Note: This rule does not change any of the existing restrictions on exports and reexports of encryption items to designated terrorist supporting countries and nationals of such countries, and persons designated in Part 744 of the EAR.
The United States has updated its encryption export control policy to reflect changes made to the Wassenaar Arrangement List of dual-use items. This rule also clarifies existing provisions of the Export Administration Regulations (EAR) pertaining to encryption export controls. This policy update includes the following features:
For the first time, "mass market" encryption commodities and software with symmetric key lengths exceeding 64 bits may be exported and reexported under Export Control Classification Numbers (ECCNs) 5A992 and 5D992, following a 30-day review by the Bureau of Industry and Security (BIS). See Note. Such "mass market" encryption products will no longer require post-export reporting or additional national security review for de minimis eligibility.
This rule amends the EAR by creating a new 30-day review procedure for "mass market" encryption commodities and software. The new "mass market" encryption review procedure is similar to the existing License Exception ENC review procedure for commodities and software controlled under ECCNs 5A002 and 5D002. To the European Union, Australia, Czech Republic, Hungary, Japan, New Zealand, Norway, Poland and Switzerland (except "code breaking" cryptanalytic products to government end-users), you may immediately export your encryption products once your review request is registered with BIS and the ENC Encryption Request Coordinator. To other countries, unless you are otherwise notified by BIS, you may export your "mass market" encryption products 30 calendar days after your review request is registered, even if you have not yet received your official authorization response from BIS. See Note. Encryption products submitted for review under these "mass market" or License Exception ENC review procedures do not require independent commodity classification by BIS.
The new rule clarifies that test, inspection and production equipment controlled under ECCN 5B002 is eligible for export and reexport to U.S. subsidiaries, government and non-government end-users in the European Union (plus the eight additional countries) and non-government end-users in all other countries (except in Cuba, Iran, Iraq, Libya, North Korea, Sudan, Syria) under the provisions of License Exception ENC.
Certain encryption items may be exported and reexported without review or notification
This rule clarifies that, when a license is not otherwise required, no review or notification is required to export or reexport the following:
1. Encryption items (including technology and source code) to U.S. companies and their subsidiaries (except exports and reexports to subsidiaries located in designated terrorist supporting countries, and encryption technology or source code to foreign nationals of these countries) for internal company use, including the development of new products by employees, contractors and interns of U.S. companies. Exporters are referred to Section 734.2 of the EAR for applicable definitions of "export" and "reexport" that apply to encryption source code and technology. (The encryption products that are developed using these items are subject to the EAR and require review before they are sold or transferred outside the company.)
2. Products that are only controlled as "Information Security" items because they incorporate parts and components with limited short-range wireless encryption capabilities (e.g. consumer products conforming to the Bluetooth, Home Radio Frequency - HomeRF or IEEE 802.11b - "WiFi" standards with operating range typically not exceeding 100 meters).
3. Items with limited use of cryptography, such as for authentication, digital signature, execution of copy protected software, commercial civil cellular telephones not capable of end-to-end encryption and finance specific items specially designed and limited to banking use or money transactions.
Encryption source code that would be considered publicly available (and the corresponding object code) may be exported and reexported to most destinations (see Note) under License Exception TSU (Technology and Software Unrestricted) once proper notification (or a copy of the source code) is provided to BIS and the ENC Encryption Request Coordinator, regardless of whether a fee or royalty is charged for commercial production or sale of products developed using this software. See 15 C.F.R. § 740.13(e).
These License Exception TSU provisions do not apply to encryption source code that would not be considered publicly available under Section 734.3(b)(3). However, such commercial proprietary source code may be immediately exported and reexported to government and non-government end-users in the European Union (plus the eight additional countries), and to non-government end-users in all other countries (except in Cuba, Iran, Iraq, Libya, North Korea, Sudan, and Syria), under License Exception ENC, once a proper review request (including a copy of the source code) is submitted.