Yes, persons seeking to export software, services, or hardware to Iran or conduct other activities in support of internet freedom in Iran that are not exempt transactions or authorized by the general license in 31 CFR § 560.540 or other authorizations are encouraged to submit a specific license application to through the OFAC License Application Page. 

Date Updated: May 16, 2024

A cloud-based service or software provider whose non-Iranian customers provide services or software to persons in Iran via the cloud may rely upon the authorization in 31 CFR § 560.540 to provide access to Iran, provided that such provider conducts due diligence based on information available to it in the ordinary course of business to confirm that the non-Iranian customer: (1) is not a person whose property and interests in property are blocked, except as authorized under paragraph (a)(6) of 31 CFR § 560.540; and (2) provides software and services that fall within one of the categories described in FAQ 1087, including activity authorized or exempt under the ITSR.

In instances where cloud-based services or software are used to support the exportation of services or software to Iran authorized under 31 CFR § 560.540, OFAC does not generally expect a cloud-based service or software provider to evaluate the ultimate end use or end user of the authorized software or services, provided the cloud-based provider conducts due diligence based on information available to it in the ordinary course of business.  For example, if a cloud-based service or software provider supports non-Iranian customers providing access in Iran to news websites or Virtual Private Networks (VPNs) that fall within one of the categories described in FAQ 1087, the cloud-based service or software provider need not evaluate whether the provision of access via the cloud involving Iranian end users is related to communication.  By contrast, if a U.S. cloud-based service or software provider supports non-Iranian customers providing certain enterprise management software to Iran, such as payroll management software, the cloud-based service or software provider would be expected to evaluate whether its support of the software is a prohibited export of software or services to Iran because payroll management software is not generally considered a qualifying software incident to communications.

Please note that 31 CFR § 560.540 does not authorize the importation into the United States of Iranian-origin software or the dealing in such software, including the hosting of Iranian-origin software on a mobile application store.  Persons seeking to engage in such activity may submit applications for specific licenses to OFAC that describe the nature of the software and the Iranian developers involved.

Date Updated: May 16, 2024

Yes.  Section 560.540(a)(1) of the ITSR authorizes the exportation to Iran of fee-based or no-cost cloud-based services incident to the exchange of communications over the internet.  In addition, 31 CFR § 560.540(a)(2) authorizes the exportation to Iran of cloud-based software that is incident to, or enables services incident to, communications over the Internet.  Software exported under 31 CFR § 560.540(a)(2) either: (i) must be designated as EAR99 under the Export Administration Regulations, 15 CFR parts 730 through 774 (EAR), excluded from the EAR because it is described under 15 CFR § 734,3(b)(3), or classified under Export Control Classification Number (ECCN) 5D992.c; or (ii) if the software is not subject to the EAR because it is of foreign origin, must be the type of software that would be designated EAR99 or classified under ECCN 5D992.c if it were subject to the EAR.
For purposes of 31 CFR § 560.540, cloud-based services and software are determined to be incident to the exchange of communications over the Internet when they are used to support transactions authorized or exempt under the ITSR, including the following categories of activities: 

• instant messaging, chat, email, social networking, sharing of photos and movies, web browsing, blogging, social media platforms, collaboration platforms, video conferencing, e-gaming platforms, e-learning platforms, automated translation, web maps, and user authentication services; 
• the export, reexport, or provision of software and services listed in the categories (6) through (11) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, including anti-virus and anti-malware software, anti-tracking software, mobile operating systems and related software, anti-censorship tools and related software; Virtual Private Network (VPN) client software and related software; and provisioning and verification software for Secure Sockets Layers (SSL) certificates and related software, provided that the software meets the relevant conditions of 31 CFR § 560.540, including applicable export control classification-related criteria;
• transactions that are exempt from the prohibitions of the ITSR, including news outlets and media websites covered by the exemption for information or informational materials in 31 CFR § 560.210(c) of the ITSR; and
• other transactions authorized under the ITSR, such as transactions necessary and ordinarily incident to publishing authorized pursuant to 31 CFR § 560.538, transactions for the conduct of the official business of certain international organizations pursuant to 31 CFR § 560.539, the sale and exportation of agricultural commodities, medicine, medical devices, and certain software and services pursuant to 31 CFR § 560.530, and transactions authorized pursuant to any general or specific licenses issued under the ITSR. 

Please note that 31 CFR § 560.540(a)(1) does not authorize the exportation of cloud-based services or software to the Government of Iran, except as specified in 31 CFR § 560.540(a)(6). 

Date Updated: May 16, 2024