Increasing U.S. Software Developers’ Global Competitive Advantage: Bureau of Industry and Security Eases Export Administration Regulations for Certain Encryption Items
April 7, 2021
By Brett W. Johnson, Chariese R. Solorio and Derek Flint
Traditionally, United States software developers have struggled to compete globally due to strict export control and international trade laws. But since the export control reform that began during President Obama’s administration, certain export controls have been relaxed to allow U.S. software developers to take advantage of new global business opportunities. The trend is continuing, and technology companies should consider evaluating their export control policies and procedures to take advantage of those opportunities.
In a continuation of this trend, on March 26, the Department of Commerce’s Bureau of Industry and Security (“BIS”) issued a final rule amending certain Export Administration Regulations (“EAR”) that relate to software and encryption items. The final rule became effective March 29. BIS explained that the changes “are designed to reduce the regulatory burden for exporters while still fulfilling U.S. national security and foreign policy objectives.” To this end, the final rule made two main sets of changes.
(1) Elimination of the email notification requirement for certain encryption source code. Before BIS issued the final rule, companies were required to submit an email notification to BIS when they published software source code online that contained encryption functionality. The final rule eliminated this email requirement. Now, only source code that uses proprietary or unpublished encryption (i.e., “non-standard cryptography”) must be reported to BIS before being released from the EAR’s control. BIS estimates that this revision will reduce email notifications by 80 percent.
(2) Revisions to reporting and classification requirements for certain “mass market” encryption items. Prior to the final rule, exporters were required to submit classification requests or self-classification reports to BIS for certain “mass market” encryption products before the items were approved for export. Under the revised regulations, certain “mass market” items, such as toolsets and toolkits, are no longer subject to self-classification reporting. Other “mass market” items, including “mass market” encryption components (like chips, chipsets, electronic assemblies and field programmable logic devices) and their qualifying “executable software,” are now eligible for self-classification—instead of formal classification requests—so long as they do not use “non-standard cryptography.” Notably, the final rule does not change the licensing requirements for non-“mass market” encryption items or for encryption items that use “non-standard cryptography.” Therefore, pre-existing rules regarding classification requests still apply to those items.
The final rule should reduce the regulatory and reporting burdens on companies by eliminating certain classification and reporting requirements. That said, companies should still take a close look at the specific characteristics of their software and encryption technologies to determine which requirements apply. For example, determining whether a particular type of software uses non-standard cryptography may involve a fact-specific analysis. In addition, as export control laws are constantly changing, companies should consider additional training for personnel involved in maintaining such controls. For assistance in classifying items and assessing reporting requirements, companies may want to consider contacting legal counsel.