Yes. The recipient must obtain a Department of Commerce license for such a transfer. If a license is granted, the recipient should notify subsequent recipients and the footnote 1 designated entity of any license conditions.

Company X must have received a license or have confirmation that a license was obtained by the manufacturer of the foreign produced component(s) subject to the EAR under footnote 1. The EAR imposes a license requirement for the export from abroad, reexport, or transfer (in-country) of a foreign-produced direct product (i.e., the component) when there is “knowledge” that it (the foreign-produced direct product) will be incorporated or used in the “production” or “development” of any “part,” “component,” or “equipment” produced, purchased, or ordered by a footnote 1 designated entity or where a footnote 1 entity is a party to the transaction. This response is consistent with previous guidance from BIS, in particular Supply Chain FAQ # 1, describing licensing requirements in the context of a supply chain. Failure by Company X to either: (1) confirm that the component supplier has obtained a license for the export from abroad, reexport, or transfer of the component subject to the EAR under footnote 1 being incorporated by Company X or a third party at Company X’s direction into an item destined to a footnote 1 designated entity; or (2) obtain a license for the export from abroad, reexport, or transfer (in-country) of the component subject to the EAR under footnote 1 from the component supplier to Company X implicates General Prohibition 10. General Prohibition 10 prohibits proceeding with transactions with knowledge that a violation has occurred or is about to occur. See 15 C.F.R. §§ 736.2(b)(10) and 764.2(e). 
Specifically, absent an applicable license, Company X or its subcontractors “may not sell, transfer, export, reexport, finance, order, buy, remove, conceal, store, use, loan, dispose of, transport, forward, or otherwise service, in whole or in part” the components for incorporation into or use in the “production” or “development” of any “part,” “component,” or “equipment” produced, purchased, or ordered by a footnote 1 entity or where a footnote 1 entity is a party to the transaction without authorization. See §§ 736.2(b)(10) and 764.2(e) of the EAR.

This list is published in the IAEA’s Information Circular titled "Agreement between the Government of India and the International Atomic Energy Agency for the Application of Safeguards to Civilian Nuclear Facilities" (INFCIRC/754), which is available at the IAEA’s website (www.iaea.org). In this document there is an annex (the "List of Facilities Subject to Safeguards Under the Agreement Between the Government of India and The International Atomic Energy Agency for the Application of Safeguards to Civilian Nuclear Facilities") that contains the list of nuclear reactors (including power plants) and fuel fabrication facilities under IAEA safeguards. Please note that this list is updated regularly with the publication of documents titled "Agreement between the Government of India and the International Atomic Energy Agency for the Application of Safeguards to Civilian Nuclear Facilities: Addition to the List of Facilities Subject to Safeguards Under the Agreement" and that these updates are numbered as follows: INFCIRC/754/Add.1, INFCIRC/754/Add.2, INFCIRC/754/Add.3, etc. BIS recommends that exporters check the most recent version of the list on a regular basis by searching the IAEA’s website for "INFCIRC/754". As of November 18, 2013, the most recent version of this document is INFCIRC/754/Add.4.

No. Hospitals and medical centers of Indian Department of Atomic Energy (DAE) entities are not—and were never intended to be—captured by the Entity List. Consequently, hospitals and medical centers of DAE entities are not subject to the Entity List’s licensing requirements. Note that the licensing requirements found elsewhere in the EAR may be applicable to such hospitals and medical centers. Such hospitals and medical centers would also be generally subject to destination-based licensing requirements that apply to India.

No. Although both the Denied Persons List (DPL) and the Entity List are administered by the Department of Commerce, they are separate and distinct lists. The DPL includes parties that have been denied export and reexport privileges. In contrast, the Entity List imposes specific license requirements for the export, reexport, or transfer (in-country) of specified items to the persons named on it.

No. The SDN List is published by the U.S. Department of the Treasury, Office of Foreign Assets Control (OFAC). The SDN List has different foreign policy objectives and legal requirements than the Entity List.

The Entity List includes restrictions on exports, reexports, or transfers (in-country) to certain persons by reference, meaning that the EAR defines the licensing policy and requirements specific to such persons but does not necessarily include them as individual entries on the Entity List. These persons are designated in or pursuant to Executive Orders or other legal mechanisms. Examples of such persons include but are not limited to Specially Designated Global Terrorists (SDGTs), as referenced in §744.12 of the EAR, and Specially Designated Terrorists (SDTs), as referenced in §744.13 of the EAR.

In incorporating the lists maintained by other U.S. Government (USG) agencies by reference, BIS is clarifying the EAR licensing requirements and policies applicable to the entities on the other USG lists. BIS recommends that exporters, reexporters, or transferors in-country consult the other lists maintained by the USG when exporting, reexporting, and/or transferring (in-country) items since, in many cases, they will not be required to also seek separate authorization from BIS. Note, however, that in some cases an EAR authorization may still be required. See §§ 744.8, 744.12, 744.13, 744.14, 744.18, and 744.22 of the EAR for additional details. In other words, EAR license requirements supplement those of the other USG agencies.

