BIS Adds European Firms to Entity List for 'Trafficking in Cyber Exploits'
The Bureau of Industry and Security this week added four European spyware and surveillance technology companies to the Entity List for their role in “threatening” cyber activities. BIS accused all four of “trafficking in cyber exploits used to gain access to information systems, threatening the privacy and security of individuals and organizations worldwide.”
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The additions, outlined in a final rule effective July 18, are for Intellexa S.A. in Greece, Cytrox Holdings Zrt in Hungary, Intellexa Limited in Ireland and Cytrox AD in North Macedonia. The companies will be subject to license requirements for all items subject to the Export Administration Regulations, and BIS will review license applications under a presumption of denial.
The agency said surveillance technology is increasingly playing a “key role” in “enabling campaigns of repression and other human rights abuses,” and the entity listings will restrict those companies’ from acquiring “commodities, software, and technology that could contribute to the development of surveillance tools that pose a risk of misuse in violations or abuses of human rights.”
BIS is “laser focused on stemming the proliferation of digital tools for repression,” Undersecretary Alan Estevez said. Thea Kendler, BIS assistant secretary for export administration, said the export control code of conduct released during the U.S. Summit for Democracy in March (see 2303300054), which underscored concerns around global “misuse” of surveillance tools, helped lead to these entity listings. “The U.S. Government’s commitment” to the code of conduct “remains a top priority for BIS,” Kendler said.
All exports that now require a license as a result of this rule that were aboard a carrier to a port as of June 18 may proceed to their destinations under the previous eligibility as long as the items have been exported before Aug. 17, BIS said. Any items not exported before midnight Aug. 17 will require a license.
Intellexa didn't immediately respond to a request for comment. Cytrox couldn't be reached.
The Entity List addition builds on previous BIS actions against spyware firms, including its 2021 listings of Israeli companies NSO Group and Candiru, Russia’s Positive Technologies and Singapore’s Computer Security Initiative Consultancy (see 2111030010). The agency last year finalized new controls on cybersecurity items, which aligned U.S. restrictions with controls previously agreed to at the multilateral Wassenaar Arrangement and created new License Exception Authorized Cybersecurity Exports (see 2205250012).