New Russia sanctions restrict certain IT, software, related services; expanded secondary sanctions authority targets foreign financial institutions
On June 12, 2024, prior to the Group of Seven (G7) summit in Italy, the US government announced several new economic sanctions and export controls on Russia and Russia-related parties.
Most notably, the US government is implementing new restrictions on the provision of certain software and IT services to Russia, which will go into effect on September 12, 2024.[1] Additional parties were sanctioned, and the new changes expanded the government’s ability to issue secondary sanctions on foreign financial institutions transacting with sanctioned parties.
Companies are encouraged to review any dealings in Russia or with Russian parties to ensure that they are not affected by these new restrictions.
New restrictions on IT software and services
The new actions by the US Department of the Treasury Office of Foreign Assets Control (OFAC) restrict the export, re-export, sale, or supply of services to Russia from the US or by US persons relating to:
(i) IT consultancy and design and
(ii) IT support services or cloud-based services for enterprise management software and design and manufacturing software.
In concert with OFAC’s restrictions on services, the US Department of Commerce Bureau of Industry and Security (BIS) will also now require a license to export EAR99 enterprise management software and design and manufacturing software to Russia or Belarus.[2] BIS restrictions will go into effect on September 16, 2024, four days after OFAC restrictions are implemented.
Restrictions on IT consultancy and design services
This prohibition generally restricts specifically tailoring software to a Russian party’s needs by a US person (wherever located) or from the US.
OFAC defines “IT consultancy and design services” as the development and implementation of software, as well as assistance or advice relating to the development or implementation of software, and excludes sales of "off the shelf" software.[3] Examples of prohibited activity include a US company modifying existing web applications to be functional within a Russian company’s internal IT environment, or a US service provider planning to design and engineer custom-made software that the Russian company uses for internal purposes. However, a US company is not prohibited from providing Russian individuals and entities with access to cloud-based, free-of-charge, publicly available web applications.
Restrictions on IT support services or cloud-based services for and exports of enterprise management software and design and manufacturing software
This prohibition generally restricts the provision of enterprise management software and design and manufacturing software to Russian parties, or technical support for that software, by a US person (wherever located) or from the US.
IT support services include “the provision of technical expertise to solve problems for the client in using software, hardware, or an entire computer system,” while cloud-based services include “the supply of software and associated services via the internet or the cloud, including through Software-as-a-Service (SaaS).”[4] In its FAQs, OFAC identifies examples of provision of software or support services that may not be prohibited, but any such determinations will likely be fact-intensive and require close review.
OFAC includes the following types of software in its definition of enterprise management software and design and manufacturing software:[5]
- Enterprise resource planning (ERP)
- Customer relationship management (CRM)
- Business intelligence (BI)
- Supply chain management (SCM)
- Enterprise data warehouse (EDW)
- Computerized maintenance management system (CMMS)
- Project management and product lifecycle management (PLM) software
- Building information modelling (BIM)
- Computer aided design (CAD)
- Computer-aided manufacturing (CAM), and
- Engineer to order (ETO) software.
Exclusions to the new restrictions on IT software and services
There are certain carve outs from the new sanctions described above. These include:
- Services to an entity located in Russia that is owned or controlled, directly or indirectly, by a US person
- Services in connection with the wind-down or divestiture of an entity located in Russia that is not owned or controlled by a Russian person
- Services relating to software that is subject to EAR and for which the export, re-export, or transfer to Russia of such software is licensed or otherwise authorized, and
- New Russia General License (GL) 25D – which replaced and amended former GL 25C – authorizes the export or re-export, sale, or supply, from the US or by US persons of services incident to the exchange of communications over the internet. GL 25D also authorizes the export, re-export, sale, or supply from the US to Russia of software, hardware, or technology incident to the exchange of communications over the internet if it is otherwise licensed by BIS.[6]
BIS export license requirements
BIS has also imposed new export control requirements on designated enterprise management software and design and manufacturing software to Russia or Belarus. In specific, a license will be required to export, re-export, or transfer to or within Russia or Belarus any enterprise management or design and manufacturing software, even if it is classified as EAR99, including for downloads of the software.
