An Ownership Test Replaces a Destination Test
For most of the past decade, US semiconductor export controls asked a simple question: where is this chip physically going? On May 31, 2026, the Bureau of Industry and Security rewrote the question. In guidance clarifying the scope of the Export Administration Regulations, BIS confirmed that a license is required to export advanced computing items — the category covering Nvidia's most powerful AI accelerators — to any entity headquartered in, or whose ultimate parent company is headquartered in, Country Group D:5 (which includes China) or Macau, "even if the entities themselves are located outside" those jurisdictions. The rule traces to EAR § 742.6(a)(6)(iii)(A); BIS framed the guidance as a clarification of standing law rather than a new rule, but its practical effect on compliance teams was immediate: geography stopped being a safe harbor.
The case that made the guidance necessary was already public. Megaspeed, a Singapore-based firm that spun off from a Chinese gaming company in 2023, used its Malaysian subsidiary, Speedmatrix Sdn Bhd, to buy nearly $2 billion worth of Nvidia's most advanced chips, receiving more than 200 restricted shipments between June 2024 and June 2025. Those chips were installed in data centers in Malaysia — and in Indonesia — that appeared to remotely serve clients in China, according to reporting on the ongoing US and Singapore investigation. Bain Capital evicted Megaspeed from its Malaysian computing hub in April 2026 once the exposure became public. Indonesia never bought a chip in this story; it was simply where some of the compute ended up running.
Steelmanning the Crackdown
The case for the ownership test is genuinely strong. Destination-only controls invited exactly the workaround Megaspeed is accused of: incorporate a shell subsidiary in a jurisdiction with lighter scrutiny, buy the chips there, and let the compute serve customers back in China without a single restricted item ever touching Chinese soil. If national security policy is going to restrict Chinese access to frontier AI compute — a goal with bipartisan support in Washington and a rationale that doesn't require alleging bad faith on Nvidia's part — then a control regime that Chinese firms can defeat by filing incorporation papers in Kuala Lumpur isn't much of a control at all. Malaysia's own government reached a similar conclusion a year earlier: on July 14, 2025, its Ministry of Investment, Trade and Industry issued a directive under the Strategic Trade Act 2010 requiring a permit for any export, transshipment, or transit of high-performance AI chips of US origin — an acknowledgment, from the region itself, that unpoliced transshipment was a real problem, not a hypothetical one.
Nvidia's response on July 14, 2026 followed the same logic: the company cut its list of approved Asian buyers by more than half, replacing blanket regional access with a compliance whitelist built on data-center site visits, contract review, and end-user interviews, concentrated on Singapore, Malaysia, and Japan — the three jurisdictions most implicated in chip-diversion cases to date.
Where the Net Gets Too Wide
The problem is what "more than half" actually captures. A buyer-list purge on that scale cannot plausibly be reaching only firms with proven China-ownership links; it is sweeping in legitimate cloud operators, neo-clouds, and AI infrastructure investors who happened to be domiciled in the same three countries as Megaspeed, on the theory that geography is now a rough proxy for risk even as the underlying rule insists ownership, not geography, is what matters. That's a coherent legal position and an incoherent compliance one.
Indonesia sits furthest from any lever to fix this. Malaysia has its own Strategic Trade Act permitting regime and a government that has publicly moved to police transshipment; Singapore has an active law-enforcement investigation generating its own paper trail of due diligence. Indonesia has neither — no equivalent chip-transshipment permit system, and, in the record reviewed for this piece, no public regulatory response to being named as a destination in the Megaspeed case at all. That leaves Indonesian data-center operators in the worst possible position: guilty by association with a scheme they were not party to, without a whitelist application process, a permit regime, or even an acknowledging statement from Jakarta that would let a legitimate Indonesian AI infrastructure investor demonstrate compliance rather than simply hope Nvidia's next buyer-list cut doesn't land on them.
The Proportionate Fix
Closing the ownership loophole was the right call; BIS's May 31 guidance targets the actual mechanism of evasion rather than a symbolic gesture, and it deserves support on those terms. But proportionate enforcement means the compliance burden should track evidence of risk — ownership stakes, shipment volumes, transaction patterns — not a country's bad luck in hosting a data center that a Singapore-incorporated shell company happened to lease. Nvidia's own diligence upgrades, site visits and contract verification rather than geographic exclusion, are the right template; a wholesale halving of the approved-buyer list is a blunter instrument than the ownership rule it's meant to enforce.
Indonesia's most useful move now is not to wait. Jakarta could adopt something close to Malaysia's Strategic Trade Act permitting model, giving legitimate Indonesian data-center operators a documented compliance path and, eventually, standing to negotiate their own place on Nvidia's whitelist rather than being defined entirely by a case in which no Indonesian entity was ever the buyer.