Azure export controls white paper updates
Disclaimer: Customers are wholly responsible for ensuring their own compliance with all applicable laws and regulations. Information provided in this post does not constitute legal advice, and customers should consult their legal advisors for any questions regarding regulatory compliance.
In previous two parts of this blog series on export controls, we provided overviews of 1) the US export control regulations and their implications on cloud computing, and 2) Azure and Azure Government features in support of export control requirements. In this latest installment, we cover the most recent version of the Azure export controls white paper that was updated in February 2022 to address export control requirements of the United States, United Kingdom, European Union, and Japan.
The Azure export controls white paper offers a brief overview of US, UK, EU, and Japan export control laws and regulations as they may apply to customers using Microsoft Azure cloud services. Also provided is some general guidance concerning the considerations that Azure and Azure Government customers should bear in mind when assessing their obligations under US, UK, EU, and Japan export controls. Moreover, the latest version of the white paper provides perspectives on export controls from five allied countries: Australia, Canada, New Zealand, United States, and United Kingdom.
Azure offers flexible options, capabilities, and tools that customers may use to help ensure their compliance with export control laws and regulations. The white paper describes how customers can gain control over data access in Azure using Azure technologies for end-to-end data encryption. Moreover, the paper provides guidance on how export controls apply to Azure and Azure Government customers, including potential sources of export control risks and Azure features to manage potential export control risks. Detailed coverage is provided to help customers determine what they should do to comply with export control risks using Azure, including how to:
- Determine whether the data are technology or technical data.
- Determine whether the data are controlled by military trade controls, for example the International Traffic in Arms Regulations (ITAR).
- Classify the data that may be controlled technology under the Export Administration Regulations (EAR) or other dual use export control regulations.
- Take steps to comply with export control regulations.
Not all data are subject to the export controls of the US, EU, UK, or Japan. Azure offers important features and tools to help customers manage export-control risks. Customers should carefully assess how their use of Azure may implicate export controls of these countries and determine whether any of the data they want to use or store in the Azure cloud may be subject to export controls, and if so, what controls apply. Where technical data subject to tighter export controls may be involved, Azure is configured to offer features that help mitigate the potential risk that customers may inadvertently violate export controls when uploading or downloading controlled technical data in Azure. With appropriate planning, customers can use Azure tools and their own internal procedures to help ensure full compliance with US, EU, UK, and Japanese export controls when using the Azure platform.
- To learn more about Azure and Azure Government support for export controls, download the white paper: Microsoft Azure Cloud Services: Export Controls of the US, UK, EU, and Japan.
- To learn more about how Microsoft helps customers meet their own compliance obligations across regulated industries and markets worldwide, see Azure compliance offerings.