When Software Crosses Borders: Export Controls, Intangible Assets, and Cloud-Based Tools

MyTower

When we think of export controls, we usually picture physical goods: weapons, computers, or industrial machinery. Yet in today’s digital economy, some of the most heavily regulated transfers take place without any containers or physical shipments: a simple email attachment or an upload to the cloud may be all it takes.

What is an “intangible asset”?

Export control regulations govern the transfer of goods, technologies, and information across national borders, including software. Legally, intangible goods subject to control include, among other things, software, source code, technical data, algorithms, and, increasingly, artificial intelligence model weights (“AI model weights”). The determining factor is not the physical form of the good, but its strategic nature.

Under European Union law, “dual-use items” are defined as goods that can be used for both civilian and military purposes, including software and technologies. Thus, sending controlled software via email or sharing it through a cloud storage service with a person located abroad may constitute a regulated export.

The U.S. and European regulatory frameworks

In the United States, two main regulations apply. The Export Administration Regulations (EAR), administered by the Bureau of Industry and Security (BIS), and the International Traffic in Arms Regulations (ITAR) both cover technical data and software. Software with potential military applications, particularly cryptographic tools, frequently falls under the categories of dual-use items.

On the European side, Regulation (EU) 2021/821, known as the “recast Dual-Use Regulation,” which entered into force in September 2021, replaced the 2009 framework. It covers sensitive goods, services, software, and technologies that can be used for both civilian and military purposes. European export controls apply to both physical and non-physical exports of controlled goods.

The Challenge of Tracking Digital Transfers

As we already know, intangible transfers are particularly difficult to monitor. Compliance teams must now incorporate the monitoring of these transfers into their internal procedures, particularly with regard to remote access, cloud-based engineering tools, and research and development collaborations. These are areas that were traditionally not, or only minimally, addressed in export compliance programs.

The very concept of “export” was conceived for an era dominated by physical shipments, not for a world in which a data center located in Germany can be accessed remotely by an engineer based in Shanghai. It is precisely on this point that the regulatory framework is currently facing its greatest challenges in adapting.

The Remote Access Security Act and the "cloud vulnerability"

If the United States bans the export of a chip to China, but a Chinese company can access that same chip via a cloud service even though it is physically located in a data center in the Netherlands, the effectiveness of export controls is significantly reduced. It is against this backdrop that the Remote Access Security Act (RASA) was drafted in Washington.

Introduced in December 2025 and passed by the House of Representatives on January 12, the bill is now awaiting review by the Senate Banking Committee. The bill amends the Export Control Reform Act of 2018 to extend existing export controls to remote access to U.S. controlled technologies via cloud infrastructure. Remote access is defined therein as access by a “foreign person of concern” to controlled goods listed on the Commerce Control List through cloud services such as servers, processors, or storage space.

If enacted, the RASA would require exporters to obtain an export license issued by the BIS before granting remote access to controlled technologies to foreign entities. Companies operating data centers, cloud platforms, or artificial intelligence infrastructure with an international customer base would then need to monitor not only physical shipments but also access from countries subject to restrictions.

Outlook: Export Controls in the Digital Age

Export controls used to be a concern primarily reserved for the defense industry. In the age of artificial intelligence, cloud computing, and borderless software, they now affect a much broader audience. Whether it’s a developer sharing code with a colleague abroad or a company granting cloud access to a non-U.S. customer, export control obligations can be triggered without the parties involved even realizing it.

If enacted, the RASA would mark a major shift in U.S. export control law in the digital age and confirm that a robust internal compliance program, combined with ongoing regulatory monitoring, is no longer an option but a necessity.

Written by: Zilene PESSÔA, Trade Compliance Project Manager, MyTower

June 8, 2026 by MyTower
