For many mass market software and app developers, as well as many other exporters, the regulatory landscape just got a little less burdensome. On March 29, 2021, the US Department of Commerce (Commerce), Bureau of Industry and Security (BIS) issued a final rule amending the Export Administration Regulations (EAR) to significantly reduce notification and reporting requirements related to mass market and publicly available encryption items under Category 5, Part 2 of the Commerce Control List (CCL). In addition, the final rule also implements certain modifications to the CCL and associated changes to the EAR as part of the government's continued participation in the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies (Wassenaar Arrangement).
We expect that these changes, which are effective immediately, will considerably ease ongoing regulatory burdens associated with the widespread distribution of software and source code (and other mass market items) involving many common encryption components and functions.
Elimination of Annual Self-classification Reporting for Most Mass Market Software
With the exception of a limited set of certain mass market encryption-related components and "executable software" (discussed below), the final rule largely eliminates annual self-classification reporting requirements for the vast majority of "mass market" encryption items and software, including many mass market "apps" incorporating encryption. Most mobile apps that are widely distributed over common app stores and the Internet qualify as "mass market" items if they aren't exempted from controls for other reasons. This means that most mass market software can be self-classified and exported to most destinations under License Exception encryption commodities, software, and technology (ENC) without the ongoing regulatory burdens associated with annual self-classification reporting.
In addition, under the final rule, License Exception ENC now allows mass market development kits (toolsets) and toolkits that are stand-alone products (e.g., are not components or software of another "mass market" product) to be self-classified under Export Control Classification Number (ECCN) 5A992.c or 5D992.c. Importantly, once classified, stand-alone toolsets and toolkits are also not subject to Commerce's annual self-classification reporting requirements under the final rule.
Elimination of Mandatory Classification Requests for Certain Mass Market Items
The rule eliminates mandatory classification request requirements under License Exception ENC for ECCN 5A992.c components and ECCN 5D992.c 'executable software' of mass market products, except for non-standard cryptography as defined in part 772 of the EAR. With the elimination of this classification request requirement, many ECCN 5A992.c or 5D992.c components of mass market products (and their "executable software") now may be self-classified and annually reported to Commerce. However, Commerce notes that most cryptographic libraries and modules themselves will likely not be impacted by this change because the mass market note (Note 3 to Category 5, Part 2 or the "Cryptography Note") specifically excludes items whose primary function is "information security."
Elimination of Notification Requirements for "Publicly Available" Encryption
The final rule also generally eliminates the requirement to notify Commerce of "publicly available"—published on the Internet or otherwise available to the public—encryption source code (e.g., open source software) and beta test encryption software classified under ECCN 5D002. While the notification requirement will remain in place for encryption source code involving "non-standard cryptography," the vast majority of publicly available encryption source code will no longer be subject to notification requirements under this final rule. This eliminates much ambiguity particularly for non-US software developers that often utilize open source code.
Additional Updates to the EAR
Apart from the significant changes to encryption reporting obligations described above, the final rule also modifies encryption-based controls for items with wireless personal area network functionality and adds "gateways" to the list of items (routers, switches, relays) incorporating standard encryption and limited to the tasks of Operations, Administration or Maintenance (OAM) for which an existing carve-out from encryption-based controls applies.
Commerce also made several other new changes agreed upon during the December 2019 Wassenaar Arrangement Plenary meeting, including certain revisions related to items classified under ECCN Categories 0, 1, 2, 3, 6, and 9 of the CCL.
Taken together, Commerce's encryption-related changes reflect an awareness of the proliferation of encryption in the global market and the perceived overbreadth of some of the encryption reporting procedures for common, widely available apps. These changes will considerably reduce regulatory burden for companies that incorporate commercial-standard encryption into products sold to the public. Companies potentially affected by these changes, including those that currently utilize License Exception ENC, should determine whether the changes will impact their current and anticipated compliance processes and procedures.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.