Flurry of National Security Regulations Issued as Biden Administration Departs

The U.S. Commerce Department and other regulatory agencies published regulations at a furious pace as the Biden administration came to a close this month. These new regulations appear to be primarily aimed at restricting China’s ability to further develop certain critical technologies (e.g., artificial intelligence (AI) and biotechnology) or to access the U.S. market, but each has a wider impact and may have some unintended consequences for the impacted industries. This alert provides a high-level summary of key rules published during the past several weeks.

It remains to be seen whether or how the implementation of these rules will be revised over the next several months, particularly in light of President Trump’s “Day One” Executive Orders (EOs) implementing a regulatory freeze and undoing many actions taken by the Biden administration. To the extent that these rules impose restrictions on China, an area in which the two administrations have historically been largely aligned, they may be more likely to be maintained under the new administration. Other rules may be rolled back or modified.

We expect to publish more in-depth alerts as we learn more about the new administration’s plans for these rules. In the interim, we recommend that companies consider the potential impact of the rules and be prepared to implement changes as needed.

AI and Semiconductor Export Controls

• Foreign-Produced Direct Product Rule Additions, and Refinements to Controls for Advanced Computing and Semiconductor Manufacturing Items (Dec. 5, 2024): In this interim final rule (IFR), the Bureau of Industry and Security (BIS) added new Export Administration Regulations (EAR) controls for certain high-bandwidth memory, semiconductor manufacturing equipment (SME), and related items that enable advanced-node integrated circuit (IC) production. BIS also implemented two new Foreign Direct Product (FDP) Rules and revised its “de minimis” rule to extend U.S. jurisdiction to cover foreign-produced SME that either contains certain types of U.S.-origin integrated circuits, or is produced using certain U.S.-origin software, technology, or plant/major equipment. The new FDP Rules do not apply to items produced in some countries that have implemented similar controls. BIS also clarified its controls on the export of software keys that unlock controlled software.
• Framework for AI Diffusion (Jan. 15, 2025): BIS implemented significant additional controls on advanced computing chips and certain closed AI model weights, as well as new license exceptions and updates to Validated End User (VEU) authorizations. The framework adopts a “three-pronged strategy” that i) requires authorizations for exports, reexports, and transfers of advanced node ICs to a broad range of countries; ii) institutes new controls on the most advanced AI model weights, including a new FDP Rule that applies these controls to certain model weights produced abroad using advanced computing chips made with U.S. technology or equipment; and iii) imposes additional security conditions related to the storage of certain AI models. Though the rule took effect immediately, the slated compliance date for these rules is set for May 15, 2025, with some elements of these controls having a delayed compliance date of January 15, 2026.
• Implementation of Additional Due Diligence Measures for Advanced Computing Integrated Circuits (Jan. 16, 2025): BIS revised the EAR to require certain due diligence procedures for advanced computing ICs. The new rule is intended to provide “objective, bright-line rules” to front-end fabricators of advanced node ICs that are “designed to assist in better identifying transactions” with potential diversion risk. To that end, a license is required for certain advanced node ICs controlled under ECCN 3A090.a to or within any destination worldwide unless the transfer is to an “Approved IC designer” or “Approved [Outsourced Semiconductor Assembly and Test] (OSAT) Company” listed in the EAR or to a company that meets certain criteria in the notes to ECCN 3A090. The rules also include new reporting requirements for certain transactions by front-end fabricators. The target compliance date for these amendments to the EAR is set for January 31, 2025.

Other Export Control Rules

• Implementation of Additional Controls on Pakistan (Nov. 26, 2024): BIS imposed new licensing requirements for Pakistan relating to items in six Export Control Classification Numbers (ECCNs) that were previously controlled only for anti-terrorism (AT) reasons but are considered to be nuclear- or missile-related items at risk of diversion to end-users or end-uses of concern. The specific ECCNs are 1B999, 2B999, and 3B999 (specific processing equipment as listed in the ECCNs); 2A992 (piping, fittings, and valves made of, or lined with stainless, copper-nickel alloy or other alloy steel containing 10 percent or more nickel and/or chromium); 3A992 (general purpose electronic equipment not controlled by 3A002); and 6A996 (magnetometers not controlled by 6A006, superconductive electromagnetic sensors, and specially designed components for the listed items).
• Implementation of Certain Australia Group Decisions (Dec. 23, 2024): BIS amended the EAR to implement changes agreed to by Australia Group (AG) member countries. The rule adds controls for automated peptide synthesizers, dipropylamine, and neosaxitoxin, and revises the controls for botulinum toxins, toxic gas monitors, and centrifugal separators.
• Controls on Certain Laboratory Equipment and Related Technology to Address Dual Use Concerns About Biotechnology (Jan. 16, 2025): This interim final rule (IFR) immediately imposes new EAR controls on high-parameter flow cytometers and certain liquid chromatography mass spectrometry equipment and related technology. These items generate high-quality, high-content biological data including that which is suitable for use to facilitate the development of AI and biological design tools. The items are now subject to national security and regional stability controls but are also eligible for license exceptions in certain circumstances.
• BIS also made numerous additions and revisions to the Entity List during the last several weeks under the following rules:
  • Addition of Entities to and Revision of Entry on the Entity List (Jan. 16, 2025): adding 11 entities under China and revising one existing entry under India.
  • Additions to the Entity List (Jan. 16, 2025): adding 16 entities under China (14) and Singapore (2).
  • Revisions to the Entity List (Jan. 6, 2025): adding 13 entities under Burma (1), China (11), and Pakistan (1).
  • Additions to the Entity List (Dec. 11, 2024): adding 8 entities under Burma (2), China (2), and Russia (4).
  • Additions and Modifications to the Entity List; Removals From the Validated End-User (VEU) Program (Dec. 5, 2024): adding 140 entities under the destinations of China, Japan, South Korea, and Singapore, revising 14 existing entries under China, and removing three entities from the Validated End-User (VEU) Program.

