On August 17, 2020, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) issued a final rule that makes three significant changes to the export licensing requirements on technology, commodities, and software being reexported, exported from abroad, or transferred (in country) to Huawei Technologies Co., Ltd. (Huawei) and its affiliates (collectively, "Huawei entities") or for a transaction involving a Huawei entity. First, BIS added 38 additional non-U.S. affiliates of Huawei to the Entity List, bringing the total number of Huawei entities on the Entity List to over 150. A list of the newly designated entities is included below. Second, BIS replaced the temporary general license for the Huawei entities with a limited authorization that allows the release of information related to security vulnerabilities in certain instances to the Huawei entities. Third, and most significantly, BIS further expanded its jurisdiction over foreign-produced items developed or produced from a specified U.S. technology and software (or SUST/S) to cover almost all transactions involving a Huawei entity.

Expansion of BIS Entity List – More Huawei Entities and Broader License Requirement Scope

Effective August 17, BIS added 38 new Huawei-affiliated entities to the Entity List. The additions were made to minimize the risk that these entities would be used to evade the export license requirements on the 100-plus Huawei entities that were already on the Entity List. The new listed entities are set forth below. Additionally, in a separate but related rule, BIS clarified that the license requirement applies to transactions that involve a listed entity in any portion of the transaction, whether the purchaser, intermediate consignee, agent, ultimate consignee, or end-user.

Cybersecurity Research and Vulnerability Disclosure Authorization

The rule also removes the temporary general license and replaces it with a more limited permanent authorization focused on cybersecurity research and vulnerability disclosure. Effective August 17, U.S.-origin information may be disclosed to the Huawei entities in certain instances when the disclosure "is limited to information regarding security vulnerabilities in items owned, possessed, or controlled by Huawei or any of its non-U.S. affiliates when related to the process of providing ongoing security research critical to maintaining the integrity and reliability of existing and currently [third-party] 'fully operational network' and equipment."

Further Expansion of the Foreign Direct Product Rule

The rule continues to expand the Export Administration Regulations' (EAR's) "foreign direct product rule" (FDPR). This rule builds upon the May 2020 regulation and now subjects foreign-made items to U.S. control not only when those items are developed or produced by or for Huawei using SUST/S or in a plant using SUST/S, but also certain foreign-produced commercial off-the-shelf items. While this rule became effective on August 17, it authorized certain shipments of foreign-produced items produced by any plant or major component of any plant that is the direct product of a SUST/S to be made until September 14, 2020.