U.S. Imposes Sweeping New Sanctions and Export Controls on Russia and Belarus, including on Certain Software and Related Services

Citing Russia’s “transition to a full war economy,” the United States imposed sweeping new sanctions and export controls on Russia and Belarus today, including companies and individuals that continue to supply Russia’s economy. The Office of Foreign Assets Control (OFAC), the Bureau of Industry and Security (BIS), and the State Department announced coordinated updates to their respective rules and regulations ahead of a Group of Seven (G7) leaders meeting this week.

The new sanctions measures include:

• A ban on the provision of (i) IT consultancy and design services and (ii) IT support or cloud-based services for “enterprise management software” and “design and manufacturing software." This measure takes effect on September 12, 2024.
• Expanded authority to impose secondary sanctions on foreign banks that conduct or facilitate significant transactions with or provide any service to persons blocked pursuant to Executive Order (E.O.) 14024, including sanctioned Russian banks and their overseas affiliates. This move will likely further restrict global banks’ willingness to conduct transactions involving Russia.
• The imposition of blocking sanctions on over 300 parties, including those central to Russia’s financial infrastructure, those operating in Russia’s defense and related materiel, manufacturing, energy, metals and mining, technology, transportation, and financial services sectors, and those involved in the evasion of U.S. and western sanctions, among others.

The new export control measures include four major updates to the Export Administration Regulations (EAR):

• Expansion of export control measures against Russia and Belarus, to cover certain enterprise and industrial software and to include more items subject to industry sector sanctions.
• Consolidation of Russia and Belarus sanctions into a single section of the EAR.
• Changes to the Entity List structure to include physical addresses associated with shell company service providers, and additional listings.
• Narrowing the scope of the Consumer Communications Devices (CCD) license exception for Russia and Belarus, and clarification of standards used to revoke license exceptions.

The new measures align the United States further with sanctions imposed by the European Union and other allies, presenting new risks for companies that continue to have links to Russia or the Russian economy. Collectively, they show a continuing focus by OFAC and BIS to counter Russia’s access to goods, software, and services that can provide material support for its war efforts, along with intense focus on third country circumvention channels.

1. New Sanctions Measures

        a. Software and IT Services: IT consultancy and design services, IT support and cloud-based services

Under a new Determination issued by OFAC pursuant to E.O. 14071, it will generally be prohibited to supply, directly or indirectly, certain IT and software services to any person located in Russia, subject to limited exceptions and certain authorized activities. Specifically, the Determination prohibits the supply of (i) “IT consultancy and design services” or (ii) “IT support services” and “cloud-based services” for “covered software,” which is currently defined to be “enterprise management software” and “design and manufacturing software." The restrictions notably apply to upgrading services and the provision of patches and updates to covered software already installed in Russia. OFAC expects that this element of the new sanctions will have a substantial impact on the use of covered software in the country.

OFAC issued a series of FAQs defining the key terms and describing the intended scope of the new restrictions, including the following:

IT consultancy and design services is both IT consulting services and IT design and development services for applications, and is defined consistent with United Nations’ Central Product Classification (CPC) Codes 83131 and 83141, respectively:

• IT consultancy services includes providing advice or expert opinion on technical matters related to the use of information technology, such as: (a) advice on matters such as hardware and software requirements and procurement; (b) systems integration; (c) systems security; and (d) provision of expert testimony on IT related issues.
• IT design and development services for applications includes services of designing the structure and/or writing the computer code necessary to create and/or implement a software application, such as: (a) designing the structure of a web page and/or writing the computer code necessary to create and implement a web page; (b) designing the structure and content of a database and/or writing the computer code necessary to create and implement a database; (c) designing the structure and writing the computer code necessary to design and develop a custom software application; (d) customization and integration, adapting (modifying, configuring, etc.) and installing an existing application so that it is functional within the clients’ information system environment.

OFAC further clarified that the retail sale of off-the-shelf software, falling under CPC Code 63252, is not included in the scope of IT consultancy and design services. However, such software could be captured by other restrictions, including the separate export controls administered by BIS. FAQ 1185 contains examples of services that would and would not be prohibited by the Determination.

Enterprise management software is enterprise resource planning (ERP), customer relationship management (CRM), business intelligence (BI), supply chain management (SCM), enterprise data warehouse (EDW), computerized maintenance management system (CMMS), project management, and product lifecycle management (PLM) software.

Design and manufacturing software is building information modelling (BIM), computer aided design (CAD), computer-aided manufacturing (CAM), and engineer to order (ETO) software.

Cloud-based services include the delivery of software via the internet or over the cloud, including through Software-as-a-Service (SaaS), or SaaS cloud services in relation to such software.

