BIS Delays New Cybersecurity Controls, Considering Changes
The Bureau of Industry and Security delayed the effective date of its new export controls over certain cybersecurity items (see 2110200036) after receiving requests from industry, the agency said in a notice released Jan. 11. The controls, which were scheduled to take effect Jan. 19, were delayed for 45 days and will now take effect March 7.
The announcement came after U.S. technology companies and trade groups said the new controls should be tweaked so they don’t impede certain activities in the cybersecurity sector, including information sharing and exports to certain government end-users (see 2112130028). Although several companies said the controls were an improvement over the restrictions BIS had proposed in 2015, certain aspects of the rule could still be narrowed, they said, and there remains considerable uncertainty surrounding the controls’ compliance requirements.
Based on the feedback, BIS said it “may consider some modifications” to the controls. It also said it wants to delay the effective date to allow companies more time to implement “compliance measures” and for BIS to potentially issue more guidance. “BIS agrees that it is important to allow enough time for industry” to comply with the new restrictions, it said. The agency also stressed it isn’t reopening or extending the rule’s comment period.