bmad-plus 0.4.4 → 0.6.0

package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md

@@ -0,0 +1,319 @@
+# DPDPA — Section-by-Section Reference
+
+Digital Personal Data Protection Act, 2023. Presidential Assent: 11 August 2023.
+44 Sections across 9 Chapters.
+
+---
+
+## Chapter I — Preliminary (Sections 1–3)
+
+### Section 1 — Short Title, Extent, Commencement and Application
+Establishes the short title: "Digital Personal Data Protection Act, 2023."
+- Extends to the whole of India
+- Commencement by phased notification in the Official Gazette
+- Applies to digital personal data processing within India AND processing outside India
+  related to offering goods or services to individuals located in India
+
+### Section 2 — Definitions
+28 defined terms including:
+
+| Term | Definition |
+|------|-----------|
+| **Appellate Tribunal** | Telecom Disputes Settlement and Appellate Tribunal (TDSAT) |
+| **Board** | Data Protection Board of India |
+| **Child** | Individual who has not completed **18 years of age** |
+| **Consent Manager** | Body corporate registered by the Board enabling Data Principals to manage consent across multiple Data Fiduciaries via a single interoperable platform |
+| **Data Fiduciary** | Any person who alone or jointly with others determines the **purpose and means** of processing of digital personal data (= GDPR "controller") |
+| **Data Principal** | The individual to whom the personal data relates (= GDPR "data subject") |
+| **Data Processor** | Any person who processes digital personal data on behalf of a Data Fiduciary under a contract (= GDPR "processor") |
+| **Data Protection Officer (DPO)** | Individual appointed by a Significant Data Fiduciary as representative before the Board and grievance contact |
+| **Digital personal data** | Personal data in digital form |
+| **Personal data** | Any data about an individual who is identifiable directly or indirectly from such data |
+| **Personal data breach** | Unauthorised processing or accidental disclosure causing loss of confidentiality, integrity, or availability of digital personal data |
+| **Processing** | Any automated operation on digital personal data including collection, recording, storage, retrieval, use, sharing, transmission, erasure, and destruction |
+| **Significant Data Fiduciary (SDF)** | Data Fiduciary notified by Central Government based on volume/sensitivity, risk to rights, impact on sovereignty, electoral democracy, state security, or public order |
+| **Specified purpose** | The purpose mentioned in the Data Fiduciary's notice for which the Data Principal provided personal data |
+
+### Section 3 — Application (Territorial Scope)
+The Act applies to:
+- Processing of digital personal data **within India**, and
+- Processing **outside India** if it relates to offering goods or services to individuals
+  located in India at the time the personal data is collected
+
+Partial exemption: Processing under contracts with foreign entities of data of
+Data Principals **not located in India** is exempt from most obligations (Section 17(g)).
+
+---
+
+## Chapter II — Obligations of Data Fiduciary (Sections 4–10)
+
+### Section 4 — Grounds for Processing Personal Data
+Two and only two lawful bases:
+- **(a) Consent** as specified in Section 6
+- **(b) Certain legitimate uses** as enumerated in Section 7
+
+No other lawful basis exists. Processing outside these two grounds is unlawful.
+
+### Section 5 — Notice to Data Principal
+Before or at the time of requesting consent, Data Fiduciaries must provide a notice:
+- In clear and plain language (implemented by Rule 3 of DPDP Rules 2025)
+- As a standalone, independent document (not bundled in T&Cs)
+- Containing: purposes; data categories; recipients; retention period; Data Principal rights; Board complaint mechanism; consent withdrawal procedure
+
+**Key obligation:** Notice must be retrievable at any time from the Data Fiduciary's platform or website.
+
+**Existing data (Section 5(2)):** For data collected before the Act's commencement but still being processed, Fiduciaries must provide a notice of the same content within prescribed time after the Act takes effect.
+
+### Section 6 — Consent
+Consent must be:
+- **Free** — not conditioned on acceptance of services
+- **Specific** — for a particular specified purpose
+- **Informed** — given after receiving the Section 5 notice
+- **Unconditional** — no conditions or coercion
+- **Unambiguous** — expressed by clear affirmative action
+
+**Section 6(3):** Consent may be given through a Consent Manager registered by the Board.
