On December 2, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) released¹ its third round of export controls primarily targeting China’s attempts to create an “independent and controllable” semiconductor industry to support its military modernization. The new package of export regulations consists of two rules, which institute a host of new export controls² and over 140 new Entity List designations³, respectively. The Biden Administration had previously issued respective export controls targeting advanced computing and semiconductor manufacturing equipment effective on October 7, 2022⁴, and October 25, 2023⁵.

According to the accompanying press release, these actions under the Export Administration Regulations (EAR) “are designed to limit [China’s] ability to indigenize the production of advanced technologies—such as advanced-node integrated circuits and the equipment used to produce them—that pose a substantial risk to US national security.” While China is clearly the focus of this new rule, many of the new rules apply to all “D:5” countries (i.e., U.S. Arms Embargoed destinations, including China)⁶ and Macau. Certain new controls also contain carve-outs for companies headquartered in US allied countries. One notable change that treats commercial software license keys as new exports of the underlying software is broadly applicable to exported software and hardware that is distributed pursuant to license key mechanisms. Some of the salient parts of the new rule are outlined below.

Expanded Export Control Jurisdiction

US export control jurisdiction extends to all US origin items, all items exported from the United States, foreign-made products that include more than a de minimis amount of US content (De Minimis Rule), and certain foreign-made items that are the “direct product” of certain US technology or production equipment (Foreign Direct Product (FDP) Rules). The new rule expands the FDP Rules and the De Minimis Rule to cover additional foreign-made items.

There are two new FDP Rules:

• First, certain Entity List companies will be subject to the new “Footnote 5” FDP Rule. A company with a “Footnote 5” designation is subject to additional restrictions beyond those that are generally applied to most other Entity List designees. Under the new Footnote 5 FDP Rule, US export control jurisdiction will apply to certain “direct products” if the exporter has constructive knowledge that the foreign-produced commodity (i) will be incorporated in anything produced, purchased or ordered by a Footnote 5 designee or (ii) is part of a transaction to which a Footnote 5 designee is party.
• Second, the new rules introduce a new FDP Rule specific to semiconductor manufacturing equipment (SME), extending US regulatory jurisdiction to certain foreign-produced SME that is the direct product of certain software, technology or production equipment that is itself subject to US export control jurisdiction, e.g., under another FDP Rule’s extension of jurisdiction, rather than applying only to SME that embodies US-origin technology or software. The SME FDP Rule applies to SME destined for a US Arms Embargoed destination or Macau.

The general De Minimis Rule, which also extends US jurisdiction to certain foreign-made items, states that foreign-produced items that contain at least 25% US content (or 10% for sanctioned jurisdictions) are subject to US export control regulations. New provisions were added to the De Minimis Rule to further expand US jurisdiction, including:

• There is generally no de minimis level for certain SME when the equipment is destined for use in the “development” or “production” of certain advanced semiconductors. This means that any non-zero proportion of US content will render the equipment subject to US export control jurisdiction.
• There is generally no de minimis level for certain foreign-produced SME when the commodity contains a US-origin integrated circuit and the commodity is destined for a U.S. Arms Embargoed destination (or Macau) (with certain exclusions) or a Footnote 5 designee. The stated purpose of this change is to ensure that foreign-produced SME containing US-origin components is controlled to the same extent as foreign-produced SME covered by the FDPs noted above.

New “Red Flags”

The new rules introduce eight new compliance “Red Flags” intended to guide exporters’ due diligence analysis. Various aspects of US export controls are dependent on a person’s knowledge (whether actual or constructive) of the end use, end user, ultimate destination or other facts relating to a transaction. The Red Flags provide guidance on how individuals and firms should act under this knowledge standard.

There are eight new Red Flags, notably including:

• Red Flag 21: An exporter receives an order for which the ultimate owner or user of the item is uncertain. The order could seek equipment for the “development” or “production” of an integrated circuit to a distributor, e.g., when the item is ordinarily customized for the end user or installed by the supplier. Because it would be unlikely that the distributor would be the end user of the equipment, the ultimate owner or beneficiary is unknown. This raises concerns about possible diversion of a product to an unauthorized party, destination or end user.
• Red Flag 24: An exporter receives a request for an item or service from a customer whose senior management or technical leadership overlaps with an entity on the Entity List. This similarly raises concerns about possible diversion to an unauthorized party or end user.
• Red Flag 26: For the purposes of the Footnote 5 and SME FDP Rules, certain foreign-produced items that contain at least one integrated circuit are presumed to meet the scope of the applicable FDP Rule. The exporter is now expected to resolve this Red Flag, such as by investigating whether US software, technology or production equipment was used in its design or manufacture, before proceeding.

