May 16, 2025 – On May 13, the U.S. Bureau of Industry & Security (BIS) issued three important guidance and policy documents directed at the advanced computing integrated circuit (IC) industry, including both U.S. design or manufacturing companies and foreign providers of infrastructure as a service (IaaS) (i.e., data centers).

The guidance and policy announcements all turn on the full definition of “knowledge” under the U.S. Export Administration Regulations (EAR) that includes “an awareness of a high probability” of a violation. The key takeaways of each of the three guidance and policy documents are below.

General Prohibition 10 ‘High Probability’ Presumption

  • BIS issued a first-ever “Guidance on the application of General Prohibition 10 (GP10) to People’s Republic of China (PRC) Advanced-Computing Integrated Circuits (ICs),” emphasizing that for certain integrated circuits made in China (PRC ICs), a Foreign Direct Product Rule will “likely” apply because of the use of U.S. technology or software in either the design or production, or both, of the ICs. In other words, BIS is making clear its view that these PRC ICs are actually the result of U.S. technology.
    • “Accordingly,” BIS warns, “there is a high probability that a BIS license was required during the design and production of such” ICs.
    • In addition to the design and production having a high probability of a license requirement, BIS further warns that GP10 applies not only to the purchase but also the mere “use” of any item in violation of the EAR. Accordingly, “BIS is notifying all persons and companies in the United States and abroad that engaging in GP10 activities, including use of [PRC ICs] such as those listed above, without requisite authorization from BIS could result in BIS enforcement actions which could include substantial criminal and administrative penalties, up to and including imprisonment, fines, loss of export privileges, or other restrictions.”
    • In practice, this means that for IaaS and data center companies seeking to comply with U.S. export controls but that have locations where such PRC ICs are being used, the ongoing use of PRC ICs would need to stop unless and until the IC supplier confirms that authorization was received from BIS or such authorization is obtained.
    • Note that GP10 also impacts the financing of any transaction in violation of the EAR, as BIS warned financial institutions specifically in prior guidance on Oct. 9, 2024.

Policy Statement Regarding AI Models and Certain Catch-All Provisions (WMD and Military Intelligence)

    • BIS also issued a Policy Statement warning industry, especially applicable to operators of foreign data centers that might be accessed by Chinese clients, “that access to advanced computing integrated circuits (ICs) and commodities subject to the EAR for training AI models has the potential to enable military-intelligence and weapons of mass destruction (WMD) end uses in” arms-embargoed (i.e., “D:5”) countries including China.
      • This would trigger the WMD and military-intelligence “catch-all” provisions under the EAR, both of which turn on “knowledge,” defined to include “an awareness of a high probability.”
      • BIS specifically stated that the export, reexport or in-country transfer of such items or commodities to “any party, such as foreign Infrastructure as a Service (IaaS) providers (e.g., data center providers)” may “trigger a license requirement” when the items are used to train AI models “for or on behalf of”—think “directly or indirectly”—parties headquartered in China or other arms-embargoed countries.
      • BIS warns that foreign parties “acting contrary to U.S. national security or foreign policy interests, including by training AI models that could support WMD or military-intelligence end uses” for arms-embargoed countries, may be added to the Entity List even where there is no violation of the EAR.

New ‘Red Flags’ and Due Diligence Guidance

    • BIS also contemporaneously issued “Industry Guidance to Prevent Diversion of Advanced Computing Integrated Circuits,” in which:
      • BIS reemphasized the national security basis for its controls on advanced computing ICs, stating “BIS has determined that advanced computing ICs have the potential to enable military-intelligence and weapons of mass destruction (WMD) end uses,” including nuclear weapons, hypersonic missiles and cognitive electronic warfare.
      • BIS identifies 11 “New Transactional and Behavioral Red Flags,” which (among others) include:
        • “The ultimate delivery or installation address is unknown. You are unable to determine whether the headquarters of the customer or its ultimate parent is located in a destination specified in Country Group D:5 (including China) or Macau, or the customer refuses to disclose or provides incomplete information about the location of its headquarters or ultimate parent company.”
        • “The data center to which the advanced ICs and/or commodities containing such ICs are being exported does not or cannot affirm it has the infrastructure (e.g., power/energy, cooling capacity, or physical space needed to run servers containing advanced ICs) to operate the advanced computing ICs and/or commodities that contain such ICs.”
        • “The customer providing Infrastructure as a Service (IaaS) does not or cannot affirm that users of its services are not headquartered in the PRC, whether or not such customer is located inside or outside of China and Macau.”
      • BIS further identifies seven “Due Diligence” actions “that companies should take for new customers, as well as evaluating IaaS providers, involved with the export or use of advanced computing ICs and/or commodities that contain such ICs subject to the EAR,” including (among others):
        • “Evaluate data centers to determine whether they have the infrastructure to operate servers containing advanced ICs greater than 10 megawatts. Data centers at or above this threshold merit additional scrutiny as they may be able to provide access to a large quantity of advanced computing ICs for training AI models for or on behalf of parties headquartered in countries of concern, where such activities may support WMD or military-intelligence end uses/end users.”

Outlook for US Manufacturing and Design Companies

U.S. manufacturers and design companies should anticipate that BIS is issuing the above guidance and policy to lay the groundwork for future enforcement, including under theories that leverage the “awareness of a high probability” aspect of the definition of “knowledge” under the end-use and end-user provisions.


Outlook for Non-US IaaS Providers/Data Centers

Foreign IaaS (i.e., data center) operators should anticipate, in turn, increased due diligence scrutiny from chip suppliers. That due diligence will focus not only on suppliers’ actual knowledge but also on resolving situations where suppliers might otherwise be concerned that the facts and circumstances could be seen by U.S. authorities as presenting a “high probability” of a violation of the EAR.

    * * * *

We have extensive experience in helping companies to navigate “high-probability” enforcement regimes, including how to make and defend inherently subjective judgments about the scope and extent of due diligence to conduct on customers, distributors, resellers, IaaS providers and other counterparties.

Our team is available to help you navigate this dynamic and challenging geopolitical environment.