Latest regulatory changes reduce burden for software and technology companies under US export controls

On March 29, 2021, the US Commerce Department’s Bureau of Industry and Security (BIS) revised the US Export Administration Regulations (EAR) to implement export control changes agreed to by the United States and other members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, a group of 42 countries that seeks to harmonize global export licensing policy.

Among the more significant changes, BIS has revised the reporting obligations for the export, reexport, and transfer of encryption software and commodities and revised License Exception Encryption Commodities, Software, and Technology (ENC) in ways that are expected to reduce the regulatory burden on software and hardware developers under export controls. These changes may also impact mandatory filing determinations for foreign investments subject to review by the Committee on Foreign Investment in the United States (CFIUS).

Changes to encryption reporting requirements

The EAR impose controls on the export, reexport, and transfer of software and commodities that incorporate encryption, which includes nearly all software produced, developed, or hosted in the United States as well as many non-US software and hardware products. In most cases, companies can rely upon License Exception ENC to export, reexport, or transfer encryption products without seeking authorization from BIS.

Most encryption products (including both software and hardware) may be self-classified as Export Control Classification Number (ECCN) 5A002 (hardware) or 5D002 (software). Commodity encryption products that are generally available to the public at retail (or similar sales channels) and meet other criteria may be self-classified as “mass market” or ECCN 5A992 (hardware) or 5D992 (software). In these cases, companies have until now been required to submit an annual self-classification report to BIS and the National Security Agency listing all self-classified products that they exported or reexported during the previous year.

For more advanced or sensitive products – including network infrastructure items, non-public encryption source code, customized, non-standard, or open interface encryption, quantum cryptography, network penetration tools, network vulnerability/digital forensics items, public safety/first responder radios, ultra-wideband and spread spectrum items, and cryptanalytic items – companies must obtain a formal classification determination (known as a Commodity Classification Automated Tracking System or CCATS request) from BIS in addition to submitting semi-annual sales reports.

BIS has now reduced or eliminated these requirements for many mass market hardware and software products, as described below:

Impacts on business operations and investments

On their own, each of the above changes to the EAR provisions governing encryption items represents an incremental, although still significant, reduction in reporting burdens for industry. Collectively, however, these changes promise to significantly reduce regulatory burdens for some technology companies that regularly make use of License Exception ENC. The monitoring and preparation of these reports and CCATS requests proved to be a time-consuming and costly process for many companies. With the latest updates issued by BIS, companies should see the volume of their CCATS requests and self-classification reports decline substantially. Indeed, BIS estimates that these latest changes will reduce the number of encryption self-classification reports that are filed under License Exception ENC by approximately 60 percent.

These changes will also have an important impact on the CFIUS laws governing foreign investment in software and technology companies. As explained in more detail here, a filing with CFIUS for a covered foreign investment is mandatory where the US business is engaged with “critical technologies” (which include encryption items under ECCN 5A002 (hardware) and 5D002 (software)) that are subject to export licensing requirements to export to the country of the foreign investor. However, recent changes to the CFIUS regulations eliminated the requirement to file a mandatory declaration with CFIUS if, inter alia, the “critical technology” of the US business is eligible for export to the country of the foreign investor under Subsection (b) of License Exception ENC (15 C.F.R. § 740.17(b)). Anecdotal evidence suggests that this exception had resulted in a substantial increase in the number of CCATS ruling requests and related filings with BIS. With the latest changes to the EAR making it easier to use License Exception ENC without filing CCATS requests or self-classification reports, a greater number of investment transactions involving software and technology companies should now be exempt from CFIUS mandatory declaration filings.

As the above discussion illustrates, the relationship between the classification of software and technology under the US export control regulations and the requirements of the CFIUS regulations is complex. Companies and investors are well advised to carefully consider the application of these regulations to their portfolios and current and future investment plans. Software and technology companies that develop or otherwise engage with encryption hardware or software products should carefully review how these changes impact their reporting obligations.


[1] Non-standard cryptography generally includes proprietary or unpublished cryptographic functionality, including encryption algorithms or protocols that have not been adopted or approved by a duly recognized international standards body, such as IEEE, IETF, ISO, ITU, ETSI, 3GPP, TIA, and GSMA, and that have not otherwise been published.