On May 17, 2024, OFAC amended 31 CFR § 560.540 of the Iranian Transactions and Sanctions Regulations (ITSR) to incorporate the provisions of General License (GL) D-2 into 31 CFR § 560.540, with certain additional amendments.  Section 560.540 supersedes GL D-2, which OFAC issued on September 23, 2022, to further support the provision of communication tools to ordinary Iranians and assist in their efforts to resist repressive internet censorship and surveillance tools deployed by the Iranian government.  In addition to incorporating GL D-2 into the ITSR, the amended 31 CFR § 560.540 includes several key changes: 

• The list of services, software, and hardware incident to communications authorized for exportation, reexportation, or provision to Iran previously found in the Annex to GL D-2 is now found in the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications.
• Effective [30 DAYS AFTER PUBLICATION] OFAC is amending the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications to exclude laptops, tablets, and personal computing devices with an “Adjusted Peak Performance” (“APP”) exceeding 1 Weighted TeraFLOP (WT). 
• The authorization previously found at paragraph (a)(5) of GL D-2 and now incorporated into 31 CFR § 560.540(a)(5) is revised to authorize transactions for the importation of hardware or software into third countries, in addition to the United States, provided that the items were previously exported to Iran pursuant to an authorization issued pursuant to the ITSR.
• OFAC has added a new 31 CFR § 560.540(a)(7) to authorize the exportation or reexportation of certain services conducted outside Iran to install, repair, or replace hardware or software authorized for exportation, reexportation, or provision to Iran by paragraphs (a)(2) or (3).  The new 31 CFR § 560.540(a)(7) authorizes such services only when the service provider is located outside Iran and does not authorize the service provider to engage in such services while in Iran.
• Section 560.540(b)(3), which incorporates paragraph (b) of GL D-2, is also being revised to clarify the restrictions related to provision of web-hosting services or of domain name registration services in Iran authorized by 31 CFR § 560.540(a) by specifically excluding from authorization the exportation or reexportation of web-hosting services for websites of commercial entities located in Iran or of domain name registration services for or on behalf of the Government of Iran or another person whose property and interests in property are blocked pursuant to Section 560.211 of the ITSR.
• Section 560.540(d) has been added to set forth the case-by-case licensing policy previously set forth in paragraph (d) of GL D-2, for additional activities that support internet freedom in Iran, such as development and hosting of anti-surveillance software by Iranian developers Such services would also include, for example, the development and hosting of anti-censoring software by Iranian software developers and the exportation of certain software development tools to Iranians seeking to create their own anti-surveillance or anti-censorship apps and upload them to mobile app sites. 

Date Updated: May 16, 2024

Yes, persons seeking to export software, services, or hardware to Iran or conduct other activities in support of internet freedom in Iran that are not exempt transactions or authorized by the general license in 31 CFR § 560.540 or other authorizations are encouraged to submit a specific license application to through the OFAC License Application Page. 

Date Updated: May 16, 2024

A cloud-based service or software provider whose non-Iranian customers provide services or software to persons in Iran via the cloud may rely upon the authorization in 31 CFR § 560.540 to provide access to Iran, provided that such provider conducts due diligence based on information available to it in the ordinary course of business to confirm that the non-Iranian customer: (1) is not a person whose property and interests in property are blocked, except as authorized under paragraph (a)(6) of 31 CFR § 560.540; and (2) provides software and services that fall within one of the categories described in FAQ 1087, including activity authorized or exempt under the ITSR.

In instances where cloud-based services or software are used to support the exportation of services or software to Iran authorized under 31 CFR § 560.540, OFAC does not generally expect a cloud-based service or software provider to evaluate the ultimate end use or end user of the authorized software or services, provided the cloud-based provider conducts due diligence based on information available to it in the ordinary course of business.  For example, if a cloud-based service or software provider supports non-Iranian customers providing access in Iran to news websites or Virtual Private Networks (VPNs) that fall within one of the categories described in FAQ 1087, the cloud-based service or software provider need not evaluate whether the provision of access via the cloud involving Iranian end users is related to communication.  By contrast, if a U.S. cloud-based service or software provider supports non-Iranian customers providing certain enterprise management software to Iran, such as payroll management software, the cloud-based service or software provider would be expected to evaluate whether its support of the software is a prohibited export of software or services to Iran because payroll management software is not generally considered a qualifying software incident to communications.

