October 5, 2016

Important Changes to Export Administration Regulations Affecting Software Industry

On September 20, 2016, the Department of Commerce’s Bureau of Industry and Security (BIS) issued a Final Rule, revising 58 Export Classification Control Numbers (ECCNs), adding two ECCNs, and updating technical definitions in the Export Administration Regulations (EAR). These updates are important to most companies that export software, including providers of mass-market software, network infrastructure software, open-source software, short-range wireless software, authentication-only software, software that requires annual reporting, and non-cryptographic information security software.

These updates include:

  • Companies are no longer required to file a company Encryption Registration prior to exporting 5D992 mass-market software or 5D002 software items eligible for self-classification.  
  • Exporters are now excused from the annual reporting requirements for 5D992 mass-market software and 5D002 software by filing a one-time product-specific Classification Request with BIS.
  • Publicly available encryption source code and corresponding object code is no longer “subject to the EAR” after compliance with the notification requirement. 
  • The threshold parameters for “network infrastructure” have changed and the software is now eligible for export to “less sensitive government end users” in certain countries, subject to semi-annual reporting requirements. 
  • New ECCNs cover items that perform specified “information security” functions but do not themselves include or use encryption, including for systems, equipment and components “for communications cable systems designed . . . to detect surreptitious intrusion,” and “for defeating, weakening or bypassing information security.” 
  • Software performing authentication-only encryption is now classified as EAR99. 
  • Short range wireless encryption items are now classified as EAR99.
  • A new License Exception authorizes exports, reexports, and transfers (in-country) among related parties for internal use when the parent company is headquartered in a list of “friendly” countries that was expanded to include Croatia.

These are just a few of the EAR changes most likely to affect exporters of software. If you would like additional information about the issues addressed in this client alert, please contact Rich Matheny or Jacob Osborn, or the Goodwin attorney with whom you typically consult.