As of March 29, 2021, the U.S. Department of Commerce's Bureau of Industry and Security (BIS) has implemented significant modifications to the Export Administration Regulations (EAR) that relax requirements on the classification and reporting of mass-market encryption items and on email notifications previously required for publicly available encryption source code and beta test software. The new rule also implements revisions that impact 22 dual-use technologies; these changes generally narrow the scope of the controls or provide clarification on the existing entries. The amendments conform the EAR with changes agreed upon by the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies, a multilateral export control regime of which the United States is a member.
Changes to Requirements for Classification and Reporting for Mass-Market Encryption Items
First, BIS no longer requires submission of a classification request for mass-market encryption components (including chipsets, chips, and assemblies), toolsets, and toolkits (such as software development kits (SDKs)). These mass-market encryption items were previously approved for export under Section 740.17(b)(3) after submission of a classification request to BIS. Now, these encryption items can be self-classified under Export Control Classification Numbers (ECCNs) 5A992.c. and 5D992.c., as mass-market items under Section 740.17(b)(1) of the EAR, as long as they do not use non-standard cryptography (i.e., proprietary encryption). Additionally, the executable software related to the encryption components, defined as software in executable form from an existing hardware component and excluding complete binary images of the "software" running on an end item, can also be self-classified as a mass-market item under this provision. Items using non-standard cryptography remain classified under Section 740.17(b)(3)(ii) of the EAR and continue to require the submission of a classification request prior to export.
Second, self-classification reporting, which is due on February 1 of each year, is not required for mass-market toolkits or SDKs. Mass-market items that are components and the related executable code require the filing of an annual self-classification report.
These significant liberalizations should save considerable effort on the part of exporters who have mass-market products; companies can now forego the filing of classification requests and annual reports for the designated encryption items. BIS estimates that the reduction in self-classification reporting will reduce the number of filed reports by 60 percent. The changes do not impact non-mass-market encryption items classified under ECCNs 5A002 and 5D002.
Elimination of Other Encryption-Related Reporting Requirements
Additionally, companies no longer need to submit to BIS an email notification under Section 742.15(b) of the EAR, the former "TSU notification" for most publicly available source code. Similar to the changes related to mass-market items, publicly available source code using non-standard encryption continues to require notification.
Finally, BIS eliminated the reporting requirement for beta test encryption software under license exception TMP (for temporary exports)—again, as long as the product does not implement non-standard cryptography.
BIS estimates that these modifications should reduce the number of email notifications by 80 percent.
Other Changes to the CCL
In addition to the mass-market encryption amendments, the new rule implements various changes to other ECCNs on the EAR's Commerce Control List (CCL). These revisions impact 22 dual-use technologies, including body armor, metal alloys, optical sensors, and spacecraft-related software. Most of the changes either narrow the scope of the controls or provide clarification on existing entries. For items such as ECCN 1B002 (metal alloy production equipment), the rule expands the definition by removing certain language ("specially designed") from the entry. The rule does not add any new ECCNs to the CCL, nor does it identify additional emerging or foundational technologies (as BIS' October 2020 final rule did).