Please note that 31 CFR § 560.540 does not authorize the importation into the United States of Iranian-origin software or the dealing in such software, including the hosting of Iranian-origin software on a mobile application store.  Persons seeking to engage in such activity may submit applications for specific licenses to OFAC that describe the nature of the software and the Iranian developers involved.

Date Updated: May 16, 2024

Yes.  Section 560.540(a)(1) of the ITSR authorizes the exportation to Iran of fee-based or no-cost cloud-based services incident to the exchange of communications over the internet.  In addition, 31 CFR § 560.540(a)(2) authorizes the exportation to Iran of cloud-based software that is incident to, or enables services incident to, communications over the Internet.  Software exported under 31 CFR § 560.540(a)(2) either: (i) must be designated as EAR99 under the Export Administration Regulations, 15 CFR parts 730 through 774 (EAR), excluded from the EAR because it is described under 15 CFR § 734,3(b)(3), or classified under Export Control Classification Number (ECCN) 5D992.c; or (ii) if the software is not subject to the EAR because it is of foreign origin, must be the type of software that would be designated EAR99 or classified under ECCN 5D992.c if it were subject to the EAR.
For purposes of 31 CFR § 560.540, cloud-based services and software are determined to be incident to the exchange of communications over the Internet when they are used to support transactions authorized or exempt under the ITSR, including the following categories of activities: 

• instant messaging, chat, email, social networking, sharing of photos and movies, web browsing, blogging, social media platforms, collaboration platforms, video conferencing, e-gaming platforms, e-learning platforms, automated translation, web maps, and user authentication services; 
• the export, reexport, or provision of software and services listed in the categories (6) through (11) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, including anti-virus and anti-malware software, anti-tracking software, mobile operating systems and related software, anti-censorship tools and related software; Virtual Private Network (VPN) client software and related software; and provisioning and verification software for Secure Sockets Layers (SSL) certificates and related software, provided that the software meets the relevant conditions of 31 CFR § 560.540, including applicable export control classification-related criteria;
• transactions that are exempt from the prohibitions of the ITSR, including news outlets and media websites covered by the exemption for information or informational materials in 31 CFR § 560.210(c) of the ITSR; and
• other transactions authorized under the ITSR, such as transactions necessary and ordinarily incident to publishing authorized pursuant to 31 CFR § 560.538, transactions for the conduct of the official business of certain international organizations pursuant to 31 CFR § 560.539, the sale and exportation of agricultural commodities, medicine, medical devices, and certain software and services pursuant to 31 CFR § 560.530, and transactions authorized pursuant to any general or specific licenses issued under the ITSR. 

Please note that 31 CFR § 560.540(a)(1) does not authorize the exportation of cloud-based services or software to the Government of Iran, except as specified in 31 CFR § 560.540(a)(6). 

Date Updated: May 16, 2024

General licenses issued under the Iranian Transactions and Sanctions Regulations (ITSR) authorize certain U.S. academic institutions and other U.S. persons to provide certain services and software to Iranian students.  These general licenses include:

• General License G (GL G) authorizes accredited graduate and undergraduate degree-granting U.S. academic institutions, including their contractors, to export services to students located in Iran, or located outside of Iran but who are ordinarily resident in Iran (“Iranian students”), to sign up for and participate in certain undergraduate level online courses, notably:  (i) courses in the humanities, social sciences, law, or business that are the equivalent of courses ordinarily required for the completion of undergraduate degree programs in the humanities, social sciences, law, or business; and (ii) introductory undergraduate level science, technology, engineering, or mathematics courses ordinarily required for the completion of undergraduate degree programs in the humanities, social sciences, law, or business.  In addition, under 31 CFR § 560.405, certain transactions ordinarily incident to a licensed transaction are also authorized.  OFAC interprets 31 CFR § 560.405 to authorize certain transactions ordinarily incident to courses authorized by GL G, including the giving of assignments and testing and grading of Iranian students. 
• Section 560.540 of the ITSR authorizes the exportation to Iran of certain services and software incident to the exchange of communications over the internet, such as instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, blogging, social media platforms, collaboration platforms, video conferencing, e-gaming platforms, e-learning platforms, automated translation, web maps, and user authentication services, as well as certain cloud-based services.  OFAC interprets these authorizations to cover video conferencing software and related services, as well as educational technology software and related services, that allow students to view courses and course materials, complete tests and assignments, receive grades, participate in discussions, and other, similar course-related online activity, provided that the software meets the additional criteria of the applicable authorization.  For more guidance on 31 CFR § 560.540 of the ITSR, please see FAQs 338–348, 434–443, 1087–1089, and 1110.

