On Sept. 20, 2016, the Bureau of Industry and Security (BIS) published a final rule that revises the Export Administration Regulations (EAR) and the Commerce Control List (CCL), primarily to implement changes that were agreed to by the U.S. government at the 2015 Wassenaar Agreement Plenary Meeting. The rule, effective on the date of publication, makes a variety of procedural and substantive changes to the EAR, particularly in connection with the export of encryption items, as described below.

Changes to CCL Category 5 Part 2 (Information Security)

Some encryption items that were previously classified under ECCN 5A002 have been moved to newly created ECCNs 5A003 and 5A004. Specifically, the regulations establish a new ECCN 5A003 covering systems, equipment and components for non-cryptographic information security, such as communications cable systems designed to detect intrusion, which were previously classified as 5A002.a.8 or 5A002.a.4. The new ECCN 5A004 controls systems, equipment and components for defeating, weakening or bypassing information security, which were previously classified as 5A002.a.2. The same license requirements and license exceptions that applied to the items when classified under 5A002 apply to both 5A003 and 5A004. Thus, 5A003 items are not eligible for export under License Exception ENC and will require a license for shipment to all countries, except Canada, while 5A004 items are eligible for export under License Exception ENC.

The rule amends ECCN 5B002 by adding references to the newly created ECCNs 5A003 and 5A004 in paragraphs a. and b. Thus, ECCN 5B002 now includes equipment specially designed for the development or production of equipment controlled by 5A002, 5A003 or 5A004, rather than just equipment controlled by 5A002. The rule also amends ECCNs 5D002 and 5E002 to ensure consistency with the changes to 5A002 and 5B002.

The new rule also reclassifies most previously 5A992 and 5D992 items under EAR99, other than 5A992/5D992 “mass market” items. The only items that are now classified under 5A9922 or 5D9922 are those that qualify for mass market treatment. Most other items that were previously classified as 5A992 or 5D992 are now EAR99, though a few likely remain controlled under either Category 4 or Category 5 Part 1. ECCN 5E992 is amended to remove technology for production, development or use of hardware or software that is no longer controlled under 5A992/5D992.

Accompanying Changes to the EAR

BIS staff stated in a conference call on Sept. 21, 2016, that the major changes implemented by this rule are aimed at simplifying the requirements of encryption controls, improving the processes by which exporters comply with those requirements and simplifying the text implementing the regulations.

In that vein, the rule eliminates the previous requirement that an exporter file an encryption registration before exporting items under ENC-Restricted or ENC-Unrestricted. In order to export under License Exception ENC, an exporter now needs only to self-classify appropriately and file the associated self-classification report, or file a CCATS request if the item is described in 15 C.F.R. § 740.17(b)(2) or (b)(3). The form previously used to file an encryption registration, Supplement 5 to part 742, is deleted, and some of the information previously required to be submitted with the encryption registration is now requested in Supplement 8, which is the self-classification report for encryption items.

Substantive changes were also made to License Exception ENC provisions. Items in 5A002.d or .e (certain cordless telephone equipment and portable or mobile radiotelephones and similar client wireless devices) and equivalent or related software therefor classified under 5D002 have been moved to 15 C.F.R. § 740.17(b)(2) because BIS determined they warrant a higher level of control. In addition, the performance parameters for “network infrastructure” items were updated to make them less restrictive.

Section 740.17(b)(2) was also amended to authorize exports, reexports and transfers of network infrastructure items to “less sensitive government end users” in all countries except Country Groups E:1 and E:2, instead of only to non-government end users. The corresponding definition of “less sensitive government end users” that is now included in part 772 provides that less sensitive government end users are certain local, state and provincial entities and national, federal or royal entities that provide certain civil functions or services.

The “grandfathering” provisions of License Exception ENC, which applied to encryption items reviewed and classified by BIS under License Exception ENC before June 25, 2010, have been deleted, as BIS determined them to be obsolete. Finally, the mass market provisions formerly located in section 742.15 are now found in section 740.17, which deals with License Exception ENC.

The rule also alters the treatment of publicly available encryption source code. The notification requirement for publicly available source code software, which requires the exporter to notify BIS of the internet location of the publicly available 5D002 encryption source code before export, is moved from License Exception TSU to section 742.15(b). Under the new rule, publicly available encryption source code and corresponding object code are not subject to the EAR, so long as the notification requirements of section 742.15(b) have been met.


Though this alert highlights some of the key changes in the final rule, BIS has implemented a variety of changes in this rule that are not addressed here. Other regulations that were revised include (i) entries in Category 4 of the CCL for high-performance computers, (ii) License Exception APP, (iii) License Exception CIV, and (iv) certain CCL entries controlled for national security reasons. See the Federal Register published on Sept. 20, 2016, 81 Fed. Reg. 64656, for full details of the final rule.