Access to Bulk Personal Data

• Preventing Access to U.S. Sensitive Personal Data and Government-Related Data by Countries of Concern or Covered Persons (Jan. 8, 2025): The U.S. Department of Justice issued a final rule to implement EO 14117 of February 28, 2024 (Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern). The new rule will prohibit a broad range of transactions with certain covered persons/entities/countries of concern (including China) that involve the transfer of or access to “bulk sensitive personal data” or U.S. Government-related data. In addition to these prohibitions, the rule requires certain security measures for broadly defined “data brokerage” with any foreign person. The rule establishes licensing, reporting, and recordkeeping processes, due diligence requirements, protocols for designation of “covered persons,” as well as exemptions for certain types of transactions (particularly related to certain personal communications, corporate group transactions, biological product and medical device authorizations, clinical investigations, among others). The rule is set to take effect on April 8, 2025.

Information and Communications Technology and Services (ICTS) Controls

• Securing the Information and Communications Technology and Services Supply Chain (Dec. 6, 2024): The Department of Commerce (through BIS) issued a final rule that finalizes the regulations that govern review of transactions by U.S. persons involving information and communications technology and services designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of certain foreign adversary nations (e.g., China) that may pose undue or unacceptable risk to national security. This final rule largely just refines definitions and amends procedures for ICTS reviews that are already effective. However, the changes have the overall effect of broadening the scope of transactions BIS is entitled to review; for example, acquisitions of ICTS services involving critical and emerging technologies.
• Securing the Information and Communications Technology and Services Supply Chain: Connected Vehicles (Jan. 16, 2025, as Corrected): In this final rule, BIS established regulations and procedures related to the prohibition and/or review of certain transactions involving vehicle connectivity system hardware and automated driving systems software. These specialized ICTS rules limit the use of ICTS systems that are “integral to connected vehicles” (as defined in the rules) and are designed, developed, manufactured, or supplied by entities that are owned or controlled by, or subject to the jurisdiction or direction of, certain “foreign adversaries.”
• Securing the Information and Communications Technology and Services Supply Chain: Unmanned Aircraft Systems (Jan. 3, 2025): In this advance notice of proposed rulemaking (ANPRM), BIS seeks public comment to identify the technologies and market participants that should be included in the scope of future regulations covering transactions related to IT and communications systems that are integral to unmanned aircraft systems. Again, these further industry-specific ICTS rules would apply to ICTS products designed, developed, manufactured, or supplied by entities that are owned or controlled by, or subject to the jurisdiction or direction of, certain “foreign adversaries.” Public comments will be accepted through March 4, 2025.

Outbound Investment

• Provisions Pertaining to U.S. Investments in Certain National Security Technologies and Products in Countries of Concern (Nov. 15, 2024): On January 2, 2025, the U.S. Treasury Department’s “outbound” investment rules took effect. These rules restrict U.S. persons from engaging in certain transactions with companies that have direct or indirect links to China and that are involved in semiconductor/microelectronics, quantum information technology, and AI industries. The rules are intended to limit the ability of those businesses to use American capital and the “intangible benefits” associated with that capital. In practice, these rules will add new diligence requirements for most U.S. investors’ activities and will create incentives for U.S. investors and many non-U.S. funds to engage in diligence and obtain representations from any business that cannot otherwise clearly rule out connections to those technology areas or direct and indirect ties to China. For more details on the rule and its potential impacts, see our prior alert here.

Sanctions

• Determination Pursuant to Section 1(a)(i) of EO 14024 (Jan. 10, 2025): The Office of Foreign Assets Control (OFAC) announced several actions against the Russian energy sector, including imposition of sanctions on two major Russian oil producers and exporters (Gazprom Neft and Surgutneftegas), as well as oilfield service providers, Russian energy executives and officials, Russia’s “shadow fleet” of vessels, and maritime insurance providers Ingosstrakh Insurance Company and Alfastrakhovanie Group.
• EO 14140: Taking Additional Steps with Respect to the Situation in the Western Balkans (Jan. 8, 2025): This order grants additional authority to OFAC to sanction individuals and entities that are involved in activities to undermine the sovereignty and territorial integrity of Western Balkans nations. This expands on authorities previously granted in a series of prior EOs by adding “attempt” as a basis for designation throughout the order; adding a prong for leadership of or membership in a sanctioned entity; adding a prong for ownership or control of a sanctioned person; and adding a prong for being a spouse or adult child of a sanctioned person.