Changes Under the Final Rule

The final rule makes two changes to the CCL to implement a decision made earlier in 2021 by the Australia Group (“AG”), a forum of 42 countries (including the United States) and the European Union that maintain multilateral export controls on items that could be used in chemical and biological weapons programs. First, the final rule adds ECCN 2D352 to control software designed for certain nucleic acid assemblers and synthesizers² that is capable of designing and building functional genetic elements from digital sequence data. The software is controlled for chemical and biological weapons (“CB”) reasons — and thus requires a license to be exported, reexported, or transferred to or in most countries. Anti-terrorism (“AT”) controls and U.S. embargo restrictions applicable to virtually all items on the CCL also apply. The software, however, will not generally require a license to destinations located in countries participating in the AG.

Second, the final rule amends ECCN 2E001 — which controls technology for the development of most equipment or software in CCL Category 2 (Materials Processing) — to add technology for the development of software controlled by ECCN 2D352. Like the software itself, such technology is controlled for CB and AT reasons. Thus, development technology controlled under ECCN 2E001 will now require a license for export, reexport, or transfer to or in most countries.

The final rule also includes a “saving clause” that will permit certain exports to proceed if the new controls remove eligibility for export under previously applicable license exceptions or “no license required” (“NLR”) status. First, the new license requirements will not apply to certain shipments that were substantially underway on October 5, 2021, so long as the export event is completed before midnight on December 6, 2021. Second, deemed exports of technology and source code may continue under previously applicable license exceptions or NLR status before midnight on December 6, 2021.

Expansion of Export Controls Over Emerging Technologies

This final rule is not surprising. The Export Control Reform Act of 2018 (“ECRA”) defines emerging technologies as those technologies essential to the national security of the United States and not yet defined as a critical technology under ECRA.³ ECRA requires the U.S. President, in coordination with the Secretary of Commerce, Secretary of Defense, Secretary of Energy, Secretary of State, and heads of other federal agencies as appropriate, to identify emerging technologies through an interagency process that takes into account the foreign development of these technologies and the effect of export controls on their development and proliferation to foreign countries. ECRA further requires the Secretary of Commerce to establish appropriate controls over these technologies under the EAR, including proposing that identified emerging technologies be added to the relevant multilateral export control regimes.

On November 19, 2018, BIS identified biotechnology as a representative category of emerging technology.⁴ In accordance with ECRA, BIS issued a proposed rule on November 6, 2020, identifying software for the operation of nucleic acid assemblers and synthesizers already controlled under ECCN 2B352.j as an emerging technology warranting control due to its capability to be used in the production of pathogens and toxins.⁵ The lack of controls over the software presented a risk that the software “could be exploited for biological weapons purposes.”⁶ The proposed rule gave the public notice of its intent to add this software to the CCL, and invited public comment on these changes.

The final rule also reflects the decision made earlier in 2021 by the AG to add this software and technology to the AG Common Control List for dual-use biological equipment. The final rule implementing a multilateral agreement therefore demonstrates a global effort to control this type of software and technology.

Impact on CFIUS Requirements

These new controls highlight the interplay between export control regulations and CFIUS requirements. As we previously discussed here, in 2020, the U.S. Department of Treasury amended regulations under the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”), which expanded CFIUS’s jurisdiction to include non-controlling, non-passive investments in U.S. businesses engaged in certain activities involving critical technologies, critical infrastructure, or sensitive personal data (“TID U.S. Businesses”). Thus, this reform broadened CFIUS’s jurisdiction to include not only transactions which could result in control by foreign persons, but also foreign investment in TID U.S. Businesses that will result in any amount of equity or contingent equity if the foreign investor will receive (1) access to material non-public technical information; (2) board member or observer rights; or (3) involvement in substantive decision-making pertaining to the relevant technology, infrastructure, or data.⁷ Further, a mandatory CFIUS filing is now required for any foreign investment in a TID U.S. Business when that business produces, designs, tests, fabricates, or develops “critical technologies” for which U.S. regulatory authorization would be required to export, reexport, transfer (in-country), or retransfer the technology to a foreign person.⁸ In other words, “critical technologies” for the purpose of CFIUS mandatory filing requirements are generally defined by export control classifications. The addition of ECCN 2D352 and modification of ECCN 2E001 result in new software and technology that are now deemed “critical technologies” under CFIUS regulations. This in turn broadens CFIUS’s reach because more businesses will now be subject to heightened scrutiny by CFIUS and mandatory filing requirements if they accept foreign investment.

What This Means for You

It is important for companies to carefully consider whether and how these new regulations apply to them. Violations of export control or CFIUS regulations can result in government investigations by one or more agencies and possible enforcement actions under the relevant regulatory regimes. For example, a willful violation of ECRA or the EAR can result in a criminal penalty of up to 20 years imprisonment, $1 million in fines per violation, or both; and criminal forfeiture of items or gross proceeds related to the transaction. ECRA also permits civil penalties of up to $308,901 (adjusted annually for inflation) or twice the value of the transaction, whichever is greater; and denial of export privileges, seizure and forfeiture, and loss of government contracting rights. Failure to comply with CFIUS regulations may result in civil penalties amounting to $250,000 or the value of the transaction, whichever is greater. CFIUS penalties are without prejudice to any other civil or criminal penalties available under law. If a company or individual discovers a violation internally, it may make a voluntary self-disclosure to the relevant agency, which can cut the applicable maximum base penalty in half.

¹ CFIUS is an inter-agency panel of the U.S. government that reviews foreign investment for national security concerns.

² As of April 2018, certain nucleic acid assemblers and synthesizers are already controlled under paragraph j of ECCN 2B352, which covers certain equipment capable of use in handling biological materials. See 83 Fed. Reg. 13,849 (Apr. 2, 2018) (implementing AG decisions).

³ See 50 U.S.C. § 4817. “Critical technologies” are defined under 50 U.S.C. § 4565(a)(6)(A). In addition to “emerging and foundational technologies” controlled pursuant to § 4817, critical technologies include defense articles and services included on the United States Munitions List set forth under the International Traffic in Arms Regulations; certain items included on the CCL pursuant to multilateral regimes or for reasons relating to regional stability or surreptitious listening; certain nuclear equipment, parts, components, materials, software, technology, and facilities; and select agents and toxins.

⁴ 83 Fed. Reg. 58,201 (Nov. 19, 2018).

⁵ 85 Fed. Reg. 71,012 (Nov. 6, 2020).

⁶ Id.

⁷ 31 C.F.R. § 800.211.

⁸ Id. § 800.401. “Critical technologies” have nearly identical definitions under CFIUS regulations and ECRA. Compare id. § 800.215 (CFIUS definition), with 50 U.S.C. § 4565(a)(6)(A) (ECRA definition).