Building for the Road Ahead: Regulatory Strategy and Investment in the AV Startup Era

The autonomous transportation industry represents one of the most consequential opportunities for market growth, but it is also one of the most heavily regulated emerging technology sectors. For startups navigating the rapidly evolving landscape of technology and regulation, understanding how policy shapes the industry is critical to staying competitive. Federal and state frameworks governing operating authority, insurance mandates, data collection and foreign investment are not static hurdles to be cleared at some future milestone but dynamic forces that shape a startup's competitive position, investor appeal and long-term viability from inception.

Adopting a proactive regulatory strategy at the outset can mean the difference between sustainable growth and costly setbacks. Early engagement helps companies anticipate regulatory challenges, align business models accordingly and deploy capital with greater confidence. The companies that will define this industry are those whose leadership understands that regulatory strategy and business strategy are, in this space, inseparable – and who build accordingly.

Regulation as a Strategy

That principle applies across the autonomous transportation ecosystem, from aviation and logistics to connected fleets, but it is especially visible in the autonomous vehicle (AV) sector, where the regulatory framework is already shaping market entry, technical design and commercialization strategy. State, federal and international regulators shape not only how AVs operate but also how they are built and how they must perform. More than 50 countries have introduced or are drafting AV legislation and policies to govern self-driving technology around the world. In the U.S., the current landscape is a dual-track system: Federal regulators oversee how vehicles are made and perform, while states oversee vehicle operation. Although the U.S. Congress is actively considering legislation that would support the large-scale deployment of commercial and passenger AVs, without an overarching federal framework delineating how this traditional model applies to AVs, companies must currently navigate a patchwork of state laws. As of 2026, more than 30 states have individual AV frameworks that vary widely in their requirements.

Understanding where state and federal regulators are likely to focus in both the short and long term is crucial for founders, investors and strategic partners. Future federal standards could establish performance requirements that dictate how AVs are built, validated and deployed. Companies therefore need to navigate the current regulatory landscape while anticipating what future federal standards may require. Companies that embed regulatory strategy into road map planning from day one move faster, raise funds more easily and avoid the costly pivots that can derail early-stage AV ventures. The following areas are where a regulatory strategy from the start is particularly critical to startup success.

Licensing and Operating Authority

Because states govern the operation of motor vehicles, state-level regulations are a key factor in determining how AVs are tested and operated across the U.S. More than 30 states have enacted their own AV laws or rules, and those frameworks vary significantly. Some states are more permissive, allowing testing or deployment with limited state preclearance. Others impose detailed permitting, reporting, documentation and safety-assurance requirements. These programs are changing and adapting in real time. As of May 2026, Texas now requires active authorization from the state Department of Motor Vehicles (DMV) for the commercial operation of AVs, signaling a broader shift toward more formalized oversight in states that were previously considered relatively permissive. California's DMV also finalized new regulations earlier this year introducing significant new safety and oversight requirements, including coverage of heavy-duty trucks for the first time, and shifting from disengagement reports to documentation of dynamic driving task system failures.

Though most of these states have a testing permit pathway, far fewer have mature structures for commercial deployments. If a company wants to test Level 4 or Level 5 vehicles without standard equipment such as steering wheels or pedals, it may need to petition the National Highway Traffic Safety Administration (NHTSA) for narrow, temporary exemptions unless an available exception applies. Understanding how to navigate these exemption and authorization processes can materially affect the timing, cost and feasibility of larger-scale deployments involving new and novel vehicle designs.

Even where state law permits deployment, cities can impose their own operating restrictions through traffic management, permitting and curb access rules. City-level friction is real and often underestimated. Startups need to understand not only formal state requirements but also local priorities around congestion, curb management, emergency response, labor impacts and public acceptance. Active engagement with city transportation officials, public safety agencies and community stakeholders can help ensure that operations are welcomed in the markets where a company intends to operate.

Reporting and Oversight

Wherever a company operates, there are reporting and registration requirements that startups need to navigate. On the federal side, companies may be required to submit complaint, warranty, property damage or crash-related information, and there are specific federal crash reporting requirements for AVs. On the state side, AV-specific reporting requirements vary widely. Some states require periodic safety reports, disengagement or failure-event reporting, collision notices or proof of insurance; others impose fewer AV-specific reporting obligations. Failure to report – or even a delay in reporting – can result in operating authority being paused or revoked or carry significant monetary penalties. At the federal level, in addition to NHTSA, a company may be overseen by the Federal Motor Carrier Administration (FMCSA), Federal Transit Administration (FTA) and U.S. Environmental Protection Agency (EPA). States and localities may also impose specific reporting requirements through state DMVs or departments of transportation, public utilities commissions, city governments and other agencies. It is crucial to know and understand what triggers a reportable incident, to whom it is reportable and when it needs to be reported under federal, state and city-specific testing programs.

