Some of the trickier export compliance issues to navigate are the ones related to computing technology, 软件和数据.

Export controls require a license or license exception for certain types of technical data and software, 包括加密等计算技术[参见相关文章: 许可证例外ENC和加密的复杂性].

云计算的发展, 以及相关的软件即服务(SaaS)概念, 对这些规则如何适用提出了新的问题, while simultaneously making the regulations relevant to companies that may not even realize they have an export concern.


  1. Even simple cloud computing events – such as sharing a spreadsheet among coworkers at remote locations – rely on multiple layers of interdependent technology. Sharing that spreadsheet involves software (think Excel or Google Sheets), cloud services (Microsoft Azure) and user data; who has possession of it at any given moment is rarely clear.
  2. 云计算是无国界的. 云存储旨在确保不间断地访问信息, which requires the ability to move and store data among servers located around the world.

据TechCrunch报道, two-thirds of worldwide cloud computing activity in 2022 was supported by the cloud infrastructure of just three entities: Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP) – all of which maintain interconnected data centers around the globe. AWS has data centers in more than 20 countries, including six in China alone, according to Dgitl Infra该公司服务于全球数字基础设施行业.

所以即使你的公司只在美国经营, there is some risk that your export-controlled software or technology is accessible in a foreign location where it doesn’t belong without proper export control authorization. 如果你在其他国家有合作伙伴负责销售, distribution, 制造或售后服务, 获取受出口控制的数据或技术可能很困难.

你应该担心吗?? And what steps can you take to prevent the unintentional export of controlled software, 技术或数据?

So far, neither the Bureau of Industry and Security (BIS) nor the Directorate of 国防贸易管制 (DDTC), 分别由哪两个机构负责管理《皇冠365app下载》和《皇冠365官方app》, 是否通过法规在很大程度上解决了这个问题.

但国际清算银行已经就此事发表了一些咨询意见, 其摘要载于相关文章: 在云中发生的事情将留在云中. 答案取决于您在云中的角色.



对于主要的U.S.-based providers of cloud infrastructure – giants like AWS and GCP – providing “computational capacity” in itself is not subject to the EAR, 根据BIS指南.

This opinion views the cloud service providers like telephone and mobile communications carriers: A carrier like Verizon or AT&T can’t be held responsible for what you say in a phone conversation that’s carried on its network.

国际清算银行的观点是有界限的. If a cloud provider allows access by “foreign persons” to its operating technology – such as 不公开的技术数据和支持信息 -实际上可能成为受EAR管制的出口产品.

此外,云服务受到与任何其他美国法律相同的限制.S. 向个人提供物品的实体, 受制裁的实体和国家, 比如伊朗和朝鲜.


For Software-as-a-Service companies that use the cloud to distribute software functionality that businesses use every day, 这些问题超出了数据的存储和检索.

Examples of these companies include Slack (team collaboration),客户关系管理)和Autodesk (CAD/CAM), 这只是现存的数千个中的几个. The chances are that you’ll use several SaaS offerings before today is over.

在云计算和SaaS之前, such software would have been made available on CDs or through downloads, 在很多情况下,哪种出口是受控制的. 但这些设备往往安装在个人电脑上, 或通过公司局域网提供, 哪些相对容易保护.

但当CAD/CAM软件, 举个例子, 是通过云提供的吗, users will create simulations of their own products and manufacturing systems using computer servers that might be located anywhere in the world. 其中一些可能是敏感物品, 比如核动力部件或美国海军的导航系统.S. military.

在这种情况下, 问题不仅仅在于他们是否在出口软件, 但它们储存着高度受控技术的细节.

自2016年起,《皇冠365官方app》的相关条文(Section 120.54)及EAR (Section 734.18) have been updated to say that technical data and software are not considered to be exported if the following conditions are met:

Ultimately, it means that SaaS提供商 must secure their own technology from being exported, 但就像云服务提供商一样, they aren’t likely to be held responsible for the content users place in their network.

Meanwhile, 云服务的用户必须采取行动, 包括端到端加密的使用, to ensure that their actions are not considered to be exports (potentially requiring a license) under the ITAR or EAR. 如果该活动不是导出, it logically follows that no license would be required; this is the main advantage of these exclusions from regulation.


与责任有限的云服务和SaaS提供商, the ultimate responsibility for security of information that flows through these systems falls to the end-user. The same regulations that apply to cloud and SaaS entities apply to other businesses as well: Section 120.54 ,以及 Section 734.18 of the EAR.


  • Determine if their own information is subject to the regulations – regardless of how it may be stored and transmitted [see related post: EAR和ITAR基础-开始正确的方式];
  • Manage export compliance competently and thoroughly as with any other product, service or technology – including responsibility for who accesses controlled software, 美国境外的数据或技术;
  • Ensure data is properly encrypted, if they intend to rely upon an applicable ITAR/EAR exclusion.

基于行业对这些问题的关注, a number of cloud providers now offer what they call government-compliant cloud services. These premium offerings may include things like encryption capabilities that meet the above-referenced federal standard; exclusive storage on servers based in the United States; and operating teams comprised only of U.S. citizens.

For example, AWS产品, 叫做美国云政府, claims its solutions “comply with FedRAMP High baseline; the DOJ’s Criminal Justice Information Systems (CJIS) Security Policy; U.S. International Traffic in Arms Regulations (ITAR); Export Administration Regulations (EAR); Department of Defense (DoD) 云计算 Security Requirements Guide (SRG) for Impact Levels 2, 4 and 5; FIPS 140-2; IRS-1075; and other compliance regimes.”

While these services may offer value, they are also widely misunderstood.

出口条例规定了出口商的义务, 但他们没有规定如何满足这些要求.

这些高级服务没有得到美国政府的授权或批准.S. government. So these government-compliant clouds may provide an extra level of security, 但是他们不能提供赔偿, and they aren’t required in order to be compliant with export regulations.


你对云计算的出口影响有什么问题吗? Visit 了解皇冠365官方app的公司,皇冠365官方app的教师,皇冠365官方app的员工和皇冠365官方app尊敬的人 出口合规专家(ECoP®)认证计划. 找到即将到来的 e-seminars现场研讨会 and 生活皇冠365官方app and 浏览皇冠365官方app的目录80多个按需网络研讨会参观皇冠365官方app的ECTI学院. 您也可以致电皇冠365官方app 540-433-3977 了解更多信息.

斯科特Gearity 是ECTI公司的总裁.
