Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
About the EAR
The US Department of Commerce enforces the Export Administration Regulations (EAR) through the Bureau of Industry and Security (BIS). The EAR broadly governs and imposes controls on the export and re-export of most commercial goods, software, and technology, including 'dual-use' items that you can use both for commercial and military purposes and certain defense items.
BIS guidance holds that when you upload data or software to the cloud or transfer it between user nodes, you're the 'exporter' and have the responsibility to ensure that transfers of, storage of, and access to that data or software complies with the EAR.
According to the BIS, export refers to the transfer of protected technology or technical data to a foreign destination or its release to a foreign person in the United States (also referred to as a deemed export). The EAR broadly governs:
- Exports from the United States.
- Re-exports or retransfers of US-origin items and certain foreign-origin items with more than a de minimis portion of US-origin content.
- Transfers or disclosures to persons from other countries or regions.
You can find items subject to the EAR on the Commerce Control List (CCL) where each item is assigned a unique Export Control Classification Number (ECCN). Items not listed on the CCL are designated as EAR99 and most EAR99 commercial products don't require a license to be exported. However, depending on the destination, end user, or end use of the item, even an EAR99 item might require a BIS export license.
The final rule, published in June 2016, clarified that EAR licensing requirements also don't apply to the transmission and storage of unclassified technical data and software if they're encrypted end-to-end using FIPS 140-2 validated cryptographic modules and aren't intentionally stored in a military-embargoed country or region or in the Russian Federation.
Microsoft and the EAR
Microsoft technologies, products, and services are subject to the US Export Administration Regulations (EAR). While there's no compliance certification for the EAR, Microsoft Azure, Microsoft Azure Government, and Microsoft Office 365 Government (GCC High and DoD environments) offer important features and tools to help eligible customers subject to the EAR manage export control risks and meet their compliance requirements.
The US Commerce Department, which enforces the EAR, takes the position that customers, not cloud service providers such as Microsoft, are considered to be exporters of their own customer data. While most customer data isn't considered 'technology' or 'technical data' subject to EAR export controls, Microsoft in-scope cloud services are structured to help customers manage and significantly mitigate the potential export control risks they face. Microsoft generally, but not exclusively, recommends the use of its government cloud services for eligible customers. With appropriate planning, customers can use the following tools and their own internal procedures to help ensure full compliance with US export controls.
- Controls on data location. Customers have visibility into where their data is stored and access to robust tools to restrict its storage. They can ensure that their data is stored in the United States and minimize transfer of controlled technology or technical data outside the United States. Furthermore, customer data isn't stored in a nonconforming location, consistent with EAR prohibitions on where data is 'intentionally stored': no Azure datacenter is located in any of the 25 Group D:5 countries/regions or the Russian Federation.
- End-to-end encryption. By taking advantage of the end-to-end encryption safe harbor for physical storage locations specified in the EAR, Microsoft in-scope cloud services deliver encryption features that can help protect against export control risks. They also offer customers a wide range of options for encrypting data in transit and at rest, and the flexibility to choose among encryption options. To learn more, see:
- Tools and protocols to prevent unauthorized deemed export. The use of encryption also helps protect against a potential deemed export (or deemed re-export) under the EAR, because even if a non-US person has access to encrypted data, nothing is revealed if they can't read or understand the data while it's encrypted; thus there's no 'release' of controlled data.
Microsoft in-scope cloud platforms and services
- Azure and Azure Government
- Office 365 Government (GCC-High and DoD)
- Intune
Frequently asked questions
What should I do to comply with export controls when using Microsoft cloud services?
Under the EAR, when you upload data to a cloud server such as the Microsoft cloud, you, as the customer and data owner, are considered the exporter, not the cloud services provider. For that reason, you must carefully assess how your use of the Microsoft cloud might implicate US export controls. Determine whether any of the data you want to use or store in the cloud is subject to EAR controls, and if so, identify the applicable controls. Learn more about how Azure and Office 365 cloud services can help you ensure full compliance with US export controls. For more information, see the Cloud FAQs section of the Frequently Asked Questions page at Exporting Microsoft Products.
Are Microsoft technologies, products, and services subject to the EAR?
Most Microsoft technologies, products, and services either:
- Aren't subject to the EAR and thus aren't on the Commerce Control List and have no ECCN;
- Or they're EAR99 or 5D992 Mass Market-eligible for self-classification by Microsoft and can be exported to non-embargoed countries or regions without a license as No License Required (NLR).
That said, a few Microsoft products have been assigned an ECCN that might require a license. Consult the EAR or legal counsel to determine the appropriate license type and eligible countries or regions for export purposes.
What's the difference between the EAR and International Traffic in Arms Regulations (ITAR)?
The primary US export controls with the broadest application are the EAR, administered by the US Department of Commerce. The EAR applies to dual-use items that have both commercial and military applications, and to items with purely commercial applications.
The United States also has separate and more specialized export control regulations, such as the ITAR, that govern the most sensitive items and technology. Administered by the US Department of State, these regulations impose controls on the export, temporary import, re-export, and transfer of many military, defense, and intelligence items (also known as "defense articles"), including related technical data.