Key to meeting those reporting requirements is having forward-looking processes for how companies collect and store information. Manual processes will not scale over time without significant additional investment, so companies should understand the full universe of reporting and retention requirements in potential markets before they launch operations. Beyond routine reporting requirements, if regulators – or Congress – ever open an investigation into a company, having the right structure in place will be key to meeting demands for information and building trust and confidence in the company's internal practices.

Liability and Insurance

Determining accountability when an AV crashes is one of the most unsettled areas and a genuine strategic variable to consider. States govern AV crash liability through a combination of traditional tort laws, product liability and specialized AV legislation. Some states have passed legislation that specifically deems the automated driving system (ADS) as the operator of the vehicle while engaged; other states have taken tiered approaches assigning liability differently for civil damages and traffic infractions. Liability can fall on manufacturers, software developers, fleet owners or operators, safety drivers or other third parties depending on where and how a crash occurs. It can differ drastically by jurisdiction and be particularly complex in states where responsibility is not clearly defined.

Liability can also arise from how a company portrays its operations. Both federal and state laws mandate that companies must substantiate their marketing claims so that consumers and investors are not misled about autonomous capabilities. Recent cases and class action suits moving through the legal systems in the U.S. and Europe have demonstrated the significant risk exposure companies face if they start to scale up without understanding the broader regulatory environment.

As the nature of liability shifts, traditional models of insurance are unlikely to be sufficient to cover AV operations. Some states (and countries) have mandatory insurance coverage requirements, both for testing and commercial operation. The complexity of the right insurance model multiplies if a company transports goods or people as part of its business model, enters regulated fleet operations or operates across multiple jurisdictions. Typical insurance policies may not account for a non-human operator and may not fully anticipate cybersecurity vulnerabilities that can render a vehicle immobile. Insurance coverage should not be treated as a check-the-box exercise; it should be aligned with the company's operating model, deployment jurisdictions, customer commitments and evolving liability profile.

Data Privacy and Cybersecurity

AVs collect large volumes of sensitive data, including camera, Light Detection and Ranging (LiDAR), location, passenger-behavior and, in some cases, biometric data. This creates regulatory obligations around collection, use, sharing, retention and security that should be addressed before data is collected at scale.

At the federal level, the Driver Privacy Protection Act and related vehicle-data laws shape access to certain vehicle records, and event data recorder data – often referred to as "black box" data – is subject to specific access limitations. The Federal Trade Commission also scrutinizes connected-vehicle data practices, particularly where companies collect, use, disclose or rely on sensitive data for automated decision-making. NHTSA has issued voluntary recommendations emphasizing transparency and consumer consent; although voluntary, these principles may influence future federal compliance obligations.

State privacy laws add another layer of complexity. More than 20 states have enacted comprehensive consumer privacy laws, and their requirements vary. California, for example, imposes data minimization, purpose limitation, opt-out and data broker registration obligations depending on how sensor data is used. Illinois imposes strict biometric privacy restrictions and provides a private right of action. At least 25 states also require private-sector businesses that maintain personal information to implement reasonable security procedures and practices. For startups testing or deploying across multiple states, privacy compliance can require tailored governance, policies, training and legal oversight by jurisdiction.

Cybersecurity risks extend beyond traditional data breaches. Malicious actors could interfere with vehicle systems, disrupt vehicle-to-infrastructure communications or disable fleets through ransomware. These incidents can trigger safety consequences, liability claims, regulatory investigations, privacy litigation and reputational harm. Proposed federal legislation would require manufacturers to develop written cybersecurity plans that identify and mitigate risks to vehicle systems and protect critical vehicle functions.

Failure to build data governance and cybersecurity into the company before data is collected at scale can create risks that are difficult and expensive to unwind. Companies that cannot explain what data is operationally necessary, what data is commercially valuable and what data is gratuitous may face greater regulatory scrutiny, weaker defenses in litigation and diminished leverage in commercial negotiations. If a company plans to sell or license driving data to third parties – such as mapping companies, insurers or municipalities – but lacks a consent framework that supports that use at the point of collection, it may later be forced to abandon revenue opportunities, redesign products or seek new consents from users who have already opted into a different set of expectations. Similarly, startups that lack documented incident-response plans, regular security audits, employee training, third-party penetration testing, vulnerability assessments or a formal Cybersecurity Management System may struggle to satisfy enterprise customers, municipalities, insurers or sophisticated investors, and may see security gaps become financing, contracting or deployment blockers rather than merely technical issues.

