Broadcom will use its 3.5D XDSiP packaging, Ethernet and PCIe technologies to enable FuriosaAI’s third‑generation Tensor Contraction Processor, built on a 2 nm process with dual‑layer HBM4(e) memory, in multi‑die system‑in‑package solutions for high‑volume AI inference.
Regulatory action → What it requires → Compliance timeline
Broadcom announced a new partnership with South Korean startup FuriosaAI to integrate the latter’s third‑generation Tensor Contraction Processor (TCP) into Broadcom’s advanced packaging and interconnect ecosystem. The announcement triggers several compliance obligations for both parties under existing semiconductor export controls and data‑protection statutes.
1. Export‑control compliance (EAR, ITAR)
- What it requires: Any shipment of the combined multi‑die system‑in‑package (SiP) that incorporates the 2 nm TCP, dual‑layer HBM4(e) memory, or Broadcom’s Tomahawk 6 (TH6) Ethernet switch must be classified under the U.S. Export Administration Regulations (EAR) Part 5, Category 3 (Semiconductors). If the product is destined for a foreign entity that appears on the Entity List, an export license is mandatory.
- Timeline: Classification must be completed within 30 days of the first prototype shipment. License applications should be submitted no later than 45 days before the planned export date to avoid delays.
2. Data‑protection obligations (GDPR, PDPA, CCPA)
- What it requires: The SiP will handle large volumes of model inference data, often containing personal information. Broadcom and FuriosaAI must implement technical and organizational measures that satisfy GDPR Art. 32 (security of processing) and similar provisions in the Korean Personal Information Protection Act (PIPA) and California Consumer Privacy Act (CCPA). This includes:
- End‑to‑end encryption of data in transit between the HBM stacks and the host system.
- Secure key management using hardware‑rooted keys stored in Broadcom’s secure enclave.
- Regular privacy impact assessments (PIAs) for each deployment scenario.
- Timeline: PIAs must be documented before the first commercial deployment, and a compliance audit report must be filed with the relevant data‑protection authority within 90 days of product launch.
3. Reporting and record‑keeping
- What it requires: Both companies must retain export‑control classification records, licensing decisions, and privacy‑impact documentation for a minimum of 5 years. Records must be made available to the U.S. Department of Commerce, the European Data Protection Board, or other competent authorities upon request.
- Timeline: Record‑keeping systems must be operational immediately upon signing the partnership agreement, with the first audit scheduled 6 months after the initial shipment.
4. Industry‑specific standards (PCI‑S, IEC 62443)
- What it requires: The integrated solution will be used in data‑center environments that often require compliance with the PCI Security Standards Council (PCI‑SSC) and IEC 62443 for industrial automation security. The SiP must undergo a security validation that includes:
- Threat modeling of the inter‑chiplet communication pathways.
- Penetration testing of the Ethernet and PCIe interfaces.
- Verification of firmware signing and secure boot processes.
- Timeline: Validation must be completed before the product receives its first sales order, with a re‑certification cycle every 12 months.
Why this partnership matters for compliance teams
The collaboration illustrates how custom AI silicon is increasingly built from modular chiplets rather than monolithic dies. While this approach reduces design risk, it multiplies the number of regulatory touch‑points:
- Each chiplet may fall under a different export‑control classification.
- Data flowing between chiplets can cross jurisdictional boundaries, invoking multiple privacy regimes.
- The use of high‑radix Ethernet switches (e.g., TH6) introduces network‑security requirements that were previously limited to traditional data‑center fabrics.
Compliance officers should therefore update their technology‑risk registers to reflect the added complexity of multi‑die AI accelerators. A practical first step is to map each component (TCP, HBM4(e), TH6, PCIe PHY) to its applicable regulatory regime and assign ownership for ongoing monitoring.
Next steps for vendors and integrators
- Conduct a joint export‑control classification with Broadcom’s legal team and FuriosaAI’s export‑compliance group.
- Initiate a privacy‑impact assessment that covers data residency, encryption, and user‑consent flows for inference workloads.
- Schedule security validation with an accredited lab familiar with IEC 62443 and PCI‑S requirements.
- Implement a continuous‑monitoring process that tracks changes in sanction lists, privacy‑law amendments, and hardware‑security advisories.
By aligning product‑development timelines with these compliance milestones, both Broadcom and FuriosaAI can avoid costly export delays, regulatory fines, and reputational damage while delivering a competitive AI inference solution to the market.
Related resources
- Broadcom XDSiP technology overview: https://www.broadcom.com/company/news/xdsp
- FuriosaAI Tensor Contraction Processor brief: https://furiosa.ai/tcp
- U.S. EAR classification guide: https://www.bis.doc.gov/index.php/regulations/ear
- GDPR article 32 guidance: https://gdpr.eu/article-32-security-of-processing/
Comments
Please log in or register to join the discussion