26 May 2022

ACEING it: BIS publishes rule on cybersecurity licence exception

The US Bureau of Industry and Security (‘BIS’) has published a final rule which finalises ‘changes to License Exception ACE and corresponding changes in the definition section of the Export Administration Regulations (EAR) in response to public comments to an October 21, 2021 interim rule.’

BIS says that the interim rule ‘established a new control on certain cybersecurity items for National Security (NS) and Anti-terrorism (AT) reasons, as well as adding a new License Exception Authorized Cybersecurity Exports (ACE) that authorizes exports of these items to most destinations except in certain circumstances. These items warrant controls because these tools could be used for surveillance, espionage, or other actions that disrupt, deny or degrade the network or devices on it. This rule also corrects Export Control Classification Number (ECCN) 5D001 in the Commerce Control List.’

The final rule text in the Federal Register includes a useful and concise history of the evolution of the new controls, and notes that, following publication of the interim rule, BIS received a number of comments from industry that it had taken into account in framing the final rule. For example, ‘Several commenters asked for clarification of BIS’s “reason to know” standard. One commenter said that the end-use based control uses the phrase “knows or has reason to know” and asked if this was supposed to be different from the “knowledge” standard. Others recommended BIS provide guidelines on when an exporter would have “reason to know” something will be used for unauthorized surveillance. The terms “know” and “reason to know” use the same definition found in § 772.1 of the EAR as the term “knowledge,” which is the one that should be used for this rule. BIS has published extensive “Know Your Customer” guidance in supplement no. 3 to part 732 of the EAR and on its website. That information also applies to transactions under license exception ACE. BIS believes the current guidance is sufficient to address the questions raised by the commenters and declines to provide additional sector-specific guidance for this area beyond what is published on the website.’