Foreign Supply Chains

There are also federal laws governing the use of foreign-backed or foreign-made materials in AVs. The U.S. Department of Commerce's Bureau of Industry and Security issued a final rule in 2025 prohibiting the importation and sale of completed connected vehicles and ADS software originating from entities under the control or jurisdiction of foreign adversaries – namely, China or Russia – and restricts the use of specific vehicle connectivity hardware developed, manufactured or supplied by foreign-adversary entities. Federal lawmakers are also currently considering legislation that would explicitly prohibit the importation, manufacture, sale or resale of connected vehicles, critical components and software linked to foreign adversaries, including China, Russia, North Korea and Iran. Other legislation moving through Congress would also prohibit the U.S. Department of Transportation from funding or using certain foreign-made LiDAR technology.

A related signal can be seen in the federal government's treatment of foreign-made drones. The Federal Communications Commission's (FCC) Covered List identifies communications equipment and services that pose an unacceptable national security risk, and Congress has considered measures that would place certain foreign-linked drones within that framework or otherwise restrict their authorization. Although the drone-specific covered-list regime does not directly apply to all AVs, it is important for autonomous technology startups to monitor because it shows how communications, sensor and mobility technologies can become subject to national security-based market-access restrictions. Companies seeking to stay outside those restrictions should be prepared to document ownership, control, software provenance, data flows, cybersecurity controls and supply chain integrity from inception rather than trying to reconstruct that record during an FCC, Commerce Department or investor review.

Investment Strategy

The investment environment for AV startups has improved materially from the more cautious period that followed the 2021 technology-market peak, but it has not returned to the broad, speculative funding cycle that characterized the first wave of autonomy. Capital is available – and in some cases available in very large amounts – but it is increasingly concentrated in companies that can demonstrate technical maturity, credible deployment pathways, regulatory traction and a plausible route to unit economics. Recent market data reflects that shift. AV startups raised a record level of capital in early 2026, driven by several multibillion-dollar financings, including Waymo's $16 billion round, Wayve's $1.5 billion round and Waabi's $1 billion round. But those headline figures can be misleading if read as a return to easy money. The more important point for founders is that investors are writing larger checks to fewer companies, and those checks are flowing disproportionately to platforms that appear close to commercialization, expansion or strategic integration with major mobility, logistics, defense or technology partners.

That concentration creates a bifurcated market. For later-stage companies with validated technology, substantial data assets, established safety cases and a credible plan for multimarket deployment, the funding environment can be favorable, particularly where investors believe the company can become a category leader or an indispensable infrastructure layer. For earlier-stage companies, however, the bar is higher. Pure research narratives are less compelling than they were several years ago. Investors are more likely to ask whether the company can narrow its operating domain, reduce capital intensity, access proprietary data, secure customer commitments and show that regulatory approvals, insurance coverage, cybersecurity controls and supply chain diligence can scale with the business.

The resulting financing strategy should be disciplined and milestone-driven. AV founders should resist the temptation to raise against a broad vision of generalized autonomy unless the company has the resources to support that vision. In the current market, a more financeable strategy often begins with a constrained use case: a defined geography, vehicle class, route structure, customer segment or operating design domain where the company can show measurable safety performance, repeatable operations and a clear economic advantage over human-driven or conventional alternatives. Autonomous trucking on specific freight lanes, low-speed shuttles in controlled environments, yard or depot automation, fixed-route delivery, industrial logistics, mapping and simulation tools, sensor software, validation infrastructure, fleet operations software and cybersecurity solutions may be more immediately financeable than open-ended consumer robotaxi models unless the startup can credibly support the capital demands of fleet ownership and city-by-city deployment.

Startups should also match the source of capital to the company's stage and operating model. Traditional venture capital may still be appropriate for core software, simulation, artificial intelligence, mapping, developer tools or other asset-light businesses with high gross-margin potential. Hardware-intensive or fleet-operating models may require a more layered capital stack, including strategic investors, customer prepayments, joint development agreements, equipment financing, project finance, venture debt, government grants and commercial partnerships that reduce the amount of equity capital required to reach the next milestone. Strategic investors can be particularly valuable in this sector because they may provide manufacturing support, vehicle platforms, sensor supply, fleet access, data, distribution, regulatory credibility or a launch customer. But those benefits come with tradeoffs. Exclusivity, rights of first refusal, most-favored-nation provisions, field-of-use restrictions, data rights and change-of-control limitations can materially affect future financing, commercialization and exit options. Founders should treat strategic capital as a commercial transaction, not simply a valuation event.

Because the AV sector is highly regulated, legal and regulatory readiness should be part of the financing story rather than a separate diligence exercise. Investors will increasingly evaluate whether the company has mapped its testing and deployment authorities, documented its safety case, implemented incident-reporting and data-retention processes, secured appropriate insurance, protected sensitive vehicle and customer data, and assessed foreign supply chain exposure. These issues affect valuation because they affect time to market. A startup that can show a credible regulatory road map, clean data rights, documented cybersecurity controls, and an auditable safety and compliance infrastructure is better positioned to raise capital on favorable terms than a company that treats those matters as post-financing implementation items.

