The Brief:
The U.S. House passed H.R. 2683, the Remote Access Security Act, on January 12, 2026, by a 369–22 vote, marking the first legislative effort to bring cloud computing access under U.S. export controls. The bill amends the Export Control Reform Act of 2018 to give the Bureau of Industry and Security authority to regulate, license, and penalize foreign remote access to controlled U.S. technology — including AI-class GPUs and advanced semiconductors — closing a two-decade regulatory gap that allowed adversaries such as China to rent compute capacity through offshore data centers without triggering export restrictions. Now pending before the Senate Banking, Housing, and Urban Affairs Committee, the legislation would impose significant compliance burdens on hyperscale cloud providers and data center operators while carrying projected private-sector costs exceeding $206 million annually, according to the Congressional Budget Office.
The U.S. House of Representatives passed H.R. 2683, the Remote Access Security Act (RASA), on January 12, 2026, by a 369–22 margin — extending federal export controls to cloud computing for the first time in the nation’s history. The bill amends the Export Control Reform Act of 2018 to authorize BIS to regulate, license, and penalize foreign remote access to controlled U.S. technology, including AI-class GPUs and advanced semiconductors.
The Statutory Gap
The Export Administration Regulations definition of “export” was designed for a world of physical shipments and on-premise equipment — not one in which a foreign customer can rent time on controlled chips hosted in an offshore data center and access them over a network. Chinese firms exploited that gap extensively: INF Tech rented 2,300 Blackwell GPUs through an Indonesian data center, while Tencent secured $1.2 billion in contracts for 15,000 Blackwell processors via Japanese provider Datasection — both arrangements circumventing direct chip export restrictions without violating existing law.
What the Bill Does
RASA defines remote access as access by a foreign person to a U.S.-jurisdiction item through a network connection, including the internet or a cloud computing service, from a location other than where the hardware is physically located. The bill expands BIS authority to cover SaaS and IaaS environments providing functional access to controlled technology and authorizes licensing requirements and civil penalties for violations.
Compliance and Financial Impact
The policy implications extend beyond hardware manufacturers to cloud service providers, data center operators, and technology platforms offering remote computing capabilities. The Congressional Budget Office determined that compliance costs and revenue losses would exceed the UMRA private-sector mandate threshold of $206 million annually. Hyperscalers including AWS, Google Cloud, Microsoft Azure, Oracle Cloud, and Meta have built their foreign AI compute revenue lines on two decades of regulatory precedent treating cloud access as a non-export — a foundational assumption RASA would dismantle. Industry stakeholders warn the legislation could push foreign customers toward non-U.S. cloud ecosystems.
Legislative Pathway
An earlier version of the bill passed the House in September 2024 but stalled in the Senate. Rep. Mike Lawler (R-N.Y.) reintroduced it in April 2025; the House Foreign Affairs Committee approved it 51–0 before the full chamber passed it 369–22 in January 2026. A companion measure, S. 3519, carried bipartisan Senate support from Senators McCormick, Wyden, Cotton, and Coons. The bill now awaits action in the Senate Banking, Housing, and Urban Affairs Committee. Export-control specialists expect the legislation to shape future BIS rulemaking regardless of its ultimate fate in the Senate.
References
- U.S. Congress. H.R. 2683 — Remote Access Security Act, 119th Congress. Congress.gov. https://www.congress.gov/bill/119th-congress/house-bill/2683
- GovTrack.us. H.R. 2683 — Remote Access Security Act (Passed the House version). https://www.govtrack.us/congress/bills/119/hr2683
- Congressional Budget Office. H.R. 2683, Remote Access Security Act — Cost Estimate. April 2025. https://www.cbo.gov/publication/61369
- Latham & Watkins LLP. What the Remote Access Security Act Means for Export Controls Compliance Programs. March 20, 2026. https://www.lw.com/en/insights/what-the-remote-access-security-act-means-for-export-controls-compliance-programs
- Baker McKenzie. US House Passes Remote Access Security Act. Global Sanctions and Export Controls Blog. January 14, 2026. https://sanctionsnews.bakermckenzie.com/us-house-passes-remote-access-security-act/
- Crowell & Moring. House Passes Remote Access Security Act to Limit Adversaries’ Remote Access to Critical Technology. CM Trade Law. January 14, 2026. https://www.cmtradelaw.com/2026/01/house-passes-remote-access-security-act-to-limit-adversaries-remote-access-to-critical-technology/
- Washington Trade & Tariff Letter. Bill Extends Export Controls to Cloud. January 15, 2026. https://www.wttlonline.com/stories/untitiled,14696
- Introl. Remote Access Security Act: Cloud Loophole, Export Controls, 2026. January 23, 2026. https://introl.com/blog/remote-access-security-act-cloud-loophole-export-controls-2026
- eeNews Europe. AI Chip Export Controls: House Targets Cloud GPU Rentals. January 13, 2026. https://www.eenewseurope.com/en/ai-chip-export-controls-cloud-remote-access-security-act/
- Lexology / Mondaq. House Passes Remote Access Security Act. January 14–19, 2026.
Wyoming Data Center Facts Staff | Photo: Cisco