSA to identify crashes warranting further follow-up. As with other reporting requirements, the SGO does not prioritize reports between manufacturers and other reporting entities. The SGO’s imposition of reporting requirements on operators as well as vehicle manufacturers, and its determination that ADS and Level 2 ADAS constitute “motor vehicle equipment,” reflect a more expansive assertion of NHTSA authority over technology companies that supply automated systems to vehicle manufacturers.

Which Crashes Trigger Reporting?

Each incident that meets the following criteria requires submission of an incident report by a manufacturer and operator within one day of each entity learning of a crash, and an updated report within ten days:

  • The crash occurred on a publicly accessible road in the United States;
  • The ADS or ADAS was engaged at any time during the 30 seconds immediately prior to the crash through the conclusion of the crash; and
  • The crash resulted in a hospital-treated injury, a fatality, a vehicle tow-away, or an air bag deployment, or involved a vulnerable road user (e.g., a pedestrian or cyclist).

Additionally, every month, companies must report all other crashes of an ADS or Level 2 ADAS-equipped vehicle that involve injury or property damage. If no crashes occur in any given month, reporting entities must submit a monthly incident report confirming the lack of any reportable information.

What Information is Collected and Disseminated?

The initial reports must include information on the reporting entity, vehicle, incident (date, time, scene, and crash severity details), and post-crash activities and data availability. NHTSA plans to review the reports to identify crashes for further follow-up, including potential Special Crash Investigations or requests for further information, such as Event Data Recorder data. NHTSA may also open defect investigations, as warranted.

The Order preemptively identifies the limited scope of information to be afforded confidential treatment, including: (1) the version of the ADAS/ADS with which a vehicle is equipped; (2) whether the vehicle was within its operational design domain at the time of the incident; and (3) the defect narrative.

If you have any questions concerning the material discussed in this blog post, please contact the following members of our Connected and Autonomous Vehicles practice:

Sarah Wilson: +1 202 662 5397
Jennifer Johnson: +1 202 662 5552
Rebecca Yergin: +1 202 662 5935
Olivia Dworkin: +1 424 332 4817
Nira Pandya: +1 650 632 4724

This post is a part of Covington’s CAV blog series, which covers CAV developments across the world. To access prior CAV blog posts and webinars and to learn more about our team and our work, please visit Covington’s CAV website.


In this update, we detail the key legislative developments in the second quarter of 2021 related to artificial intelligence (“AI”), the Internet of Things (“IoT”), connected and automated vehicles (“CAVs”), and federal privacy legislation.  As we recently covered, on May 12, President Biden signed an Executive Order to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by removing obstacles to sharing threat information between private sector entities and federal agencies and modernizing federal systems.  On the Hill, lawmakers have introduced a number of proposals to regulate AI, IoT, CAVs, and privacy.

Continue Reading U.S. AI, IoT, CAV, and Privacy Legislative Update – Second Quarter 2021

Last Thursday, the Federal Communications Commission (“FCC”) announced that it will consider a Report and Order at its June 21, 2021 open meeting that would permit the importation and conditional sale of radiofrequency (RF) devices prior to obtaining equipment authorization in some circumstances.  The consumer electronics industry has advocated for this rule change, which will facilitate pre-sales and other marketing of new devices in the marketplace.

If adopted, the Report and Order would afford manufacturers and developers of RF devices significant flexibility in conducting pre-sale activities and potentially reduce the time required to deliver devices to market.  These revisions represent a significant change to the FCC’s equipment and marketing rules and bring the FCC’s equipment marketing and pre-sales regime in line with many other industries.

Continue Reading FCC Set to Ease Rules that Have Limited Pre-Sales and Other Marketing of Some New Electronic Devices

In Episode 12 of our Inside Privacy Audiocast, together with special guest Advocate Pansy Tlakula, Chairperson of the Information Regulator of South Africa, we discussed the Information Regulator’s mandate and the implementation of data protection legislation in South Africa.  Now, with less than a month to go before South Africa’s Protection of Personal Information Act, 2013 (“POPIA”) takes full effect on July 1, 2021, it is critical for organizations operating in South Africa to ensure that they are ready, if and when the Information Regulator comes knocking.

