These updates include:
- Companies are no longer required to file a company Encryption Registration prior to exporting 5D992 mass-market software or 5D002 software items eligible for self-classification.
- Exporters are now excused from the annual reporting requirements for 5D992 mass-market software and 5D002 software by filing a one-time product-specific Classification Request with BIS.
- Publicly available encryption source code and corresponding object code are no longer “subject to the EAR” after compliance with the notification requirement.
- The threshold parameters for “network infrastructure” have changed and the software is now eligible for export to “less sensitive government end users” in certain countries, subject to semi-annual reporting requirements.
- New ECCNs cover items that perform specified “information security” functions but do not themselves include or use encryption, including for systems, equipment and components “for communications cable systems designed . . . to detect surreptitious intrusion,” and “for defeating, weakening or bypassing information security.”
- Software performing authentication-only encryption is now classified as EAR99.
- Short range wireless encryption items are now classified as EAR99.
- A new License Exception authorizes exports, reexports, and transfers (in-country) among related parties for internal use when the parent company is headquartered in a list of “friendly” countries that was expanded to include Croatia.
These are just a few of the EAR changes most likely to affect exporters of software. If you would like additional information about the issues addressed in this client alert, please contact Rich Matheny or Jacob Osborn, or the Goodwin attorney with whom you typically consult.