IT support services is defined consistent with CPC Code 83132 to include:

• providing technical expertise to solve problems for the client in using software, hardware, or an entire computer system, such as: (a) providing customer support in using or troubleshooting the software; (b) upgrading services and the provision of patches and updates; (c) providing customer support in using or troubleshooting the computer hardware, including testing and cleaning on a routine basis and repair of information technology (IT) equipment; (d) technical assistance in moving a client’s computer system to a new location; (e) providing customer support in using or troubleshooting the computer hardware and software in combination; and
• providing technical expertise to solve specialized problems for the client in using a computer system, such as: (a) auditing or assessing computer operations without providing advice or other follow-up action including auditing, assessing and documenting a server, network or process for components, capabilities, performance, or security; (b) data recovery services, i.e. retrieving a client’s data from a damaged or unstable hard drive or other storage medium, or providing standby computer equipment and duplicate software in a separate location to enable a client to relocate regular staff to resume and maintain routine computerized operations in event of a disaster such as a fire or flood; and (c) other IT technical support services not elsewhere classified.

FAQ 1186 contains examples of what would and would not be considered IT support or cloud-based services related to covered software.

             i. Exclusions, Limitations, and General Licenses

The Determination contains exceptions for services provided to entities in Russia that are owned or controlled by a U.S. person; services in connection with the wind down or divestiture of an entity in Russia that is not owned or controlled by a Russian person; and services for software that would be eligible for a license exception or otherwise authorized for export or reexport to Russia by the Department of Commerce. Such services are not prohibited by the Determination.

OFAC indicated in FAQ 1188 that the Determination does not apply to the provision of services to entities or individuals located outside of Russia, unless the benefit of the services is ultimately received by a person located in the Russian Federation. As a result, companies may continue to provide services to companies outside of Russia that may be owned or controlled by a Russian person, but must ensure that the ultimate benefit of the service is not received in Russia. The FAQ contains helpful examples of what would and would not be considered the impermissible indirect provision of services to Russia.

OFAC issued FAQ 1184 and amended certain general licenses indicating that the Determination does not prohibit certain services related to internet communications, telecommunications, and certain agricultural and medical activities. The general license amendments include an updated General License No. 25D, modifying the scope of authorized activities related to the exchange of communications over the internet.

             ii. Effective Date

The Determination takes effect on September 12, 2024. Companies subject to U.S. jurisdiction with remaining touch points with Russia must examine the Determination’s potential impact on their business and begin planning to suspend any services without scope of the Determination that would constitute violations of OFAC’s regulations.

      b. New secondary sanctions authority targeting foreign banks

On December 23, 2023, President Biden issued E.O. 14114, authorizing OFAC to impose secondary sanctions on foreign financial institutions that engage in conduct or facilitate any significant transaction or transactions, or provide any service involving Russia’s military-industrial base. Today, OFAC expanded the definition of “military-industrial base” to include any person subject to blocking sanctions pursuant to E.O. 14024, which includes most parties designated as SDNs in Russia, parties involved in Russia-related sanctions evasion, and parties owned, 50 percent or more, directly or indirectly, by such SDNs. As a result of the change, foreign banks that conduct, facilitate, or provide services to parties blocked pursuant to E.O. 14024, including major Russian financial institutions, risk the imposition of U.S. secondary sanctions.

This change is likely to cause banks to further limit ties with Russia given the severity of U.S. secondary sanctions consequences, including losing access to the U.S. and global financial systems.

       c. Additions to the SDN List

OFAC and the State Department imposed sanctions on over 300 parties today. These included:

• Entities and individuals in Russia, Belarus, the British Virgin Islands, Bulgaria, Kazakhstan, the Kyrgyz Republic, the PRC, Serbia, South Africa, Turkey, and the United Arab Emirates involved in sanctions evasion, circumvention, and backfill;
• Core elements of Russia’s financial infrastructure, including The Moscow Exchange (MOEX), The National Clearing Center (NCC), the Non-Bank Credit Institution Joint Stock Company National Settlement Depository (NSD), Gas Industry Insurance Company Sogaz (Sogaz), and Joint Stock Company Russian National Reinsurance Company (RNRC);
• Companies engaged in activities related to future energy production, including LNG projects and vessels; and
• Companies operating in Russia’s defense and related materiel, manufacturing, metals and mining, technology, transportation, and financial services sectors.

Transactions with these parties are prohibited for all U.S. persons and persons otherwise subject to U.S. jurisdiction. Foreign financial institutions also risk secondary sanctions for dealing with these parties. OFAC also issued or amended general licenses authorizing certain limited transactions involving certain of the newly sanctioned entities. Some of those authorizations are time limited.

