The IRAN Act designates the Secretary of State as the lead U.S. official for promoting internet freedom and coordinating federal activities to expand access to information in Iran. It amends the Iran Threat Reduction and Syria Human Rights Act’s strategy requirement to add explicit evaluation of VPNs, direct‑to‑cell (DTC) satellite technologies, eSIMs, and plans to circumvent nationwide internet blackouts while directing Treasury and Commerce to reduce sanctions‑related barriers to civilian access.
The bill also places a licensing condition on U.S. satellite and DTC operators by directing the FCC to require new licensees to refrain from intentionally disabling, degrading, or geo‑blocking coverage over Iran except in narrowly defined cases. Complementary provisions fund State Department cybersecurity training and tools for Iranian civil society, require multi‑year reporting and GAO evaluation, and contain saving clauses preserving sanctions and export‑control authority.
The result: clearer U.S. policy support for circumvention technologies, paired with fresh regulatory and compliance obligations for industry and agencies.
At a Glance
What It Does
Designates the Secretary of State as the principal coordinator for U.S. internet‑freedom activities targeting Iran and mandates specific updates to the existing Iran internet‑freedom strategy. It directs the FCC to attach a non‑exclusion condition to licenses issued after enactment prohibiting intentional disabling or geo‑blocking of satellite/DTC coverage over Iran, with limited exceptions, and requires State to push opposing measures at the ITU.
Who It Affects
U.S. licensed satellite and direct‑to‑cell (DTC) operators, FCC license applicants and enforcement staff, the Departments of State, Treasury, and Commerce, VPN/eSIM vendors that serve circumvention markets, and Iranian journalists, activists, and civil‑society actors who would receive training and tools.
Why It Matters
The bill shifts responsibility for Iran internet‑freedom policy to State, creates a novel FCC licensing obligation that can create cross‑cutting compliance tensions with sanctions and export controls, and injects modest targeted funding for digital‑safety programs — a combination that will change how operators, regulators, and vendors assess legal risk in serving Iranian users.
More articles like this one.
A weekly email with all the latest developments on this topic.
What This Bill Actually Does
The IRAN Act reorganizes how the U.S. government approaches internet access in Iran by making the Secretary of State the central official charged with promoting open access and coordinating interagency efforts. It requires a near‑term review and update of the existing statutory strategy for Iran (codified at 22 U.S.C. 8754), and it builds new, operational focus into that strategy: examining VPNs, eSIMs, and DTC satellites, coordinating with Treasury and Commerce to limit sanctions‑related barriers for civilian users, and developing tactics to circumvent regime‑imposed blackouts.
On the regulatory side, the bill instructs the Federal Communications Commission to make a new, affirmative licensing condition for any licenses or market‑access grants issued after enactment. That condition prohibits the licensee from intentionally disabling, degrading, or geofencing satellite or DTC coverage over Iran except where required to prevent harmful interference, compelled by law or FCC order, or for short, network‑integrity measures during imminent threats.
The statute also directs diplomatic advocacy at multilateral fora (notably the ITU) to resist proposals that would institutionalize geographic exclusion of Iran.To support on‑the‑ground resilience, the State Department — through the Bureau of Democracy, Human Rights, and Labor — must stand up programs (within 180 days) to provide remote and in‑person cybersecurity training, vetted digital‑safety tools (VPNs, end‑to‑end messaging), and multilingual guidance that warns Iranians about regime‑controlled apps and phishing. The bill mandates quarterly aggregate reporting of program metrics to Congress and requires the Government Accountability Office to evaluate program effectiveness within three years.
It authorizes $15 million per year for two fiscal years to deliver these activities and leaves in place multiple saving clauses that preserve OFAC, export‑control, and presidential emergency authorities.
The Five Things You Need to Know
The bill makes the Secretary of State the single federal official with primary responsibility for promoting internet freedom in Iran and for updating and executing the strategy required under 22 U.S.C. 8754.
It amends the statutory strategy to add three new focal points: evaluating VPNs and DTC satellite use by civil society, coordinating with Treasury and Commerce to prevent sanctions from blocking civilian access, and developing plans to circumvent complete internet blackouts.
The FCC must condition any license or market‑access grant issued after enactment on a requirement that the licensee not intentionally disable, degrade, or geo‑block satellite or DTC coverage over Iran, except to comply with law, prevent harmful interference, or for limited network‑integrity responses.
The Secretary of State must oppose ITU proposals that would single out Iran for geographic exclusion and must submit an initial update to the amended strategy to congressional committees within 120 days of enactment; State must also provide annual reports for five years on advocacy and instances of operator exclusion.
The Act authorizes $15 million for each of fiscal years 2027 and 2028 to fund cybersecurity training, vetted digital‑safety tools (including VPN access), quarterly program metrics to Congress, and a GAO effectiveness evaluation due within three years.
Section-by-Section Breakdown
Every bill we cover gets an analysis of its key sections.
Secretary of State designated lead for Iran internet freedom
This subsection names the Secretary of State as the principal federal official responsible for promoting internet freedom in Iran and coordinating related federal efforts. Practically, that consolidates policy authority (and political accountability) at State rather than diffusing it across multiple agencies — which should speed decision making but also concentrates interagency friction points within one department.
Amendments to the statutory Iran internet‑freedom strategy
The bill inserts new, specific tasks into the existing statutory strategy (22 U.S.C. 8754): evaluate VPN and DTC satellite technologies, work with Treasury and Commerce to prevent sanctions from unintentionally blocking civilian access, and craft plans to circumvent complete regime blackouts. It also requires ongoing review and explicit submission of a first updated strategy to Congress in 120 days, in unclassified form with an optional classified annex, tightening timelines and adding new content priorities to the preexisting strategy.