+
+**Section 6(4):** Data Principals may withdraw consent at any time. Ease of withdrawal must match ease of giving consent. Prior processing remains lawful; post-withdrawal processing must stop.
+
+**Section 6(5):** The burden of proving valid consent lies on the Data Fiduciary.
+
+**Section 6(6):** Consent obtained in violation of these requirements is void.
+
+### Section 7 — Certain Legitimate Uses (Closed List)
+Eight enumerated legitimate uses where consent is NOT required:
+
+1. Purpose the Data Principal voluntarily provided data for (unless specifically objected)
+2. State benefits, subsidies, services, certificates, licenses, or permits
+3. State functions under Indian law or interests of sovereignty/security/integrity
+4. Legal obligation to disclose to State or its instrumentalities
+5. Employment purposes or safeguarding employer against loss/liability — including prevention of corporate espionage, IP theft, and classified information leakage by employees
+6. Disaster management per the Disaster Management Act, 2005
+7. Medical emergencies and safeguarding individuals during disasters or epidemics
+8. Other prescribed purposes as notified by Central Government
+
+> **Precision note:** The employment category (Section 7(e)) covers both routine HR processing AND the employer's interest in preventing corporate espionage/IP theft by employees. These are part of a single clause — not separate categories. A prior version of this file incorrectly listed a duplicate "prevention of corporate espionage" as a ninth item; that entry has been removed.
+
+This list is **exhaustive**. No general "legitimate interests" balancing test.
+
+### Section 8 — General Obligations of Data Fiduciary
+Every Data Fiduciary must:
+
+1. **Appoint Data Processors under contract** — valid written contract per Rule 16
+2. **Ensure data quality** — accuracy, completeness, consistency for data used in decisions or shared with other Fiduciaries
+3. **Implement security safeguards** — appropriate technical and organisational measures per Rule 7
+4. **Erase data** when: purpose fulfilled; consent withdrawn; Data Principal exercises erasure right; retention no longer necessary
+5. **Direct Processors to erase** data upon termination of processing engagement
+6. **Notify personal data breach** to the Board without delay and in detail within 72 hours per Rule 6
+7. **Grievance mechanism** — Establish effective, accessible grievance mechanism and respond within prescribed period
+
+**Section 8(7) — Retention and Erasure:**
+Data Fiduciaries must erase data from their systems and from Processors' systems upon:
+- Withdrawal of consent (unless retention required by law)
+- Purpose fulfilment
+- Section 12(3) erasure request
+
+### Section 9 — Processing of Children's Personal Data
+**Age threshold:** Under 18 years.
+
+**Section 9(1):** Verifiable parental/lawful guardian consent required before any child data processing.
+
+**Section 9(2) — Prohibited processing (no exceptions unless prescribed):**
+- Tracking or behavioural monitoring of children
+- Targeted advertising directed at children
+- Any processing likely to cause detrimental effect on child's well-being
+
+**Section 9(3) — Exemptions:** May be prescribed for certain classes of Data Fiduciaries (health, safety, education, essential services).
+
+**Penalty:** Maximum ₹200 crore per violation. One of the highest penalty tiers.
