Reminder: Have You Filed Your Encryption Self-Classification Reports with the Bureau of Industry and Security?

This is a reminder that annual self-classification reports and semi-annual reports for hardware, software, or technology utilizing encryption ("Encryption Items") were due to be filed by February 1, 2024, with the Bureau of Industry and Security ("BIS"), Department of Commerce.

Annual Self-classification Report

An annual self-classification report must be filed for items exported under License Exception ENC – 15 CFR § 740.17(b)(1) of the Export Administration Regulations ("EAR"), except for mass market Encryption Items meeting the mass market criteria under Note 3 to Cat. 5, Part 2 and classified as Export Control Classification Number ("ECCN") 5A992.c (hardware) or 5D992.c (software), or when a Commodity Classification ("CCATS") has been obtained from BIS for the Encryption Item. Mass market products are typically consumer products sold at retail stores or internet locations such as consumer electronics, mobile devices and apps, and retail software.

Annual self-classification reports must be filed by February 1 of each year. The annual self-classification report covers Encryption Items exported or reexported during the prior calendar year (January 1 through December 31).

The annual self-classification report must be filed in electronic format by e-mail to crypt-supp8@bis.doc.gov and enc@nsa.gov, or on disk (the latter only if necessary). Detailed filing instructions are on the BIS website here.

Semi-annual Report

Semi-annual reporting is required for exports of Encryption Items controlled by License Exception ENC, 15 CFR §§ 740.17(b)(2) and 740.17(b)(3) ("(b)(2)" and "(b)(3)") to all destinations other than Canada and for reexports from Canada.

Section (b)(2) Encryption Items include network infrastructure items, non-public source code, encryption technology, and quantum cryptography. Network infrastructure includes WAN, MAN, VPN, backhaul and long-haul, satellite infrastructure, and terrestrial wireless infrastructure, all within the specifications of Section 740.17(b)(2).

Section (b)(3) Encryption Items include encryption components (e.g., chips, chipsets, electronic assemblies), non-standard cryptography, digital forensics, and cryptographic libraries and modules.

Encryption Items and transactions excluded from the semi-annual reporting requirement include:

•  Encryption commodities or software with a symmetric key length not exceeding 64 bits.

•  Encryption items exported (or reexported from Canada) via free and anonymous download.

•  Encryption items from or to a U.S. bank, financial institution or its subsidiaries, affiliates, customers, or contractors for banking or financial operations.

•  Foreign products developed by bundling or compiling of source code.

Semi-annual reports must be filed by February 1 of each year (for exports occurring between July 1 and December 1), and by August 1 of each year (for exports occurring between January 1 and June 30).

The semi-annual report must be filed in electronic format by e-mail to crypt@bis.doc.gov and enc@nsa.gov, or on disk (the latter only if necessary). Detailed filing instructions are on the BIS website here.

The EAR encryption regulations are complex, and our descriptions of the Encryption Items subject to or exempt from the reporting requirements are summary in nature and are illustrative but not exhaustive lists.

Brian Wong is an export compliance advisor at Davis Wright Tremaine.