Nixon Peabody LLP

Trending Topics

    Practices

    View All

    Industries

    View All

    Value-Added Services

    View All

    Alert / Export Controls & Economic Sanctions

    New Data Center Validated End User Authorization

    Oct 2, 2024

    By David Crosby and Alexandra Lopez-CaseroJule Giegling (Legal Intern–Corporate Practice) assisted with the preparation of this alert

    BIS expanded its long-standing Validated End User (VEU) program to data centers located in specific countries outside China or other D:5 countries. Companies can now (re-)export certain controlled hardware, software, or technology to these data centers without a BIS license as long as their export matches the specific VEU entry.

    What’s the impact?

    • BIS expands its long-standing Validated End User (VEU) program to data centers.
    • Data centers can now apply to be added as eligible VEUs, as long as they are not located in China or other Country Group D:5 countries.
    • Companies can (re-)export hardware, software, or technology controlled, e.g., in ECCNs 3A090 or 4A090, or under .z in Categories 3, 4, and 5 to these data centers without a BIS license as long as their (re)export matches the specific VEU entry (eligible items and name + address of the eligible VEU).

    DOWNLOAD

    New Data Center Validated End User Authorization (PDF)

    On September 30, 2024, the Department of Commerce’s Bureau of Industry and Security (BIS) issued the final rule, “Expansion of Validated End User Authorization: Data Center Validated End User Authorization” (Federal Register Document 2024-22587). This rule expands the current, long-standing Validated End User Authorization (VEU) program in Section 748.15 of the EAR (all section/part references in this alert are to the EAR) to data centers located in any destination for which a license is required for ECCN 3A090, 4A090 items, and .z items in Categories 3, 4, and 5, except for destinations in Country Group D:5 countries (Data Center VEU or Data Center VEU Authorization). The new Data Center VEU is intended to facilitate the export and reexport of items on the Commerce Control List (excluding 600-series items) necessary for use at a specified data center. VEUs under this new authorization will be companies that BIS considers to have very robust export and security controls in place. Through the Data Center VEU Authorization, BIS seeks to build a trusted technology ecosystem; going forward, it could expand the VEU authorizations to other export-controlled sectors. The Data Center VEU adopts much of the framework of BIS’s traditional VEU program but comes with additional requirements. So far, BIS has not publicly named, i.e., listed on the VEU List in Supplement No. 7 to Part 748, any Data Center VEUs.

    The final rule was formally published (and thereby became effective) on October 2, 2024.

    The general VEU program

    The traditional “general” VEU program was established in 2007. It is a trade-facilitating program for high-technology civilian trade between the US and VEU-eligible countries (currently, China and India). Under the VEU program, entities in China and India that pass an interagency review and agree to ongoing compliance obligations are eligible to receive specifically listed items that would otherwise require an individual BIS license (except items controlled for missile technology [MT] and crime control [CC] reasons). Items obtained under a VEU authorization for China may be used only for civil end uses (for India, military end uses are also allowed) and not for any activities prohibited under Part 744. However, for specific Western VEUs in China, some of the semiconductor end-use restrictions of 744.23(a) and 744.6(c) do not apply to the extent specified in their respective VEU entry.

    The regulatory requirements for the “general” VEU authorization can be found in Section 748.15. Any entity can apply for the general VEU authorization under the requirements established in Section 748.15(a). The list of currently eligible VEUs can be found in Supplement 7 to Part 748; however, the VEU authorization can also apply if an entity is not listed in Supplement 7; i.e., if it holds a VEU authorization letter provided by BIS. BIS confirmed this point in a recent case where the VEU obtained the VEU letter from BIS, but BIS had not yet updated Supplement 7 accordingly.

    The VEU program allows exports, reexports, and transfers (in-country) to a VEU only if the items will be consigned to and for use by the validated end user and if the VEU only: (i) uses such items at the end user's own facility located in an eligible destination or at a facility located in an eligible destination over which the end user demonstrates effective control; (ii)) consumes such items “during use,” or (iii) transfers or reexports the items only as authorized by BIS.

    The new Data Center VEU

    The new Data Center VEU expands the VEU program to facilitate the export or reexport of items on the Commerce Control List that require a license to the destination and that are necessary for use at a data center (excluding 600-series items) to pre-approved trusted validated end users in destinations for which a license is required for items classified under ECCNs 3A090 and 4A090, and .z items in Categories 3, 4, and 5. The Data Center VEU is not available for end users in China and other countries of Country Group D:5 (Supplement 1 to Part 740).

    The Data Center VEU is implemented by amending Section 748.15. BIS re-labels the current VEU program as “General VEU Authorization” and introduced the new program as “Data Center VEU Authorization.”

    One notable difference between the programs is that, under the new Data Center VEU, (i) reexports of eligible items by a Data Center VEU are permitted only as specifically authorized by BIS and (ii) in-country transfers are not permitted unless the item is transferred in-country to a VEU-authorized location by the same VEU.

