Export Administration Regulations (EAR)

The Export Administration Regulations (EAR) are a set of U.S. government regulations administered by the U.S. Department of Commerce’s Bureau of Industry and Security (BIS). These regulations govern the export and re-export of commercial and dual-use goods, software, and technology. You can find more information about the EAR on the BIS website. Items subject to the EAR can be found on the Commerce Control List (CCL), and each item has a unique Export Control Classification Number (ECCN) assigned.

BIS does not certify cloud providers as being compliant with the EAR. Rather, BIS has issued advisory opinions (available here) regarding the applicability of the EAR to cloud computing. The EAR also excludes certain activities meeting the end-to-end encryption requirements in EAR § 734.18(a)(5) from the definition of “export.”

Google Cloud customers benefit from default encryption of data in transit and at rest that is FIPS 140-2 validated and are able to choose from a variety of key management options including Google Managed Keys, Customer Managed Encryption Keys, and External Key Management.  Customers are also able to restrict support and data access to U.S. locations and personnel using Assured Workloads, with the option to layer in runtime encryption with Confidential Computing to help meet EAR requirements.

Customers with EAR-regulated workloads are responsible for determining what steps (if any) are necessary to ensure that their use of the cloud is consistent with the EAR.  If customers choose to deploy any of the above technologies to meet their EAR compliance requirements, customers have final responsibility to properly deploy and maintain them.