Export Controls and AI: What Enterprises Need to Know About ECCN 3A090

The US Bureau of Industry and Security (BIS) regulates the export of dual-use technologies, including advanced semiconductor chips and AI accelerators, through the Export Administration Regulations (EAR). Since October 2022, BIS has progressively tightened controls on the export of high-performance computing chips to certain destinations, with a particular focus on preventing the diversion of AI-capable hardware to entities of concern. The regulatory framework operates through a classification system: every controlled item is assigned an Export Control Classification Number (ECCN), and exports are evaluated against the Commerce Control List (CCL), the Entity List, and destination-specific restrictions. For AI accelerators, the relevant ECCNs are 3A090 (for chips exceeding certain performance thresholds) and 4A003.z (for complete computer systems containing controlled chips). For enterprises seeking to use GPU cloud services, understanding these controls is essential. Even cloud-based access to controlled hardware can trigger export control obligations, particularly when the end-user or end-use involves restricted activities or destinations. A compliant GPU cloud provider must have robust processes in place to screen customers, verify end-use, and maintain auditable records of all transactions.

ECCN 3A090 applies to integrated circuits that exceed specified performance thresholds for AI training and inference. The current thresholds, as amended in the October 2023 and subsequent rules, capture chips with total processing performance (TPP) above 4800 TOPS (INT8 equivalent) or performance density above 5.92 TOPS/mm2. NVIDIA's H100, A100, and the Rubin R100 all fall within this classification. ECCN 4A003.z covers complete computer systems, assemblies, and electronic equipment containing chips classified under 3A090. This means that an NVL72 rack — which contains 72 R100 GPUs — is classified as a 4A003.z item. The classification triggers specific licensing requirements depending on the destination country, end-user, and end-use of the equipment. Importantly, Kazakhstan is not on the US embargo or restricted-destination lists (Country Groups D:1, D:4, or D:5). This means that exports of 3A090/4A003.z items to Kazakhstan are permissible under a standard license exception or general authorization, provided the end-user is not on the Entity List and the end-use is not related to weapons of mass destruction, military-intelligence applications, or other prohibited activities.

For the import of controlled GPU hardware, Qube Compute is required to provide End-User Certificates (EUCs) to the exporter (typically NVIDIA's authorized distribution partner). The EUC is a legally binding document that specifies the identity of the end-user, the intended end-use of the hardware, the physical location where the equipment will be installed, and a commitment not to re-export or divert the hardware without proper authorization. The EUC process involves coordination between multiple parties: Qube Compute as the consignee and end-user, the authorized distributor as the exporter, and BIS as the regulatory authority. NVIDIA's compliance team also conducts independent due diligence on end-users before authorizing shipments through their distribution channel. This multi-layered process ensures that controlled hardware reaches only verified, legitimate users. Qube Compute maintains a dedicated compliance function that manages the EUC process, liaises with NVIDIA's compliance team, and ensures that all documentation is current and accurate. Our facility in SEZ Alatau has been inspected and approved as a compliant installation site, with physical security measures including 24/7 surveillance, biometric access controls, and hardware asset tracking systems that meet BIS requirements for controlled items.

Beyond export control compliance, Qube Compute implements rigorous Know Your Customer (KYC) and Anti-Money Laundering (AML) processes for all cloud customers. Every customer undergoes identity verification, beneficial ownership screening, and sanctions checking before being granted access to GPU compute resources. This is not only a regulatory requirement but also a condition of our agreements with NVIDIA and our investors. Our KYC process follows a risk-based approach. Low-risk customers (established enterprises in non-restricted jurisdictions) undergo standard screening, which includes identity verification, sanctions list checking, and adverse media screening. High-risk customers (those in higher-risk jurisdictions, politically exposed persons, or customers requesting unusually large compute allocations) undergo enhanced due diligence, including source-of-funds verification and on-site visits where appropriate. All KYC and AML screening is documented and retained for a minimum of five years, in accordance with both AIFC regulations and international best practices. Ongoing monitoring ensures that any changes in a customer's risk profile — such as a sanctions listing or adverse media report — are detected and acted upon promptly.

Qube Compute's compliance framework is designed to be comprehensive yet operationally efficient, so that legitimate customers experience minimal friction while robust controls prevent misuse. The framework operates on three pillars: customer screening, usage monitoring, and regulatory reporting. Customer screening occurs at onboarding and is refreshed periodically. We screen all customers and their beneficial owners against global sanctions lists (OFAC SDN, EU Consolidated List, UN Security Council), the BIS Entity List, and adverse media databases. Customers in sensitive industries (defense, nuclear, advanced manufacturing) undergo additional scrutiny to verify that their intended use of GPU compute is consistent with permitted activities. Usage monitoring leverages our Kubernetes-based orchestration platform to track compute consumption patterns and flag anomalies. For example, a customer whose stated use case is natural language processing but whose actual workload signatures resemble molecular dynamics simulation would trigger a review. This technical monitoring layer complements the financial and legal compliance checks, providing defense-in-depth against both deliberate misuse and inadvertent violations.

To automate and scale our compliance operations, Qube Compute has integrated ComplyAdvantage's AI-powered risk intelligence platform into our customer onboarding and monitoring workflows. ComplyAdvantage provides real-time screening against a continuously updated database of sanctions lists, PEP (Politically Exposed Person) databases, adverse media sources, and enforcement actions. The integration works as follows: when a new customer submits their onboarding application through our portal, the customer data is automatically transmitted to ComplyAdvantage's API for screening. Results are returned in real-time, with matches flagged for human review by our compliance team. For existing customers, ComplyAdvantage's ongoing monitoring service continuously scans for new risk indicators and alerts our team to any changes that require action. This automated approach enables Qube Compute to process customer applications in hours rather than days, while maintaining a higher detection rate than manual screening processes. The integration also provides a complete audit trail of all screening decisions, which is essential for regulatory examinations and investor due diligence.