EU publishes ‘guidance’ on controls on Information Security items and the Cryptography Note



On 25 October 2016 the EU published its brief Guidance Note 1/2016 concerning FAQ on controls of ‘Information Security’ items and implementation of the Cryptography Note exemption.

By Gerard Kreijen and Bert Gevers, 16 November 2016

As is commonly known, ‘Information Security’ items (such as software, application specific electronic assemblies, modules, and integrated circuits) employing cryptography may be controlled under Category 5 Part 2 of Annex I to the Dual-use Regulation (Regulation (EC) 428/2009).

In recognition of the general commercial availability to the public of encryption, which has become a common functionality of information and communication technology, Note 3 to Category 5 Part 2 (the ‘Cryptography Note’) provides that the controls set out in 5A002 and 5D002 of the EU Dual Use control list do not apply to exports of goods or software that meet all of the following:

a) Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:

  1. Over-the-counter transactions;
  2. Mail order transactions;
  3. Electronic transactions; or
  4. Telephone call transactions;

b) The cryptographic function cannot easily be changed by the user;

c) Designed for installation by the user without further substantial support by the supplier; and

d) When necessary, details of the goods are accessible and will be provided, upon request, to the competent authorities of the Member State in which the exporter is established, in order to ascertain compliance with conditions described in paragraphs a. to c. above.

The EU Cryptography Note, which originates in the Wassenaar Arrangement, has unfortunately often led to discussions and uncertainties. This is due not only to the complexity of the items, but to a large extent also to the lack of guidance. The EU regulator itself did not provide any specific guidance on key concepts in the Note such as ‘without restriction’ or ‘substantial support’, and the different national regulators often adhered to conflicting interpretations of the Note.

Operators who had hoped that the EU Commission would not wait for the Recast of the Dual Use Regulation to speed up the process of harmonizing the varying interpretations of the regulation held by each Member State may be disappointed, as this guidance does not provide any clarification of the concepts embedded in the Note. Nevertheless, the Guidance Note may prove useful to many exporters, as it basically explains the obligations of the exporter, who is ultimately responsible for determining whether an item is controlled or not, and those of the competent national authorities in situations where they are called upon to assess the applicability of the Cryptography Note.

As if things were not already complicated enough, another layer of ‘cryptography complexity’ lies in the fact that export control authorities outside the EU sometimes have broader exemptions. This can lead to situations where (foreign) companies that operate in the EU wrongly assume that, because an export license for a particular item is not required in their home jurisdiction, an EU license is not required either. That could, for example, be the case for products that come under the ECCN 5A992 in the US (e.g. no license is required because the item is considered “mass market”), but for which no equivalent classification exists in the EU. Needless to say, this can easily lead to compliance gaps within a company’s trade control compliance program. In its recent Recast proposal, the EU Commission intends to ‘repair’ these gaps via the introduction of a new open license (UGEA) for encryption.

Gerard Kreijen

Gerard co-heads the Loyens & Loeff International Trade Team. He specializes in public international law, with a particular focus on sanctions and export controls, the law of foreign investment, and anti-bribery and corruption issues. With respect to sanctions and export controls he advises companies active in e-commerce, aircraft manufacturing, the defense industry, the shipping and logistics sector, software development, and the renewables sector.

Gerard is a regular speaker at international trade conferences and a guest lecturer at the University of Amsterdam and the Radboud University. He has published two treatises on international law, State, Sovereignty, and International Governance (Oxford University Press, 2002) and State Failure, Sovereignty, and Effectiveness. Legal Lessons from the Decolonization of Sub-Saharan Africa (Brill Academic Publishers - Martinus Nijhoff Publishers, 2004).

Gerard took a PhD in international law (with honours) from the University of Leiden (2003). He was educated at the University of Edinburgh (European law and legal theory) and the University of Leiden (Dutch law and public international law).
