Regulations last checked for updates: Jan 19, 2025

Title 15 - Commerce and Foreign Trade last revised: Jan 16, 2025
Appendix - Supplement No. 10 to Part 748—Data Center VEU Authorization Guidelines
I. Certification and Policy Requirements Relating to National and Universal Validated End Users (VEU)

Vetting Requirements

1. General Compliance and Proven Track Record. The VEU must have a credible plan to meet or demonstrated track record of meeting established physical, cyber, and personnel security standards for large-scale data center operations and of complying with U.S. export control laws, a credible plan to or demonstrated track record of respecting human rights, as well as a clear and feasible plan for doing so in a destination that is not Macau, specified in Country Group D:5, or listed in paragraph (a) to Supplement No. 5 to Part 740.

2. Foreign Military and Intelligence Ties.

a. The VEU, to include all subsidiary and parent entities (as well as their personnel in their professional capacities), must be free of ties to any 'military end users' (as that term is defined in § 744.21(g)) or 'military-intelligence end users' (as that term is defined in § 744.22(f)(2)).

b. Ties include research and development agreements and joint activities.

3. Foreign Technology Ties. The VEU, to include all subsidiary and parent entities (as well as their personnel in their professional capacities), must adhere to the U.S. rules on outbound investment at 31 CFR part 850 as applied to U.S. persons regardless of whether such VEU, entity, or individual is a U.S. person, without giving effect to any exception under 31 CFR 850.501(g), except that non-U.S. persons must submit materials to BIS, not the Department of the Treasury. Any notifications or other information that, because of this paragraph, would be required to be submitted in order to adhere to 31 CFR part 850 should be submitted to BIS as part of the VEU application. (For the avoidance of doubt, any notification or other information that would be required to be submitted pursuant to 31 CFR part 850 should continue to be submitted to the Department of the Treasury). The VEU must also adhere to determinations, including any prohibitions and mitigations, made under Commerce's Information Communication Technology Services program at 15 CFR part 791, and the VEU must demonstrate that it has eliminated supply chain dependencies on advanced semiconductors specified in ECCN 3A090.a, 4A090.a, or .z derivatives meeting or exceeding the parameters of ECCN 3A090.a or 4A090.a and advanced networking equipment specified in ECCN 4A003.g, 5A001, 5A002.a, or 5A992.a produced by any entities headquartered in Macau or destinations specified in Country Group D:5. The VEU must also demonstrate that it has eliminated supply chain dependencies on equipment and services listed by the Federal Communications Commission as covered by Section 2 of the Secure and Trusted Communications Networks Act of 2019. The VEU must also notify the U.S. Government, through the VEU program, of all cooperative activities, such as joint ventures, with any entities headquartered in Macau or a destination specified in Country Group D:5 or any individuals or entities that are on the EAR's Entity List or OFAC's Specially-Designated Nationals and Blocked Persons List. The VEU must report to BIS all equity interests (including contingent equity interests) or ownership stakes in the VEU by, or debt or obligations of the VEU from similar financial arrangements to, any entity headquartered in Macau or a destination specified in Country Group D:5 or any individual or entities that are on the EAR's Entity List or OFAC's Specially-Designated Nationals and Blocked Persons List, with the exception of investments under 1 percent or $1 million, whichever is lower, individually or as aggregated across (a) entities that are affiliated or have formal or informal arrangements to act in concert, or (b) departments, agencies, or instrumentalities of, or that are controlled by, the national or subnational governments of Macau or a destination specified in Country Group D:5, in a VEU whose equity securities are primarily traded on an exchange in a country listed in paragraph (a) to Supplement No. 5 to Part 740.

Export Restrictions

4. Transfer of Chips. The VEU may not, without authorization from BIS, transfer chips, assemblies, or computers that meet or exceed the scope of ECCN 3A090.a, 4A090.a, or .z items meeting or exceeding the parameters of ECCN 3A090.a or 4A090.a to any of the following:

a. Any entity located in, or headquartered in, Macau or a destination specified in Country Group D:5;

b. Persons of any nationality working for or on behalf of a party on the EAR's Entity List, ISN's nonproliferation sanctions lists, or OFAC's Specially Designated Nationals and Blocked Persons List;

c. Persons of any nationality employed by a government entity of Macau or a government entity of a destination specified in Country Group D:5 or presenting a high risk of facilitating diversion to Macau or a destination specified in Country Group D:5.

These requirements should not be read as allowing any transfers that otherwise require a license.

5. Intra-company Transfer Notification. [Only for VEUs accredited via a UVEU] The UVEU must notify the BIS 60 days in advance of its intention to transfer any chips between countries in which the UVEU is using the UVEU authorization for such transfer, as well as any planned construction or installations of data centers in countries not previously included in prior notifications to BIS. BIS retains the right to impose licensing requirements for transfers of chips and/or to require additional conditions for entry into these countries.

6. Geographic allocations. Only for entities headquartered in countries listed in paragraph (a) to Supplement No. 5 to Part 740 with UVEU status: The UVEU cannot transfer or install more than 25% of its total AI computing power, measured as the aggregate Total Processing Power (TPP) of chips that meet or exceed the scope of ECCN 3A090.a and are owned by the entity and all its subsidiary and parent entities, to or in locations outside of countries listed in paragraph (a) to Supplement No. 5 to Part 740, and cannot transfer or install more than 7% of its total AI computing power to or in any single country outside of those listed in paragraph (a) to Supplement No. 5 to Part 740. Only for U.S.-headquartered entities with UVEU status: The UVEU cannot transfer or install more than 50% of its total AI computing power outside of the United States, as measured on the reporting dates outlined in Section 10.

Acceptable Use Policies

7. Advanced AI Training. The VEU, to include all subsidiary and parent entities, may not, without authorization from BIS, train an AI model specified in ECCN 4E091, in whole or in part, in a location outside of, or as Infrastructure-as-a-Service (IaaS) for an entity headquartered outside of, countries listed in paragraph (a) to Supplement No. 5 to Part 740. Fine-tuning an AI model specified in ECCN 4E091 is permitted if such fine-tuning constitutes no more than 25 percent of the training operations of the original AI model specified in ECCN 4E091. Provision of application programming interface (API) access to AI models or infrastructure-as-a-service (IaaS) access for AI inference are not prohibited, and would only become prohibited if equivalent restrictions are put in place for U.S.-based computing resources.

8. Model Weight Storage. The VEU may only store or transfer the model weights of an advanced AI model specified in ECCN 4E091 to facilities located in countries listed in paragraph (a) to Supplement No. 5 to Part 740, or to facilities located in jurisdictions other than Macau or those specified in Country Group D:5, provided such facilities are owned or operated by entities headquartered in, or with an ultimate parent headquartered in countries listed in paragraph (a) to Supplement No. 5 to Part 740, and provided the facility complies with the provisions of paragraphs 14, 15, and 18 of Supplement No. 10 to this part by January 15, 2026.

9. Prohibited Uses and Human Rights Safeguards. The VEU is responsible for ensuring that no items subject to the EAR are used to support any of the following:

a. Activities described in part 744 and all relevant supplemental notices;

b. Military and intelligence entities headquartered, or located in, Macau, destinations specified in Country Group D:5, and military and intelligence entities whose activities BIS informs the VEU could pose an unacceptable risk to U.S. national security or could enable human rights abuses or repression of democracy; or

c. Activities that enable human rights abuses and/or repression of democracy including through censorship; arbitrary or unlawful surveillance; and abusive genetic collection and analysis schemes.

Documentation, Auditing, and Reporting Requirements

10. Reporting of Chip Installations. The VEU will report to BIS and other agencies on a semi-annual basis (each February 1 and August 1), a complete facility-specific chip accounting for itself and all parent and subsidiary entities, including:

a. The quantities and types of chips that meet or exceed the parameters of 3A090.a, purchased, approved for export to facilities in given countries, reexported, transferred to relevant destinations and entities to which transfers have occurred, and installed in all data center facilities in destinations except Macau, destinations specified in Country Group D:5, and countries not listed in paragraph (a) to Supplement No. 5 to Part 740.

b. A breakdown of the VEU's total aggregate compute for chips, assemblies, and computers specified in 3A090.a, 4A090.a, or .z derivatives meeting or exceeding the parameters of ECCN 3A090.a or 4A090.a, in destinations except Macau and destinations specified in Country Group D:5 (including chips transferred but not yet installed). This accounting must also include information about chip attrition due to factors such as loss, damage, failure, relocation, and resale.

11. Monitoring, Recordkeeping, and Reporting. The VEU must perform ongoing monitoring, evaluation, and end user due diligence of all the vetting requirements, export restrictions, acceptable use policies, and security requirements herein. The VEU must further notify BIS if, at any time, any requirements have not been met and it must maintain for five years all records in conjunction with these conditions. These records must be made available pursuant to a request from BIS, whether through an end use check or otherwise. The VEU must also cooperate with BIS's auditing of records and facilities described in this document. Failure to comply with BIS may result in revocation of VEU status.

12. Certification as VEU. An entity is certified as a VEU through the process described in Supplement No. 9 to this part. Entities headquartered in countries listed in paragraph (a) to Supplement No. 5 to Part 740 are eligible if they meet the standards provided in Section I and II. Entities in destinations except Macau, destinations specified in Country Group D:5, or those listed in paragraph (a) to Supplement No. 5 to Part 740 are eligible if they meet the appropriate standards outlined in Supplement No. 10 to part 748 and, for NVEUs, if there is a government-to-government arrangement between their government and the United States. If a government-to-government arrangement is rescinded by either party, the NVEU status of NVEUs and, as appropriate, the ability of a UVEU to operate in that country may be revoked.

II. Security Requirements

Ownership Security

13. Ownership Security of VEUs: The VEU, to include all subsidiary and parent entities, must meet ownership security standards to ensure there are no Foreign Ownership, Control, or Influence (FOCI) factors related to Macau or a destination specified in Country Group D:5. Factors relating to the entity, its relevant foreign interest, and the government of such foreign interest shall be assessed against the requirements outlined in National Industrial Security Program Operating Manual (NISPOM) 32 CFR 117.11(b) and additional factors to include:

a. The VEU's financial viability;

b. Counterintelligence concerns, especially regarding key management or leadership personnel and company owners with regard to the government of Macau or the government of a destination specified in Country Group D:5, or to entities headquartered in, or nationals of, Macau or a destination specified in Country Group D:5;

c. Record of enforcement and/or engagement in unauthorized technology transfer;

d. The nature of any relevant bilateral and multilateral security agreement and information exchange agreements; and

e. Any other factor that demonstrates a capability on the part of foreign interests to control or influence the operations or management of the VEU of concern.

Baseline Security

14. Baseline Security of Chips and Data. The VEU's datacenters must be compliant with NIST 800-53 in a fashion certified as appropriate for compliance with these conditions and consistent with the security requirements associated with FedRAMP High, as well as with controls AC-3(7), AT-2(1), CA-8(3), CM-7(4), CM-11(2), IR-4(14), PE-3(3), PM-3, and PS-7 from NIST 800-53. This includes:

a. Advanced AI model weights and proprietary techniques used for advanced AI training must be treated as an information type with FIPS-199 security category {(confidentiality, HIGH), (integrity, HIGH), (availability, HIGH)}.

b. Certification of compliance with the above NIST 800-53 requirements must be attested annually by a Third-Party Assessment Organization (3PAO) and made available to BIS. 3PAOs must be accredited and recognized by the FedRAMP Program Management Office, and have successfully completed the certification of a FedRAMP-high Cloud Service Provider;

c. The VEU must have procedures in place to address and prevent seizure of chips;

d. The VEU must put in place software and hardware mechanisms to detect and defeat tampering, such as illicit modification;

e. Plans for the secure operation of data centers supporting a VEU shall be implemented in accordance with a security management defense-in-depth framework that includes a review of the following factors:

i. Threat analysis. Assess the capabilities, intentions, and opportunity of an adversary to exploit or damage assets or information.

ii. Vulnerability analysis. Assess the inherent susceptibility to attack of a procedure, facility, information system, equipment, or policy.

iii. Probability analysis. Assess the probability of an adverse action, incident, or attack occurring.

iv. Consequence analysis. Assess the consequences of such an action (expressed as a measure of loss, such as cost in dollars, resources, programmatic effect/mission impact, etc.)

f. The following physical and technical security requirements are required for all VEU data centers:

i. Compliance with Department of Defense Unified Facilities Criteria 4-010-05, Sections 3-4.4.1, 3-4.6.10, and 3-4.17.3;

ii. No windows permitted in server core areas; and

iii. 24/7/365 roving guard patrol or Perimeter Intrusion Detection System (PIDS) with a 15-minute response time;

Software and Network Security

15. AI-Specific Cybersecurity. The VEU will establish and bear responsibility for the following additional practices for AI security:

a. Ensure compliance with all best practices in the NSA cybersecurity information sheet “Deploying AI Systems Securely,” and the recommended actions for every CISA CPG 1.0 goal cross-referenced therein.

b. Establish accountability for usage; generate logs and other records of usage, to include logging and monitoring usage of third-party APIs and fine-tuning mechanisms;

c. Comply with the following requirements on model weights specified in ECCN 4E091, in addition to complying with the best practices listed in (a):

i. Model weights must be stored on dedicated devices not used by, or hosting the data of, other organizations.

ii. Every interface by which model weights can be accessed, directly or indirectly, must be reviewed to determine the appropriate output rate of information necessary for its legitimate functionality. The output rate must be monitored, and rate limitations must be implemented to ensure the output rate is unable to exceed the rate established for the interface's legitimate functionality.

iii. Every interface, for which the established output rate is such that the model weights may be extracted in six months or less, must provide access only through a narrow, well-defined API, such as for inference or fine-tuning. The API must be thoroughly reviewed and secured to prevent model extraction attacks.
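
A sketch of the output-rate review and enforcement that paragraphs 15.c.ii and 15.c.iii describe, added here as an illustration; it is not part of the regulation or of any BIS guidance. It assumes "six months" means 183 days and that every output byte is counted as potential weight information (a conservative bound); the interface names, rates and weight size are constructed.

```python
from dataclasses import dataclass, field

SIX_MONTHS_S = 183 * 24 * 3600  # assumption: "six months" taken as 183 days


def seconds_to_extract(weights_bytes: int, rate_bytes_per_s: float) -> float:
    """Time for an interface at its established rate to emit as many bytes as the weights."""
    return float("inf") if rate_bytes_per_s <= 0 else weights_bytes / rate_bytes_per_s


def needs_narrow_api(weights_bytes: int, rate_bytes_per_s: float) -> bool:
    """15.c.iii test: extractable in six months or less at the established rate."""
    return seconds_to_extract(weights_bytes, rate_bytes_per_s) <= SIX_MONTHS_S


def review(interfaces: dict, weights_bytes: int) -> dict:
    """Per-interface review record: days to extract and whether 15.c.iii applies."""
    return {
        name: {
            "days_to_extract": seconds_to_extract(weights_bytes, rate) / 86400,
            "narrow_api_required": needs_narrow_api(weights_bytes, rate),
        }
        for name, rate in interfaces.items()
    }


@dataclass
class OutputRateLimiter:
    """Byte token bucket: refills at the established rate, capped at burst_bytes."""
    rate_bytes_per_s: float
    burst_bytes: float
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)
    sent: int = field(init=False, default=0)    # monitored: bytes actually released
    denied: int = field(init=False, default=0)  # monitored: responses refused

    def __post_init__(self):
        self.tokens = self.burst_bytes

    def allow(self, nbytes: int, now: float) -> bool:
        """Call before releasing a response; pass time.monotonic() as `now` in service code."""
        self.tokens = min(self.burst_bytes,
                          self.tokens + max(0.0, now - self.last) * self.rate_bytes_per_s)
        self.last = now
        if nbytes > self.tokens:
            self.denied += 1  # a rising count is the signal to alert on
            return False
        self.tokens -= nbytes
        self.sent += nbytes
        return True

    def max_output(self, window_s: float) -> float:
        """Hard upper bound on bytes released in any window of window_s seconds."""
        return self.burst_bytes + self.rate_bytes_per_s * window_s


# Constructed sample inventory: established output rates in bytes per second.
WEIGHTS_BYTES = 1_000_000_000_000  # constructed: 1 TB of weights
INTERFACES = {"inference-api": 200_000.0, "admin-metrics": 500.0,
              "finetune-export": 50_000_000.0}
```
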

Supply Chain Security

16. Transit Security. The VEU must work with the chip provider to develop, implement, and maintain a shipment security plan, to include working with validated shipping providers, establishing a positive chain of custody, employing anti-theft and anti-tampering measures, conducting inspection/inventory upon receipt, and reporting any theft, loss, or tampering incidents to BIS within 30 days. The VEU will bear responsibility for tracking and security of chips and other items subject to export control while in transit and shall report any anomalies to BIS, as outlined in Section 11.

17. Sanitization and Disposal Procedures. The VEU must incorporate appropriate end-of-life procedures for chip sanitization and disposal that are verifiable and that ensure such chips do not enable prohibited activities, including by exceeding relevant caps.

Personnel Security

18. Personnel Security Standards and Practices. In addition to the personnel security requirements in Section 13, the VEU must follow the below practices:

a. The VEU must develop a plan to implement a personnel vetting model covering all individuals granted access to the VEU data center facility or corresponding systems.

b. Personnel granted unescorted access to the VEU data center must be vetted under the following categories:

i. Individuals specifically named on the U.S. Department of Treasury, Office of Foreign Assets Control (OFAC) Specially Designated Nationals List (SDN) or other OFAC sanctions lists; and

ii. Individuals with employment history by a government, intelligence service, or military based in Macau or a destination specified in Country Group D:5, or with any parties on the EAR's Entity List or OFAC's SDN, Blocked Persons List, or other sanctions lists should be excluded from consideration. Individuals with employment history with entities headquartered in Macau or a destination specified in Country Group D:5 require additional vetting of their continuing ties, relationships, obligations, or other factors that could incentivize them to act on behalf of an entity headquartered in Macau or a destination specified in Country Group D:5.

c. The VEU must establish and maintain a comprehensive program for detecting, assessing, disclosing, and managing insider threats, in accordance with the Cybersecurity and Infrastructure Security Agency Insider Threat Mitigation Guide, with particular consideration for insider threats that could enable access or prohibited uses by individuals or any other entities.

Adherence to This Agreement

19. Enforcement. Failure to adhere to this agreement may result in the revocation of VEU status on a national or global basis, denial of chip allocations or export licenses, as well as other penalties as appropriate under U.S. laws and regulations.

Exemption for Intentional Publication

None of the provisions of this document shall be interpreted as to apply to or prevent intentional publication of model weights, data, or code.

[90 FR 4565, Jan. 15, 2025]