On December 2, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) announced its third round of export controls,1 primarily aimed at creating an “independent and controllable” semiconductor industry to support military modernization. targeted at China’s attempts to do so. The new export control package consists of two regulations, each establishing a number of new export controls2 and over 140 new entity list designations3. The Biden administration had previously issued export controls targeting advanced computing and semiconductor manufacturing equipment starting October 7, 202224 and October 25, 2023.35
According to the accompanying press release, these measures under the Export Administration Regulations (EAR) “limit (China’s) ability to domesticate the production of advanced technologies, such as advanced node integrated circuits and the equipment used in their production. It is intended to do so.” poses a significant risk to the national security of the United States. ” Although the focus of this new rule is clearly China, many of the new rules apply to all “D:5” countries (i.e., countries under the U.S. arms embargo, including China)6 and Macau. Certain new regulations also include carve-outs for companies headquartered in U.S. allies. One notable change that treats commercial software license keys as new exports of the underlying software applies broadly to exported software and hardware distributed according to the license key mechanism. Some of the key parts of the new rules are outlined below.
Expansion of export control jurisdiction
U.S. export control jurisdiction applies to all items of U.S. origin, all items exported from the U.S., foreign-made products containing at least a minimum amount of U.S. content (De Minimis Rule), and certain Applies to foreign products. A “direct product” of certain U.S. technology or production equipment (Foreign Direct Product (FDP) Regulations). The new rules extend the FDP and De Minimis rules to cover additional foreign-made items.
There are two new FDP rules.
First, certain Entity List companies are subject to the new “Footnote 5” FDP rules. Companies with a “Footnote 5” designation are subject to additional limitations beyond those generally applicable to most other Entity List designators. Under the new Footnote 5 FDP Regulations, if the exporter has constructive knowledge that foreign goods (i) will be incorporated into something produced, purchased, or ordered by the Footnote 5 designee, the U.S. ‘s export control jurisdiction applies to certain “direct products.” or (ii) is part of a transaction to which the person specified in footnote 5 is a party. Second, the new rules introduce new FDP rules specific to semiconductor manufacturing equipment (SMEs), which are themselves direct products of certain software, technology, or manufacturing equipment subject to U.S. export controls. Extends U.S. regulatory jurisdiction to foreign-made small businesses. For example, rather than applying only to small and medium-sized enterprises embodying U.S.-originated technology or software, jurisdiction would apply based on a separate FDP rule’s extension of jurisdiction. The Small Business FDP rules apply to small businesses bound for U.S. arms embargoed countries or Macau.
The general de minimis rule extends U.S. jurisdiction to certain foreign-made items, such that foreign-made items with at least 25% (10% in sanctioned territories) U.S. content must be subject to U.S. It stipulates that export control regulations apply to the following: To further expand U.S. jurisdiction, new provisions have been added to the de minimis rule, including:
There is typically no minimum level for certain small businesses if the equipment is used for the “development” or “production” of certain advanced semiconductors. This means that if it contains a non-zero percentage of US content, the device falls under the jurisdiction of US export controls. If a product contains U.S.-origin integrated circuits and is destined for a U.S. arms embargo (or Macau) (with some exceptions) or a Footnote 5 destination, it typically There are no minimum levels for companies. The purpose of this change is to ensure that foreign-produced small businesses that include U.S.-origin parts are subject to the same degree of control as foreign-produced small businesses that are subject to the FDP described above.
New “red flag”
The new regulations introduce eight new compliance “red flags” intended to guide exporters’ due diligence analysis. Various aspects of U.S. export controls depend on a person’s knowledge (whether actual or constructive knowledge) of the end use, end user, final destination, or other facts relevant to the transaction. It depends. Red Flags provide guidance on how individuals and businesses should act based on this knowledge standard.
There are eight new red flags, including, among others:
Red Flag #21: The exporter receives an order where the ultimate owner or user of the item is unknown. Typically, the order may ask the vendor for equipment for the “development” or “production” of integrated circuits, if the item is customized for the end user or installed by the supplier. The ultimate owner or beneficiary is unknown, as the distributor is unlikely to be the end user of the equipment. This raises concerns about the potential for products to be diverted to unauthorized parties, destinations, or end users. Red Flag 24: The exporter receives a request for items or services from a customer whose senior management or technical lead overlaps with an entity listed on the Entity List. This likewise raises concerns about possible diversion to unauthorized parties or end users. Red Flag 26: For purposes of Footnote 5 and the SME FDP Rule, certain foreign-produced items containing at least one integrated circuit are presumed to meet the scope of the applicable FDP Rule. Exporters are now expected to resolve this red flag, including by investigating whether U.S. software, technology or production equipment was used in design or manufacturing before proceeding.
