- Supplement No. 8 to Part 748—Information Required in Requests for VEU Authorization

VEU authorization applicants must provide to BIS certain information about the prospective and related respective validated end-user. This information must be included in requests for authorization submitted by prospective validated end-users, or exporters or reexporters who seek to have certain entities approved as validated end-users. BIS may, in the course of its evaluation, request additional information.

A. Required Information for Both General and Data Center Validated End-user Authorization Requests

(1) Name of proposed VEU candidates, including all names under which the candidate conducts business; complete company physical address (simply listing a post office box is insufficient); telephone number; fax number; email address; company website (if available); and name of individual who should be contacted if BIS has any questions. If the entity submitting the application is different from the prospective validated end-user identified in the application, this information must be submitted for both entities. If the candidate has multiple locations, all physical addresses located in the eligible destination must be listed.

(2) Provide an overview of the structure, ownership and business of the prospective validated end-user. Include a description of the entity, including type of business activity, ownership, subsidiaries, and joint-venture projects, as well as an overview of any business activity or corporate relationship that the entity has with either government or military organizations.

(3) List the items proposed for VEU authorization approval and their intended end-uses. Include a description of the items; the ECCN for all items, classified to the subparagraph level, as appropriate; technical parameters for the items including performance specifications; and end-use description for the items. If BIS has previously classified the item, the Commodity Classification Automated Tracking System (CCATS) number may be provided in lieu of the information listed in the foregoing provisions of this paragraph.

(4) Provide the physical address(es) of the location(s) where the item(s) will be used, if this address is different from the address of the prospective validated end-user provided in paragraph (1) of this supplement.

(5) If the prospective validated end-user plans to reexport the item, specify the destination to which the items will be reexported.

(6) Specify how the prospective validated end-user's record keeping system will allow compliance with the recordkeeping requirements set forth in § 748.15(e) of the EAR. Describe the system that is in place to ensure compliance with VEU requirements.

(7) Include an original statement on letterhead of the prospective validated end-user, signed and dated by a person who has authority to legally bind the prospective validated end-user, certifying that the end-user will comply with all VEU requirements. This statement must include acknowledgement that the prospective end-user:

(i) Has been informed of and understands that the item(s) it may receive as a validated end-user will have been exported in accordance with the EAR and that use or diversion of such items contrary to the EAR is prohibited;

(ii) Understands and will abide by all authorization VEU end-use restrictions, including the requirement that items received under authorization VEU will only be used for authorized end-uses and may not be used for any activities described in part 744 of the EAR unless authorized by § 748.15(d);

(iii) Will comply with VEU recordkeeping requirements; and

(iv) Agrees to allow on-site reviews by U.S. Government officials to verify the end-user's compliance with the conditions of the VEU authorization.

B. Additional Required Information for Data Center Validated End-User Authorization Requests

(1) A description of controlled items required in the data center and an accompanying rationale for why these items are required;

(2) An overview of any business activity or corporate relationship that the candidate has with either government or military organizations;

(3) An overview of business activities or corporate relationships that the candidate has with any organization designated on the Entity List in Supp. No. 4 to part 744 and/or Military End-User List in Supp. No. 7 to part 744;

(4) Describe physical and logical security requirements for each location the controlled items will be housed (e.g., around the clock monitoring, cybersecurity requirements, third-party monitoring; and/or physical security);

(5) A description of the policies and procedures governing employees physical and logical access to the VEU data center;

(6) Absent a legal prohibition or other such exceptional circumstances, a list of current and potential customers of the data center;

(7) An overview of the data center's information security plan, which should include:

(i) Cybersecurity plan;

(ii) Logging and monitoring plan;

(iii) Technology control plan that describes how much compute is required for the various end uses involved;

(iv) Baseline cloud configuration and identity and access management process for tenants, if a cloud provider;

(v) Personnel security plan; and

(vi) An incident, identification, investigation, and reporting plan;

(8) An explanation of the network infrastructure and architecture and service providers;

(9) An overview of the applicant's supply chain risk management plan that will prevent PRC-origin equipment entering the data-center environment and no PRC vendors are in the supply chain; and

(10) An overview of the applicant's export control training program and compliance program procedures.

[89 FR 80093, Oct. 2, 2024]