BIS Eliminates Certain Encryption Reporting Requirements as Part of 2019 Wassenaar Changes
The Bureau of Industry and Security revised the Commerce Control List and the Export Administration Regulations to implement changes made during the 2019 Wassenaar Arrangement plenary, the agency said in a final rule released March 26. Along with revising various Export Control Classification Numbers and correcting language in the EAR, the rule eliminated certain reporting requirements for encryption items, which BIS expects to “reduce the regulatory burden” for U.S. exporters. The changes take effect March 29.
The rule eliminates several requirements, including an email notification requirement for certain “publicly available” encryption source code and beta test encryption software. The agency will also eliminate the self-classification reporting requirement for certain “mass market” encryption products and will allow self-classification reporting for certain ECCNs, including components of mass market products and their “executable software.” BIS stressed that the rule doesn’t make changes to License Exception Encryption commodities, software and technology (ENC) for “any non-‘mass market’ encryption item, or for any encryption item (‘mass market’ or not) that implements ‘non-standard cryptography.’”
All exports, reexports and transfers that now require a license as a result of these changes, and that were aboard a carrier to a port as of March 29, may proceed to their destinations so long as they have been exported before May 28. Any items not exported, reexported or transferred before midnight May 28 will require a license.