BIS Eases Encryption Reporting and Self-Classification Requirements

Apr. 6, 2021

On March 29, 2021, the Bureau of Industry and Security (BIS) amended the Export Administration Regulations (EAR) by publishing a final rule which eliminated a variety of reporting and notification requirements related to open-source encryption software and certain mass-market encryption items. The move is designed to lighten the regulatory burden imposed on industry in hopes of streamlining the export process associated with such items.

First, the rule eliminates the email notification requirement for publicly available encryption source code and beta test encryption software, except for such items which implement “non-standard cryptography.” Prior to the implementation of this changes, software source code published online containing or using encryption functionality typically remained subject to the EAR until the author of the source code submitted an email notification report to the BIS. With this new rule, the email notification provision has been eliminated for source code that uses “standard cryptography.” Effective immediately, source code using standard cryptography will be released from the EAR’s licensing requirements as soon as the source code is published online. This rule is expected to substantially reduce the reporting burden for entities that frequently publish open-source software online. BIS estimates that the change will eliminate roughly 80% of the notifications it receives regarding publicly available encryption software. It should be noted however, source code which utilizes proprietary or unpublished encryption must still be reported to the BIS before release from the EAR will occur.

Next, the rule amends license exception ENC by moving mass-market components such as chips, assemblies, Field-Programmable Gate Arrays, etc., as well as executable software, toolsets, and toolkits out of 15 CFR § 740.17(b)(3)(i) and into (b)(1). With this change, the EAR now allows for the aforementioned items to be self-classified, meaning that product classification can take place in house without the need for an exporter to obtain a commodity classification (CCATS) directly from the BIS. Under this rule mass market components and executable software are subject to self-classification reporting requirements, while toolsets and toolkits are not. The shift from § 740.17(b)(3)(i) to (b)(1) additionally means these items are no longer subject to semi-annual sales reporting requirements.

While the regulatory burden in relation to classification and reporting for mass market items under license exception ENC has now been greatly reduced, it is important to keep in mind that this rule does not change any ENC requirements for non-mass market items, nor does it change any requirements for encryption item that implements nonstandard cryptography. If you have any questions or would like more information about the recent changes to the EAR relating to encryption reporting and classification requirements do not hesitate to contact an attorney at Barnes, Richardson & Colburn LLP.