Export Administration Regulations (EAR)
The US Department of Commerce is responsible for enforcing the Export Administration Regulations (EAR) through the Bureau of Industry and Security (BIS). According to BIS definitions, export is the transfer of protected technology or information to a foreign destination or release of protected technology or information to a foreign person in the United States (also known as deemed export). Items subject to the EAR can be found on the Commerce Control List (CCL), and each item has a unique Export Control Classification Number (ECCN) assigned. Items not listed on the CCL are designated as EAR99, and most EAR99 commercial products do not require a license to be exported. However, depending on the destination, end user, or end use of the item, even an EAR99 item may require a BIS export license.
The EAR is applicable to dual-use items that have both commercial and military applications, as well as to items with purely commercial application. The BIS has provided guidance that cloud service providers (CSP) are not exporters of customers’ data due to the customers’ use of cloud services. Moreover, in the final rule published on 3 June 2016, BIS clarified that EAR licensing requirements would not apply if the transmission and storage of unclassified technical data and software were encrypted end-to-end using FIPS 140 validated cryptographic modules and not intentionally stored in a military-embargoed country (i.e., Country Group D:5 as described in Supplement No. 1 to Part 740 of the EAR) or in the Russian Federation. The US Department of Commerce has made it clear that, when data or software is uploaded to the cloud, the customer, not the cloud provider, is the exporter who has the responsibility to ensure that transfers, storage, and access to that data or software complies with the EAR.
Azure and EAR
If you are subject to the EAR, Azure, Azure Government, and Azure Government Secret can help you meet your EAR compliance requirements.
Except for the Azure region in Hong Kong SAR, Azure datacenters are not located in proscribed countries or in the Russian Federation. Azure services rely on FIPS 140 validated cryptographic modules in the underlying operating system, and provide you with a wide range of options for encrypting data in transit and at rest, including encryption key management using Azure Key Vault, which can store encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control (customer-managed keys, CMK). Keys generated inside the Azure Key Vault HSMs are not exportable – there can be no clear-text version of the key outside the HSMs. This binding is enforced by the underlying HSM. Moreover, Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents do not see or extract your cryptographic keys.
You are responsible for choosing the Azure regions for deploying your applications and data. Moreover, you are responsible for designing your applications to use end-to-end data encryption that meets EAR requirements. Microsoft does not inspect or approve your Azure applications.
Azure Government provides an additional layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.
For additional information regarding the EAR, your should review:
- Azure Government
- Azure Government Secret
Office 365 and EAR
For more information about Office 365 compliance, see Office 365 EAR documentation.
Frequently asked questions
What should I do to comply with export control laws when using Azure? Under the EAR, when data is uploaded to a cloud service, the customer who owns the data — not the cloud services provider — is considered to be the exporter who has the responsibility to ensure that transfers, storage, and access to that data or software complies with the EAR. For that reason, you, as the owner of the data, must carefully assess how your use of the Microsoft cloud may implicate US export controls and determine whether any of the data you want to use or store there may be subject to EAR controls, and if so, what controls apply. To learn more about how Azure can help you ensure your full compliance with US export controls, review the Microsoft Azure Export Controls whitepaper.
What technical features does Azure provide to help customers meet their EAR compliance obligations? The following Azure features are available to you to manage potential export control risks:
- Ability to control data location - You have visibility as to where your data is stored, and robust tools to restrict data storage to a single geography, region, or country. For example, you may therefore ensure that data is stored in the United States or your country of choice and minimize transfer of controlled technology/technical data outside the target country. Customer data is not intentionally stored in a non-conforming location, consistent with the EAR rules.
- Control over access to data - You can know and control who can access your data and on what terms. Microsoft technical support personnel do not need and do not have default access to customer data. For those rare instances where resolving customer support requests requires elevated access to customer data, Customer Lockbox for Azure puts you in charge of approving or rejecting customer data access requests.
- End-to-end encryption - Implies the data is kept encrypted at all times between the originator and intended recipient, and the means of decryption are not provided to any third party. Azure relies on FIPS 140 validated cryptographic modules in the underlying operating system, and provides you with a wide range of options for encrypting data in transit and at rest, including encryption key management using Azure Key Vault, which can store encryption keys in FIPS 140 validated hardware security modules (HSMs) under your control (customer-managed keys, CMK). Azure Key Vault is designed, deployed, and operated such that Microsoft and its agents do not see or extract your cryptographic keys.
- Tools and protocols to prevent unauthorized deemed export/re-export - Apart from the EAR end-to-end encryption safe harbor for physical storage locations, the use of encryption also helps protect against a potential deemed export (or deemed re-export), because even if a non-US person has access to the encrypted data, nothing is actually revealed to non-US person who cannot read or understand the data while it is encrypted and thus there is no release of any controlled data. Azure offers a wide range of encryption capabilities and solutions, flexibility to choose among encryption options, and robust tools for managing encryption.
Are Microsoft technologies, products, and services subject to the EAR? Most Microsoft technologies, products, and services are either 1) not subject to the EAR and thus are not on the Commerce Control List and have no ECCN; or 2) they are EAR99 or 5D992 Mass Market-eligible for self-classification by Microsoft and may be exported to non-embargoed countries without a license as No License Required (NLR). That said, a few Microsoft products have been assigned an ECCN that may or may not require a license. Consult the BIS or legal counsel to determine the appropriate license type and eligible countries for export purposes.
What’s the difference between the EAR and International Traffic in Arms Regulations (ITAR)? The primary US export controls with the broadest application are the EAR, administered by the US Department of Commerce. The EAR is applicable to dual-use items that have both commercial and military applications, and to items with purely commercial applications.
The United States also has separate and more specialized export control regulations, such as the ITAR, that governs the most sensitive items and technology. Administered by the US Department of State, ITAR imposes controls on the export, temporary import, re-export, and transfer of many military, defense, and intelligence items (also known as defense articles), including related technical data documented on the Unites States Munitions List (USML).
Should I use Azure or Azure Government for workloads that are subject to EAR? You are wholly responsible for ensuring your own compliance with all applicable laws and regulations, and should consult your legal advisor for questions regarding regulatory compliance. Azure and Azure Government have the same security controls in place, including the same provisions for data encryption in transit and at rest to support EAR requirements. The cloud environment decision will rest with you based on your business requirements. Most US government agencies and their partners are best aligned with Azure Government, which provides an additional layer of protection to customers through contractual commitments regarding storage of customer data in the United States and limiting potential access to systems processing customer data to screened US persons.
- Azure compliance documentation
- Azure enables a world of compliance
- Microsoft 365 compliance offerings
- What is Azure Government?
- Explore Azure Government
- Microsoft government solutions
- Azure support for export controls
- Microsoft Azure Export Controls whitepaper
- Export Administration Regulations
- Bureau of Industry and Security (BIS)
- BIS definitions
- Commerce Control List (CCL)
- Export Control Classification Number (ECCN)
- Revisions to Definitions in the Export Administration Regulations - BIS Final Rule published 3 June 2016
- Supplement No. 1 to Part 740 of the EAR