Data Center Validated End User Program

China and India

Adobe Stock

Posted Monday, September 30, 2024 9:52 am

The Department of Commerce has expanded the Validated End User (VEU) program with additional controls for data center items destined for China and India.

This expansion of the VEU program to include Data Center VEU is intended to facilitate quick and reliable export or reexport of items on the Commerce Control List necessary for a data center, including advanced computing items, to preapproved trusted end users.

Similar to Existing VEU Program

Data Center VEU adopts much of the framework of the existing VEU program, with additional requirements. This expansion of eligibility is intended to update the VEU program to recognize the advancement and benefits of artificial intelligence.

As under the original VEU Authorization Program, the U.S. government will rigorously review Data Center VEU candidates’ applications subject to detailed and verifiable criteria. A limited number of firms participate in the VEU program, including Advanced Micro Devices, Applied Materials, Intel, Boeing, LAM Research, Samsung and General Electric..

Although BIS strictly controls the export of advanced integrated circuits, BIS also recognizes that in certain destinations where a license is currently required, advanced computing integrated circuits can be deployed in highly trusted environments, enabling the use of AI for technological discoveries and the development of new tools that improve the world.

Specifically, BIS has determined that there could be significant benefits from authorizing the export and reexport of advanced computing integrated circuits to end users who operate data centers that implement certain security measures and satisfy other criteria.

Framework Similar, Requirements Differ

Accordingly, BIS is amending the EAR to establish a new authorization ‘Data Center VEU’ that is intended to facilitate export or reexport of all items on the Commerce Control List that require a license to the destination excluding “600 series” items and are necessary for a data center, including advanced computing integrated circuits and electronic assemblies, to trusted end users that meet certain prerequisites

This rule expands the VEU program to facilitate the export or reexport of items necessary for a data center to preapproved trusted validated end users in destinations that require a license for items classified under Export Control Classification Numbers (ECCNs) 3A090.a and 4A090.a, and .z items in Categories 3, 4, and 5, excluding D:5 countries. Data Center VEU adopts much of the framework of the existing VEU program, with additional requirements appropriate for a data center environment.

To implement Data Center VEU, BIS amends the EAR to refer to the existing VEU program that currently applies to India and China as ‘General VEU Authorization’ and to refer to the new program as ‘Data Center VEU Authorization.’ The framework for both programs is similar, although the requirements are different.

All VEU authorizations allow exports and reexports to the VEUs. However, a separate authorization is needed if a VEU reexports to a third party. Although in country transfers are permitted under General VEU Authorization, in country transfers are not permitted under Data Center VEU Authorization unless the transfer (in- country) is to a VEU authorized location by the same VEU.

Neither VEU authorization is authorized for items controlled under the EAR for missile technology or crime control reasons, consistent with current restrictions, and a new paragraph (2) providing that all items on the Commerce Control List are eligible for Data Center VEU Authorizations if those items require a license to the destination (excluding “600 series” items) and are necessary for a data center.

Request Advisory Opinion

Requests for authorization for General VEU Authorizations or Data Center VEU must be submitted in the form of an advisory opinion request, to include the following information:

State in an evaluation of the data center’s VEU eligibility:

Absent a legal prohibition or other such exceptional circumstances, a list of current and potential customers of the data center;
An overview of business activities or corporate relationships that the candidate has with any organization designated on the Entity List or Military End-User List, the Department of the Treasury’s Specially Designated Nationals and Blocked Persons List, Foreign Sanctions Evaders List,or S. Sectoral Sanctions Identifications List, or the Department of State’s Nonproliferation Sanctions determinations.
A description of physical, and logical security requirements, including access restrictions for each location the controlled items will be housed (e.g., around the clock monitoring, cybersecurity requirements, third-party monitoring; and/or physical security);
A description of the policies and procedures governing employees physical and logical access to the VEU data center;
An overview of the data center’s information security plan, which should include:
- Cybersecurity plan, including compliance with relevant NIST standards;
- Logging and monitoring plan;
- Technology control plan that describes how much compute is required for the various end uses involved;
- Baseline cloud configuration and identity and access management process for tenants, if a cloud provider;
- Personnel security plan; and
- An incident, identification, investigation, and reporting plan;
An explanation of the network infrastructure and architecture and service providers;
An overview of the applicant’s supply chain risk management plan that will ensure no prohibitedtechnology enters the environment and no prohibited vendors are in the supply chain; and
An overview of the applicant’s export control training program and compliance program

Included in this evaluation will be whether the VEU host country has provided assurances to the U.S. government regarding the safe and secure use of the technology to be provided under Authorization VEU.