The Departments of Commerce, State, and the Treasury maintain separate lists for the programs each agency administers because these programs have different purposes and are regulated under different authorities.

BIS maintains three lists: the Denied Persons List (DPL); the Unverified List; and the Entity List. The Entity List is described in detail in these FAQs and can be found here.

The DPL lists persons that have been denied export privileges; any dealings with persons listed on the DPL that violate the terms of their denial order would be a violation of the EAR. The DPL can be found here.

The Unverified List is a list of parties that have not cooperated with BIS during post-shipment verification checks. The presence of a party on the Unverified List in a transaction is a “red flag” that must be resolved before proceeding with the transaction. The Unverified List can be found here.

The Departments of the Treasury and State maintain other lists that should be consulted before exporting, reexporting, or transferring item(s). These lists include the Specially Designated Nationals and Blocked Persons (SDN) List, the Debarred List, and the lists of persons subject to Nonproliferation Sanctions. You can find links to these lists here.

A consolidated version of all of the U.S. Government proscribed parties lists is available here.

It depends on what your company wants to donate, whether BIS requires a license for the export, reexport, or transfer of that item to the university (as specified in the Entity List entry for the university), and, given that a license is required, whether BIS approves your license application.

Employees of persons on the Entity List are subject to the licensing requirements and policies specific to their employer. Therefore, in the case of universities on the Entity List, employees of the universities are subject to the same licensing policy and requirements that the universities are. This also applies to officers, trustees, and other persons in a similar position with the university.

Can my company hire an individual who used to be employed by a university on the Entity List?

Yes. However, previous employment at any organization on the Entity List carries a “red flag” which requires an additional level of due diligence before proceeding with the hiring process.

Pursuant to §734.8 of the EAR, information resulting from fundamental research is not subject to the EAR. Therefore, given that the collaboration remains limited to fundamental research, it cannot be subject to the Entity List’s licensing requirements and policies. Any research undertaken that involves the export, reexport, or transfer of an item subject to the EAR and that does not conform to the requirements of § 734.8 of the EAR may, depending on the licensing requirements and policies specified in the Entity List entry, require a license from BIS.

A student’s enrollment at a university included on the Entity List is a “red flag” which requires that exporters undertake an additional level of due diligence before proceeding with any such transaction. However, a student is not an integral part of the university (e.g., does not have a fiduciary duty to the university in the same manner as an employee, officer, trustee, or person in a similar position in the university would) in which he/she is enrolled, and therefore BIS does not include them in the licensing requirements and policy specific to the university. With the caveat of the red flag mentioned above, BIS advises exporters to treat exports, reexports, and transfers (in-country) to students as shipments to the country of which the student is a citizen.

The Bureau of Industry & Security’s jurisdiction is limited to the export, reexport, and transfer (in-country) of items subject to the Export Administration Regulations (EAR). The placement of a person on the Entity List imposes supplemental license requirements and license application review policies on the shipment of items subject to the EAR to that person. Although a person’s inclusion on the Entity List does not create a prohibition on purchases from that person, companies contemplating such purchases should note that BIS suggests that there are red flags on the purchase of U.S.-origin items and other items subject to the EAR from Entity List persons. Companies need to exercise additional due diligence to ensure that the items desired for purchase, should they be U.S.-origin or otherwise subject to the EAR, were sent to the company listed on the Entity List with the appropriate authorization. Anyone seeking to purchase items from a company listed on the Entity List should note that the Entity List is made up of entities about whom the United States Government found there to be reasonable cause to believe that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the U.S. government, and those acting on behalf of such entities.

BIS does not have jurisdiction over the import of items into the United States. However, you should consult other lists maintained by the U.S. Government, as sanctions or other restrictions may apply to import transactions with the particular listed entity or from that particular country of import. BIS publishes a consolidated version of all of the U.S. Government lists that may be relevant to your transaction.

BIS does not prohibit the sale or transfer of commodities subject to the EAR to persons on the Entity List if those persons are in the United States. However, the release of software source code or technology in the United States to a person on the Entity List or a person employed by or representing an organization on the Entity List may require a license as a “deemed export.” Should such a person depart the United States, a license will be required for the export of commodities and software (other than software source code) consistent with the entity’s listing on the Entity List. In addition, if at the time of the domestic sale or transfer in the United States, the transferor or seller had “knowledge” that the person on the Entity List or the person employed by or representing the organization on the Entity List intended to export the item(s) out of the United States without obtaining BIS authorization, a violation of the EAR under §736.2(b)(10) (General Prohibition Ten) and §764.2(e) may occur. BIS recommends that exporters exercise a high level of due diligence prior to entering into a transaction with any person on the Entity List, regardless of where that person is located. Note also that the release outside of the United States of software source code or technology subject to the EAR to a person on the Entity List or a person employed by or representing an organization on the Entity List may require a license or other EAR authorization prior to the “deemed reexport” of that software source code or technology.

