On September 12, 2024, the June 12, 2024 determination of the U.S. Department of the Treasury, Office of Foreign Assets Control (“OFAC”), entitled “Prohibition on Certain Information Technology and Software Services,” entered into effect. The determination prohibits the direct or indirect provision to Russia from the United States or by U.S. persons of (1) information technology (“IT”) consultancy and design services and (2) IT support services and cloud-based services for enterprise management software and design and manufacturing software (collectively, the “IT Services Prohibition”). On September 16, 2024, similarly focused export controls, issued earlier by the U.S. Department of Commerce, Bureau of Industry and Security (“BIS”) on June 12, 2024, took effect, prohibiting the export, reexport, or transfer (in-country) to Russia and Belarus of certain EAR99 software relating to enterprise resource planning (ERP) and other commercial functions.
Further explanations regarding the scope of the new restrictions on U.S. persons – which add yet another sector and additional items to the growing list of prohibited services and exports to Russia – are set forth in a series of Frequently Asked Questions (“FAQs”), FAQs 1185-1187, issued by OFAC. Together, these controls are likely to continue to have a significant impact on the Russian economy, particularly for companies reliant on technologies and services from U.S. and non-Russian IT providers for business operations. U.S. persons providing such services to persons in or related to Russia should pay particular attention to the FAQs, which are highly fact-specific. Likewise, all persons exporting, reexporting, or transferring (in-country) software (even if retail off-the-shelf software) to or within Russia that is subject to the Export Administration Regulations (“EAR”) must consider the implications of the new export controls.
The IT Services Prohibition, which was issued pursuant to Executive Order (“E.O.”) 14071 and 31 C.F.R. § 587.802, includes two components:
- “IT consultancy and design services,” which includes “development and implementation of software, as well as assistance or advice relating to the development and implementation of software, including the supply and installation of bespoke software.” The prohibition does not include the retail sale of off-the-shelf software (though such software could still be subject to export controls), nor does it include: (i) the provision of internet access; (ii) delivery of internet services (such as domain name services); (iii) cloud-based, free-of-charge, or publicly available web applications (such as email, spreadsheet, and document applications); or (iv) VPN services. Additional guidance is available in OFAC FAQs 1185 and 1187.
- “IT support services and cloud-based services,” which includes “the provision of technical expertise to solve problems for the client in using software, hardware, or an entire computer system” (i.e., “IT support services”) and “the supply of software and associated services via the internet or the cloud, including through Software-as-a-Service” (i.e., “cloud-based services”). Notably, this prohibition is limited to “enterprise management software” and “design and manufacturing software,” which are further defined in OFAC FAQ 1187. Additional guidance is also available in OFAC FAQ 1186.
Although the IT Services Prohibition is broadly worded, there are certain limitations that will mitigate its impact. First, as with other services bans imposed by OFAC, the IT Services Prohibition does not apply to services provided to entities located in the Russian Federation that are owned and controlled, directly or indirectly, by a U.S. person, or to services in connection with the wind down or divestiture of an entity located in the Russian Federation. Further, the determination does not apply to services for software that is (i) subject to the EAR and licensed or otherwise authorized by BIS, or (ii) not subject to the EAR but whose exportation, reexportation, or transfer (in-country) to Russia would be eligible for a license exception or otherwise authorized by BIS if it were subject to the EAR. See OFAC FAQs 1184, 1185, 1186, 1187, and 1188 for more information.
Alongside the IT Services Prohibition, OFAC also amended the following Russia-related general licenses authorizing activity that otherwise would be prohibited:
- Russia-related General License 6D – “Transactions Related to Agricultural Commodities, Medicine, Medical Devices, Replacement Parts and Components, or Software Updates, the Coronavirus Disease 2019 (COVID-19) Pandemic, or Clinical Trials”
- Russia-related General License 25D – “Authorizing Transactions Related to Telecommunications and Certain Internet-Based Communications”
At the time of issuance of the IT Services Prohibition, BIS also introduced additional IT and software-related restrictions (among a host of new export controls targeted at Russia). Although the new OFAC IT-related service restrictions exempt retail sale of off-the-shelf software, on September 16, 2024, new export controls also went into effect that now restrict the export, reexport, or transfer (in-country) of certain EAR99 software to Russia or Belarus, as set forth in 15 C.F.R. § 746.8(a)(8).
The new export controls extend to the following types of software when subject to the EAR, as well as any software updates to software previously sold to parties in Russia or Belarus:
- Enterprise resource planning (ERP);
- Customer relationship management (CRM);
- Business intelligence (BI);
- Supply chain management (SCM);
- Enterprise data warehouse (EDW);
- Computerized maintenance management system (CMMS);
- Project management software;
- Product lifecycle management (PLM);
- Building information modelling (BIM);
- Computer aided design (CAD);
- Computer-aided manufacturing (CAM); and
- Engineering to order (ETO).
EU and UK IT and Software-Related Restrictions
The EU, UK, and United States have aligned in many respects as it relates to the provision of software and IT-related services to Russia, although there remain certain distinctions that multinational companies should be aware of to ensure compliance.
The UK has prohibited the provision of certain IT services (as well as a variety of other professional services) to Russia since December 16, 2022 in Amendment 17 to The Russia (Sanctions) (EU Exit) Regulations 2022. Under Amendment 17, UK persons anywhere in the world, as well as any persons in the UK, are prohibited from providing, among other services, “IT consultancy and design services” to persons connected with Russia. IT consultancy and design services are defined in Schedule 3J to The Russia (Sanctions) (EU Exit) Regulations 2019 paragraph 8 to refer to the 2015 Central Product Classification codes 83131 for IT consulting services, and 83141 for IT design and development services for applications. The scope of the services broadly aligns with the scope of IT consultancy and design services in accordance with the OFAC guidance. The United Kingdom has not, however, introduced similar prohibitions specific to enterprise management and design and manufacturing software to persons connected with Russia.
Likewise, EU sanctions have, since December 18, 2023, prohibited the provision of IT consultancy services as a type of prohibited “professional services.” Pursuant to the 12th EU sanctions package against Russia, the EU also prohibits the sale, supply, transfer, export, or provision, directly or indirectly, of software for the management of enterprises and software for industrial design and manufacture to the Government of Russia or legal persons, entities or bodies established in Russia. IT consultancy services are defined by reference to the United Nations’ Central Products Classification (“CPC”) (Statistical Office of the United Nations, Statistical Papers, Series M, No. 77, CPC prov., 1991) and include software design. The scope of the enterprise management and design and manufacturing software under Annex XXXIX to Council Regulation (EU) 833/2014 is also the same as under the guidance to the IT Services Prohibition. Both the United Kingdom and European Union, similar to the United States, prohibit indirect provision of the prohibited services.
The three regimes provide for similar exceptions that allow the provision of services, such as services for the purposes of internet and telecommunications, and prohibit indirect provision of services.
However, unlike the key exception under the IT Services Prohibition for services provided to entities in the Russian Federation that are owned and controlled, directly or indirectly, by a U.S. person, the EU has withdrawn, as of September 30, 2024, the so-called “subsidiary exemption” that allowed EU persons to continue to provide the restricted software services to persons owned by, or solely or jointly controlled by, a legal person, entity or body which is incorporated or constituted under the law of a Member State, a country member of the European Economic Area, Switzerland or a partner country as listed in Annex VIII to Council Regulation (EU) 833/2014. Now, under EU sanctions, the provision of such software and services to a Russian subsidiary is permitted only if a derogation is received from the relevant Member State sanctions authority. The United Kingdom also provides for a licensing regime for the provision of the prohibited services to a company’s own parent or subsidiary.