BIS Advanced Computing Guidance (May 31, 2026): How the D:5 Headquarters Test Changes AI Chip and Data Center Transactions

Hello, this is Hamamoto from TIMEWELL.

On May 31, 2026, the U.S. Bureau of Industry and Security (BIS) published a short piece of guidance on the license requirements for advanced computing items[^1]. For Japanese export compliance officers working with semiconductors, cloud infrastructure, or data centers, this is not a document to skim past. Read closely, it is not a new regulation. It confirms that a requirement dating back to 2023 is still alive, and that it continues to apply even while the AI Diffusion Rule sits unenforced. The trouble is that the confirmation pulls in a far wider range of transactions than most teams assume.

The first thing to grasp is that the heart of this guidance is location, specifically where a company is headquartered. There is a closely related mechanism, the so-called 50% rule, which asks whether an Entity List party holds more than half of a company's shares. That is a different instrument. Build your internal screening around one while ignoring the other, and you will miss transactions that genuinely require a license. In this article I read what the guidance actually confirms, unpack the location-based test, draw a clear line between it and the 50% rule, examine its relationship with the AI Diffusion Rule non-enforcement, and then work through the practical impact on Japanese companies, especially for data centers and reexports, always against the primary sources.

What the May 31, 2026 Guidance Confirms

The full title of this document is "Guidance Regarding Enforcement of License Requirements for Advanced Computing Items for Entities Headquartered in Country Group D:5 and Macau"[^1]. The title alone tells you it is about clarifying enforcement, not creating new rules. BIS opens by stating that a license is required to export advanced computing items to entities headquartered in D:5 countries, defined in supplement no. 1 to part 740 of the EAR, or Macau, or with an ultimate parent company headquartered there. Then comes the decisive sentence. The requirement applies even if the entities themselves are located outside D:5 or Macau.

Why issue this at all? The background was questions from the field. People wanted to know whether the requirement introduced in November 2023 was still being enforced for ".a" items after the arrival of the AI Diffusion Rule, and whether it reached D:5 or Macau-headquartered entities located in destinations that had not required a license before that rule. BIS answered in a single word, yes. The location-based requirement is still in force and continues to bite regardless of the back-and-forth over how the AI Diffusion Rule itself is being enforced. That is the core of the guidance.

What is D:5? It is the group within the EAR country classifications that bundles together destinations subject to a U.S. arms embargo, including China and Russia[^5]. It is designed to track the arms-embargoed countries listed in §126.1 of the ITAR, so when the State Department updates its embargo notices, D:5 follows. D:5 is less a fixed list of countries than a set that moves with arms-embargo policy. As a compliance officer, you need the habit of checking, against the current supplement no. 1, whether your counterparties and the end users beyond them fall into this group. It is a single paragraph of guidance, but the phrase "regardless of where they are located" carries all the practical weight we examine below.

What the Location-Based Test Actually Is

Now to the mechanics. According to the guidance, this requirement was first introduced on November 17, 2023. The point of entry was the end-user control in §744.23(a)(3) of the EAR, and it applied to advanced computing items generally, specifically the items in ECCNs 3A090.a and .b, 4A090.a and .b, and related .z paragraph items[^1]. An ECCN, or Export Control Classification Number, is the U.S. code system that tells you whether a product is controlled and under what conditions it can be exported[^7]. 3A090 and 4A090 are the numbers built to capture advanced AI processors and related integrated circuits. The .a and .b suffixes are performance-threshold tiers, and .z covers equipment that incorporates specified items.

Follow the timeline and the picture sharpens. In January 2025, the AI Diffusion Rule transferred the requirement for these ".a" items out of §744.23(a) and into §742.6, recasting it as a new worldwide license requirement[^1]. The control moved house from an end-user rule to a destination-based one. Then, in May 2025, BIS announced that it would not enforce the AI Diffusion Rule's new compliance requirements. That sequence is exactly what bred the field's confusion about whether the 2023 requirement still stood.