2. New Export Control Measures

        a. New controls on EAR99 enterprise and industrial software and other items

Prior to today’s rulemaking, most EAR99 software remained eligible for export to Belarus and Russia. This final rule adds a new license requirement for EAR99 enterprise and industrial software, including updates to such software. The new rule will prohibit the transfer of ERP, CRM, BI, SCM, EDW, CMMS, PLM, BIM, CAD, CAM, and ETO software to or within both countries without prior authorization from Commerce or the use of a license exception or exclusion. Entities exclusively operating in the medical or agricultural sectors are excluded from the new license requirement, as are certain companies that are subsidiaries or joint ventures of companies headquartered in the United States and certain allied countries.

The new restrictions on enterprise and industrial software will become effective 90 days from formal publication of the rule in the Federal Register. The other amendments to the EAR are effective immediately.

Separately, BIS is adding many more EAR99 items to its list of critical industry items in Supplement No. 4 to Part 746. This change imposes a license requirement on goods classified in 522 Harmonized Tariff Codes at the 6-digit level (HTS-6 codes) for export to Belarus and Russia. Further, the list of highly sensitive items in Supplement No. 6 to Part 746 will now include riot control agents used by Russia as a method of warfare against Ukrainian forces in violation of the Chemical Weapons Convention.

To assist with compliance, BIS is posting a list of all HTS-6 codes listed in Supplement Nos. 2, 4, and 5 to Part 746, corresponding to the Russia and Belarus restrictions in Part 746, in downloadable XML format, available here.

        b. Consolidation of Russia and Belarus provisions

The new rule reorganizes and consolidates the Russia and Belarus country-specific license requirements and policies in Part 746 of the EAR into a revised and expanded Section 746.8. Specifically, former license requirements from Section 746.8 (general Russia and Belarus restrictions) are now found in paragraphs (a)(1) through (3) of Section 746.8; license requirements from former Section 746.5 (industry sector sanctions) are now found in paragraphs (a)(4) through (6) of Section 746.8; and license requirements from former Section 746.10 (luxury goods) are now found in paragraph (a)(7) of Section 746.8.

The rule also consolidates the Russia and Belarus licensing exclusions in paragraph (a)(12) of Section 746.8. These exclusions cover certain deemed exports or reexports for Russian and Belarussian nationals in the U.S. or third countries, certain transactions involving mass market encryption commodities and software and the newly controlled EAR99 enterprise and industrial software destined to U.S. and friendly country companies, and application of certain export jurisdictional rules to transactions from the Global Export Control Coalition (GECC) members (i.e., friendly countries) described in Supplement No. 3 to Part 746. The new Section 746.8 also consolidates applicable licensing policies under paragraph (b) and consolidates the license exception availability in paragraph (c).

        c. Changes and updates to the Entity List

In order to limit the diversion of goods to Entity List parties, BIS added a basis for Entity List designation – “Addresses with High Diversion Risk” – in new paragraph (f) Section 744.16 of the EAR. Pursuant to the new provision, BIS may identify by address an entity (or multiple entities) on the Entity List that presents a high risk of diversion without also identifying an associated entity name. Such listed address will have a licensing requirement for all items with export control classification numbers (ECCNs) on the Commerce Control List (CCL), as well as the more sensitive EAR99 items contained in Supplement No. 6 to Part 746 – but not other EAR99 items.

Under this new practice, BIS has added eight addresses in China to the Entity List. BIS reported that these addresses are associated with a multitude of entities and evidence of significant transshipment of sensitive goods to Russia. BIS also added five named entities in China and Russia to the Entity List on grounds of diversion of restricted items to Russia.

        d. Narrowing the scope of License Exception CCD

BIS revised and narrowed license exception CCD, at Section 740.19, to limit the scope of eligible consumer communications items that may be supplied to and within Russia and Belarus for personal use. This final rule revised and reordered paragraphs (b)(1) through (17), so that all the items that are eligible for Russia, Belarus, and Cuba are described under paragraphs (b)(1) through (8) and those that are eligible for Cuba only are in paragraphs (b)(9) through (18). The scope of items eligible for Russia and Belarus has been reduced to cover the most basic personal communications items, such as laptops and mobile phones, as well as related peripherals, while excluding items such as consumer-grade network equipment and storage drives that could be used to build a small office.

        e. Temporary Denial Orders and Notifications to U.S. distributors of electronic components

In addition to the rulemaking, BIS announced that it has issued two Temporary Denial Orders (TDOs) against Russian procurement networks facilitating exports of aircraft parts to Russia through third countries in violation of U.S. export controls. TDOs are severe enforcement measures that cut off not only the right to engage in exports and reexport subject to the EAR, but also the ability to receive or participate in transaction and dealings in items subject to the EAR (including restrictions on receiving or participating in support for such items).

BIS also noted that it recently informed over 130 U.S. distributors of additional restrictions on shipments to known suppliers to Russia, building on the U.S. government’s efforts to disrupt and prevent diversion of restricted items. BIS notes that the controls were intended to disrupt the supply of electronic components and related items to Russia.

Please contact the Fenwick Trade and National Security team with any questions about these regulatory developments.