+
+### Section 10 — Additional Obligations of Significant Data Fiduciaries
+
+**Designation:** Central Government notifies entities as SDFs based on:
+- Volume and sensitivity of data processed
+- Risk of harm to Data Principals' rights
+- Impact on India's sovereignty, integrity, security
+- Risk to electoral democracy or public order
+
+**Additional obligations (beyond Section 8):**
+- **India-based Data Protection Officer** — individual resident in India; sole Board representative; Data Principal grievance contact
+- **Annual Data Protection Impact Assessment (DPIA)** — evaluates compliance, Data Principal rights exercise, safeguard adequacy, large-scale processing risks
+- **Annual independent data audit** — by qualified external auditor; report submitted to the Board
+- **Data localization** — specified data categories must remain within India (when notified)
+- **Comply with any other prescribed measures** as directed by government
+
+---
+
+## Chapter III — Rights and Duties of Data Principal (Sections 11–15)
+
+### Section 11 — Right to Access Information
+Data Principals may request, and Data Fiduciaries must provide (within prescribed period):
+- Summary of personal data being processed
+- Description of the processing activities (purpose, legal basis, duration)
+- Identities and contact details of all Data Fiduciaries and Processors holding or processing the data
+- Description of personal data shared with each recipient
+
+### Section 12 — Right to Correction, Completion, Updating, and Erasure
+Data Principals may:
+- **(12(1)(a))** Request correction of inaccurate or misleading personal data
+- **(12(1)(b))** Request completion of incomplete personal data
+- **(12(1)(c))** Request updating of outdated personal data
+- **(12(3))** Request erasure of personal data no longer necessary for the specified purpose
+
+**Limitations on erasure (Section 12(4)):**
+Data Fiduciaries may refuse erasure where:
+- Retention necessary for the specified purpose
+- Retention required by law (statutory record-keeping)
+- Retention necessary to enforce/defend legal rights or claims
+
+### Section 13 — Right of Grievance Redressal
+- Data Principals must have access to an effective grievance mechanism provided by the Data Fiduciary or Consent Manager
+- Mechanism must be accessible, responsive, and as prescribed by rules
+- Data Fiduciaries must respond within the prescribed timeframe
+- **Mandatory exhaustion:** Data Principals must exhaust the Fiduciary's grievance mechanism before filing a complaint with the Data Protection Board
+
+### Section 14 — Right to Nominate
+Data Principals may nominate an individual to exercise their Section 11, 12, and 13 rights in the event of:
+- Death of the Data Principal, or
+- Incapacity (defined as unsoundness of mind or infirmity of body rendering the Principal unable to exercise rights)
+
+Nominees exercise rights as if they were the Data Principal.
+
+### Section 15 — Duties of Data Principal
+Data Principals must:
+- Comply with all applicable laws when exercising rights
+- Not register false or frivolous complaints with Fiduciaries or the Board
+- Not furnish false particulars or suppress material information
+- Not impersonate another individual
+- Not misuse their rights to harass Data Fiduciaries
+
+Breach of these duties: penalty up to **₹10,000** (personal liability).
+
+---
+
+## Chapter IV — Special Provisions (Sections 16–17)
+
+### Section 16 — Transfer of Personal Data Outside India
+**Mechanism: Blacklist approach**
+
+Data Fiduciaries may transfer personal data outside India to **any country or territory**, EXCEPT those specifically **notified by the Central Government as restricted**.
+
+**Current status (April 2026):** No countries have been notified. All transfers currently permitted.
+
+**Government notification power:** Central Government may restrict transfers based on national security concerns, weak data protection frameworks, public policy considerations. Monitor MeitY Official Gazette.
+
+**Operational guidance:**
+- Transfers permitted to all countries absent a notification
+- Apply contractual safeguards with recipients regardless
+- Do not assume permanent unrestricted status; plan for potential future restrictions
+- Sensitive data categories: apply enhanced protection even when transfer is technically permitted
+
+### Section 17 — Exemptions
+Exemptions from Chapters II, III, and Section 16:
+
+| # | Category | Scope of Exemption |
+|---|----------|-------------------|
+| (a) | Legal rights enforcement | Processing to enforce legal rights or claims, or defend legal proceedings |
+| (b) | Judicial/regulatory functions | Courts, tribunals, regulatory/supervisory bodies in official capacity |
+| (c) | Law enforcement | Prevention, detection, investigation, prosecution of offences |
+| (d) | State security (notified) | State instrumentalities notified by Central Government — sovereignty, integrity, security, public order, friendly foreign relations |
+| (e) | Financial defaults | Financial institutions processing data when individual has defaulted on loan repayment |
+| (f) | Research and statistics | Research, archiving, statistical processing — provided individual identity cannot be inferred (anonymisation/pseudonymisation required) |
+| (g) | Extra-territorial / foreign contracts | Processing outside India of non-resident Data Principals under contracts with foreign entities |
+| (h) | Voluntarily provided (notified) | Data voluntarily provided for notified public benefit purposes |
+| (i) | Partial state exemptions | State processing exempt from erasure/correction rights in specific circumstances |
+| (j) | Startups and small entities | Central Government may exempt notified classes from sub-sections of Sections 5, 8, 10, 11 |
+
+---
+
+## Chapter V — Data Protection Board of India (Sections 18–26)
+
+### Section 18 — Establishment
+Creates the Data Protection Board of India as a **body corporate** with perpetual succession; power to acquire/hold/dispose property; to contract; to sue and be sued.
