On November 3, 2021, the Commerce Department’s Bureau of Industry and Security (“BIS”) issued a final rule (“Final Rule”) adding the following four entities to the Department of Commerce Bureau of Industry and Security (“BIS”) Entity List: Candiru (Israel), NSO Group (Israel), Computer Security Initiative Consultancy PTE (Singapore), and Positive Technologies (Russia). The addition of the four entities comes after the October 21, 2021 publication of an interim rule by BIS establishing controls on the export, re-export, and in-country transfers of items that may be used for malicious cyber activities and is part of the ongoing effort by the Biden-Harris Administration to combat the use of digital tools for repression.

According to the Final Rule, Candiru and NSO Group were added to the Entity List for developing and supplying spyware to foreign governments in order to maliciously target government officials, embassy workers, business people, journalists, activities and academics. Computer Security Initiative Consultancy PTE and Positive Technologies were added to the Entity List for the misuse and trafficking of cyber tools used to gain unauthorized access to information systems and posing a threat to the privacy and security of individuals and organizations worldwide. A license will be required from BIS to export, reexport, or transfer (in-country) to or through these parties any items subject to the Export Administration Regulations (“EAR”), subject to a policy of denial.