1. Home
  2. |Insights
  3. |Welcome Revisions to the Encryption Export Control Regulations

Welcome Revisions to the Encryption Export Control Regulations

Client Alert | 4 min read | 06.29.10

On June 25, 2010, the Department of Commerce, Bureau of Industry and Security ("BIS"), issued an interim final rule (75 Fed. Reg. 36481), significantly modifying and relaxing certain regulations regarding encryption items under the Export Administration Regulations ("EAR").

Among the most significant reforms, the new rule:

  • Replaces the current "product-by-product" authorization scheme for less sensitive and mass market encryption items with a company-based authorization scheme that will operate like a bulk license for such products;
  • Removes the 30-day delay and review requirement for exporting less sensitive encryption items and classifying most mass market encryption items;
  • Creates an annual self-classification reporting requirement for less sensitive and most mass market items, in place of the prior semi-annual post-export sales and distribution reporting requirement;
  • Expands the scope of encryption technology eligible for License Exception ENC to permit broad exportation except to countries of the highest concern; and
  • Removes "ancillary cryptography" from control under the "Information Security" ECCNs in Category 5, Part 2 of the EAR.

Company Registration for Less Strictly Controlled and Mass Market Encryption Items: For encryption items of lesser national security concern and for most mass market encryption items, the rule establishes a new, one-time, company "encryption registration" requirement. Once a company has electronically submitted an encryption registration and been issued an Encryption Registration Number ("ERN"), it may immediately self-classify and export eligible products. This modification thus removes the previous requirement of a 30-day technical review by BIS for each individual product. Exporters and reexporters of a product may rely on the manufacturer's self-classification, and need not submit a separate encryption registration or classification request.

Revised Reporting Requirements: BIS has also revised the former requirement to file semi-annual post-export reports for nearly all items exported under License Exception ENC. Parties must now submit an annual self-classification report identifying the less strictly controlled commodities and software exported under ENC. Although semi-annual reports will still be required for more strictly controlled items, BIS expects the total number of semi-annual reports filed to decline from approximately 400 to fewer than 100 per year.

Greatly Expanded Applicability of License Exception ENC for Encryption Technology: Prior to the new rule, all exports of ECCN 5E002 encryption technology to end-users other than U.S. subsidiaries and companies located or headquartered in "favorable treatment" countries (under Supplement 3 to Part 740 of the EAR) required a license. Under the new rule, encryption technology classified as 5E002 -- as long as it is not related to cryptanalytic items, non-standard cryptography, or open cryptographic interfaces -- may be exported under License Exception ENC to any non-government end-user located in a country not listed in country groups D:1 or E:1 of the EAR. This change is expected to decrease encryption licensing arrangements ("ELAs") and other license applications to export encryption technology by approximately 60 percent.

Removal of "Ancillary Cryptography" Items from Control Under Category 5 of the EAR: The rule completely excludes "ancillary cryptography" items -- those where the item's primary function is not information security, computing, communications, storing information, or networking -- from control under Category 5, Part 2 of the EAR. This change brings the EAR in line with agreements made by the Wassenaar Arrangement in December 2009, and focuses "information security" controls on encryption used for computing, communications, networking, and information security. The rule provides an extensive illustrative list of items now excluded from Category 5, Part 2.

Encryption Classification Requests: Beyond greatly limiting the number of products for which encryption classification requests are required, the rule also removes the requirement to file such requests separately with both BIS and the National Security Agency's ("NSA") ENC Encryption Coordinator (although all reports still must be filed with both agencies).

Grandfathering Provision: The new rule includes a grandfathering provision, by which most products reviewed and classified by BIS prior to June 25, 2010 may be exported using the CCATS previously obtained by BIS, without requiring registration, new classification by BIS, or reporting.

What Has Not Changed: Items classified under 5x992 (such as items with limited cryptographic functionality) and those eligible for ENC under EAR § 740.17(a) (certain exports for internal development and production or to U.S. subsidiaries) remain eligible for self-classification without registration or reporting. Likewise, more strictly controlled encryption items described in EAR § 740.17(b)(2) continue to require classification by BIS with, in most cases, a 30-day waiting period, as well as semi-annual reporting (in addition to company registration).

This rule is a significant first step in the administration's effort to reform and streamline U.S. encryption export controls. It will reduce the number of items subject to Encryption Items ("EI") controls -- a real advance -- and will eliminate the waiting time associated with reviews for a wide variety of products and technology. Compliance requirements will therefore shift from waiting for BIS to review products' functionality to establishing an effective internal corporate process to register, self-review, and report. This approach will place a premium on quickly analyzing the specific encryption functionality of products, and confirming their treatment under these new rules.

Insights

Client Alert | 6 min read | 03.26.24

California Office of Health Care Affordability Notice Requirement for Material Change Transactions Closing on or After April 1, 2024

Starting next week, on April 1st, health care entities in California closing “material change transactions” will be required to notify California’s new Office of Health Care Affordability (“OHCA”) and potentially undergo an extensive review process prior to closing. The new review process will impact a broad range of providers, payers, delivery systems, and pharmacy benefit managers with either a current California footprint or a plan to expand into the California market. While health care service plans in California are already subject to an extensive transaction approval process by the Department of Managed Health Care, other health care entities in California have not been required to file notices of transactions historically, and so the notice requirement will have a significant impact on how health care entities need to structure and close deals in California, and the timing on which closing is permitted to occur....