Breaking down the Latest National Security Tech Regulations


The Biden administration has significantly intensified national security-related technology regulation recently, focusing in particular on China-related vectors of risk. This has included:

  • Export controls on specified advanced integrated circuits — especially those used for artificial intelligence — machines incorporating them, and equipment to produce them;
  • A proposed rule that would establish due diligence and reporting requirements and certain restrictions, directed at providers of U.S. infrastructure as a service, or IaaS, a type of cloud computing service; and
  • Measures intended to secure the technology supply chain, including with respect to connected vehicles and Chinese-origin ship-to-shore cranes at U.S. ports.

This article will explore these developments and describe the related compliance implications.

The latest clarifications to export controls regarding advanced computing items and semiconductor manufacturing equipment, as set out in an interim final rule, were published on April 4.

Export Controls

Overview of Expanded Controls

In two rounds of rulemaking in October 2022 and October 2023, the U.S. Department of Commerce's, Bureau of Industry and Security issued controls under the Export Administration Regulations, or EAR, regarding (1) advanced-node integrated circuits and electronic assemblies and computers incorporating them, (2) certain semiconductor manufacturing equipment, and (3) support for the development or production of supercomputers or specified advanced electronics.

Specifically, the rules:

  • Expand the EAR's coverage under the Commerce Control List to include specified advanced computing integrated circuits, electronics, subassemblies and computers that incorporate them, as well as specified semiconductor manufacturing equipment;
  • Broaden the reach of the EAR foreign direct product rule to cover a range of non-U.S. items that are derived from U.S. technology or software;
  • Impose license requirements for the export, reexport and transfer of controlled items to or within certain countries, including China and other countries that present risk of diversion to China or data center usage by China, with additional restrictions on companies headquartered in, or those with parents headquartered in, such countries;
  • Restrict U.S. persons from supporting the development or production of certain integrated circuits in certain jurisdictions; and
  • Restrict certain exports, reexports and transfers with knowledge that an item will be used in certain production of supercomputers or of integrated circuits at certain facilities.

Items Controlled

In the October 2022 and October 2023 rules, a key vehicle for the new controls is Export Control Classification Number, or ECCN, 3A090, which covers advanced integrated circuits that meet certain performance parameters, relying on two metrics: total processing performance, a complex measure of computer computations relative to processing units on a chip; and performance density, total processing performance divided by the area of silicon on a single integrated circuit.

Relatedly, ECCN 4A090 covers electronic assemblies and computers that incorporate integrated circuits controlled under ECCN 3A090.

As amended in the October 2023 rule, ECCN 3A090 draws a distinction between integrated circuits used in data centers and those that are not, imposing enhanced controls on data center chips that meet certain parameters. This is reflective of BIS' concern regarding the usage of data centers to train large AI models.

Furthermore, the rules expanded controls on semiconductor manufacturing equipment. Specifically, the new rules have ushered in controls over certain equipment designed for epitaxial growth, etch equipment, deposition equipment and inspection equipment.

Destination-Based Controls

The export controls impose restrictions based on the destination of the export and the headquarters or parent company of the company receiving the item. Specifically, companies must seek a license to export advanced computing items that are destined for China — including Hong Kong and Macau — and 43 other countries specified in BIS Country Groups D:1, D:4 and D:5.[5]

Regarding specified semiconductor manufacturing equipment, a license is required to export, reexport or transfer covered items to or within China, including Hong Kong and Macau, and the 22 arms-embargoed countries listed in BIS Country Group D:5.

Furthermore, pursuant to the October 2023 interim final rule, a license is required for export, reexport or transfer of advanced computing items to or within any country, when the end user is headquartered in, or its ultimate parent company is headquartered in, China, including Hong Kong or Macau, or the other 22 countries in Country Group D:5. This is a significant modification, attempting to prevent such companies from setting up cloud or data servers in third countries to train AI models contrary to U.S. national security interests.

Companies should be mindful of the expanded geographic scope of the new rules, which now sweep far beyond China to cover much of the Middle East and other parts of Asia.

Expanded Foreign Direct Product Rules

The new BIS rules significantly expand the foreign direct product rules under the EAR to cover a range of non-U.S. advanced computing items and semiconductor manufacturing equipment that are the direct product of certain U.S. technology or software, or of a plant or major component of a plant that is the direct product of such U.S. technology or software.

Given the U.S.' outsized role in tech development, this has the practical effect of subjecting a broad array of non-U.S. items to U.S. export control jurisdiction, and prompting impacted companies to conduct sophisticated jurisdictional assessments with respect to their items.

Accurately gauging the impact of these rules requires a detailed understanding of the role of U.S. technology and software in the research, development and production processes, which can present significant diligence challenges.

U.S. Person Support for Certain Development or Production Activity

BIS has imposed licensing requirements on U.S. persons that support the development or production of certain integrated circuits in China — including Hong Kong and Macau — or any of the other 22 arms-embargoed countries, or at a facility of an entity headquartered or with a parent in such countries.

Support includes shipping, transmitting or transferring in-country items not subject to the EAR; facilitating such activities; or servicing items not subject to the EAR.

Notably, BIS provided for certain exclusions from these restrictions in its October 2023 rules. First, backend production steps, such as assembly, testing or packaging, that do not alter the technology level of an item, are excluded.

