United States: Export Control Reminder: Encryption Reporting Deadline Is February 1, 2022

The deadline for submitting reports regarding certain exports of encryption items under the US Export Administration Regulations (EAR) is February 1, 2022. Two types of reports are subject to the deadline:

• Annual self-classification reports for certain encryption items exported or re-exported under paragraph (b)(1) of License Exception ENC during calendar year 2021 (January 1 through December 31, 2021).
• Semiannual reports for specified encryption items exported or re-exported under paragraphs (b)(2) and (b)(3)(iii) of License Exception ENC between July 1 and December 31, 2021.

In addition, the Bureau of Industry and Security (BIS) of the US Commerce Department amended the encryption controls and License Exception ENC, effective March 29, 2021, resulting in the following changes to the above reporting requirements:

• Mass market chips, chipsets, electronic assemblies and field-programmable logic devices  classified under export control classification numbers (ECCNs) 5A992.c or 5D992.c (except for such items implementing “non-standard cryptography”) now fall under paragraph (b)(1) of License Exception ENC and are subject to the annual self-classification reporting requirement, unless a formal commodity classification (i.e., CCATS) has been obtained from BIS. Such items previously fell under paragraph (b)(3) of License Exception ENC and required a CCATS.
• Mass market cryptographic libraries, modules, development kits and toolkits classified under ECCNs 5A992.c or 5D992.c (except for such items implementing “non-standard cryptography”) now fall under paragraph (b)(1) of License Exception ENC, but are no longer subject to the annual self-classification reporting or mandatory classification requirements. Such items previously fell under paragraph (b)(3) of License Exception ENC and required submission of a CCATS request.
• Other mass market items classified under ECCNs 5A992.c or 5D992.c remain under paragraph (b)(1) of License Exception ENC, but are no longer subject to the annual self-classification reporting requirement.
• “Publicly available” encryption source code and beta test encryption softwareclassified under ECCN 5D002 (except for such items implementing “non-standard cryptography”) are no longer subject to an email notification requirement.

A few notes regarding the reporting requirements:

• We can provide templates and instructions that you can use to prepare and submit the reports.
• Most mass market encryption products classified under ECCNs 5A992 and 5D992 are no longer subject to an annual reporting requirement.
• Companies that have obtained a CCATS for certain encryption products aren't required to submit annual self-classification reports. Please contact us to learn more about how to obtain a CCATS from BIS and eliminate your annual self-classification reporting burden going forward.

The new year is also a good time to conduct an export compliance checkup, including an assessment of any new product offerings or changes to the encryption functionality of existing products.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.