Founders should also be realistic about runway and valuation. The current funding rebound does not mean that every company will be able to raise progressively higher values. The sector has already seen high-profile shutdowns, strategic pullbacks, restructurings and consolidation where technical progress did not translate quickly enough into commercial traction. In that environment, a smaller round that gets the company to a fundable milestone may be more valuable than an aggressively priced round that creates unrealistic expectations for the next financing. Milestones should be specific and financeable: a safety validation threshold, regulator-approved testing expansion, revenue-generating pilot, signed customer deployment, reduction in remote-assistance cost, demonstrated insurance framework, manufacturing or integration agreement, or measurable improvement in fleet utilization or unit economics. The company should know what proof point the next investor will need before it depletes the current round.

The most resilient AV financing strategies therefore combine ambition with staged proof. Companies should preserve optionality by avoiding overbroad exclusivity, protecting ownership of core intellectual property and data assets, structuring commercial partnerships so they remain compatible with future investors, and building compliance infrastructure before scale requires it. They should also be prepared for multiple possible exit paths. Public-market windows may reopen selectively for mature companies with revenue visibility, but many AV startups are more likely to exit through acquisition, strategic merger, asset sale, joint venture or platform integration. A startup that has clean governance, defensible technology, well-documented safety and regulatory practices, and a financing plan tied to commercial milestones will be better positioned in each of those scenarios. In short, capital is returning to autonomy, but it is disciplined capital. The companies most likely to benefit are those that can show not only that the technology works, but that the business can be financed, regulated, insured, deployed and scaled.

Practical Takeaways

Across every domain examined in this article, a consistent truth emerges: Regulatory missteps in the autonomous systems space tend to compound. Exposure that might have been structured around the seed stage can become a material issue in a Series B disclosure, and a permitting gap that seemed manageable in a single state can become an operational liability when commercial launch is on the horizon. The window to address these issues on favorable terms narrows as a company scales, which is why working with experienced counsel familiar with the unique risks and opportunities in this sector is an integral component of forming a resilient and scalable startup.

Below are some concrete steps that startups can take to reduce regulatory friction and preserve strategic flexibility as the company grows:

• Engage Regulators as Early Partners, Not Late Obstacles. State DMVs, city transportation departments, NHTSA and other relevant agencies all have formal and informal channels for engagement. Companies that brief regulators before filing applications, share safety information proactively and understand local concerns around congestion, curb management, emergency response, labor impacts and public acceptance are better positioned to obtain timely approvals and build credibility.
• Map Authority Before Market Entry. A common pitfall is assuming that one approval unlocks all operations. State AV permits, city-level operating rules, NHTSA exemptions, FMCSA operating authority, public utilities commission requirements, airport or transit permissions, FCC equipment rules, EPA obligations and consumer protection oversight may all be relevant depending on the business model. Companies should identify agency touchpoints before selecting launch markets or committing to deployment timelines.
• Align Insurance, Privacy, Cybersecurity and Supply Chain Diligence with the Operating Model. Insurance coverage should reflect whether the company transports people or goods, operates fleets, deploys across multiple jurisdictions or relies on non-human operators. Privacy and cybersecurity programs should be built before data is collected at scale, and supply chain diligence should address foreign-adversary exposure, software provenance, sensor sourcing and national security review risk.
• Treat Reporting and Auditability as Scalable Infrastructure. Every system log, safety test, incident report, software update and regulator-facing submission should be version-controlled, timestamped and retrievable. Manual processes may work during early testing, but they can break down quickly across multiple jurisdictions, especially when crash reporting, disengagement or failure-event reporting, insurance renewals, investor diligence, litigation and permit renewals converge.
• Finance Against Staged Proof, Not Generalized Autonomy. In the current funding environment, startups should tie each financing to concrete milestones that reduce technical, regulatory, commercial and operational risk. A constrained deployment use case, credible safety case, mapped operating authority, clean data rights, appropriate insurance, supply chain diligence, and customer or strategic-partner validation can make the difference between a promising technology story and a financeable business. Founders should also preserve flexibility by matching capital sources to the operating model, avoiding overbroad strategic-investor restrictions and structuring partnerships so they remain compatible with future rounds and exit paths.

Startups venturing into autonomous technologies face complex and dynamic regulatory demands that extend well beyond foundational business concerns. Keeping up with the evolving regulatory environment is essential to maintaining compliance, avoiding operational risk and preserving flexibility as business models evolve. But these issues are not simply barriers to manage; handled well, regulatory fluency can become a competitive advantage that shapes market entry, builds consumer trust, supports investment and helps technical innovation translate into durable commercial success. Advisors who can turn that fluency into practical business decisions, deal structures and agency engagement strategies can therefore be among the most valuable members of any founding team's extended network.

Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.