How New US Export Rules Could Restrict China’s Cybersecurity Collaboration

The U.S. Bureau of Industry and Security has issued final export‑control rules that place China in a restricted “D‑class,” requiring prior licensing for any cybersecurity vulnerability information shared with government‑linked entities, while allowing limited exemptions for legitimate security work and sparking strong opposition from Microsoft.

Programmer DD

Recently, the U.S. Department of Commerce’s Bureau of Industry and Security (BIS) released its final export‑control regulations for the cybersecurity sector. The rules expand on a 2021 draft and categorize countries into four groups (A, B, D, E), with China placed in the D‑class – a “restricted” tier.

The regulation mandates that U.S. entities collaborating with Chinese government‑related organizations or individuals must obtain a BIS license before transmitting any security‑related vulnerability information. The stated reasons are national‑security and anti‑terrorism concerns, as the controlled items could be used for surveillance, espionage, or other hostile activities.

However, the rule also creates a new exemption: legitimate cybersecurity activities such as public vulnerability disclosure or incident response are exempt from the licensing requirement. BIS has revised the Commerce Control List classification numbers and broadened the scope of the exemption to accommodate open‑source community needs.

Microsoft publicly opposed the regulation, arguing that the requirement to vet every government‑linked recipient would cripple global cybersecurity cooperation and slow vulnerability remediation. The company submitted formal comments during the draft stage and reiterated its concerns after the final rule was published, urging BIS to clarify the definition of “government end‑user.”

BIS responded that the regulation protects U.S. national security and foreign‑policy interests without unduly harming legitimate cybersecurity work, noting that the exemption for open‑source projects addresses many practical concerns.

The new rules are also linked to the Wassenaar Arrangement, the multilateral export‑control regime for conventional weapons and dual‑use technologies. BIS highlighted that the cybersecurity controls fall within the Wassenaar framework, which is heavily influenced by the United States and serves as a tool for high‑technology restrictions on China.

In summary, the final BIS decision tightens export controls on cybersecurity tools and vulnerability information, places China in a restricted category, offers limited exemptions for legitimate security activities, faces criticism from major tech firms, and aligns with broader U.S. strategic goals under the Wassenaar Arrangement.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Programmer DD

A tinkering programmer and author of "Spring Cloud Microservices in Action"