+
+### Section 19 — Composition
+- **Chairperson** — Appointed by Central Government; expertise in data governance, IT, cyber law, public administration
+- **Members** — Notified number; appointed by Central Government; similar qualification criteria
+
+### Section 20–21 — Tenure and Removal
+Fixed terms; removal possible only for misconduct, incapacity, or insolvency.
+
+### Section 22–23 — Officers, Employees, and Public Servant Status
+Board members and officers are **deemed public servants** under Indian Penal Code — enabling criminal liability for breach of duty.
+
+### Section 24 — Chairperson's Powers
+Executive and administrative powers of the Chairperson including agenda-setting, proceedings management.
+
+### Section 25 — Powers and Functions of the Board
+- Receive and adjudicate complaints from Data Principals
+- Investigate personal data breaches
+- Issue financial penalties
+- Issue binding compliance directions
+- Facilitate alternate dispute resolution
+- Accept voluntary undertakings from Data Fiduciaries
+
+### Section 26 — Procedure
+Board establishes hearing rules including evidence presentation, witness examination, and natural justice (right to be heard, impartial adjudication).
+
+---
+
+## Chapter VI — Appeals and ADR (Sections 27–32)
+
+### Section 27 — Appeal to TDSAT
+Orders of the Board may be appealed to the **Telecom Disputes Settlement and Appellate Tribunal (TDSAT)** within prescribed period.
+
+### Section 28 — TDSAT Orders Executable as Civil Decree
+TDSAT orders have the force of a civil court decree — enforceable through civil execution proceedings.
+
+### Section 29 — Alternate Dispute Resolution
+Board may facilitate mediation/conciliation between Data Principals and Data Fiduciaries.
+
+### Section 30 — Voluntary Undertaking
+Data Fiduciaries may offer voluntary undertakings to remedy violations. Board may accept. Breach of voluntary undertaking: penalty up to **₹50 crore**.
+
+### Section 31 — Limitation for Filing Complaint
+Prescribed time limits for Data Principals to file complaints after becoming aware of a violation.
+
+### Section 32 — Protection of Actions Taken in Good Faith
+Board members and staff protected from civil/criminal liability for good faith actions.
+
+---
+
+## Chapter VII — Penalties (Sections 33–34)
+
+### Section 33 — Financial Penalties
+**Penalty Schedule:**
+
+| Violation | Maximum Penalty |
+|-----------|----------------|
+| Failure to implement reasonable security safeguards (Section 8(3)) | ₹250 crore |
+| Failure to notify personal data breach to Board (Section 8(6)/Rule 6) | ₹200 crore |
+| Violation of children's data obligations (Section 9) | ₹200 crore |
+| SDF non-compliance with additional obligations (Section 10) | ₹150 crore |
+| Breach of voluntary undertaking (Section 30) | ₹50 crore |
+| Other violations | ₹50 crore |
+| Data Principal duty violation (false complaints, impersonation) | ₹10,000 |
+
+**Section 33(2) — Seven factors for penalty determination:**
+1. Nature and gravity of the violation
+2. Scale of impact on Data Principals
+3. Frequency (first-time vs. repeated)
+4. Promptness of remediation and cooperation
+5. Proportionality to violator's financial condition
+6. Intentionality vs. negligence
+7. Other prescribed factors
+
+### Section 34 — Crediting of Penalties
+All penalty amounts credited to the Consolidated Fund of India.
+
+---
+
+## Chapter VIII — Miscellaneous (Sections 35–44)
+
+### Section 35 — Power to Make Rules
+Central Government has plenary power to make rules to carry out the provisions of the Act. Rules subject to Parliament laying (approval/modification by Parliament if tabled).
+
+### Section 36–44
+Cover: power to give directions; delegation to officers; protection from legal proceedings against the Board; amendments to other laws (IT Act 2000, RTI Act 2005); maintenance of confidentiality; publication of Board procedures; interpretation provisions; repeal and savings.