No. All persons named in Entity List entries are subject to the main entry's licensing requirements and policy.

Branches and operating divisions of a listed entity are, by definition, part of the listed entity. They are not legally distinct entities. Therefore, with one exception pertaining to hospitals and medical centers of the Department of Atomic Energy entities in India (see FAQ #39), the licensing and other obligations imposed on a listed entity also apply to its branches and operating divisions.

Do the license requirements and policies in the Entity List also apply to the parent company if a subsidiary is a listed entity?

The Entity List license requirements do not extend to parent companies unless the applicable listing for the company so states. Exporters, reexporters, and transferors are reminded that the EAR imposes licensing requirements, such as end-user and end-use based restrictions in Part 744 of the EAR, that could apply to such companies even if they are legally separate from the listed entity.

A BIS license is required prior to such a transaction. As stated in § 744.11(a), a license is required for the export, reexport, or transfer (in-country) of items subject to the EAR when an entity on the Entity List is a party to the transaction as described in § 748.5(c)-(f). Parties to the transaction may include purchasers, intermediate consignees (such as forwarding agents), ultimate consignees, and end-users. Any application for such a license will be reviewed in accordance with the License Review Policy associated with the listed entity on the Entity List. This policy is, most commonly, a presumption of denial. BIS also recommends consulting the other export screening lists maintained by the U.S. Government to ensure that any listed entity performing an activity (e.g., services) not subject to the EAR does not violate sanctions or restrictions administered by other U.S. Government agencies.

Do the license requirements and policies of the Entity List apply to separately incorporated subsidiaries, partially owned subsidiaries, or sister companies of a listed entity?

Subsidiaries, parent companies, and sister companies are legally distinct from listed entities. Therefore, the licensing and other obligations imposed on a listed entity by virtue of its being listed do not per se apply to its subsidiaries, parent companies, sister companies, or other legally distinct affiliates that are not listed on the Entity List. If, however, such a company, or even an unaffiliated company, acts as an agent, a front, or a shell company for the listed entity in order to facilitate transactions that would not otherwise be permissible with the listed entity, then the company is likely violating, inter alia, General Prohibition 10, EAR section 764.2(b) (causing, aiding, or abetting a violation) and possibly other subsections of 764.2 as well.

Those who export, reexport, or transfer items subject to the EAR with knowledge that the items are destined to a subsidiary, sister, parent, or other affiliate of a listed entity are encouraged to take extra due diligence steps to ensure that (i) the items are not ultimately destined for the listed entity and (ii) the affiliate is a separate legal entity (as opposed to a branch or operating division of the listed entity). If one is uncertain whether a planned transaction involving an actor with some relationship to a listed entity would be affected by the obligations pertaining to the listed entity, one may seek an advisory opinion from BIS pursuant to section 748.3.

You should call the Office of Exporter Services at 202-482-4811, or e-mail them a question via the website. Pursuant to the guidance in §748.3 of the EAR, you may also submit an advisory opinion request to the End-User Review Committee Chair at [email protected], or call the Committee Chair directly at 202-482-5991.

Can a listed entity act as purchaser or freight forwarder to transport my shipment of items subject to the EAR to the ultimate consignee or end-user?

A BIS license is required prior to such a transaction. As stated in § 744.11(a), a license is required for the export, reexport, or transfer (in-country) of items subject to the EAR when an entity on the Entity List is a party to the transaction as described in § 748.5(c)-(f). Parties to the transaction may include purchasers, intermediate consignees (such as forwarding agents), ultimate consignees, and end-users. Any application for such a license will be reviewed in accordance with the License Review Policy associated with the listed entity on the Entity List. This policy is, most commonly, a presumption of denial. BIS also recommends consulting the other export screening lists maintained by the U.S. Government to ensure that any listed entity performing an activity (e.g., services) not subject to the EAR does not violate sanctions or restrictions administered by other U.S. Government agencies.

Yes. As set forth in Supplement No. 5 to Part 744 of the EAR, proposed changes to the Entity List are reviewed and approved by the interagency End-User Review Committee (ERC). Comprised of representatives from the Departments of State, Defense, and Energy, the ERC is chaired by a Commerce employee. In addition to the review of appeals, the ERC reviews the Entity List on an annual basis. Any ERC member agency may also recommend changes to the Entity List on an ad-hoc basis.

Yes. See a consolidated version of all U.S. Government proscribed parties lists on the Consolidated Screening List.

