Search for:

On May 26, 2022, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule (the “Final Rule”) updating the scope of License Exceptions Authorized Cybersecurity Exports (“ACE”) and Encryption Commodities, Software, and Technology (“ENC”) related to cybersecurity items in response to public comments on the interim final rule related to cybersecurity items published on October 21, 2021.  The interim final rule established a new control on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons and created License Exception ACE in Section 740.22 of the Export Administration Regulations (“EAR”), which authorizes exports of identified cybersecurity items to most destinations except in certain circumstances.

The Final Rule makes the following revisions to the EAR, as follows:

  1. An illustrative list of “Government end users” was added to License Exception ACE, which includes (i) international government organizations, (ii) government-operated research institutions, (iii) “more-sensitive government end users,” (iv) “less-sensitive government end users” (as both of these terms are already defined in Section 772.1 of the EAR), and (v) utilities, transportation hubs and services, and retail or wholesale firms wholly or partially operated or owned by a government or governmental authority.
    • “Partially operated or owned by a government or governmental authority” means that a foreign government owns or controls, directly or indirectly, 25 percent or more of the voting securities of the foreign entity or a foreign government or governmental authority has the authority to appoint a majority of board members of the foreign entity.
  2. In respect of exports of “digital artifacts” (related to a cybersecurity incident involving information systems owned or operated “government end user”) to “government end users” in Country Group D, License Exception ACE has been narrowed to only allow for such exports to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 and only for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
  3. A new end use restriction was added to License Exception ENC in Section 740.17(f) of the EAR such that ENC is not authorized for the following items if an exporter “knows” or has “reason to know” that the following items will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization of the owner, operator, or administrator of the information system:
    • “Cryptanalytic items,” classified in ECCNs 5A004.a, 5D002.a.3.a or c.3.a, or 5E002;
    • Network penetration tools described in Section 740.17(b)(2)(i)(F) of the EAR, and ECCN 5E002 technology therefor; or
    • Automated network vulnerability analysis and response tools described in Section 740.17(b)(3)(iii)(A) of the EAR, and ECCN 5E002 technology therefor.

BIS considered this change necessary to prevent evasion of one of the end-use restrictions in License Exception ACE, i.e., by adding cryptographic or cryptanalytic functionality to a cybersecurity item and exporting, reexporting, or transferring (in-country) the resulting item under License Exception ENC.

The authors acknowledge the assistance of Eweosa Owenaze in the drafting this post.

Author

Paul Amberg is a partner in Baker McKenzie’s Madrid office, where he handles international trade and compliance issues. He advises multinational companies on export controls, trade sanctions, antiboycott rules, customs laws, anticorruption laws, and commercial law matters.

Author

Lise Test is an of counsel in the Firm’s International Trade Group in Washington, DC and practices in the area of international trade regulation and compliance — with emphasis on US export control laws (Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR)), trade sanctions, and anti-boycott laws. Ms. Test advises clients on issues relating to product classifications, licensing, regulatory interpretations, risk assessments, enforcement actions, internal investigations and compliance audits, as well as the design, implementation, and administration of compliance programs. Ms. Test works regularly with companies across a wide range of industries, including the pharmaceutical/medical device, telecommunications, manufacturing, and technology sectors. She joined the Firm as a summer associate in 2007 and became a full-time associate in 2008. Prior to joining Baker McKenzie, Ms. Test served as a lawyer at the Danish Ministry of Defence.

Author

Taylor Parker is an associate at Baker McKenzie's Chicago office and a member of the International Commercial group. Taylor leverages her background in governmental affairs, public health and the private business sector to provide global clients with coordinated solutions to international transactions and issues.