New U.S. Export Control Regulation Lessens Restrictions on Products with Ancillary Cryptography and Eases Review and Reporting Requirements

June 25, 2010

The United States Department of Commerce’s Bureau of Industry and Security (BIS) issued an interim final rule today that reduces restrictions on products with ancillary cryptography as well as increases the efficiency of its review and reporting process.  These reforms mark an early step in the Obama Administration’s promised revision of export controls and substantially lessen the burdens on companies that export products with encryption technology.  The new rule aids exporters in two significant ways.

First, the new rule removes products with ancillary cryptography from export controls altogether.  While these items previously neither had to comply with semi-annual reporting requirements nor undergo a BIS review, they were still controlled by Export Administration Regulations (EAR) unless they met additional criteria.  In accordance with the Wassenaar Agreement’s December 2009 decision, the new rule removes products with ancillary cryptography from the Commerce Control List (CCL) entirely.  These products can now be classified as EAR99 and shipped to most countries without a license.  If a product was previously classified as possessing “ancillary cryptography,” exporters should re-classify it either under a different provision of the CCL or as EAR99.  This loosening of export controls ensures that companies will now be able to ship products with ancillary cryptography without having to navigate the intricacies of BIS regulations.

Second, the new rule reduces the review and reporting requirements for a number of products with encryption technology.  Previously, EAR divided products requiring BIS review into two categories.  More sophisticated encryption products such as network infrastructure software were classified as “license exception ENC restricted” under 15 C.F.R. § 740.17(b)(2).  These products required both a thirty-day waiting period for review as well as a number of export restrictions.  In contrast, general hardware and software with strong encryption were treated as “license exception ENC unrestricted” under 15 C.F.R. § 740.17(b)(3).  Save for shipping destinations such as embargoed nations and prohibited end-users, the export of these items was largely unrestricted.  Nevertheless, they too had to undergo a thirty-day review period.  Additionally, companies with products in either category had to meet semi-annual reporting requirements under 15 C.F.R. § 740.17(e).  For software corporations who primarily exported 740.17(b)(3) items on a large scale, the review and reporting requirements were particularly burdensome.

The new rule aids exporters of 740.17(b)(3) products by reducing the review and reporting requirements for most of these items.  Companies can now self-classify the majority of mass market products and export them without a review or license.  Moreover, they are not required to submit a detailed semi-annual report.  The only 740.17(b)(3) items that will not benefit from this new rule are encryption components and products employing non-standard encryption technology.  Products classified under 740.17(b)(2) will continue to face the standard review and reporting requirements for now.

Exporters freed from the older requirements must still comply with two minimal obligations.  First, a company will have to register with BIS and provide standard information such as its name and address.  Following this one-time registration, BIS will provide the company with an Encryption Registration Number (ERN) authorizing it to self-classify and ship their products on an unrestricted basis.  Second, the company must provide BIS with an annual report by February 1 of each year describing all of the products it has self-classified for the previous year.  This report requires only minimal details such as the model number, the self-classification Export Classification Control Number (ECCN), and the type of product.  This report must be submitted via email to BIS and the ENC Encryption Request Coordinator at the National Security Agency.  Even with these requirements, the new regulatory scheme imposes significantly less burdens on exporters of encryption technology.

As these reforms are part of an interim final rule, they will take effect immediately.  BIS will nevertheless accept comments on the rule from interested companies until August 24, 2010.


Gibson, Dunn & Crutcher’s International Trade Regulation and Compliance Practice Group is available to assist with any questions you may have regarding these issues.  For further information please contact the Gibson Dunn attorney with whom you work or any of the following attorneys in the firm’s Washington, D.C. office:

International Trade Regulation and Compliance Practice Group
Daniel J. Plaine (202-955-8286, [email protected])
Judith A. Lee (202-887-3591, [email protected])
John J. Sullivan (202-955-8565, [email protected])
Jim Slear (202-955-8578, [email protected])
Andrea Farr (202-955-8680, [email protected])

© 2010 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.