Second, U.S. persons employed by or working on behalf of certain companies headquartered in the U.S. or certain allied countries are excluded as well.

U.S. person participants in the semiconductor value chain should assess whether they provide the type of support that could be restricted under the rules.

End-Use Controls

Under the BIS rules, a license is required to export any item subject to the EAR (1) with knowledge that the items will be used in the development or production of integrated circuits at a facility in China or the arms-embargoed countries where production of advanced-node integrated circuits takes place, or (2) to China or one of the arms-embargoed countries with knowledge that the item will be used in the development or production of certain front-end integrated circuit production equipment.

Companies in the semiconductor value chain should conduct reasonably tailored end-use diligence when selling to counterparties in order to assess the potential applicability of these controls.

License Exception

BIS has issued a license exception — titled "Notified Advanced Computing" — that eliminates the licensing requirement in many instances described above, with the notable exception of certain sensitive data center items.

Any party seeking to use License Exception Notified Advanced Computing should review its terms closely.

Possible Controls on Cloud Computing

While the export controls described above address the flow of advanced computing capabilities to countries of concern, U.S. authorities also are concerned about the ability to remotely access computing capacity to train large AI models via cloud resources.

In the October 2023 rule, BIS noted that it is considering what additional regulations may be appropriate to address this issue.[6]

Along these lines, as mentioned above, in January, BIS proposed certain due diligence and reporting requirements for U.S. IaaS providers and their foreign resellers.[7]

Specifically, under the proposed rule, U.S. IaaS providers and their foreign resellers would be required to implement customer identification programs to verify the identity of foreign account holders.[8] BIS would also be empowered to impose special measures to restrict the opening and maintenance of U.S. IaaS accounts.

Finally, under the proposed rule, U.S. IaaS providers would be required to report instances of training runs by foreign persons for large AI models with potential capabilities usable in malicious cyber-enabled activity. Parties have until April 29 to comment on the proposed rule. 

Companies in the industry should monitor developments regarding this rulemaking and anticipate the eventual need to develop compliance programs as envisioned in the proposed rule.

Technology Supply Chain Measures

In addition to stemming the flow of advanced technology to countries of concern, U.S. authorities also have focused on risks arising from items sourced from such countries. Two recent developments in this respect are notable.

First, the Commerce Department issued an advanced notice of proposed rulemaking to initiate the process to regulate national security risks presented by certain foreign technology in connected vehicles. Specifically, the advanced notice of proposed rulemaking focuses on connected vehicle-related "information and communications technology and services" supplied by persons with a nexus to designated foreign adversaries, such as China.

Second, the U.S. Coast Guard issued a maritime security directive regarding risks posed by ship-to-shore cranes manufactured in China.

Companies seeking to source from China such items — or other information and communications technology and services — should assess the impact of U.S. supply chain regulation on their business planning and operations.

Global Impact

While BIS' export control revisions in the October 2022 rule were unilateral, practically speaking, they required buy-in from the Netherlands and Japan, two major producers of the items BIS sought to control. In January 2023, the three countries reached a deal to align export control policies on advanced semiconductor manufacturing equipment.[9]

The Netherlands and Japan announced their intention to proceed with new export controls the following March.[10] Since then, both countries largely appear to have aligned their export control regimes with U.S. controls regarding semiconductor manufacturing equipment.[11] In fact, the Dutch government broadcasted its conformity by partially revoking an export license for shipping lithography systems to China in early 2024.[12]

China's Response                                                             

China has expressed "serious concerns" over U.S. export controls,[13] and reports suggest that such controls may be spurring Chinese domestic investments and strengthening its chip production.

Reportedly, Huawei, China's telecom giant, may be working more closely with Semiconductor Manufacturing International Corporation, China's biggest chip manufacturer, with help from Chinese government subsidies. Reports also indicate that China may be working around the controls by training AI models on large numbers of less sophisticated integrated circuits.[14]

China has also retaliated. Specifically, it has requested dispute settlement consultations at the World Trade Organization over BIS' export controls, arguing that they are inconsistent with multilateral trade rules,[15] and it has implemented its own export restrictions on metals used in the electronics and fiber optics industries, as well as those used to produce lithium-ion batteries for electric vehicles.[16]

As of August 2023, China requires export permits for gallium and germanium, and even more recently for types of graphite.[17] China's restrictions have also spread to an export ban on rare earth extraction and separation technologies.[18] China produces 60% of the global supply of rare earth elements, a group of 17 metals used in all kinds of sensitive military applications, and processes almost 90% of them.[19]

Accordingly, Chinese retaliatory export controls can have a significant effect on the global supply chain.

Key Takeaways

Companies all along the semiconductor value chain, across all industries and all geographies, should be mindful of the nature and extent of the highly complex, sweeping U.S. controls, and how they can affect research and development, investment, production, and sales.

In this regard, it is especially important to note that this is a dynamic, highly sensitive area at the heart of the great power competition of the 2020s and the apex of national security concerns regarding AI, and accordingly is subject to further U.S. regulatory developments — as BIS as previewed — controls implemented by other U.S.-aligned countries, and Chinese countermeasures.

Along these lines, it will be important to watch BIS regulation of cloud services, which BIS has identified as an area of focus, as well as U.S. regulation of the technology supply chain. 

"Breaking down the Latest National Security Tech Regulations," by Brendan Saslow and Anthony Rapa was published in Law360 on April 4, 2024.