How New US Export Controls Could Restrict Global Cybersecurity Collaboration

New BIS Export Controls on Cybersecurity

The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) has officially released updated export‑control regulations targeting the cybersecurity sector. Under the rules, any U.S. entity working with Chinese government‑related organizations or individuals on security‑related projects must obtain a license before disclosing vulnerabilities or related information.

China is classified in the “D” category – a restricted group of countries and regions – while the “E” category denotes a full embargo. The regulations introduce a tiered control system (A, B, D, E) with progressively stricter measures.

The core purpose is to prevent the export of tools that could be used for surveillance, espionage, or other hostile activities, citing national‑security and counter‑terrorism concerns. BIS also revised the Commerce Control List classification numbers and added a new exception allowing most digital‑product exports, except for the newly defined prohibited cases.

Microsoft has formally objected to the rules, arguing that the licensing requirement would severely hamper global cybersecurity collaboration and the timely disclosure of vulnerabilities. The company urges BIS to clarify the definition of “government end‑user” and to provide clearer guidance on permissible activities.

BIS acknowledges Microsoft’s concerns but maintains that the regulations serve U.S. national‑security interests without unduly restricting legitimate cybersecurity work. The agency also notes that the rules are consistent with the Wassenaar Arrangement, which governs the export of conventional weapons and dual‑use technologies.

Images illustrate the classification of countries, the flow of the licensing process, and the relationship between the new BIS rules and the Wassenaar Agreement.