On May 16, 2024, the US Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) published a final rule amending the Iranian Transactions and Sanctions Regulations, 31 C.F.R Part 560 (“ITSR”), to incorporate OFAC General License (“GL”) D-2 and the preexisting list of items deemed incident to communications that are authorized for export or reexport to Iran under GL D-2, and to concurrently update such list.  OFAC also published one new and 26 revised Frequently Asked Questions (“FAQs”).  The OFAC press release is available here.

GL D-2

Effective May 17, 2024, OFAC amended the ITSR to incorporate the provisions of GL D-2 and certain additional amendments into the existing authorization at 31 C.F.R. § 560.540.  GL D-2 authorizes the exportation or reexportation to Iran of certain no-cost or fee-based services and software that are incident to, and software that enables services incident to, the exchange of communications over the internet, as well as cloud-based services in support of the foregoing services or of any other transactions authorized or exempt under the ITSR, subject to certain conditions.  Our prior blog post on GL D-2 is available here.

In addition to incorporating GL D-2 into the ITSR, OFAC introduced several key changes as follows:

  • 31 C.F.R. § 560.540(a)(5) authorizes transactions for the importation of hardware or software into third countries, in additional to the United States, provided the items were previously exported to Iran pursuant to an authorization issued under the ITSR. 
  • 31 C.F.R. § 560.540(a)(7) authorizes the export or reexport of certain services conducted outside Iran to install, repair, or replace hardware or software authorized for exportation, reexportation, or provision to Iran, provided that the service provided the service provider is located outside of Iran (and does not authorize the service provider to engage in such services while in Iran). 
  • 31 C.F.R. § 560.540(b)(3) excludes the exportation or reexportation of web-hosting services for websites of commercial entities located in Iran or of domain name registration services for or on behalf of the Government of Iran or another person whose property and interests in property are blocked pursuant to 31 C.F.R. § 560.211.
  • 31 C.F.R. § 560.540(d) sets forth a case-by-case licensing policy for additional activities that support internet freedom in Iran (e.g., development and hosting of anti-surveillance software by Iranian developers).

Upon publication of this rule, OFAC has archived GL D-2 from its website although GLs D, D-1, and D-2 will continue to be available in the Federal Register.

List of Services, Software, and Hardware Incident to Communication

The List of Services, Software, and Hardware Incident to Communication (“List”) describes items that have been determined to be incident to communications and therefore authorized for export or reexport to Iran under GL D-2.  The List was previously found as an annex to ITSR GL D and its amended versions (i.e., GL D-1 and GL D-2).  Effective May 17, 2024, the List is available at 31 C.F.R. § 560.540.  Concurrently, OFAC published an updated version of the List, which will be effective June 17, 2024.  OFAC stated that it is updating the List to restrict the computing power of certain items on the List.

New and Revised FAQs

Lastly, OFAC published a new FAQ 1173 and amended 26 ITSR-related FAQs.  FAQ 1173 clarifies that user authentication services for the purposes of 31 C.F.R. § 560.540 are services used to login or verify the identity of a user to a particular software or service such as a user identification account often used to login to email, mobile app stores, or other activities authorized by 31 C.F.R. § 560.540.  The amended FAQs replaced references to prior GLs with 31 C.F.R. § 560.540.


Mr. McMillan's practice involves compliance counseling; compliance programs; licensing; compliance reviews; internal investigations; voluntary disclosures; administrative enforcement actions; criminal investigations; customs inquiries, audits, detentions, and seizures; and trade-compliance due diligence and post-acquisition integration in mergers and acquisitions. His practice includes matters that implicate the US International Traffic in Arms Regulations (ITAR), US Export Administration Regulations (EAR), US National Industrial Security Program (NISP), the US Committee on Foreign Investment in the United States (CFIUS), and equivalent non-US laws. Mr. McMillan regularly advises on and represents clients in matters involving technology, including its control, protection, accidental disclosure, diversion, or unauthorized collection. Mr. McMillan has extensive experience working with companies in the aerospace and defense industry, as well as companies in the Middle East and other parts of Asia.


Eunkyung advices clients on various regulatory compliance and trade issues, concentrating on the US export controls such as the Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR), economic and trade sanctions, US customs and import laws, the US Foreign Corrupt Practices Act (FCPA), and foreign anti-bribery laws.


Alex is an associate in the Washington, DC office where she is a member of the International Commercial Practice Group. Her practice is focused on international trade, particularly compliance with US export controls, trade and economic sanctions, and antiboycott controls. Admitted in New York and Washington, DC.