Concurrently, BIS also narrowed the scope of eligible commodities and software that could be exported to Russia or Belarus under License Exception Consumer Communications Devices (CCD), which now prohibits, for example, lower-level graphics processing units.
Expanded secondary sanctions authority
In addition to the restrictions on IT services and software mentioned above, OFAC announced that it would broaden secondary sanctions risks for foreign financial institutions who transact with blocked Russian parties. Such institutions now face potential OFAC penalties for facilitating significant transactions, or providing any service, involving any person blocked pursuant to OFAC’s authority under Executive Order 14024. The vast majority of prohibited Russia parties have been blocked pursuant to EO 14024. In concert with the expansion of secondary sanctions risk, OFAC also published an updated compliance advisory for foreign financial institutions.[7]
OFAC further designated more than 300 new Russian and non-Russian parties, including many major financial institutions in Russia like the Moscow Exchange (MoEx) and the National Settlement Depository (NSD), which continues to seriously restrict the ability of parties to engage in financial transactions in Russia.
Conclusion
Since the Russian invasion of Ukraine in February 2022, the US government has implemented several economic sanctions, export controls, and other prohibitions on Russia and Russia-connected entities and parties. As doing business in 2024 almost always requires an online presence or interaction, companies who provide IT services or software to Russia may consider closely reviewing the new restrictions to ensure they stop any prohibited services by September 12 (OFAC) and September 16 (BIS).
The new sanctions and export controls represent yet another escalation in US restrictions against Russia. These trade restrictions further increase the risk of doing business in Russia, as well as the risk of facilitating transactions for Russian parties. For more information on prior restrictions the US government has placed on business in Russia, please see our client alerts here and here.
DLA Piper has a robust sanctions and export controls practice that provides global coverage and deep experience with complex compliance, licensing, and enforcement matters. Find out more about the implications of these new restrictions for your business and compliance with sanctions and export controls by contacting any of the authors, or any of the partners in the National Security and Global Trade practice: Christine Daya, Melanie Garcia, Nicholas Klein, Richard Newcomb, and Ignacio E. Sanchez.
[1] The US Department of the Treasury Office of Foreign Assets Control (OFAC) sanctions will go into effect on September 12, 2024; the US Department of Commerce Bureau of Industry and Security (BIS) restrictions will go into effect on September 16, 2024.
[2] Determination Pursuant to Section 1(a)(ii) of Executive Order 14071, Office of Foreign Assets Control (June 12, 2024), https://ofac.treasury.gov/media/932951/download?inline; Implementation of Additional Sanctions Against Russia and Belarus Under the Export Administration Regulations (EAR) and Refinements to Existing Controls, Industry and Security Bureau (June 18, 2024), https://www.federalregister.gov/documents/2024/06/18/2024-13148/implementation-of-additional-sanctions-against-russia-and-belarus-under-the-export-administration.
[3] FAQ 1185, Office of Foreign Assets Control (June 12, 2024), https://ofac.treasury.gov/faqs/1185.
[4] FAQ 1186, Office of Foreign Assets Control (June 12, 2024), https://ofac.treasury.gov/faqs/1186.
[5] FAQ 1187, Office of Foreign Assets Control (June 12, 2024), https://ofac.treasury.gov/faqs/1187.
[6] General License 25D, Office of Foreign Assets Control (June 12, 2024), https://ofac.treasury.gov/media/932931/download?inline.
[7] Updated Guidance for Foreign Financial Institutions on OFAC Sanctions Authorities Targeting Support to Russia’s Military-Industrial Base, Office of Foreign Assets Control (June 12, 2024), https://ofac.treasury.gov/media/932436/download?inline.