WASHINGTON -- The U.S. government will require as early as May that companies operating in America ask for permission to use information technology equipment and services from China or other countries deemed "adversaries," a move that could affect up to 4.5 million businesses.
Regulations put in place in March let Washington review such corporate purchases or usage of technology and block any transactions deemed too risky, with the aim of preventing leaks of sensitive information. The Commerce Department is preparing to offer licenses or pre-clearance to reduce the burden on businesses.
Washington has restricted dealings with Chinese tech enterprises before. Last August, the U.S. barred bids for government contracts by companies that use technology from five Chinese businesses including Huawei Technologies, ZTE and surveillance camera maker Hikvision.
The new approach is far more expansive. It targets companies from countries designated as "foreign adversaries" -- China, Russia, North Korea, Iran, Venezuela and Cuba. Chinese corporations are expected to form the bulk of those under the tighter rules.
Though no specific companies are named, any businesses "subject to the jurisdiction or direction of" these countries are covered.
The rules affect all private-sector companies operating in the U.S., not just those that work with the government. Three-quarters of the roughly 6 million companies in the U.S. use foreign technology, the Commerce Department estimates, including the American branches of overseas businesses.
Businesses will need to submit information on any problematic IT gear or services to ensure they do not pose an "undue or unacceptable risk." Companies have the right to object to the results of a review or take steps to reduce risks to a more acceptable level. But those that do not abide by a ban or a mitigation agreement could face civil or criminal penalties.
The Commerce Department issued subpoenas to Chinese companies in mid-March and on Tuesday, demanding information on their U.S. operations to "support the review of transactions."
The rules apply to a broad swath of technology, including hardware and software used in critical infrastructure and telecommunications networks, as well as artificial intelligence and quantum computing tech. The list also covers services that handle personal information, along with monitoring equipment such as internet-enabled surveillance cameras, sensors and drones.
Under these definitions, businesses that use Chinese routers in their internal networks, Chinese cameras in a factory or Chinese cloud services to handle customer data could face scrutiny.
The rules alarm many in the business world. The Commerce Department's own impact analysis estimates the cost of compliance at $10 billion annually. Business groups such as the U.S. Chamber of Commerce have urged Washington to delay implementation given this burden as well as a lack of clarity.
The ability of these measures to protect against leaks also has been called into question. Experts urge companies to assess their level of risk, and many businesses are turning to legal advisers and consulting firms.
"We'll keep an eye on how the rules are applied," said a representative at a U.S. arm of a Japanese company.
The rules originally were announced in 2019 under President Donald Trump's administration. President Joe Biden has let them take effect.