Yes; this process was articulated in BIS’s August 2008 revision of the EAR titled “Authorization to Impose License Requirements for Exports or Reexports to Entities Acting Contrary to the National Security or Foreign Policy Interests of the United States.” As a result of the August 2008 rule, §744.16 of the EAR defines the procedures that allow a person listed on the Entity List to submit a written request to the End-User Review Committee (ERC) that its entry be removed or modified. The request must be made in English and the party must provide a basis for the removal or modification. After the ERC has reviewed the request and reached a decision, BIS’s Deputy Assistant Secretary for Export Administration will provide the decision in a written response to the requesting party. The decision communicated to the party by the Deputy Assistant Secretary is final. BIS will publish any modifications to, or removals from, the Entity List resulting from such appeals in the Federal Register. The timeframe for appeals is 30 calendar days after the ERC’s receipt of the appeal (note that BIS conducts an internal review of all appeals prior to referral to the ERC that may add to this timeframe).

Please note that if a party on the Entity List submits an appeal, it remains subject to the Entity List's licensing requirements while the appeal is being processed. In order for a party to be released from the additional licensing requirements imposed by being on the Entity List, two actions must occur: 1) the appeal must be approved by the ERC, and 2) a formal notice of the party’s removal from the Entity List must be published in the Federal Register.

No, not all sections of Part 744 of the EAR (which defines the criteria for possible inclusion on the Entity List) require that a person’s alleged activity involve items subject to the EAR. Section 744.11, for example, requires that the person’s activities be contrary to U.S. national security and/or foreign policy interests but does not require that the activities involve items subject to the EAR.

Persons on the Entity List are subject to the licensing policy and requirements defined in their specific entries on the Entity List regardless of their location. BIS works to revise and correct the entries on the Entity List on a regular basis, in order to ensure that each entry reflects the most accurate and recent information for the person named in that entry. However, if your due diligence indicates that the person to whom you wish to export, reexport, or transfer (in-country) is designated on the Entity List, then, regardless of the address listed in the Entity List entry, you should follow the licensing requirements set forth in the Entity List for that person.

As this is a "red flag", BIS recommends that detailed due diligence be undertaken. You should conduct due diligence by examining other factors to determine if the company you want to export to is the same as the listed entity. Such factors may include, but are not limited to, the company’s name, address, corporate officers, business activities, contact information, etc. You may be able to locate this information via the company’s website or through internet search results.

This is a "red flag" and the exporter must undertake sufficient due diligence to verify that the company co-located with the listed entity is not, in fact, the listed entity and does not intend to transfer (in-country) the requested items to the listed entity.

Yes. However, BIS considers that transactions of any nature with listed entities carry a "red flag" and recommends that U.S. companies proceed with caution with respect to such transactions. Note that the Entity List describes license requirements and policies for the export, reexport, and/or transfer (in-country) of items subject to the EAR only. Additionally, although many of the persons included on the Entity List are subject to policies of denial for the export, reexport, and/or transfer (in-country) of all items subject to the EAR, some are subject to policies and requirements that are narrower in scope (i.e., not all persons included on the Entity List are subject to license requirements for all items subject to the EAR, while others are subject to license requirements for all or some items listed on the Commerce Control List (CCL)). Be sure to review the licensing policy and requirements carefully.

BIS first published the Entity List in February 1997 as part of its efforts to inform the public of entities that have engaged in activities that could result in an increased risk of the diversion of exported, reexported or transferred (in-country) items to weapons of mass destruction (WMD) programs. Since its initial publication, grounds for inclusion on the Entity List have expanded to activities sanctioned by the State Department and activities contrary to U.S. national security and/or foreign policy interests.

Section 744.1(c) of the EAR generally prohibits the use of license exceptions for almost all exports and reexports to listed entities. However, if one or more license exceptions are available to a listed entity, the availability will be noted in the licensing requirements information specific to that entity.

BIS reviews license applications that include listed entities according to the entity’s role in the proposed transaction and the specific license review policy(ies) set forth for the entity(ies) on the Entity List. Note that while transactions outside of the scope of the license review policy for a listed entity are not prohibited, BIS considers that such transactions carry a "red flag."

No. ECCN 5A002 was restructured in 2017 for readability. Because of the change in structure to 5A002.a, BIS is now issuing classifications under 5A002.a instead of 5A002.a.1. Previous classifications issued under 5A002.a.1 remain valid under the new structure. Those classifications can be understood to be under 5A002.a now.

Similar to the dormant encryption decontrol note, Note 4 was moved to 5A002.a and stated in a positive manner. Instead of saying what is not controlled in Category 5 Part 2, 5A002.a now specifies that, to be controlled, the item must have “information security” as a primary function, it must be a digital communications or networking system, or it must be a computer or have information storage or processing as a primary function. This change does not impact the scope of Note 4.

Yes, Note (j) part 2.a and b can apply to single board computers (SBC) where the cryptography is integral to (within) a mass market (Note 3 to Category 5 Part 2) processor on the SBC (e.g., processor with hardware accelerated encryption primitives); or integral to (within) an operating system that is not in 5D002 (e.g., mass market OS).

Part 2.c of the Decontrol note (j) makes reference to OAM. See #8 above for OAM.