To export services to Iranian students that fall outside of these authorizations, U.S. persons may apply for a specific license through the OFAC License Application Page. 

Please note that the general licenses summarized above do not authorize the exportation of goods (including software), services, or technology to the Government of Iran, except as authorized under 31 CFR § 560.540(a)(6), or to persons blocked under any authority administered by OFAC, including OFAC’s counterterrorism or counterproliferation authorities. 

Date Updated: May 16, 2024

Satellite terminals and other equipment listed in category (4) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, shall be deemed “residential consumer” if the equipment is designated EAR99 or classified under ECCN 5A992.c, 5A991.b.2, or 5A991.b.4 or, in the case of equipment that is not subject to the EAR, would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5A992.c, 5A991.b.2, or 5A991.b.4 if it were subject to the EAR. 

Date Updated: May 16, 2024

“Software required for effective consumer use” consists of software essential to the operation of the hardware listed in category (5) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, including, for example, drivers and patches.  Operating systems are separately authorized in category (5) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications.

In addition, effective June 16, 2024, OFAC is amending the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications to exclude laptops, tablets, and personal computing devices with an “Adjusted Peak Performance” (“APP”) exceeding 1 Weighted TeraFLOP (WT).  After this change is effective, the only laptops, tablets, and other computing devices that may be exported to Iran are ones with an APP of 1 WT or less.

Date Updated: May 16, 2024

Yes.  Section 560.540(a)(1) of the ITSR authorizes the provision to Iran of fee-based cloud computing services that support the exchange of communications over the internet.  In addition, paragraph (a)(2)(i) of 31 CFR § 560.540 authorizes the provision to Iran of software that is incident to, or enables services incident to, the exchange of communications over the internet, and paragraph (a)(3) authorizes the provision to Iran of software described in the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications and services necessary for the operation of such software, in both cases provided that such software is designated EAR99 or classified by the U.S. Department of Commerce on the CCL under ECCN 5D992.c or, in the case of software that is not subject to the EAR, would be designated EAR99 if it were located in the United States or would meet the criteria for classification under ECCN 5D992.c if it were subject to the EAR.  Please see FAQs 1087–1089 for additional guidance. 

Date Updated: May 16, 2024

Yes.  Fee-based desktop publishing software and productivity software suites have been determined to fall within the scope of fee-based software that enables services incident to the exchange of communications as described in 31 CFR § 560.540(a)(2), provided that the software meets the additional criteria in those paragraphs (e.g., for software subject to the EAR, the software is designated EAR99 or is classified by the U.S. Department of Commerce on the Commerce Control List, 15 CFR part 774, supplement No. 1 (“CCL”) under ECCN 5D992.c).  By contrast, enterprise management software has been determined not to fall within the scope of fee-based software that enables services incident to the exchange of communications as described in 31 CFR § 560.540(a)(2).

Date Updated: May 16, 2024

No.  To qualify for 31 CFR § 560.540, all individual software items in a bundled package must fall within one of the 31 CFR § 560.540 authorizations.  If some software in a bundled package is authorized by 31 CFR § 560.540 but other software is not, the portion of the software falling outside the authorizations in 31 CFR § 560.540 would need to be otherwise exempt or authorized or would require a specific license for export.  A bundle of software that included exclusively software authorized by 31 CFR § 560.540 could be exported.  Please see FAQs 1087–1088 for guidance on certain types of cloud-based software authorized by 31 CFR § 560.540.

Date Updated: May 16, 2024

No.  While the exportation of certain accessories and peripherals specified in categories (1) and (5) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications is authorized under 31 CFR § 560.540(a)(3), the exportation to Iran of hardware parts or components is not.  Hardware that requires repair or replacement may be repaired or replaced outside Iran pursuant to 31 CFR § 560.540(a)(5) or (a)(7).  Requests for specific licenses to export to Iran parts or components, including replacement parts, will be considered on a case-by-case basis.