The guidance settles the matter. A license requirement now applies under §742.6(a)(6)(iii)(A) to all destinations outside the United States for these advanced computing items[^1], when they are for entities headquartered in, or whose ultimate parent company is headquartered in, D:5 or Macau. The concept of the ultimate parent company does the heavy lifting. Your counterparty may look like an innocuous third-country legal entity, but if you trace its corporate chain to the topmost parent and find a headquarters in D:5 or Macau, the requirement reaches it. Selling to a subsidiary registered in Singapore or Germany does not help if the ultimate parent sits in Beijing. The location-based test, then, asks not where the counterparty is registered but where the top of the corporate group resides.

It is worth dwelling on why this test is so much harder to operationalize than a destination check. A traditional destination control asks a question you can answer from the shipping documents, where is this going. The location-based test asks a question the shipping documents rarely answer, who ultimately controls the entity receiving this. Corporate ownership chains are often deliberately layered, with holding companies in low-tax jurisdictions sitting between an operating subsidiary and its real parent. A counterparty in Ireland may be wholly owned by an entity in the Cayman Islands, which is in turn owned by a group headquartered in a D:5 country. Nothing on the purchase order reveals that. The burden falls on the exporter to establish, through corporate registries, beneficial ownership filings, and direct diligence questions, where the top of the chain actually sits. The guidance does not soften that burden. It simply confirms that the obligation is there, which means the diligence work has to be there too.

How It Differs From the 50% Rule

Here is the mechanism you must not conflate with it, the so-called 50% rule, or Affiliates Rule. This is the 2025 regulation under which BIS extended the reach of the Entity List and the Military End-User (MEU) List to subsidiaries and affiliates, and it turns on ownership structure[^2]. The Entity List is the blacklist of parties that require a license to deal with because of U.S. national security or foreign policy concerns[^6]. The Affiliates Rule provides that any entity at least 50 percent owned by one or more parties on the Entity List or MEU List automatically becomes subject to the same restrictions. Significant minority ownership by a listed party is treated as a red flag that triggers additional due diligence.

On the surface these two look alike, both casting a net at the group level. But their axes are entirely different. The location-based test looks at headquarters, at whether the ultimate parent is headquartered in D:5 or Macau. The 50% rule looks at capital, at whether an Entity List party holds more than half the voting stock. One is geography, the other is shareholding. So a transaction can clear one and still be caught by the other.

Consider a concrete case. You export AI chips to a company whose ultimate parent is headquartered in China, a D:5 country, but which appears nowhere on the Entity List. From the 50% rule's perspective there is no issue, because nobody is on the Entity List. Yet under the location-based test, the single fact of a Chinese-headquartered ultimate parent triggers the license requirement. Run it the other way. A company headquartered in the Netherlands but 55% owned by an Entity List party clears the location-based test and is caught by the 50% rule instead. Any company that builds its screening solely around capital relationships will miss the first case entirely.

The two rules also fail in different directions, which is why running only one is not a partial safeguard but a false sense of security. A screening process tuned to the 50% rule will produce clean results for the China-headquartered, non-listed buyer above, and a compliance officer reading that clean result has no signal that anything was missed. The system did exactly what it was built to do, and the answer was still wrong for the transaction at hand. The same holds in reverse for a process tuned only to headquarters location. This is the practical reason the guidance matters even though it announces nothing new. It forces teams to confront whether their screening logic has a blind spot that a clean report will never reveal. The full picture of both rules is covered in a separate article, the Complete Guide to the BIS Affiliates Rule (50% Rule), but let me state it plainly here. The ownership check and the headquarters check have to run as two separate passes. For how the Entity List, MEU List, and SDN List relate to one another, see the Entity List, MEU List, and SDN List comparison.

Its Relationship With the AI Diffusion Rule Non-Enforcement

Now to the point that confuses the field most. BIS announced in May 2025 that it would not enforce the AI Diffusion Rule's new compliance requirements. Heard in isolation, that can be taken to mean the export of advanced computing items has become a free-for-all for a while. Some companies surely have voices saying the AI Diffusion Rule is not being enforced, so we no longer need to worry. The guidance shuts that misreading down head-on.