It is only when organizations start their POPIA journey that they realize just how wide the POPIA net is cast, and that very few businesses fall outside of its reach.  The road to POPIA compliance should be viewed as a marathon, and not a sprint.  While implementing and maintaining an effective POPIA compliance program will take continued effort and resources well beyond the July 1, 2021 go-live date, here we outline five steps to which companies subject to POPIA should give their attention in the short term.

Continue Reading Final Countdown to POPIA Compliance: Five Critical Steps to Take Before July 1st, 2021

Acting Chairwoman Jessica Rosenworcel has announced that at its next monthly public meeting on June 17, the Federal Communications Commission (“FCC”) will kick off a process to change its equipment authorization rules and competitive bidding procedures to address national security threats.

The draft Notice of Proposed Rulemaking (“NPRM”), released Thursday, proposes changes to the FCC’s rules on equipment authorization that could restrict and revoke the authorization of devices determined to pose a threat to national security—effectively banning them from the U.S. marketplace.  The NPRM also proposes updates that would effectively require parties bidding for spectrum licenses or FCC broadband funding to certify that they will not rely on financial support from entities designated by the FCC as a national security threat.

Continue Reading FCC Announces New Efforts to Block “Insecure Devices” from the U.S. Market

In April 2021, the European Commission released its proposed Regulation Laying Down Harmonized Rules on Artificial Intelligence (the “Regulation”), which would establish rules on the development, placing on the market, and use of artificial intelligence systems (“AI systems”) across the EU. The proposal, comprising 85 articles and nine annexes, is part of a wider package of Commission initiatives aimed at positioning the EU as a world leader in trustworthy and ethical AI and technological innovation.

The Commission’s objectives with the Regulation are twofold: to promote the development of AI technologies and harness their potential benefits, while also protecting individuals against potential threats to their health, safety, and fundamental rights posed by AI systems. To that end, the Commission proposal focuses primarily on AI systems identified as “high-risk,” but also prohibits three AI practices and imposes transparency obligations on providers of certain non-high-risk AI systems as well. Notably, it would impose significant administrative costs on high-risk AI systems of around 10 percent of the underlying value, based on compliance, oversight, and verification costs. This blog highlights several key aspects of the proposal.

Continue Reading European Commission Proposes New Artificial Intelligence Regulation

On May 12, the Biden Administration issued an “Executive Order on Improving the Nation’s Cybersecurity.”  The Order seeks to strengthen the federal government’s ability to respond to and prevent cybersecurity threats, including by modernizing federal networks, enhancing the federal government’s software supply chain security, implementing enhanced cybersecurity practices and procedures in the federal government, and creating government-wide plans for incident response.  The Order covers a wide array of issues and processes, setting numerous deadlines for recommendations and actions by federal agencies, and focusing on enhancing the protection of federal networks in partnership with the service providers on which federal agencies rely.  Private sector entities, including federal contractors and service providers, will have opportunities to provide input to some of these actions.

Continue Reading President Biden Signs Executive Order Aimed at Improving Government Cybersecurity

As has been widely reported, there is an ongoing global shortage of semiconductor chips that enable products and services throughout many sectors of the economy.  On Tuesday, the U.S. Federal Communications Commission (“FCC”) released a Public Notice seeking public comment on the impact of this chip shortage on the U.S. communications sector specifically.

The Public Notice does not propose new rules; rather, it seeks input from stakeholders in the communications sector to guide the FCC’s priorities and initiatives as it seeks to help build a more secure and resilient communications supply chain.  In issuing the Public Notice, acting FCC Chairwoman Jessica Rosenworcel pointed out that “these tiny pieces of technology are the basic building blocks of modern communications—including 5G, Wi-Fi, satellites, and more.”

Continue Reading FCC Seeks Input on Impact of Global Semiconductor Shortage