Date Updated: May 16, 2024

Yes.  Accessories for use in conjunction with hardware specified in categories (1) and (5) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications (the “31 CFR § 560.540 List), and peripherals for use in conjunction with hardware specified in category (5) of the same are authorized for export to Iran under 31 CFR § 560.540.  Authorized accessories for mobile phones include headsets, cases, holsters, mounts, chargers, docks, display protectors, cables, adapters, and batteries.  Authorized accessories for computers include keyboards and mice; authorized peripherals for computers include consumer disk drives and other data storage devices.  As set forth in a note to the 31 CFR § 560.540 List, for the purposes of the 31 CFR § 560.540 List, the term “consumer” refers to items that are: (1) generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following: (a) over-the-counter transactions; (b) mail order transactions; (c) electronic transactions; or (d) telephone call transactions; and (2) designed for installation by the user without further substantial support by the supplier.

Date Updated: May 16, 2024

SSLs, as described in category (11) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications (“31 CFR § 560.540 List”) encompass “provisioning and verification software for Secure Socket Layer (SSL) certificates designated EAR99 or classified under ECCN 5D992.c, and services necessary for the operation of such software.”  Additional provisioning and verification software not subject to the EAR may be included under 31 CFR § 560.540’s authorization for, in relevant part, software not subject to the EAR that is exported, reexported, or provided, directly or indirectly, by a U.S. person located outside the United States, that is of a type described in the 31 CFR § 560.540 List, provided that it would be designated as EAR99 or would meet the criteria for classification under the relevant ECCN specified therein if it were subject to the EAR.

Date Updated: May 16, 2024

Yes.  Section 560.540(a)(3) authorizes the exportation of certain anti-virus, anti-malware, anti-tracking, anti-censorship software, and related services, as specified in categories (6), (7), and (9) of the31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications.

Date Updated: May 16, 2024

The exportation to Iran of apps that are designated EAR99 or classified under export control classification number (ECCN) 5D992.c, as specified in category (8) of the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications, is authorized under 31 CFR § 560.540(a)(3), including apps downloaded via online app stores, to the extent not authorized under 31 CFR § 560.540(a)(1) or (2) or exempt.

Date Updated: May 16, 2024

No.  Section 560.540 of the ITSR does not authorize the employment of persons in Iran to facilitate sales, the maintenance of a physical sales presence in Iran, or the utilization of Iranian marketing services.  However, the exportation of certain copy-ready advertising materials is exempt from the prohibitions of the ITSR to the extent they qualify as information or informational materials pursuant to 31 CFR § 560.210(c).  

Date Updated: May 16, 2024

U.S. sanctions on Iran do not impose any restrictions as to the use of the Farsi language. See FAQ 337.

Date Updated: May 16, 2024

Due diligence programs should be tailored to the particular risks encountered by exporters. 

As a general matter, companies selling fee-based services, software, or hardware authorized by 31 CFR § 560.540 should undertake reasonable, risk-based measures designed to ensure that they do not export their products to persons whose property and interests in property are blocked pursuant to any sanctions program administered by OFAC, regardless of whether the Government of Iran or other end-user appears on OFAC’s Specially Designated Nationals and Blocked Persons List or any of OFAC's other sanctions lists. 

See FAQ 1088 for more information regarding OFAC’s due diligence expectations for cloud-based service or software providers whose services and software support communications tools are authorized by 31 CFR § 560.540. 

Date Updated: May 16, 2024

In general, the payment requirements under 31 CFR § 560.540 are the same as for all other general licenses under the Iranian Transactions and Sanctions Regulations (ITSR).  Section 560.540(c) of the ITSR provides that U.S. depository institutions or U.S. registered brokers or dealers in securities may process transfers of funds from Iran or for or on behalf of a person in Iran that are in furtherance of a transaction authorized under 31 CFR § 560.540, provided the transfer is consistent with § 560.516, which does not allow debiting or crediting an Iranian account.  See 31 CFR § 560.516(a).

