On January 12, 2026, the US House of Representatives passed the Remote Access Security Act (H.R. 2683), which would amend the Export Control Reform Act of 2018 (“ECRA”) to authorize the extension of existing export controls to the remote access of US goods, software, or technology, if a determination is made that “the use of the item could pose a serious risk to the national security or foreign policy of the United States.” The House Select Committee on the CCP applauded the House’s passage of the Remote Access Security Act as a means to “restrict foreign adversaries’ ability to access technologies, including AI chips, remotely through cloud computing services.”
Statutory Background
ECRA is the main statutory authority for US export controls on “dual-use” items (those having military and civilian applications) that are embodied in the Export Administration Regulations (“EAR”). The Commerce Department’s Bureau of Industry and Security (“BIS”) administers and enforces current export regulations under the EAR, including requiring licenses (and imposing penalties) with regard to the export, re-export, or in-country transfer of certain goods, software, or technology.
Historically, BIS has not broadly regulated mere remote access to the functionality of such items. That said, in 2025, BIS issued public guidance warning that the provision of access to advanced computing integrated circuits and commodities for training AI models has the potential to enable military-intelligence and weapons of mass destruction end-uses in Country Group D:5 countries, including China, or Macau, and could trigger licensing requirements under the EAR Part 744 catch-all controls. See our blog post about that BIS guidance here.
Expansion of Authority
The Remote Access Security Act would expressly expand the authority of BIS to regulate “remote access” to items subject to the EAR – e.g., Software as a Service (“SaaS”) or Infrastructure as a Service (“IaaS”). Under ECRA and the EAR, BIS could pursue enforcement cases against US and non-US parties that violate remote-access restrictions that may be implemented.
Specifically, it would amend ECRA to add a technical definition for “remote access,” defining the term as access to an item subject to the EAR “by a foreign person through a network connection, including the internet or a cloud computing service, from a location other than where the item is physically located, if the Secretary [of Commerce] determines that the use of the item could pose a serious risk to the national security or foreign policy of the United States.” The requirement that such a determination be issued suggests that perhaps not all SaaS and IaaS offerings will be impacted by this legislation, if enacted.
Next Steps
The bill will now be sent over to the US Senate and referred to the Senate Banking, Housing, and Urban Affairs Committee. While it does not appear that this legislation would be politically important enough to be considered under regular order in the Senate, its strong bipartisan support suggests that it could be considered under the unanimous consent process.
