The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) recently announced key updates to its export control regulations, with significant implications for data centre operators.
Subscribe today for free
The connectivity news and insights that matter - straight to your inbox
The changes, effective immediately, introduce a new “Data Centre Validated End-User (VEU) Authorisation,” aimed at streamlining the process for overseas data centres to acquire advanced computing technologies that are subject to U.S. export controls. These technologies, including artificial intelligence (AI) components and supercomputing hardware, are crucial for modern data centre operations.
The new authorisation simplifies access to critical technologies for qualifying overseas data centres by reducing the need for individual export licences, provided they meet specific compliance and security standards. This development could be highly beneficial for data centre operators, as it enables faster acquisition of technologies necessary for high-performance computing and AI, which are critical to expanding their capabilities.
Background
Technologies relevant to the VEU programme are controlled for export due to their potential misuse for military purposes. In the hands of U.S. adversaries, they could be used to develop cyberweapons or for mass surveillance activities. The VEU programme was initially launched in 2007 to ease restrictions on the export of high-tech items to certain countries, thereby promoting international trade while managing national security risks. The programme allows pre-approved entities to import controlled items without needing separate export licences for each transaction, following a stringent review process.
With the growing reliance on AI and supercomputing, the extension of VEU authorisation to data centres recognises both the increasing importance and the potential security risks of these technologies. The updated rules aim to balance the need for technological advancement with safeguarding national security interests.
Key Features of the Data Centre VEU Authorisation
The updated rules simplify the export and re-export of advanced computing items, such as integrated circuits, to eligible data centres. These items fall under specific Export Control Classification Numbers (ECCN) on the Commerce Control List (CCL).
To qualify, data centres must submit a comprehensive application to BIS, including a customer list, security measures, and connections to entities on national security-related lists.
The application process also requires a detailed cybersecurity plan that aligns with NIST standards, covering aspects such as technology controls, identity management, and incident reporting.
Once approved, data centres must submit periodic reports to BIS and are subject to on-site inspections to ensure ongoing compliance.
Security measures, including 24/7 monitoring and strict access controls, are mandatory to protect sensitive technologies from unauthorised access.
This regulatory update reflects the growing importance of data centres in global technology infrastructure and the need to manage the associated national security risks.
Andrew D. Lipman, partner at Morgan, Lewis & Bockius LLP said “This recent favorable modification to US export control rules is welcome news to data center operators outside the US to more quickly and more easier receive critical US originated AI and supercomputing components, assuming they carefully adhere to prescribed compliance and security procedures.”
Related stories
Andrew Lipman’s 10 themes to watch at Metro Connect 2024
Does the EU's approach to regulating data centres make sense?