FCC licensing condition barring intentional exclusion and ITU advocacy
This section directs the FCC to attach a condition to any license, license modification, or market‑access grant issued after enactment that prohibits intentional disabling, degrading, or geo‑blocking of satellite or DTC coverage over Iran. Exceptions are narrow: actions required by federal law, FCC orders, international coordination to prevent harmful interference, or short‑term measures to mitigate imminent threats. The provision also directs State and Commerce to oppose at the ITU any proposal forcing geographic exclusion of Iran and requires an annual five‑year report on such advocacy and any operator exclusions.
Cybersecurity training and tool provision for Iranian civil society
State (through DRL) must establish programs within 180 days to deliver remote and in‑person cybersecurity training, supply vetted open‑source or commercial digital‑safety tools (VPNs, encrypted messaging), and create multilingual educational materials warning of regime‑controlled apps and phishing. The section specifies quarterly aggregate metrics to be made available to congressional committees and mandates a GAO evaluation of program effectiveness within three years — building monitoring and accountability into implementation.
Reporting requirements on satellite/DTC coverage exclusions
State must produce an initial report within 180 days and then annual reports for five years describing diplomatic actions at the ITU and listing instances where operators intentionally excluded Iran from coverage, including the justification for each exclusion. These reports create a public oversight record and a compliance trail that committees can use to press agencies and operators.
Authorizations and availability of funds
The Act authorizes $15 million for each of fiscal years 2027 and 2028 for the State Department to carry out the cybersecurity and access programs described elsewhere in the bill; those funds remain available until expended. The authorization is targeted and modest relative to the operational challenges of distributing circumvention tools at scale.
Saving clauses and definitions
The statute includes explicit rules of construction preserving the President’s IEEPA authority, reiterates that nothing in the Act authorizes transactions prohibited by sanctions or export controls, and defines key technical terms (eSIM technology and VPN services) and the congressional committees that will receive reports. Those provisions narrow legal risk by stating intent but leave unresolved how those assurances will work in practice when compliance choices are hard.
This bill is one of many.
Codify tracks hundreds of bills on Foreign Affairs across all five countries.
Explore Foreign Affairs in Codify Search →Who Benefits and Who Bears the Cost
Every bill creates winners and losers. Here's who stands to gain and who bears the cost.
Who Benefits
- Iranian journalists and human‑rights defenders — gain access to training, vetted VPNs and encrypted messaging tools, multilingual guidance, and a U.S. policy apparatus explicitly supporting circumvention of shutdowns.
- Civil‑society organizations and diaspora groups supporting Iranians — receive clearer U.S. support, more predictable channels for digital‑safety resources, and reporting that can be leveraged for advocacy.
- Vendors of circumvention technologies (VPN providers, encrypted‑messaging apps, eSIM-enabled device services) — gain clearer political backing and a potentially expanded user base, plus reduced policy uncertainty if Treasury and Commerce act to ease sanction‑related barriers.
- U.S. diplomacy and internet‑freedom programs — benefit from centralized authority at State, which simplifies decision making, accountability, and interagency coordination for targeted Iran initiatives.
Who Bears the Cost
- U.S. licensed satellite and DTC operators — face a new affirmative compliance obligation on licenses issued after enactment and must assess, document, and justify any exclusions or mitigations, increasing legal and operational risk.
- The Federal Communications Commission — inherits enforcement and licensing tasks tied to the non‑exclusion condition, requiring rulemaking, monitoring, and potentially contested proceedings.
- Departments of Treasury and Commerce — must coordinate with State to align sanctions and export‑control enforcement with internet‑freedom goals, adding policy work and possible regulatory adjustments.
- The Department of State — must absorb program delivery, reporting, diplomatic advocacy, and coordination tasks; the authorized funding is limited, so State will need internal prioritization and trade‑offs.
- U.S. appropriations — Congress is asked to provide $30 million over two years (authorized) for implementation; actual program scale depends on appropriation decisions and interagency resource allocation.
Key Issues
The Core Tension
The central dilemma is between enabling persistent, resilient internet access for Iranian civil society (which requires actively facilitating circumvention tools and limiting operator exclusion) and maintaining robust sanctions, export‑control, and national‑security safeguards (which restrict transfer of certain technologies and create legal exposure for providers). The bill tries to advance both goals, but practical and legal frictions mean every step to increase connectivity will create compliance headaches or security trade‑offs.
The bill packs several operational trade‑offs into a short statute. First, the FCC licensing condition creates a practical enforcement question: how will the agency determine whether an exclusion or degradation is "intentional" rather than the result of technical fault, network management, or third‑party requests?
The text permits exceptions for harmful‑interference avoidance and short‑term security measures, but those carveouts will require detailed implementation guidance and potentially adjudication if operators or other states dispute the characterization.
Second, the Act attempts to thread the needle between expanding access and preserving sanctions and export controls. Multiple saving clauses reiterate that prohibited transactions remain unlawful and that the President’s IEEPA authority is unaffected, but they do not resolve how companies should sell, distribute, or remotely activate services in circumstances where Iranian end‑users are targeted.
That legal ambiguity will leave commercial vendors and nonprofit implementers dependent on Treasury and Commerce guidance, licenses, or exemptions — and could produce transaction‑by‑transaction legal risk unless agencies move quickly to clarify enforcement policy.
Finally, the programmatic elements raise questions about scale, verification, and user safety. Authorizing $15 million per year is helpful but limited relative to the scope of distributing secure tools, maintaining vetted VPN services, and countering pervasive surveillance.
Quarterly aggregate metrics and a three‑year GAO evaluation create accountability but may be insufficient to measure operational effectiveness in an adversarial environment where uptake, threat profiles, and device compromises are dynamic and often invisible to external monitors.
Try it yourself.
Ask a question in plain English, or pick a topic below. Results in seconds.