Before the Wassenaar 2016 rule, Note (g) to 5A002.a released products where the encryption functionality could not be used or could only be made useable by “cryptographic activation.” This decontrol note has been moved to 5A002.a and stated in a more positive manner. It now says that 5A002.a controls products “where that cryptographic capability is usable without “cryptographic activation” or has been activated.” This change does not impact the scope of what was released under Note (g).

Universities are “less-sensitive government end users” while government research institutes are “more sensitive government end users.” If a university has a government research institute, BIS considers exports to the university itself to be an export to a “less-sensitive government end user.” Exports directly to a government research institute within the university, for use by a government research institute within the university, would be considered an export to a “more sensitive government end user.” If you are unsure about how a particular transaction should be treated, please seek guidance from BIS.

The grandfathering provision is no longer required. The September 20, 2016 rule eliminated requirements for the encryption registration and self-classification report when the exporter has obtained a CCATS from BIS for the item. As a result, CCATS issued prior to June 25, 2010 are still valid without submission of an encryption registration or self-classification report unless the encryption functionality of the item changes.

Prior to the September 20, 2016 updates, licenses were required to “government end users” outside the countries listed in Supplement No. 3 to part 740. Now, “less sensitive government end users” worldwide (except to AT-controlled countries) are eligible for ENC. Licenses previously submitted for these end users who are now eligible for ENC may use ENC without any further submissions to BIS. These exports were subject to a semi-annual sales reporting license condition. The semi-annual sales report still remains for these exports per 740.17(e) of ENC.

No. The definition of “OAM” includes “monitoring or managing the operation condition or performance of an item.” BIS does not consider network security monitoring or network forensics functions to be part of monitoring or managing operation condition or performance.

The phrase “monitoring or managing the operating condition or performance of an item” is meant to include all the activities associated with keeping a computer or network-capable device in proper operating condition, including: configuring the item; checking or updating its software; monitoring device error or fault indicators; testing, diagnosing or troubleshooting the item; measuring bandwidth, speed, available storage (e.g. free disk space) and processor/memory/power utilization; logging uptime/downtime; and capturing or measuring quality of service (QoS) indicators and Service Level Agreement-related data.

However, the “OAM” definition does not apply to cryptographic functions performed on the forwarding or data plane, such as: decrypting network traffic to reveal or analyze content (e.g., activity signatures, indicators or event data extracted from monitored network traffic) over the forwarding plane; or securing the re-transmission of captured network activity.

Thus, products that use encryption for such network security monitoring or forensics operations, or to provision these cryptographic services, would not be released by the OAM decontrol notes (l) or (m), or the Note to 5D002.c.

Similarly, the “OAM” decontrol does not apply to security operations directed against data traversing the network, such as capturing, profiling, tracking or mapping potentially malicious network activity, or “hacking back” against such activity.

Mass market encryption authorizations issued under 742.15(b)(1) or (b)(3) prior to the September 20, 2016 rule change continue to be authorized under the mass market provisions found in 740.17(b)(1) and (b)(3), respectively. A new classification is NOT required merely because the provision moved from 742.15 to 740.17.

Classifications issued for ECCNs 5A992/5D992.a and b, and 5E002.a prior to the elimination of these ECCNs may now be classified elsewhere (e.g., 5A991) if applicable or designated EAR99. A new CCATS is not required.

If you are requesting a classification of an item described in paragraph 740.17(b)(2) or (b)(3), then a classification request is required. If you are requesting a classification of an item described in paragraph 740.17(b)(1) (in other words, the item is not described in either Section 740.17(b)(2) or (b)(3)), a Supplement No. 6 questionnaire is not required as a supporting document. Provide sufficient information about the item (e.g., technical data sheet and/or other explanation in a separate letter of explanation) for BIS to determine that the item is described in paragraph 740.17(b)(1). If you are not sure that your product is authorized as 740.17(b)(1) and you want BIS to confirm that it is authorized under 740.17(b)(1), providing answers to the questions set forth in Supplement No. 6 to part 742 with your request should provide BIS with sufficient information to make this determination.

Only items listed in 740.17(b)(2) and (b)(3) require a classification. For those items, a new classification is required when the cryptographic functionality changes or when other technical characteristics affecting License Exception ENC eligibility (e.g., encrypted throughput) change. New classifications are not required for other changes, including patches, upgrades, releases, or name changes. Items described in 740.17(b)(1) do not require a classification to be eligible for ENC.

No. The classification of your item does not depend on the classification of the encryption you are incorporating. Your product should be classified separately as a standalone item.

If you are not the producer and are unable to obtain the producer’s information or if the producer has not submitted a self-classification report or commodity classification for his/her products to BIS, then you are responsible for properly classifying the item and obtaining the proper authorization. This may require you to submit a self-classification report or classification request.

