Latest Posts
Search for:

BIS Updates License Exceptions Related to Cybersecurity Items

By , and 3 Mins Read

On May 26, 2022, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule (the “Final Rule”) updating the scope of License Exceptions Authorized Cybersecurity Exports (“ACE”) and Encryption Commodities, Software, and Technology (“ENC”) related to cybersecurity items in response to public comments on the interim final rule related to cybersecurity items published on October 21, 2021.  The interim final rule established a new control on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons and created License Exception ACE in Section 740.22 of the Export Administration Regulations (“EAR”), which authorizes exports of identified cybersecurity items to most destinations except in certain circumstances.

The Final Rule makes the following revisions to the EAR, as follows:

  • An illustrative list of “Government end users” was added to License Exception ACE, which includes (i) international government organizations, (ii) government-operated research institutions, (iii) “more-sensitive government end users,” (iv) “less-sensitive government end users” (as both of these terms are already defined in Section 772.1 of the EAR), and (v) utilities, transportation hubs and services, and retail or wholesale firms wholly or partially operated or owned by a government or governmental authority.
    • “Partially operated or owned by a government or governmental authority” means that a foreign government owns or controls, directly or indirectly, 25 percent or more of the voting securities of the foreign entity or a foreign government or governmental authority has the authority to appoint a majority of board members of the foreign entity.
  • In respect of exports of “digital artifacts” (related to a cybersecurity incident involving information systems owned or operated “government end user”) to “government end users” in Country Group D, License Exception ACE has been narrowed to only allow for such exports to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 and only for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
  • A new end use restriction was added to License Exception ENC in Section 740.17(f) of the EAR such that ENC is not authorized for the following items if an exporter “knows” or has “reason to know” that the following items will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization of the owner, operator, or administrator of the information system:
    • “Cryptanalytic items,” classified in ECCNs 5A004.a, 5D002.a.3.a or c.3.a, or 5E002;
    • Network penetration tools described in Section 740.17(b)(2)(i)(F) of the EAR, and ECCN 5E002 technology therefor; or
    • Automated network vulnerability analysis and response tools described in Section 740.17(b)(3)(iii)(A) of the EAR, and ECCN 5E002 technology therefor.

BIS considered this change necessary to prevent evasion of one of the end-use restrictions in License Exception ACE, i.e., by adding cryptographic or cryptanalytic functionality to a cybersecurity item and exporting, reexporting, or transferring (in-country) the resulting item under License Exception ENC.

The authors acknowledge the assistance of Eweosa Owenaze in the drafting this post.

Categories:
Author

Paul Amberg is a partner in Baker McKenzie’s Madrid office, where he handles international trade and compliance issues. He advises multinational companies on export controls, trade sanctions, antiboycott rules, customs laws, anticorruption laws, and commercial law matters. Paul helps clients assess and address compliance risks presented by export controls, trade sanctions, antiboycott rules, customs laws, and anticorruption laws. His practice especially focuses on internal reviews, voluntary disclosure filings, and enforcement actions brought by, the US Government in relation to the Export Administration Regulations (EAR), International Traffic in Arms Regulations (ITAR), trade and economic sanctions programs, and US customs laws.

Author

Ms. Test advices clients on issues relating to licensing, regulatory interpretations, enforcement actions, internal investigations and compliance audits, as well as the design, implementation and administration of compliance programs. She also advises clients on the extra-territorial application of trade compliance-related regulations in cross-border transactions.

Author

Taylor Parker is an associate at Baker McKenzie's Chicago office and a member of the International Commercial group. Taylor leverages her background in governmental affairs, public health and the private business sector to provide global clients with coordinated solutions to international transactions and issues. Taylor advises clients on various international commercial matters, including domestic and cross-border mergers and acquisitions, economic and trade sanctions, export controls, and customs and import laws.

Related Posts