The logic runs as follows. In January 2025 the AI Diffusion Rule moved the ".a" item requirement that had existed since 2023 out of §744.23(a) and into §742.6, reconstituting it as a worldwide requirement. What BIS said it would not enforce was the new compliance requirements the AI Diffusion Rule imposed. But the license requirement keyed to D:5 and Macau headquarters predates that rule. So the non-enforcement policy does not reach this earlier requirement. In the guidance's own words, the non-enforcement policy with respect to the destination-based license requirements under §742.6(a)(6)(iii)(A) applies only to the extent the items are not for entities headquartered in, or with ultimate parent companies headquartered in, D:5 or Macau[^1].

Put plainly, the only thing that fits under the umbrella of non-enforcement is transactions not destined for D:5 or Macau headquarters. Exports of advanced computing items to a counterparty whose ultimate parent is headquartered in D:5 or Macau stay out in the rain. BIS states clearly that exporters should continue to seek licenses for such transactions, adding the caveat unless a license exception specified in §740.2(a)(9)(ii) is available[^1]. That means you also have to determine for yourself whether an exception applies. Reading the word non-enforcement as a blanket pardon for the whole transaction is dangerous. The reality is that only the genuinely new portion the AI Diffusion Rule tried to layer on has been paused, while the 2023-vintage location-based requirement buried beneath it keeps running as if nothing had happened.

There is a further trap in the way non-enforcement interacts with corporate compliance posture. A non-enforcement policy is a statement of how an agency intends to use its discretion, not a repeal of the underlying legal requirement. The requirement remains on the books, which means a transaction made in reliance on non-enforcement is still, technically, a transaction that needed a license. Enforcement discretion can change, and it can change with little warning. A company that has documented its decisions as conscious choices to proceed without a license, on the theory that nothing would be enforced, is in a far weaker position than one that correctly identified which requirements were genuinely paused and which were not. For the location-based requirement, the guidance removes any ambiguity. It was never within the scope of the non-enforcement policy to begin with, so there is no discretion to rely on. Treating it otherwise is not a gray-area judgment call but a clear misreading.

Practical Impact for Japanese Companies, Data Centers, and Reexports

Let me bring all of this down to the Japanese compliance desk. Start with reexport risk. The EAR applies extraterritorially to U.S.-origin items and items containing them above a de minimis threshold, including when a Japanese company resells or transfers them onward to a third country. If, somewhere in the chain of procuring an advanced computing item in Japan and moving it through group companies or customers abroad, the ultimate recipient's ultimate parent turns out to be headquartered in D:5 or Macau, misjudging the license requirement becomes a violation. A harmless country of registration for the recipient is not enough. You cannot reach a conclusion without checking the top of the capital chain. The operating discipline is to ask, at every link in the flow, where this party's ultimate parent is headquartered.

This matters because Japanese companies frequently sit in the middle of these chains rather than at the origin. A Japanese distributor or systems integrator may buy advanced accelerators from a U.S. supplier, integrate them into a server product, and sell the result to a customer in Southeast Asia who then resells regionally. Each of those steps is a potential reexport or in-country transfer under the EAR, and the location-based requirement travels with the items the whole way. The Japanese company in the middle cannot wash its hands of the question by pointing to the supplier's original license, because the obligation attaches to the transaction in front of it, not only to the first export from the United States. That is precisely the kind of multi-step exposure where the ultimate parent of a downstream buyer, three or four transactions removed, can pull an otherwise routine deal into license territory.

For data center and cloud teams, one sentence the guidance adds matters a great deal. BIS states that bona fide data center operators otherwise engaged in activities consistent with the EAR are not required to cease the ongoing use, storage, disposal, or servicing of advanced computing items because of this guidance[^1], with the condition until further notice. There is no demand to shut down a running GPU cluster on the spot, which is reassuring. But this concerns continuity of operations only. New exports, reexports, or in-country transfers still require a separate license determination. When a cloud provider adds AI accelerators to an overseas region, or relocates hardware for a customer's workload, there is no escaping the check on the recipient and the ultimate parent's location.

The carve-out also carries two conditions that are easy to read past. The first is bona fide, which is doing real work in the sentence. An operator standing up infrastructure as a front, or structuring its operations to route advanced computing capacity to a D:5-headquartered parent while presenting itself as an independent data center, is not the kind of operator the carve-out protects. The second is until further notice, which signals that this is a forbearance BIS can withdraw. Neither condition turns the carve-out into a license to expand freely. The honest reading is narrow. You may keep operating the hardware you already legitimately run, and you should assume nothing beyond that without a fresh license analysis. For cloud businesses serving customers whose own corporate parents reach into D:5 jurisdictions, the practical upshot is that capacity decisions and customer onboarding now need an export control gate, not just a commercial one.

