On September 9, 2022, the U.S. Commerce Department’s Bureau of Industry and Security (BIS or Commerce) published a rule, sought by tech and telecom companies, and industry organizations, authorizing the release of certain technology and software to BIS Entity List parties who would otherwise be subject to a U.S. export ban prohibiting their receipt of such items.
The rule, Authorization of Certain “Items” to Entities on the Entity List in the Context of Specific Standards Activities (IFRM), amends the Export Administration Regulations (EAR) to authorize the release of specified items subject to the EAR Entity List parties without an export license, when that release occurs in the context of a “standards-related activity,” a term newly defined by the IFRM. The IFRM became effective upon publication, and comments are due by November 8, 2022. Companies engaged in standards-related activities are invited to provide comments to BIS on the impact of this rule and whether further clarity is necessary.
Commerce previously amended the EAR to authorize certain releases of technology without a license to Huawei Technologies Co., Ltd. and its affiliates (“Huawei”) in the context of international standards development, following Huawei’s designation on the Entity List. The IFRM responds to requests from across industry to ensure that U.S. companies are able to participate fully in standards development organizations in which Entity List parties are members, or otherwise risk hampering U.S. leadership in standards development.
The scope of the IFRM includes certain low-controlled technology as well as software; however, the IFRM does not change the assessment of whether technology or software is subject to the EAR. This authorization only overcomes export licensing requirements imposed as a result of an entity’s inclusion on the Entity List. Other EAR licensing requirements, such as restrictions on certain end-use activities or country-based controls, continue to apply.
BIS places entities on the Entity List pursuant to Section 744.11 of the EAR, which imposes license requirements on, and limits the availability of most license exceptions for, exports, reexports and transfers (in-country) to listed entities.
On June 18, 2020, BIS published an interim final rule, Release of “Technology” to Certain Entities on the Entity List in the Context of Standards Organizations, with a request for comment, to allow exchanges of certain EAR-controlled technology in a standards organization environment specifically for Huawei. In particular, technology subject to the EAR and designated as EAR99 or controlled on the Commerce Control List (CCL) only for anti-terrorism (AT) reasons could be released to members of a standards organization, including Huawei, without a license, if released for the purpose of contributing to the revision or development of a standard.
Responsive comments generally urged additional action to expand the scope of the standards exemption to maintain and restore the ability of U.S. participation in international standards development. In response to comments received, BIS issued the IFRM, stating its intent “to protect U.S. technological leadership without discouraging, and indeed supporting and promoting, the full participation of U.S. actors in international standards development efforts.”
The scope of the IFRM parallels the 2020 Huawei-related rulemaking; however, with two major differences:
First, the IFRM revises the authorization to include all entities on the Entity List, and it expanded the scope to cover certain software as well as technology. Accordingly, qualifying technology and software may be released to any Entity List members of a standards organization, without a license, if released for the purpose of contributing to the revision or development of a standard.
Second, BIS affirmed that information security is an important part of standards work, including in the development of 5G standards. Accordingly, the authorization includes software and technology that is designated EAR99; software and technology controlled for AT reasons only; and software that is classified in ECCN subparagraphs 5D002.b and 5D002.c.1 (only when corresponding to equipment specified in ECCNs 5A002.a and 5A002.c) and technology classified in 5E002 (only when corresponding to equipment specified in ECCNs 5A002.a, 5A002.b and 5A002.c, and for software controlled under ECCN 5D002.b and .c.1) when the release is for the “development,” “production” and “use” of cryptographic functionality in connection with the “standards-related activity.”
The general consensus of the comments was that the EAR’s prior use of the definitions for “standards” and “standards organizations” derived from the Office of Management and Budget (OMB) Circular A-119 was not appropriate for this context and created uncertainty and questions.
The IFRM removes the definitions of “standards” and “standards organization” from the EAR and instead incorporates a definition for “standards-related activity,” which is defined to include the development, adoption or application of a standard (i.e., any document or other writing that provides, for common and repeated use, rules, guidelines, technical or other characteristics for products or related processes and production methods, with which compliance is not mandatory), including but not limited to conformity assessment procedures, with the intent that the resulting standard will be “published.” A “standards-related activity” includes an action taken for the purpose of developing, promulgating, revising, amending, reissuing, interpreting, implementing or otherwise maintaining or applying such a standard. Note that the underlying work product need not itself be published, so long as there is an intent to publish the resulting standard.
Commerce is requesting comments on the revisions promulgated by the rule. In particular, BIS seeks comments in the following areas:
As companies consider whether to submit comments, they should evaluate the impact of the authorization to their business operations and whether they can propose more accurate definitions that reflect industry understanding of the terminology used in the rule.
The IFRM removes significant industry uncertainty surrounding participation in standards development and enables greater U.S. participation in international standards development, which is critical to U.S. competitiveness and access to global markets.
Companies should stay alert to releases occurring outside of the “standards-related activity,” which continue to require a license, as would one-on-one (individual-to-individual) discussions that do not relate to a “standards-related activity” (e.g., a sidebar conversation on another topic).
Moreover, standards organizations and their constituent members will need to take stock of their technology and software classifications and be intentional about implementing controls around any items whose ECCNs are not covered by this new rule.