On March 29, 2021, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) published a final rule (“Final Rule”) implementing changes to the Export Administration Regulations (“EAR”) that were agreed to at the December 2019 Wassenaar Arrangement Plenary meeting. Specifically, the Final Rule modified the reporting and self-classification requirements for exports of most mass-market encryption items and the email notification requirement for exports of publicly available encryption source code and beta test software. The final rule also revised the Export Control Classification Number (“ECCN”) entries of twenty-two items on the EAR’s Commerce Control List (“CCL”), which generally narrows the scope of the controls or provides clarification on the existing entries.

Relaxation of Controls on Certain Encryption Items

The Final Rule implemented three major changes to EAR provisions regarding encryption items identified in Category 5, Part 2 of the CCL in Supplement No. 1 to Part 774 of the EAR.

  • First, the Final Rule moved mass-market encryption components (including chipsets, chips, electronic assemblies, and field-programmable logic devices), the executable software related to such encryption components, toolsets, and toolkits from EAR Section 740.17(b)(3) to 750.17(b)(1). Whereas previously these items could only have been exported under License Exception ENC after the submission of a mandatory classification request to BIS, they now can be self-classified under Export Control Classification Numbers (“ECCN”) 5A992.c. or 5D992.c. as mass-market items. BIS notes that most cryptographic libraries and modules will remain Section 740.17(b)(3) items.
  • Second, the Final Rule amended Section 740.17(e) of the EAR such that mass-market development kits (toolsets) and toolkits that are stand-alone products (e.g., are not components or executable software) that fall under Section 740.17(b)(1) of the EAR no longer require submission of an annual self-classification report. Mass market components and their executable software that are self-classified under ECCN 5A992.c or 5D992.c, however, are subject to the annual self-classification reporting requirements.
  • Third, the Final Rule eliminated the requirement previously included in EAR Section 742.15(b) to submit email notifications to BIS and the ENC Encryption Coordinator as a condition for publicly available encryption source code to be released from control under the EAR. Prior to this change, an email notification was required that provided the Internet location (e.g., URL or internet address) or a copy of the publicly available encryption source code before such source code could be considered not subject to the EAR.

Importantly, none of the above changes affect any of the License Exception ENC requirements for any non-mass market encryption item or any encryption item (mass market or not) that implements “nonstandard cryptography.”

This Final Rule also implemented other changes that are unrelated to mass-market encryption items. Specifically, the Final Rule:

  • eliminated the reporting requirement under EAR Section 740.9(c)(8) for beta test encryption software under license exception TMP, as long as the product does not implement nonstandard cryptography;
  • expanded an exclusion in the encryption controls for wireless personal area network functionality by eliminating the range limitations such that items using only published or commercial cryptographic standards, where the information security functionality is limited to personal area network functionality, now fall outside of EAR’s encryption controls;
  • added gateways to an existing carve-out from the encryption controls for certain items (e.g.,routers, switches, relays) that are limited to the tasks of Operations, Administration, or Maintenance(OAM).

Other Non-Encryption Related Changes

Apart from the aforementioned encryption-related changes, the Final Rule also revised the ECCN entries of twenty-two items in Categories 0, 1, 2, 3, 5, 6, and 9 of the CCL to align with decisions made at the December 2019 Wassenaar plenary meeting. Items impacted by these revisions include body armor, metal alloys, optical sensors, and spacecraft-related software. Most of the changes either narrow the scope of the controls or provide clarification on existing entries. These changes follow BIS’s October 2020 rule implementing revisions to the EAR related to emerging technologies, which also were agreed upon at the 2019 Wassenaar plenary meeting.