Should an entity be interested in obtaining Data Center VEU status, its national government will need to engage the Commerce and State Departments to make such assurances.

Evaluation Criteria

The agencies will examine

the entity’s record of the party's compliance with U.S. export controls;
the entity’s capability to comply with the requirements for VEU;
the entity’s agreement to on-site compliance reviews by representatives of the United States Government, including to guard against both the misuse and diversion of computing resources;
the entity’s relationships with U.S and foreign companies;
the party’s technology roadmap, and technology control plan.

When evaluating the eligibility of an end-user, agencies would consider the status of export controls in the eligible destination and adherence to multilateral export control regimes of the government of the eligible destination.

BIS will issue a response in the form of a letter granting VEU status. The letter will state the items that are permitted for export or reexport to the VEU, along with any conditions required of the VEU. Conditions will be tailored to the national security and foreign policy risks presented. Examples of conditions include a commitment to:

Implement physical and logical security requirements;
Prohibit access to individuals working for entities and/or countries of concern;
Prohibit access to any national working for or on behalf of a party on BIS’s Entity List;
Ensure inspection/onsite reviews by S. government officials as necessary, to determine whether VEU authorization conditions are being met; and/or
Not provide computing power above prohibited thresholds to entities or countries of

Reporting Requirements

Exporters or reexporters must obtain certifications from validated end-users regarding the end use and compliance with VEU requirements.

In addition to the certification requirements, reexporters who make use of either VEUAuthorization must file reports to BIS.

Data Center Validated End Users must submit reports to BIS semiannually, which include information such as:

a record of current inventory of eligible items received;
dates of when eligible items were received and by whom;
a description of how current compute is being utilized; and
a list of current customers with a description of their utilization.

A notice of proposed rulemaking and an opportunity for public comment are not required to be given for this rule.

Background

Authorization Validated End-user (VEU) includes two types of VEUs: General VEU Authorization and Data Center VEU Authorization.

General VEU Authorizations permit the export, reexport, and transfer to validated end-users of any eligible items that will be used in a specific eligible destination.

Data Center VEU Authorizations permit the export and reexport to validated end-users of any eligible items that will be used in specific data centers. In country transfers are not permitted under Data Center VEU Authorization unless the transfer (in-country) is to a VEU authorized location by the same VEU.

Reexports by a VEU require separate authorization. Validated end-users are those who have been previously approved by BIS pursuant.

If a request for VEU authorization for a particular end-user is not granted, no new license requirement is triggered. In addition, such a result does not render the end-user ineligible for license approvals from BIS.

Eligibility

In evaluating an end user for eligibility under authorization VEU, the ERC will consider a range of information, including but not limited to such factors as:

the end user’s record of exclusive engagement in appropriate end-use activities;
the end user’s compliance with U.S. export controls;
the need for an on-site review prior to approval;
he end user’s capability of complying with the requirements of authorization VEU
, the ability of the end user to guard against both the misuse and diversion of computing resources;
the end user’s technology roadmap;
the end user’s technology control plan;
the end user’s agreement to on-site reviews by representatives of the U.S. Government to ensure adherence to the conditions of the VEU authorization;
and the end user’s relationships with U.S. and foreign companies.

In addition, when evaluating the eligibility of an end user, the ERC will consider the status of the eligible destination country’s export controls and the support and adherence to multilateral export control regimes of the government of the eligible destination.

Eligible destinations--

General VEU General VEU Authorizations may be used for The People's Republic of China and India.

Data Center VEU Authorizations may be used for any destination for which a license is required for ECCN 3A090, 4A090 items, and .z items in Categories 3, 4, and 5, except for destinations in Country Groups D:5 countries. Item (1) Items controlled under the EAR for missile technology (MT) and crime control (CC) reasons may not be exported or reexported under General or Data Center VEU Authorizations.

Eligible items for Data Center VEU Authorizations are all those items on the Commerce Control List, that require a license to the destination excluding “600 series” items, and are necessary for a data center.

End-use restrictions--

Items obtained under General VEU Authorizations in China may be used only for civil end uses and may not be used for any activities as described in the requlations.

Items obtained under General VEU Authorizations in India may be used for either civil or military end uses and may not be used for any activities described in part 744 of the EAR.

Items obtained under Data Center VEU Authorizations maynot be used for any activities described in part 744 of the EAR.