(a) Scope. License Exception ACE authorizes export, reexport, and transfer (in-country), including deemed exports and reexports, of 'cybersecurity items,' as set forth in paragraph (b) of this section, subject to the restrictions set forth in paragraph (c) of this section. Deemed exports and reexports are authorized under this license exception, except for deemed exports or reexports to E:1 and E:2 nationals as described in paragraph (c)(1)(i) of this section, to certain 'government end-users' as described in paragraph (c)(1)(ii) of this section, and subject to the end-use restrictions described in paragraph (c)(2) of this section. Even if License Exception ACE is not available for a particular transaction, other license exceptions may be available. For example, License Exception GOV (§ 740.11 of the EAR) authorizes certain exports to U.S. government agencies and personnel. License Exception TMP (§ 740.9(a)(1) of the EAR) authorizes the export, reexport, and transfer (in country) of tools of the trade in certain situations.
(b) Definitions. The following terms and definitions are for the purpose of License Exception ACE only.
(1) Cybersecurity Items are ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004), 4E001.c, 5A001.j, 5B001.a (for 5A001.j), 5D001.a (for 5A001.j), 5D001.c (for 5A001.j or 5B001.a (for 5A001.j)), and 5E001.a (for 5A001.j or 5D001.a (for 5A001.j)).
(2) Digital artifacts are items (e.g., “software” or “technology”) found or discovered on an information system that show past or present activity pertaining to the use or compromise of, or other effects on, that information system.
(3) Favorable treatment cybersecurity end user is any of the following:
(i) A “U.S. subsidiary”;
(ii) Providers of banking and other financial services;
(iii) Insurance companies; or
(iv) Civil health and medical institutions providing medical treatment or otherwise conducting the practice of medicine, including medical research.
(4) Government end user, for the purpose of § 740.22, is a national, regional or local department, agency or entity that provides any governmental function or service, including international governmental organizations, government operated research institutions, and entities and individuals who are acting on behalf of such an entity. This term includes retail or wholesale firms engaged in the manufacture, distribution, or provision of items or services, controlled on the Wassenaar Arrangement Munitions List.
(c) Restrictions. License Exception ACE exports, reexports, or transfers (in-country) of 'cybersecurity items' are subject to the restrictions of this paragraph (c).
(1) Destination or end-user restrictions. License Exception ACE does not authorize deemed exports under paragraph (c)(1)(i) or (ii) of this section.The restrictions in paragraphs (c)(1)(i) and (ii) apply to activities, including exports, reexports, and transfers (in-country), related to “vulnerability disclosure” and “cyber incident response.” However, Note 1 to ECCN 4E001 in the CCL (supplement no. 1 to part 774 of the EAR) excludes “vulnerability disclosure” and ”cyber incident response” from control under 4E001.a or .c.
(i) A destination that is listed in Country Group E:1 or E:2 in supplement no.1 to part 740 of the EAR.
(ii) A government end user, as defined in this section, of any country listed in Country Group D:1, D:2, D:3, D:4 or D:5 in supplement no. 1 to part 740. This restriction does not apply to:
(A) Exports, reexports, and transfers (in-country) to Country Group D countries that are also listed in Country Group A:6 of 'digital artifacts' that are related to a cybersecurity incident involving information systems owned or operated by a 'favorable treatment cybersecurity end user', or to police or judicial bodies in Country Group D countries that are also listed in Country Group A:6 for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents; or
(B) Exports, reexports, and transfers (in-country) to national computer security incident response teams in Country Group D countries that are also listed in Country Group A:6 of 'cybersecurity items' for purposes of responding to cybersecurity incidents, for purposes of 'vulnerability disclosure', or for purposes of criminal or civil investigations or prosecutions of such cybersecurity incidents.
(iii) A non-government end user located in any country listed in Country Group D:1 or D:5 of Supplement No. 1 to part 740 of the EAR. This restriction does not apply to:
(A) Exports, reexports or transfers (in-country) of cybersecurity items classified under ECCNs 4A005, 4D001.a (for 4A005 or 4D004), 4D004, 4E001.a (for 4A005, 4D001.a (for 4A005 or 4D004) or 4D004) and 4E001.c, to any `favorable treatment cybersecurity end user;'
(B) “Vulnerability disclosure” or “cyber incident response;”or
(C) Deemed exports.
(2) End-use restrictions. License Exception ACE is not authorized if the exporter, reexporter, or transferor “knows” or has “reason to know” at the time of export, reexport, or transfer (in-country), including deemed exports and reexports, that the 'cybersecurity item' will be used to affect the confidentiality, integrity or availability of information or information systems, without authorization by the owner, operator or administrator of the information system (including the information and processes within such systems).
[86 FR 58209, Oct. 21, 2021]