Fans of the movie “Office Space” are familiar with the dreaded TPS Report. Recently, the U.S. Bureau of Industry and Security (BIS) finalized its plans to reduce reporting requirements for certain encryption items. This change was made “in order to reduce exporters’ regulatory burdens.”
By way of background, BIS is responsible for oversight and enforcement of the Export Administration Regulations (EAR) under jurisdiction of the U.S. Department of Commerce. The EAR controls the export of various commercial and dual-use items and technologies. Some of those items include commodities, software and technology subject to various encryption controls under the regulations. Under the previous rules, exporters were required to provide reports to BIS on certain of these encryption items. The new rule eliminates some – but not all of – these reporting requirements.
Specifically, the new rule (effective March 29), implements the following changes:
- Eliminates the email notification requirement for ‘publicly available’ encryption source code and beta test encryption software, except for ‘publicly available’ encryption source code and beta test encryption software implementing ‘‘non-standard cryptography’’; and
- Eliminates the self-classification reporting requirement for certain ‘mass market’ encryption products under §740.17(b)(1); and
- Allows self-classification reporting for ECCN 5A992.c or 5D992.c components of ‘mass market’ products (and their ‘executable software’). This rule moves ‘‘mass market’’ ‘‘components,’’ ‘executable software’, toolsets, and toolkits out of § 740.17(b)(3)(i) and into (b)(1). Of those four items, only ‘‘mass market’’ ‘‘components’’ and ‘executable software’ are subject to self-classification reporting. Mass market toolsets and toolkits are not subject to self-classification reporting.
It’s important to note that this rule does not change any of the License Exception ENC requirements for any non-‘mass market’ encryption item, or for any encryption item (‘mass market’ or not) that implements “non-standard cryptography.”
As you are reading this rule above, keep in mind that any terms appearing in double quotes (“like this”) refers to a specific definition that can be found in Part 772 of the EAR. However, a term in single quotes (‘like this’) is defined or explained in that section of the regulations.
In addition to changing these reporting requirements, BIS also updated a variety of Export Control Classification Numbers (ECCN) to harmonize these items with the latest Wassenaar Arrangement decisions from December 2019. The 22 ECCNs impacted by these changes are:
0A502, 0A503, 0A606, 1A002, 1A005, 1A006, 1A613, 1B002, 1C001, 1C002, 1C006, 1C010, 2A001, 3B001, 3E002, 5A002, 6A004, 6A005, 6A008, 9A011, 9D515, and 9E003.
You can read the full text of the BIS notice here.
If you need help understanding encryption reporting requirements or you have a product/technology controlled by one of these ECCNs, please schedule a no-charge consultation to see how we can help. (If, however, you need to complete a stack of TPS reports for your boss, sorry – you’re on your own!)
Tom Reynolds is the Vice President of Operations for Export Solutions, a consultancy firm which specializes in helping companies with import/export compliance.