Date Updated: May 16, 2024

Yes.  Section 560.540 of the ITSR authorizes the exportation, reexportation, or provision to Iran and the importation into the United States by an individual entering the United States directly or indirectly from Iran, of hardware and software authorized by paragraphs 31 CFR § 560.540(a)(2) or (a)(3).  See Note 1 to paragraphs (a)(2) and (a)(3) of 31 CFR § 560.540.  Section 560.540 also authorizes the importation into the United States by an individual entering the United States, directly or indirectly, from Iran, of hardware or software authorized by 31 CFR § 560.540(a)(2) or (a)(3), provided the items were previously exported, reexported, or provided to Iran under an authorization issued pursuant to the ITSR.  See 31 CFR § 560.540(a)(5).  See also FAQ 1110.

Date Updated: May 16, 2024

Yes.  Section 560.540 of the ITSR continues to authorize the exportation, reexportation, or provision to Iran by U.S. persons located outside of the United States of certain specified hardware and software items that are not subject to the EAR.  See 31 CFR § 560.540(a)(2)(ii), (a)(3)(ii) and (iii).  Section 560.540 continues to extend this authorization to an entity owned or controlled by a U.S. person and established or maintained outside the United States (“a U.S.-owned or -controlled foreign entity”), subject to the conditions set forth in 31 CFR § 560.556.  For example, an overseas branch of a U.S. company or a U.S.-owned or -controlled foreign entity may export to Iran, from a location outside the United States, certain hardware or software that is not subject to the EAR (including foreign-origin hardware or software containing less than a de minimis amount of U.S. controlled content) if the hardware or software is within the scope of the 31 CFR § 560.540 authorization.  Section 560.540 also authorizes the exportation, reexportation, or provision of certain fee-based software that is not subject to the EAR because it is described in section 734.3(b)(3) of the EAR. 

Date Updated: May 16, 2024

Yes.  For purposes of the authorities administered by OFAC, 31 CFR § 560.540 authorizes the exportation, reexportation, or provision of certain hardware and software subject to the EAR by non-U.S. persons outside the United States.  See 31 CFR § 560.540(a)(2)(i) and (a)(3).  For example, a non-U.S. person manufacturer of smartphones that are (a) subject to the EAR because they contain more than a de minimis amount of U.S.-controlled content and (b) within the scope of the 31 CFR § 560.540 authorization may export the smartphones from its third-country manufacturing facility directly or indirectly to Iran.  See FAQs 1087–1089 and 1110.

Date Updated: May 16, 2024

If you require assistance interpreting the authorizations contained in 31 CFR § 560.540 and how they apply to your situation, please contact OFAC’s Compliance Division by phone at 202-622-2490 or by email at OFAC_Feedback@treasury.gov or submit a request for interpretive guidance at the OFAC License Application Page.

Date Updated: May 16, 2024

No.  The 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications lists software, hardware, and related services determined to be “incident to communications” for purposes of the authorization in 31 CFR § 560.540(a)(3) of the ITSR.

Date Updated: May 16, 2024

Qualifying services under 31 CFR § 560.540(a)(1) are those that are “incident to the exchange of communications over the internet,” as well as cloud-based services in support of such services or of any other transaction authorized or exempt under the ITSR.  Qualifying software under 31 CFR § 560.540(a)(2) is software that is incident to, or enables services incident to, the exchange of communications over the internet, as well as certain cloud-based services.  In addition, qualifying software under 31 CFR § 560.540(a)(2) must meet the stated export control-related criteria.  Both paragraphs provide an illustrative but not exhaustive list of the types of services that are authorized: “instant messaging, chat and email, social networking, sharing of photos and movies, web browsing, blogging, social media platforms, collaboration platforms, video conferencing, e-gaming, e-learning platforms, automated translation, web maps, and user authentication services, as well as cloud-based services in support of the foregoing or of any other transaction authorized or exempt under the ITSR.

Qualifying services or software need not be specifically listed in the 31 CFR § 560.540 List of Services, Software, and Hardware Incident to Communications in order to be authorized by 31 CFR § 560.540(a)(1) or (a)(2), provided that they otherwise meet the requirements of 31 CFR § 560.540(a)(1) or (a)(2).

Date Updated: May 16, 2024

Yes, transactions that were authorized under 31 CFR § 560.540 of the ITSR as of May 16, 2024 or GL D 2 (as well as its predecessors, GLs D and D-1) continue to be authorized pursuant to the version of 31 CFR § 560.540 revised on May 17, 2024.  See FAQs 338–343 and 1110 for additional information on transactions authorized pursuant to 31 CFR § 560.540.  

Date Updated: May 16, 2024