Exporters or reexporters that are not producers of the encryption items can rely on the self-classification or CCATS that is published by the producer when exporting or reexporting the classified encryption item. A separate commodity classification request or self-classification report to BIS is NOT required.

Any party who exports certain U.S.-origin encryption products may be required to submit a classification request and/or self-classification report; however, if a manufacturer has self-classified relevant items and/or had items classified by BIS, and has made the classifications available to other parties such as resellers and other exporters/reexporters, such other parties are not required to submit a classification request or to submit an annual self-classification report.

The recipient can rely on the supplier’s license. The recipient must receive written confirmation of the license and any conditions relevant to the transaction prior to using it. The recipient should notify any subsequent recipients of the license conditions and direct them to further notify the next recipient.

A BIS license is required prior to such a transaction. As stated in § 744.11(a), a license is required for the export, reexport, or transfer (in-country) of items subject to the EAR when an entity on the Entity List is a party to the transaction as described in § 748.5(c)-(f). Parties to the transaction may include purchasers, intermediate consignees (such as forwarding agents), ultimate consignees, and end-users. Any application for such a license will be reviewed in accordance with the License Review Policy associated with the listed entity on the Entity List. This policy is, most commonly, a presumption of denial. BIS also recommends consulting the other export screening lists maintained by the U.S. Government to ensure that any listed entity performing an activity (e.g., services) not subject to the EAR does not violate sanctions or restrictions administered by other U.S. Government agencies.

Because the distributor has a license to provide the final product to the footnote 1 designated entity, the license requirement of the Entity List FDP rule is fulfilled and does not apply to the supplier. The distributor should communicate the existence of a license to the 7 suppliers of the product and the suppliers should ensure they receive written confirmation of the license and any conditions.

No, the FDP rules apply to foreign-produced items. However, other provisions in the EAR may impose license requirements for the export of items from the United States.

Yes, in two ways. Because they were designed using U.S.-origin technology, the integrated circuits would be captured by § 734.9(e)(1) of the Entity List FDP rule. In addition, because they were produced using a major component of a plant that is U.S.-origin, they would be captured by § 734.9(e)(2). For purposes of this question, BIS assumes the technology and major component are specified by one of the ECCNs listed in the Entity List FDP rule.

a. If Company A knows that its items are destined for incorporation into Company B’s products that will be sold to a footnote 1 designated entity, a license is required for the export from abroad, reexport, or transfer (in-country) of those items to Company B.

b. If a percentage of Company A’s items are destined for incorporation into Company B’s products that will be sold to a footnote 1 designated entity, a license is required for the export from abroad, reexport, or transfer (in-country) of the percentage of those items to Company B.

c. If Company A knows that some percentage of the items it sells to Company B are destined for a footnote 1 entity but does not know which items, or what percentage of the items will be incorporated into those products, Company A should ask for that information from Company B. If no information is provided by Company B, a license would be required for all of Company A’s items that will be exported from abroad, reexported, or transferred (in-country) to Company B.

While incorporation of a part that is subject to the EAR pursuant to the Entity List FDP rule does not necessarily make the larger foreign product subject to the EAR, the larger item must be evaluated to determine whether it is subject to the other foreign direct product provisions in § 734.9, or the de minimis rules in § 734.4 of the EAR.

The term “production,” as defined in § 772.1 of the EAR, includes equipment needed for any production stage, including testing. Parties producing items should assess the function of equipment in the production process to determine whether it is essential. BIS is not in a position to provide a list of equipment.

No. While wafers and semiconductors produced by the equipment described in § 734.9(e)(1)(ii) of the EAR are clearly covered by the FDP rule, § 734.9(e)(1)(ii) refers to any foreign-produced “item” produced with such equipment.

The FDP rule does not require a license for such transactions though parties need to review other provisions of the EAR to determine if a license is required for such transactions, such as a replacement part for equipment at a footnote 1 designated entity (see Supplement No. 4 to part 744 of the EAR).

Yes, it is possible that the wafer would be subject to a license requirement because it is a FDP that meets the criteria of § 734.9(e) and a footnote 1 designated entity, while not the end user or ultimate consignee, is another party to the transaction, e.g., as a “purchaser,” “intermediate consignee,” or order party.

If the wafer meets the criteria of § 734.9(e)(1) and the wafer maker has “knowledge” that a footnote 1 designated entity is a party to the transaction involving the finished integrated circuit or higher-level assembly incorporating such wafer, then a license is required to export from abroad the wafer to the integrated circuit manufacturer. Either the wafer maker or the integrated circuit manufacturer may apply for the license; see Q17 through Q21 below.

Yes, it applies to both finished and unfinished wafers.

Such a foreign-produced item could be within the scope of § 734.9(e)(ii), which applies to items “produced by” equipment described in that paragraph. Thus, if the equipment (which includes testing equipment) covered by § 734.9(e)(ii) is used to produce the foreign-produced item, such an item is covered.