+
+**Notable:** Section 43 and 44 amend the **Information Technology Act, 2000** — removing IT Act's data protection provisions (Sections 43A and 72A) and replacing them with DPDPA. This clarifies that DPDPA is the lex specialis for digital personal data; IT Act no longer applies to personal data protection.

package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md

@@ -0,0 +1,250 @@
+# EAR Commerce Control List (CCL) and ECCN Classification Guide
+
+## How to Use This Reference
+
+This guide covers: (1) detailed ECCN lookup methodology, (2) key ECCNs by category, (3) Commerce Country Chart usage, and (4) jurisdiction determination between EAR and ITAR.
+
+---
+
+## ECCN Classification Methodology
+
+### Step 1: Determine if the Item is "Subject to the EAR" (§ 734.3)
+
+An item is subject to the EAR if it is:
+- All items **physically in the United States** (including in Foreign Trade Zones)
+- All items of **US origin** (manufactured in the US), regardless of location
+- **Foreign-made items** that incorporate controlled US-origin content above the de minimis threshold (§ 734.4) — 10% or 25% depending on destination
+- **Foreign direct products** of US technology/software that meet the FDPR criteria (§ 736.2(b)(3))
+- Items the president has placed under EAR jurisdiction by executive order
+
+**Not subject to EAR:** Publicly available information (§ 734.7), basic scientific research (fundamental research exclusion, § 734.8), patent applications, and items exclusively controlled by another US agency (ITAR/USML, NRC, FDA, etc.)
+
+---
+
+### Step 2: Apply the Order of Review (§ 732.3)
+
+| Step | Check | If Yes |
+|------|-------|--------|
+| 1 | Is the item on the USML (22 CFR Part 121)? | → ITAR jurisdiction; stop here |
+| 2 | Is it exclusively controlled by another US agency? | → That agency's regulations |
+| 3 | Is it subject to the EAR per § 734.3? | → Continue to CCL lookup |
+| 4 | Is it on the CCL? | → Assign ECCN |
+| 5 | Not on CCL | → EAR99 designation |
+
+---
+
+### Step 3: Search the CCL (Part 774, Supplement No. 1)
+
+Search strategies (in order of preference):
+1. **Interactive CCL** at bis.gov/regulations/ear/interactive-commerce-control-list
+2. **Self-classification:** Compare item's technical parameters (frequency, performance, materials) to CCL entry technical notes and parameters
+3. **CCATS request:** Submit BIS-748P-A via SNAP-R for official classification determination
+4. **CJ request to DDTC:** If jurisdiction between ITAR and EAR is unclear
+
+**Reading a CCL Entry:**
+Each ECCN entry contains:
+- **Entry heading:** ECCN number and title
+- **List of Items Controlled:** Specific technical parameters that determine if item falls under this ECCN
+- **Unit:** The unit of measure for reporting
+- **Reasons for Control (RFCs):** NS, AT, CB, NP, MT, etc.
+- **Country Chart columns:** Which RFC columns on the Country Chart to check
+- **License Exceptions:** Which exceptions (LVS, GBS, CIV, etc.) are available
+- **List of Items Controlled — Related Controls:** References to other ECCNs or USML categories
+- **Technical Notes:** Clarifications on measurement and interpretation
+
+---
+
+### Step 4: EAR99 — When to Use
+
+If after searching the CCL you cannot find an ECCN that covers the item:
+- The item is **EAR99**
+- EAR99 items **do not appear on the CCL** and have no ECCN number
+- They are subject to EAR jurisdiction but generally do not require a license for export
+
+**EAR99 items still require a license if:**
+- Destined for **embargoed countries** (Cuba, Iran, North Korea, Syria — Part 746)
+- Destined for **Russia or Belarus** under enhanced controls (Part 746.8)