The new “red flags” appear to be primarily focused on compliance obligations for items and activities covered by this new regulation. However, because they are included in the generally applicable portions of the EAR, they may be considered to increase the degree of end-use diligence generally expected of exporters.
“Software key”
Previously, the EAR stated that “access information” that permits access to encrypted technology or software in unencrypted form is subject to the same restrictions as decrypted technology or software. I did. The new rules extend these restrictions to broadly cover “software keys” that enable software or hardware to be used by authorized users. Therefore, any software or hardware that can be accessed or used pursuant to a software license key mechanism is deemed to be newly exported each time a software license key is provided to an end user. Therefore, if a legacy product was not export controlled when it was first provided to a user, if the product, end user, or end use has been subject to new export controls since it was first provided, a new Software license keys may imply export license requirements. .
This means that any software or hardware product that relies on software keys (such as license keys for annual renewals) must be fully evaluated as it relates to new exports of the underlying software or hardware. , meaning the exporter may need to deactivate the user’s access. If the Software was exported under an expired license, or if the controls governing the Product or Customer changed after the Product was originally exported. Therefore, companies that require software keys to access their software or hardware must incorporate dynamic compliance measures to ensure that software keys are not sent to unauthorized users.
New end-user restrictions for design software
The EAR restricts the export of certain items if the end use is related to the “development” or “production” of advanced semiconductors in U.S. arms embargoed countries or Macau. The new rules expand these limits and allow electronic computer-aided design (ECAD) and technical computer-aided design (TCAD) software to be provision is prohibited.
New controls for high-bandwidth memory (HBM)
HBM is used in most cutting-edge semiconductors, especially those used in advanced AI models. BIS has added a new Export Control Classification Number (ECCN) – ECCN 3A090.c – to cover HBM stacks with specific memory bandwidth densities. BIS’s policy rationale for imposing these new regulations is that “these applications enable sophisticated military and intelligence applications, lower barriers to entry for non-specialists in developing weapons of mass destruction, and enable powerful offensive cyber “We can support operations and support the use of mass surveillance.” commit human rights violations; ” This new ECCN covers the HBM stack as a standalone product. Semiconductors incorporating HBM stacks typically fall into existing ECCNs.
ECCN 3A090.c is also not eligible for Notified Advanced Computing (NAC) or Advanced Computing (ACA) license exceptions. However, the new rule introduces a license exception for HBM, which requires that (1) the destination is a packaging site owned by a U.S. or affiliated corporate entity, and (2) the U.S. or affiliated corporate entity carefully tracks the HBM in transit. Allows you to transport HBM if you have It is sent from the packing site and returned.
Entity List Expansion and Removal from Verified End User Program
BIS has added 140 new entities to its Entity List, including entities from China, Japan, South Korea, and Singapore. These include supporting the development and production of semiconductors and small businesses for military end-use, seeking to circumvent U.S. export controls, and supporting Huawei’s efforts to support the Chinese government’s goal of indigenizing the semiconductor industry. This includes semiconductor manufacturing plants and tool companies that were found to have BIS also named three investment companies found to have supported the Chinese government’s efforts to acquire sensitive semiconductor manufacturing capacity. A license will be required to export items subject to U.S. export control jurisdiction to these new designees.
BIS also made changes to its Verified End User (VEU) program. A VEU is a designated entity that can export eligible items subject to the EAR under a general EAR authorization rather than a specific license. Three Chinese companies were excluded from the VEU program.
* * *
The adoption of new red flags and increased restrictions on software keys is effective immediately. The majority of remaining changes will become effective on December 31, 2024, including new FDP rules, HBM controls, and entity list licensing requirements.
These rules are likely to be part of the final export control measures BIS issues under the Biden administration and its purported “tall fence, high fence” strategy. Looking ahead to export control policies under the incoming Trump administration, restrictions on semiconductors, advanced computing, and supercomputing, among other high-tech sectors, are likely to remain a focus of national security and foreign policy.