No. The rule applies to any item that meets the criteria of § 734.9(e)(1) of the EAR.

Yes, the August 2020 rule changed the licensing review policy. License applications for foreign-produced items subject to the EAR under § 734.9(e) that are capable of supporting the “development” or “production” of telecom systems, equipment and devices at only below the 5G level (e.g., 4G, 3G, etc.) will be reviewed on a case-by-case basis (see § 744.11(a)(2) of the EAR). All other license applications will be reviewed using the license review policy in the license requirement column of the Entity List for each footnote 1-designated entity, which is presumption of denial.

Yes. The scope of the rule applies to non-U.S. companies only. The rule imposes license requirements on any foreign-produced items that are subject to the FDP rule.

The license requirement referenced in footnote 1 to Supplement No. 4 to part 744 of the EAR was added in the August 2020 FDP rule. The subsequent February 2022 rule moved the license requirement to § 744.11(a)(2) and consolidated the provisions for Foreign Direct Product in § 734.9 (Foreign-Direct Product (FDP) Rules). The Foreign-Produced Direct Product Rule as it relates to the Entity List is now described in § 734.9(e) of the EAR and based on: (1) whether the foreign-produced item (see § 734.9(e)(1) of the EAR): (i) is the direct product of “technology” or “software” subject to the EAR and classified under one of the specified Export Control Classification Numbers (ECCN); or (ii) is produced by any plant or major component of a plant that is located outside the United States, when the plant or major component of a plant itself is a direct product of U.S.-origin “technology” or “software” and classified under one of the specified ECCNs; and (2) there is knowledge that (see § 734.9(e)(2) of the EAR): (i) the foreign-produced item will be incorporated into, or will be used in the “production” or “development” of any “part,” “component,” or “equipment” produced, purchased, or ordered by a footnote 1 designated entity; or (ii) a footnote 1 designated entity is a party to any transaction involving the foreign-produced item, e.g., as a “purchaser,” “intermediate consignee,” “ultimate consignee,” or “end-user.”

The removal of an entity from the Entity List removes only the additional license requirements imposed by its listing on the Entity List and does not modify the other license requirements that may be applicable under the EAR (i.e., as a result of an item’s classification on the CCL or the proposed country of destination for the export, reexport, or transfer (in-country)). Additionally, if you know or have been informed that the item proposed for export, reexport, or transfer (in-country) will be used in nuclear, missile, and/or chemical and biological weapons programs, you must seek a license pursuant to the requirements found in Part 744 of the EAR. You should also consult the other export screening lists maintained by BIS and other U.S. Government agencies to determine whether other license requirements or sanctions apply. In summary, you should conduct the same due diligence as you would for any other export, reexport, or transfer (in-country) of items subject to the EAR.

The Entity List is subject to ongoing review and revision. All changes to the Entity List are published in the Federal Register. You can subscribe to a BIS e-mail notification service that will alert you when EAR rules are published in the Federal Register, including rules implementing changes to the Entity List.

Section 744.1(c) of the EAR generally prohibits the use of license exceptions for almost all exports and reexports to listed entities. However, if one or more license exceptions are available to a listed entity, the availability will be noted in the licensing requirements information specific to that entity.

BIS reviews license applications that include listed entities according to the entity’s role in the proposed transaction and the specific license review policy(ies) set forth for the entity(ies) on the Entity List. Note that while transactions outside of the scope of the license review policy for a listed entity are not prohibited, BIS considers that such transactions carry a "red flag."

Each entity on the Entity List is assigned a specific licensing requirement on the basis of the national security and/or foreign policy considerations associated with the entity’s designation on the Entity List. Within the Entity List, the information for each listed entity includes the license requirement, license review policy, and Federal Register citation(s). License requirements vary from “all items subject to the EAR,” which includes items on the CCL as well as EAR99 items, to all items on the CCL, or to all items on the CCL except for specified items.

As set forth in the answer to question 28, both BIS and other agencies in the U.S. Government maintain other lists of entities for which there are restrictions on doing business. In addition, the provisions of part 744 of the EAR, including § 744.6 of the EAR, apply to transactions regardless of whether the entity in question is listed on the Entity List or not.

The Bureau of Industry and Security (BIS) publishes the names of certain foreign persons – including businesses, research institutions, government and private organizations, individuals, and other types of legal persons – that are subject to specific license requirements for the export, reexport and/or transfer (in-country) of specified items. These persons comprise the Entity List, which is found at Supplement No. 4 to Part 744 of the Export Administration Regulations (EAR). The persons on the Entity List are subject to individual licensing requirements and policies supplemental to those found elsewhere in the EAR.

No. ECCN 5A002 was restructured in 2017 for readability. Because of the change in structure to 5A002.a, BIS is now issuing classifications under 5A002.a instead of 5A002.a.1. Previous classifications issued under 5A002.a.1 remain valid under the new structure. Those classifications can be understood to be under 5A002.a now.