The new “Red Flags” largely appear to be specific to the compliance obligations for items and activities covered by this new rule. However, since they are included in a generally applicable portion of the EAR, they may be considered to enhance the degree of end use diligence expected of exporters in general.

“Software Keys”

Previously, the EAR stated that “access information,” which allows access to encrypted technology or software in an unencrypted form, was subject to the same restrictions as the technology or software it decrypted. The new rules expand these restrictions to broadly cover “software keys” that enable authorized users to use software or hardware. Accordingly, any software or hardware that is accessible or usable pursuant to a software license key mechanism will now be considered to be exported anew each time the software license key is furnished to an end user. Thus, if a legacy product was not export controlled when first provided to the user, a new software license key could implicate an export licensing requirement if the product, end user or end use has been subjected to new export controls since the product was originally provided.

This means that all software or hardware products that rely on software keys—such as license keys for annual contract renewals—must now be fully assessed as if they involved new exports of the underlying software or hardware, and exporters may need to deactivate a user’s access if the software was exported under a now-expired license or if the controls governing the product or the customer changed after the product was initially exported. Companies that require software keys to access their software or hardware will thus need to incorporate dynamic compliance measures to ensure that they are not inadvertently sending software keys to unauthorized users.

New End User Restrictions on Design Software

The EAR restricts the export of certain items when the end use relates to the “development” or “production” of advanced semiconductors in U.S. Arms Embargoed countries or Macau. The new rules expand these restrictions to prevent the provision of electronic computer-aided design (ECAD) and technology computer-aided design (TCAD) software when there is knowledge (actual or constructive) that it will be used in the design of advanced semiconductors.

New Controls on High Bandwidth Memory (HBM)

HBM is found in most advanced semiconductors, particularly those used with advanced AI models. BIS has added a new Export Control Classification Number (ECCN)—ECCN 3A090.c—to cover HBM stacks with a specific memory bandwidth density. BIS’s stated policy reasons for imposing these new controls are that “[s]uch applications can enable advanced military and intelligence applications, lower the barriers to entry for non-experts to develop WMD, support powerful offensive cyber operations, and assist in using mass surveillance to commit human rights abuses.” This new ECCN covers HBM stacks as a stand-alone commodity; semiconductors that incorporate HBM stacks are generally classified under existing ECCNs. 

ECCN 3A090.c is also not eligible for the Notified Advanced Computing (NAC) or Advanced Computing (ACA) license exceptions. However, the new rules introduce license exception HBM, which authorizes the transfer of HBM if (1) the transfer is to a packing site owned by a US or allied headquartered company and (2) the US or allied headquartered company carefully tracks the HBM being sent and returned by the packing site.

Expanded Entity List and Removals From the Validated End User Program

BIS added 140 new entities to the Entity List, including entities from China, Japan, South Korea and Singapore. These include semiconductor fabrication plant and tool companies found to have aided in the development or production of semiconductors or SME for military end use, attempted to circumvent US export controls, or supported Huawei’s efforts to support the Chinese government’s goal to indigenize its semiconductor industry. BIS also designated three investment companies that were found to have supported the Chinese government’s attempt to acquire sensitive semiconductor manufacturing capability. A license will be required for the export of any item subject to US export control jurisdiction to these new designees.

BIS also modified its Validated End User (VEU) program. VEUs are designated entities to which eligible items subject to the EAR may be exported under general EAR authorization instead of pursuant to a specific license. Three Chinese companies were removed from the VEU program.

* * *

The adoption of the new Red Flags and the expanded restrictions on software keys are effective immediately. The majority of the remaining changes, including the new FDP Rules, HBM controls and Entity List license requirements, will go into effect December 31, 2024.

These rules are likely to be among the final export control measures that BIS will issue during the Biden Administration and its purported “small yard, high fence” strategy. As we look ahead to export control policy under the incoming Trump Administration, it is likely that controls on semiconductors, advanced computing and supercomputing, among other high-tech sectors, will continue to be national security and foreign policy focal points.