+- The end-user is on the **Entity List** (Supplement 4, Part 744)
+- The end-use is for **WMD development** (§ 744.2–744.6)
+- Exporter has **knowledge** of prohibited end-use or end-user
+
+---
+
+## Key ECCNs by Category
+
+### Category 0 — Nuclear Materials, Facilities, and Equipment
+
+| ECCN | Description |
+|------|-------------|
+| 0A001 | Nuclear reactors and specially designed equipment |
+| 0B001 | Nuclear test/measurement equipment |
+| 0C001 | "Natural uranium," "depleted uranium," special nuclear material |
+| 0D001 | Software for items controlled in Category 0 |
+| 0E001 | Technology for nuclear items |
+
+### Category 1 — Chemicals, Microorganisms, and Toxins
+
+| ECCN | Description |
+|------|-------------|
+| 1C350 | Chemical weapons precursors (Schedule 2 and 3 chemicals) |
+| 1C351 | Human and zoonotic pathogens (Select Agents) |
+| 1C352 | Animal pathogens not in 1C351 |
+| 1C354 | Plant pathogens |
+| 1C810 | Ammonium nitrate (precursor concerns) |
+
+### Category 3 — Electronics
+
+| ECCN | Description |
+|------|-------------|
+| 3A001 | Electronic components (advanced semiconductors, MMICs, SAW devices) |
+| 3A090 | Integrated circuits for advanced computing (high-bandwidth memory) |
+| 3B001 | Equipment for manufacturing electronic components (wafer fab) |
+| 3D001 | Software for Category 3 equipment |
+| 3E001 | Technology for Category 3 items |
+
+### Category 4 — Computers
+
+| ECCN | Description |
+|------|-------------|
+| 4A003 | Electronic computers and related equipment (performance thresholds) |
+| 4A090 | Computers/electronic assemblies for advanced computing (AI chips) |
+| 4D001 | Software for high-performance computers |
+| 4E001 | Technology for Category 4 items |
+
+### Category 5 — Telecommunications and Information Security
+
+| ECCN | Description |
+|------|-------------|
+| 5A002 | Telecommunications systems (secure comms equipment) |
+| 5B002 | Telecom test equipment |
+| 5D002 | Software for telecommunications/encryption |
+| 5E002 | Technology for encryption and telecom |
+| 5A992 | Telecommunications not controlled by 5A002 (lower performance) |
+| 5D992 | Mass-market software for telecom |
+
+### Category 7 — Navigation and Avionics
+
+| ECCN | Description |
+|------|-------------|
+| 7A001 | Accelerometers with specific performance |
+| 7A004 | Star trackers and attitude control equipment |
+| 7A101 | Gyroscopes and accelerometers for missiles |
+| 7E001 | Technology for navigation items |
+
+### Category 9 — Aerospace and Propulsion
+
+| ECCN | Description |
+|------|-------------|
+| 9A001 | Aerojet engines and components |
+| 9A004 | Space launch vehicles and spacecraft |
+| 9A515 | Spacecraft and related items (satellites) |
+| 9E003 | Technology for turbofan and turboprop engines |
+
+---
+
+## Commerce Country Chart — How to Use (Part 738, Supplement 1)
+
+### Purpose
+The Country Chart determines if a license is required based on the combination of the item's **Reason(s) for Control** and the **destination country**.
+
+### Reading the Chart
+1. Find the destination country (rows, alphabetical)
+2. Find the RFC column(s) for your item's ECCNs (e.g., NS Column 1, AT Column 1, CB Column 1)
+3. If the cell shows an "**X**" → a license is generally required
+4. If blank → generally no license required for that RFC/country combination
+
+### Important: Multiple RFCs
+If your ECCN has multiple RFCs (e.g., NS and AT), check **all applicable columns** for the destination. A license is required if any RFC/country cell shows "X" **unless** a license exception applies for that specific RFC.