Similar to the dormant encryption decontrol note, Note 4 was moved to 5A002.a and stated in a positive manner. Instead of saying what is not controlled in Category 5 Part 2, 5A002.a now specifies that, to be controlled, the item must have “information security” as a primary function, it must be a digital communications or networking system, or it must be a computer or have information storage or processing as a primary function. This change does not impact the scope of Note 4.

Yes, Note (j) part 2.a and b can apply to single board computers (SBC) where the cryptography is integral to (within) a mass market (Note 3 to Category 5 Part 2) processor on the SBC (e.g., processor with hardware accelerated encryption primitives); or integral to (within) an operating system that is not in 5D002 (e.g., mass market OS). Part 2.c of the Decontrol note (j) makes reference to OAM.

Before the Wassenaar 2016 rule, Note (g) to 5A002.a released products where the encryption functionality could not be used or could only be made useable by “cryptographic activation.” This decontrol note has been moved to 5A002.a and stated in a more positive manner. It now says that 5A002.a controls products “where that cryptographic capability is usable without “cryptographic activation” or has been activated.” This change does not impact the scope of what was released under Note (g).

Universities are “less-sensitive government end users” while government research institutes are “more sensitive government end users.” If a university has a government research institute, BIS considers exports to the university itself to be an export to a “less-sensitive government end user.” Exports directly to a government research institute within the university, for use by a government research institute within the university, would be considered an export to a “more sensitive government end user.” If you are unsure about how a particular transaction should be treated, please seek guidance from BIS.

The grandfathering provision is no longer required. The September 20, 2016 rule eliminated requirements for the encryption registration and self-classification report when the exporter has obtained a CCATS from BIS for the item. As a result, CCATS issued prior to June 25, 2010 are still valid without submission of an encryption registration or self-classification report unless the encryption functionality of the item changes.

Prior to the September 20, 2016 updates, licenses were required to “government end users” outside the countries listed in Supplement No. 3 to part 740. Now, “less sensitive government end users” worldwide (except to AT-controlled countries) are eligible for ENC. Licenses previously submitted for these end users who are now eligible for ENC may use ENC without any further submissions to BIS. These exports were subject to a semi-annual sales reporting license condition. The semi-annual sales report still remains for these exports per 740.17(e) of ENC.

No. The definition of “OAM” includes “monitoring or managing the operation condition or performance of an item.” BIS does not consider network security monitoring or network forensics functions to be part of monitoring or managing operation condition or performance.

The phrase “monitoring or managing the operating condition or performance of an item” is meant to include all the activities associated with keeping a computer or network-capable device in proper operating condition, including: configuring the item; checking or updating its software; monitoring device error or fault indicators; testing, diagnosing or troubleshooting the item; measuring bandwidth, speed, available storage (e.g. free disk space) and processor/memory/power utilization; logging uptime/downtime; and capturing or measuring quality of service (QoS) indicators and Service Level Agreement-related data.

However, the “OAM” definition does not apply to cryptographic functions performed on the forwarding or data plane, such as: decrypting network traffic to reveal or analyze content (e.g., activity signatures, indicators or event data extracted from monitored network traffic) over the forwarding plane; or securing the re-transmission of captured network activity.

Thus, products that use encryption for such network security monitoring or forensics operations, or to provision these cryptographic services, would not be released by the OAM decontrol notes (l) or (m), or the Note to 5D002.c.

Similarly, the “OAM” decontrol does not apply to security operations directed against data traversing the network, such as capturing, profiling, tracking or mapping potentially malicious network activity, or “hacking back” against such activity.

Mass market encryption authorizations issued under 742.15(b)(1) or (b)(3) prior to the September 20, 2016 rule change continue to be authorized under the mass market provisions found in 740.17(b)(1) and (b)(3), respectively. A new classification is NOT required merely because the provision moved from 742.15 to 740.17.

Classifications issued for ECCNs 5A992/5D992.a and b, and 5E002.a prior to the elimination of these ECCNs may now be classified elsewhere (e.g., 5A991) if applicable or designated EAR99. A new CCATS is not required.

When it comes to export transactions, there are certain red flags that you will need to be aware of. The Bureau of Industry and Security (BIS) has provided a checklist to discover possible violations of the Export Administration Regulations (EAR).

Certain provisions in the Export Administration Regulations (EAR) require an exporter to submit an individual validated license application if the exporter "knows" that an export that is otherwise exempt from the validated licensing requirements is for end-uses involving nuclear, chemical, and biological weapons (CBW), or related missile delivery systems, in named destinations listed in the EAR.

The first step to determining licensing requirements is understanding the license needed and which agency has jurisdiction.

Legal Disclaimer: This is an in-progress website that incorporates new tools to access and use BIS regulations. Results from this website may be inaccurate or incomplete and should not be relied upon for compliance with the EAR. Please continue to utilize the existing BIS site or the eCFR for accessing the regulations.