And there is one more burden Japanese companies face, simultaneous compliance across jurisdictions. Beyond the U.S. EAR, the EU also updated its dual-use control list in September 2025 to include advanced computing integrated circuits and FPGAs[^4]. The EU builds on a common control list across member states and multilateral frameworks such as the Wassenaar Arrangement, a design philosophy quite different from the unilateral, headquarters-based logic of the United States. Japanese companies must satisfy both systems, and Japan's own Foreign Exchange and Foreign Trade Act alongside them. Reconciling section numbers, ECCNs, target country groups, headquarters locations, and ownership percentages product by product and deal by deal will, sooner or later, break a process run on spreadsheets and manual screening. If you are uncertain about ECCN classification itself, the practical ECCN classification guide is worth reading alongside this.

Our export compliance AI agent TRAFEED was built precisely to automate this multi-jurisdiction, multi-citation reconciliation. Aligned with Japanese METI standards, it binds together the judgment axes of EAR ECCNs, the Entity List, and ultimate parent location into a single review flow, and surfaces the issues when you feed in transaction data. The value, every time a guidance update like this lands, is that you can run requirements with different axes, such as the location-based test and the 50% rule, in parallel without relying on an officer's memory. Regulations will keep making small revisions. The dividing line for export compliance from here is whether you can move from a process where you hand-edit a ledger every time a citation shifts to one where updating a rule flows instantly through every transaction.

Summary

Here is what compliance officers should take away from the May 31, 2026 BIS guidance.

• The guidance is not a new regulation. It confirms that the existing license requirement introduced on November 17, 2023 under §744.23(a)(3) is still being enforced[^1]
• The axis is location-based. Advanced computing items (ECCNs 3A090.a/.b, 4A090.a/.b, related .z) for entities headquartered in, or with ultimate parent companies headquartered in, D:5 countries or Macau are covered, and it applies even when the entity itself is located outside D:5 or Macau[^1]
• This is a different mechanism from the ownership-based 50% rule (Affiliates Rule). The ownership check and the headquarters check must run as separate passes[^2]
• The AI Diffusion Rule non-enforcement does not reach the location-based requirement. ".a" items for D:5 or Macau headquarters require a license to all destinations outside the U.S. under §742.6(a)(6)(iii)(A)[^1]
• Bona fide data center operators need not cease ongoing use, but new exports and reexports require a separate license determination[^1]

Where the ultimate parent company is headquartered decides whether a transaction is permitted. Do not rest on the recipient's country of registration alone. Move to a process that traces all the way to the top of the capital chain.

References

[^1]: Guidance Regarding Enforcement of License Requirements for Advanced Computing Items for Entities Headquartered in Country Group D:5 and Macau｜Bureau of Industry and Security, U.S. Department of Commerce (May 31, 2026) [^2]: Department of Commerce Expands Entity List to Cover Affiliates of Listed Entities｜Bureau of Industry and Security, U.S. Department of Commerce (2025) [^3]: Revision to License Review Policy for Advanced Computing Commodities (2026-00789)｜Federal Register (January 15, 2026) [^4]: 2025 update of the EU control list of dual-use items｜European Commission, DG Trade (September 8, 2025) [^5]: Supplement No. 1 to Part 740 — Country Groups｜Bureau of Industry and Security (current) [^6]: Supplement No. 4 to Part 744 — Entity List｜eCFR, Title 15 (current) [^7]: Commerce Control List (Part 774) — Export Control Classification Numbers｜eCFR, Title 15 (current) [^8]: Section 742.6 — Regional Stability｜eCFR, Title 15 (current) [^9]: Section 744.23 — Advanced computing and supercomputer end use｜eCFR, Title 15 (current) [^10]: Section 740.2 — License exceptions, restrictions｜eCFR, Title 15 (current) [^11]: Supplement No. 1 to Part 740 — Country Groups｜eCFR, Title 15 (current)