+
+### Country Chart Column Codes
+
+| Column | Meaning |
+|--------|---------|
+| NS Column 1 | National security — sensitive items |
+| NS Column 2 | National security — less sensitive items |
+| MT Column 1 | Missile technology |
+| NP Column 1 | Nuclear nonproliferation — major suppliers group |
+| NP Column 2 | Nuclear nonproliferation — trigger list |
+| CB Column 1 | Chemical and biological — Australia Group |
+| CB Column 2 | Chemical and biological — non-Australia Group |
+| RS Column 1 | Regional stability — most items |
+| RS Column 2 | Regional stability — less sensitive |
+| CC Column 1 | Crime control — all items |
+| CC Column 2 | Crime control — shotguns |
+| CC Column 3 | Crime control — used equipment |
+| AT Column 1 | Anti-terrorism — all items |
+| AT Column 2 | Anti-terrorism — shotguns |
+| UN | UN embargo |
+
+---
+
+## Jurisdiction Determination: EAR vs. ITAR
+
+### The "Order of Review" in Detail
+
+The US government mandates exporters apply this order before determining export classification:
+
+**STEP 1 — Consult the USML (22 CFR Part 121):**
+- The USML has 21 categories (Cat. I–XXI) covering military articles
+- If the item is "specially designed" or enumerated on the USML → ITAR jurisdiction, file with DDTC
+- The "specially designed" standard is complex — items designed for civilian use that are identical to military articles may still be EAR
+
+**STEP 2 — Consult the CCL:**
+- If not on USML → check CCL
+- If found on CCL → assign ECCN
+- If not found → EAR99
+
+**When jurisdiction is unclear — Submit a CJ Request:**
+- **CJ (Commodity Jurisdiction) Request** — submitted to DDTC
+- Used when: an item has both military and commercial versions; an item was transferred from USML to CCL under Export Control Reform; or there's genuine ambiguity
+- Timeline: 45-day statutory deadline; in practice, can take longer
+- **CCATS** — BIS's equivalent for confirming an ECCN (use SNAP-R portal)
+
+### Common EAR/ITAR Boundary Areas
+
+| Item Type | Likely Jurisdiction |
+|-----------|-------------------|
+| Consumer electronics, mass-market software | EAR (usually EAR99 or 5D992) |
+| Dual-use encryption (commercial VPN, SSL) | EAR (5D002 or 5D992 ENC) |
+| Military radios, tactical communications | ITAR (Cat. XI) |
+| Satellite components (commercial comms sats) | EAR (9A515) after Export Control Reform |
+| Satellite components (military reconnaissance) | ITAR (Cat. XV) |
+| Firearms and ammunition | ITAR (Cat. I and III); some EAR (shotguns) |
+| Chemical precursors (dual-use) | EAR (Category 1) |
+| Chemical weapons agents | ITAR (Cat. XIV) |
+| Aircraft parts (commercial) | EAR (Category 9, lower threshold) |
+| Military aircraft engines | ITAR (Cat. VIII) |
+| GPS (commercial grade) | EAR (7A994, EAR99) |
+| GPS (military, high-performance) | ITAR (Cat. XV) |
+| Cybersecurity tools (commercial pen-testing) | EAR (5D002, ENC exception may apply) |
+| Cyberweapons and offensive capabilities | Likely ITAR or unilateral controls |
+
+---
+
+## EAR99 Items That Still Need Licenses — Common Mistakes
+
+| Scenario | Why License Needed |
+|----------|--------------------|
+| EAR99 electronics exported to Iran | Part 746 embargo — license required |
+| EAR99 software sold to Entity List party | Entity List requirement — license required |
+| EAR99 pump sold for nuclear programme | WMD end-use control § 744.2 |
+| EAR99 laptop reexported from Germany to Russia | Part 746.8 Russia controls apply to all items |
+| EAR99 goods with 10%+ US content to D:5 country | De minimis rule — license may be required |
+| EAR99 circuit board demonstrated to Iranian engineer in US | Deemed export to Iran — check § 734.13 |
+
+---
+
+## EAR Controls on Russia and China — Key 2022–2026 Developments
+
+### Russia and Belarus (Part 746.8)
+Following February 2022, BIS imposed broad new controls:
+- **All items subject to EAR** require a license for export to Russia/Belarus (including EAR99)
+- Extremely limited license exceptions available (humanitarian, safety of flight)
+- Entity List additions: hundreds of Russian defence and intelligence entities
+- **FDP Rule for Russia:** Expanded FDPR captures foreign-made items produced by US equipment/software used to fabricate circuits destined for Russia's military
+
+### China Advanced Computing Controls (October 2022 / October 2023)
+- New ECCNs 3A090, 4A090 control advanced AI chips above performance thresholds
+- Entity List expanded with semiconductor-related entities (Huawei, affiliates, others)
+- FDPR expanded to capture foreign-made chips using US equipment if destined for restricted Chinese entities
+- "ITAR Carve-Out" items — some satellite/military items moved from ITAR to EAR under Export Control Reform but with strict CCL controls