    Eligibility criteria

    Revised Section 748.15(a)(1) contains the eligibility criteria for both VEU authorizations. Paragraphs (b) and (d) now each distinguish between the two VEU authorizations, with new Paragraph (1) discussing the General VEU and new Paragraph (2) discussing the Data Center VEU. Paragraph (c) of Section 748.15, which contains restrictions on eligible items, now includes a new Paragraph (1), indicating the general ineligibility of items controlled for MT and CC reasons, and new Paragraph (2), with item restrictions specific to the new Data Center VEU Authorization, i.e., only items on the Commerce Control List that require a license to the destination (excluding “600 series” items) and are necessary for use at a data center are eligible.

    Requests for authorization

    Requests for authorization for each VEU authorization must be submitted in the form of an advisory opinion request, as described in Sections 748.15(a)(2) and 748.3(c), and in accordance with revised Supplement 8 and Supplement 9. A new paragraph B is added to Supplement 8 to indicate the additional information required for requests under the new Data Center VEU Authorization.

    Upon a request for authorization, the US government will evaluate the applicant based on a range of factors, including whether the VEU host country has provided assurances to the US government regarding the safe and secure use of the technology to be provided under the VEU authorization. Further, the review will examine the applicant’s record of compliance with US export controls; the applicant’s capability to comply with the requirements for VEU; the applicant’s agreement to on-site compliance reviews by representatives of the US government, including to guard against both the misuse and diversion of computing resources; the applicant’s relationships with US and foreign companies; the applicant’s technology roadmap, and its technology control plan.

    Approval of VEU status

    If the request is approved, BIS will issue a response in the form of a letter granting VEU status. The letter will state the items that are permitted for export or reexport to the VEU, along with any conditions required of the VEU. Such conditions may include a commitment to:

    • Implement physical and logical security requirements;
    • Prohibit access to individuals working for entities and/or countries of concern;
    • Prohibit access to any national working for or on behalf of a party on the BIS Entity List;
    • Ensure inspection/onsite reviews by US government officials as necessary, to determine whether VEU authorization conditions are being met; and/or
    • Not provide computing power above prohibited thresholds to entities or countries of concern.

    Reporting requirements

    Revised Section 748.15(e) expands the current certification and reporting requirements for (re)exports under the General VEU Authorization to include the new Data Center VEU Authorization.

    Before an initial export or reexport under General or Data Center VEU authorizations, exporters or reexporters must obtain certifications that are compliant with Supplement 8 to Part 748 from VEUs regarding the end use and compliance with VEU requirements.

    As provided in revised Section 748.15(f)(1)(i), reexporters who make use of either VEU Authorization must submit reports to BIS (i) annually when using the General VEU Authorization and (ii) semi-annually when using the Data Center VEU Authorization. For either authorization, reexporters must include, “for each validated end user to whom the exporter or reexporter exported or reexported eligible items:” [sic] (a) the name and address of each VEU to whom eligible items were reexported, (b) the eligible destination to which the items were reexported; (c) the quantity of the items, (d) the value of the items, and (e) the ECCN of each item.  

    Pursuant to Section 748.15(f)(1)(ii), end users that make use of Data Center VEU Authorizations must submit reports to BIS semi-annually and include information such as (i) a record of current inventory of eligible items received, (ii) dates of when eligible items were received and by whom, (iii) a description of how current compute is being used, and (iv) a list of current customers with a description of their use.

    Under the revised Section 748.15(f)(1)(iii), such reports are due:

    • For General VEU Authorization reports by reexporters, by February 15 of each year, covering the period of January 1 through December 31 of the prior year.
    • For Data Center VEU Authorization reports by reexporters and end users, the first report by July 15 of each year, covering the period from January 1 through June 30, and the second report by January 15, covering the period from June 30 to December 31 of the previous year.

    Certifications and all records related to shipments made under a VEU authorization must be retained by the exporters or reexporters in accordance with recordkeeping requirements pursuant to Part 762. Under the revised Section 748.15(f)(2), exporters, reexporters, transferors, and VEUs who make use of a VEU authorization must allow BIS to review (including on-site) the relevant records pertaining to the information covered by the VEU certifications and the submitted reports.

    Practical impact

    The General VEU authorization has been a long-standing program since 2007. However, it had been essentially dormant for years until BIS revived it in connection with the semiconductor restrictions in 2023 by adding, e.g., US- and South Korean-owned advanced-node semiconductor fabrication facilities in China as eligible VEUs. With the increased tightening of US export controls in high-tech sectors, BIS appears to try to strike a balance between national security concerns and the facilitation of exports to trusted entities. For this, BIS is using all the tools it has available, as can be seen, for example, in the recent introduction of new controls in sectors such as quantum computers, aerospace technology, and integrated circuits, with the simultaneous introduction of new license exception “Implemented Export Control” (IEC). IEC authorizes exports, reexports, and transfers (in-country) of specified items to specified “Western” countries that have implemented equivalent export controls that substantially align with those implemented by the United States.

    With the introduction of the new Data Center VEU Authorization, BIS approaches the ever-increasing technology controls from yet another, but familiar, angle. Data centers that wish to be added as eligible VEUs should expect a rigorous vetting process. However, once they are added to the VEU List, their suppliers will benefit from being able to export, e.g., ECCN 5A002.z. or 5D002.z. to them without having to go through the BIS licensing process.

    For more information on the content of this alert, please contact your Nixon Peabody attorney or the authors of this alert.

    Insights And Happenings

    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Stay informed of the latest legal news, alerts, and business trends.Subscribe