Export of cryptographic items
Exemptions from strategic export controls as detailed in the cryptographic note of the EU Dual-Use List.
The UK, like other countries worldwide, controls the export of cryptography in the interests of national security.
Cryptographic items subject to export controls are listed in Category 5 Part 2 of the European Union (EU) Dual-Use List. The list forms part of the UK Strategic Export Control Lists - the consolidated list of strategic military and dual-use items.
If cryptographic items, including components, are included on this list, then they will need an export licence, unless they fall under an exemption.
All licence applications should made using SPIRE, the Export Control Organisation’s export licensing database.
Details of what cryptography is exempt from export licensing requirements are outlined in the cryptographic note (CN) found under Category 5 Part 2 of the list. The CN is intended to decontrol cryptographic items sold to the general public for home, office or business use.
Conditions of the cryptographic note
The CN reads as follows:
5.A.2 and 5.D.2 do not control items that meet the following 4 conditions:
- the item is generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of over-the-counter transactions, mail order transactions, electronic transactions or telephone order transactions
- the cryptographic functionality cannot easily be changed by the user
- the item is designed for installation by the user without further substantial support by the supplier
- when necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in the three points above
All 4 conditions have to be met for the decontrol to apply
The fact that an item is marketed over the internet - eg business-to-business - does not in itself mean that it qualifies for decontrol. For example, cryptographic software and hardware products used to provide high-end backbone infrastructure services - such as high-capacity backbone routers - do not qualify as these items would normally require substantial support by the supplier.
Interpretation of the cryptographic note
The following interpretation is applied to the main phrases found in the CN:
‘Retail selling points’ are places where cryptographic items are readily available - eg high street and warehouse shops which facilitate over-the-counter sales, or companies which make sales via mail order, telephone, fax or internet transaction. Purchases from such companies are made by reference to a mail order catalogue, magazine or newspaper advertisement, website, etc - media which are generally available in their own right.
‘Without restriction’ means that a buyer may acquire a product by paying a standard fee to the seller. ‘Restriction’ in this context means either that some persons are excluded from being allowed to buy, or that they are subject to conditions or limitations at the time of purchase, other than those normally arising from copyright - eg conditions imposed in a software licence. Other examples of forms of ‘restriction’ include a requirement to be an EU member state resident before purchase can be authorised, or a requirement for the purchaser to undertake that the goods will not be re-sold or given to any person or company from or in a particular country, or that installation must be undertaken only by authorised engineers.
‘The cryptographic functionality cannot easily be changed by the user’ means that the manufacturer has taken reasonable steps to ensure that the cryptographic functionality in the product can only be used according to their specification.
‘Installation by the user without further substantial support’ - most mass-market products meet this requirement. ‘Substantial support’ does not include purely nominal installation support, such as provision of a telephone or an email helpline to resolve user problems.
When necessary, details of the items must be accessible and provided, on request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in the first 3 conditions of the CN.
Keeping records of cryptographic items
As an exporter, you need to keep records of those cryptographic items decontrolled by the CN that are in your possession, or that you can reasonably be expected to obtain, recognising that you may not be the manufacturer or originator of the item. Requirements based upon Schedule 4 Part II of the Export Control Order 2008 include:
- a general description of the item, such as might be contained in a product brochure
- descriptions of all relevant encryption algorithms and key management schemes, and descriptions of how they are used by the item (eg which algorithm is used for authentication, which for confidentiality and which for key exchange), and details (eg source code) of how they are implemented (eg how keys are generated and distributed, how key length is governed and how the algorithm and keys are called by the software)
- details of any measures taken to preclude user modification of the encryption algorithm, key management scheme or key length
- details of pre- or post-processing of data, such as compression of plain text or packetisation of encrypted data
- details of programming interfaces that can be used to gain access to the cryptographic functionality of the item
- a list of any standards or protocols to which the item adheres
You should also keep any installation instructions accompanying the cryptographic item.
BIS ECO Helpline
020 7215 4594 or email: firstname.lastname@example.org
Published: 15 August 2012
Updated: 12 December 2012
- Amended broken links, added related guides and updated summary description
- First published.
Related guides: Compliance and enforcement of export controls UK Strategic Export Control Lists Do I need an export licence? Controls on dual-use goods Assessment of export licence applications: criteria and policy