On May 26, 2022, the US Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule (the “Final Rule”) updating the scope of License Exceptions Authorized Cybersecurity Exports (“ACE”) and Encryption Commodities, Software, and Technology (“ENC”) related to cybersecurity items in response to public comments on the interim final rule related to cybersecurity items published on October 21, 2021. The interim final rule established a new control on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons and created License Exception ACE in Section 740.22 of the Export Administration Regulations (“EAR”), which authorizes exports of identified cybersecurity items to most destinations except in certain circumstances.

The Final Rule makes the following revisions to the EAR:

  • An illustrative list of “Government end users” was added to License Exception ACE, which includes (i) international government organizations, (ii) government-operated research institutions, (iii) “more-sensitive government end users,” (iv) “less-sensitive government end users” (as both of these terms are already defined in Section 772.1 of the EAR), and (v) utilities, transportation hubs and services, and retail or wholesale firms wholly or partially operated or owned by a government or governmental authority.
    • “Partially operated or owned by a government or governmental authority” means that a foreign government owns or controls, directly or indirectly, 25 percent or more of the voting securities of the foreign entity or a foreign government or governmental authority has the authority to appoint a majority of board members of the foreign entity.
  • In respect of exports of “digital artifacts” (related to a cybersecurity incident involving information systems owned or operated by a “government end user”) to “government end users” in Country Group D, License Exception ACE has been narrowed to only allow for such exports to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 and only for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
  • A new end use restriction was added to License Exception ENC in Section 740.17(f) of the EAR such that ENC is not authorized for the following items if an exporter “knows” or has “reason to know” that the items will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization of the owner, operator, or administrator of the information system:
    • “Cryptanalytic items,” classified in ECCNs 5A004.a, 5D002.a.3.a or c.3.a, or 5E002;
    • Network penetration tools described in Section 740.17(b)(2)(i)(F) of the EAR, and ECCN 5E002 technology therefor; or
    • Automated network vulnerability analysis and response tools described in Section 740.17(b)(3)(iii)(A) of the EAR, and ECCN 5E002 technology therefor.

BIS considered this change necessary to prevent evasion of one of the end-use restrictions in License Exception ACE, i.e., by adding cryptographic or cryptanalytic functionality to a cybersecurity item and exporting, reexporting, or transferring (in-country) the resulting item under License Exception ENC.

The authors acknowledge the assistance of Eweosa Owenaze in drafting this post.