Export Controls on Advanced AI and Computing Chips
Summary
With this interim final rule, the Commerce Department's Bureau of Industry and Security (BIS) revises the Export Administration Regulations' (EAR) controls on advanced computing integrated circuits (ICs) and adds a new control on artificial intelligence (AI) model weights for certain advanced closed-weight dual-use AI models. In conjunction with the expansion of these controls, which BIS has determined are necessary to protect U.S. national security and foreign policy interests, BIS is adding new license exceptions and updating the Data Center Validated End User authorization to facilitate the export, reexport, and transfer (in-country) of advanced computing (ICs) to end users in destinations that do not raise national security or foreign policy concerns. Together, these changes will cultivate secure ecosystems for the responsible diffusion and use of AI and advanced computing ICs.
Market Impacts
Worldwide license requirement imposed for export, reexport, or transfer of advanced computing ICs (ECCNs 3A090.a, 4A090.a, and corresponding .z items) and AI model weights (ECCN 4E091) to all destinations, requiring BIS scrutiny of transactions presenting elevated risk of diversion or misuse; License Exception AIA allows entities in specified low-risk destinations to obtain advanced computing ICs and AI model weights without individual licenses, provided they certify compliance with security requirements and restrictions on providing IaaS access to entities outside these destinations; Presumption of denial licensing policy for exports of advanced computing ICs and AI model weights to Macau, Country Group D:5 destinations, and entities headquartered in these locations, with strict restrictions maintained from previous controls; Universal and National Validated End-User (VEU) authorizations require data centers to implement stringent security measures including NIST 800-53 compliance, FedRAMP High equivalent security, physical security requirements, personnel vetting, and supply chain security protocols to receive advanced computing ICs; License Exception ACM authorizes exports for development, production, or storage of eligible items to private sector end users, provided items are ultimately destined to customers outside Macau or Country Group D:5; Per-company, per-country TPP allocations limit cumulative installed base of advanced computing power for NVEUs, with quarterly caps increasing from 633 million TPP in Q1 2025 to 5.064 billion TPP in 2027, representing clusters approximately 12 months behind frontier cluster sizes; No controls imposed on open-weight models, but continued monitoring of risks with potential future actions if heightened risks emerge from open-weight models exceeding certain capability thresholds
Estimated Monetary Impact
Basis: Based on regulatory complexity, reporting requirements, certification processes, and security measures described in the rule. Small companies are likely exempt from most requirements. Medium companies face moderate compliance burdens for certification and reporting. Large companies have significant implementation costs but also benefit from new market opportunities through VEU authorizations and license exceptions. Penalty amounts are estimated based on typical EAR violations, though no specific amounts are mentioned in this rule.; Action items: No action items to analyzeConfidence: 50%
Small Companies
< $10M
Costs
Implementation: $0
Ongoing/yr: $0
Penalties: $0
Benefits
Efficiency: $0
New Revenue: $0
Risk Reduction: $0
Net Impact: $0/yr
Medium Companies
$10M - $100M
Costs
Implementation: $50K
Ongoing/yr: $25K
Penalties: $1M
Benefits
Efficiency: $10K
New Revenue: $0
Risk Reduction: $50K
Net Impact: $110K/yr
Large Companies
> $100M
Costs
Implementation: $500K
Ongoing/yr: $250K
Penalties: $10M
Benefits
Efficiency: $100K
New Revenue: $500K
Risk Reduction: $1M
Net Impact: $550K/yr
Validated Company Impacts
Palantir Technologies Inc.
Palantir develops and deploys AI and machine learning technologies that likely involve advanced computing ICs and potentially AI model weights, placing them within the rule's scope for export controls and security requirements. Their cloud-agnostic solutions and work with sensitive government data suggest they would need to comply with data center security protocols and licensing exceptions.
ADVANCED MICRO DEVICES INC
AMD operates as a global semiconductor company that designs and manufactures advanced computing integrated circuits, which are directly controlled under ECCNs 3A090.a and 4A090.a in this rule. The company's business activities involving export, reexport, and transfer of these ICs fall squarely under the rule's jurisdiction and licensing requirements.
Arista Networks, Inc.
Arista Networks operates directly in data center and AI networking infrastructure, which falls under the rule's jurisdiction for advanced computing IC controls and data center security requirements. The company's focus on AI networking solutions and data center environments aligns with markets targeted by export controls on advanced computing components and VEU authorization requirements.
APPLIED MATERIALS INC /DE
Applied Materials is a leading manufacturer of semiconductor fabrication equipment, directly producing the advanced computing integrated circuits (ICs) controlled under this rule. The company's global operations in semiconductor manufacturing equipment place it squarely within the regulated markets and subject to export controls on advanced computing ICs.
Dell Technologies Inc.
Dell Technologies operates directly in multiple markets targeted by this rule, including advanced computing integrated circuits through its semiconductor business, data center services via its infrastructure solutions, and AI model development through partnerships and offerings. The company's global operations in computing hardware and data center services would require compliance with export controls, license exceptions, and security protocols for advanced computing ICs and AI model weights.
DigitalOcean Holdings, Inc.
DigitalOcean operates data centers providing Infrastructure-as-a-Service (IaaS) and cloud computing services, which directly fall under the rule's requirements for data center security measures, NIST 800-53 compliance, and restrictions on providing IaaS access to certain entities. The company's AI/ML services and global cloud platform operations would be subject to the export controls and license requirements for advanced computing infrastructure.
Alphabet Inc.
Google Cloud's data center operations and AI model development activities directly align with the rule's controls on advanced computing ICs and AI model weights, requiring compliance with security protocols and potential license requirements for exports.
MERCURY SYSTEMS INC
Mercury Systems operates in defense technology with significant manufacturing of mission-critical processing systems and digital data processing technologies, which aligns with the rule's controls on advanced computing ICs and security requirements for defense applications. The company's focus on cybersecurity, supply chain management, and trusted microelectronics directly corresponds to the rule's security protocols and export controls for sensitive technologies.
MACOM Technology Solutions Holdings, Inc.
The rule directly addresses the company's identified 'export control regulations' risk, imposing worldwide license requirements for advanced computing ICs and AI model weights that would restrict sales to certain markets and increase compliance costs. The company's supply chain disruptions and manufacturing inefficiencies could also be exacerbated by the rule's semiconductor manufacturing controls and security requirements.
NVIDIA CORP
NVIDIA's data center segment directly produces and exports advanced computing ICs (GPUs) that fall under ECCN 3A090.a controls, and the company develops AI model weights through its full-stack computing infrastructure. The rule's export controls, license exceptions, and security requirements directly apply to NVIDIA's core semiconductor manufacturing and AI development operations.
NXP Semiconductors N.V.
NXP Semiconductors operates as a global semiconductor manufacturer, directly aligning with the rule's controls on advanced computing integrated circuits (ECCNs 3A090.a, 4A090.a) which are core to their business operations. The company's global manufacturing and export activities would be subject to BIS licensing requirements and scrutiny for transactions involving advanced computing ICs.
ORACLE CORP
Oracle operates significant cloud computing and data center services through its Cloud and License business segment, which directly aligns with the rule's requirements for data center security measures, VEU authorizations, and restrictions on providing IaaS access. The company's hardware business involving server and storage offerings could also be affected by controls on advanced computing ICs and semiconductor equipment.