Guest

EU Dual-Use Export Regulations and Encryption - Global Export Trade

EU Dual-Use Export Regulations and Encryption

Introduction

Among the 28 member states of the European Union (EU), the circulation of goods and people has been free since 1993. However, to respect the international commitments of the EU and its members and to avoid the proliferation of nuclear, chemical, biological, and ballistic arms, the export of dual-use items is still subject to control. It is mainly carried out on the basis of European regulation.

On May 5th, 2009, the Council of the European Union passed the revision of Regulation 1334/2000 setting up a Community regime for the control of exports of dual use items and technologies. This regulation is replaced by the EC Regulation No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items. It entered into force August 27th, 2009.
The EC Council Regulation No 428/2009 has been updated on December 30, 2014 by the Council Regulation (EC) No 388/2012.

The regulation:

  • Defines (in Article 2) what is meant by "dual-use items" (which include software and technology), "export", "exporter", "export declaration", "broker" and "brokering services", "transit" the "Community General Export Authorization" and other types of export authorization that can be granted at national level;
  • Describes the scope of the Regulation:
    In addition to the dual-use items listed in Annex I to the regulation, Article 4, known as the "catch-all clause" requires authorization for exports of any items which are or may be intended for use in connection with weapons of mass destruction, as well as conventional arms if these are to be exported to destinations under an arms embargo;
  • Creates a Community General Export Authorization (Article 9(1) and Annex II) for all but the most sensitive listed dual-use items for seven "like-minded" third countries;
  • For all other exports for which an authorization is required under the Regulation, leaves to the national authorities the final decision as to whether to grant a national, global or individual export license (Article 9(2)).

1. Links to the Regulations

2. Cisco Licenses

Netherlands

In the Netherlands, the Ministry of Foreign Affairs is in charge of export compliance.
All Cisco dual-use items 5A002 and 5D002 exported from the European Union by Cisco Systems International BV need an export license from the Ministry of Foreign Affairs.
Cisco Systems International BV holds several Global Licences (bulk licenses) which cover the export or transfer of products, software and/or technology to multiple countries of destination. The condition of the Cisco BV Licenses is the End User Statement which must be provided by the end-customer prior to ship the controlled item outside of EU. Dutch (Netherlands) export regulation: http://www.government.nl/issues/export-controls-of-strategic-goods

United Kingdom

In the UK, the Export Control Organization, under the Department for Business Innovation and Skills (BIS), is in charge of export compliance.


All Cisco dual-use items 5A002, 5D002 and 5E002 exported from the European Union by Cisco International Limited UK need an export license from UK BIS.

Cisco International Limited (CIL) UK holds several Open Individual Export Licenses (bulk licenses) which cover the export or transfer of products, software and/or technology to multiple countries of destination. The condition of CIL UK Licenses is the UK Consignee Undertaking which must be provided by the Ship to Party prior to ship the controlled item outside of EU. UK export regulation: http://www.bis.gov.uk/ http://www.businesslink.gov.uk/bdotg/action/detail?type=RESOURCES&itemId=1084461094 http://www.legislation.gov.uk/uksi/2008/3231/contents/made


3. Encryption

Cisco products containing encryption – enabled features are classified 5A002a1 and 5D002c1.

The European Union has Common dual-use goods list (including encryption items in Category 5) defined by EC Regulation No 428/2009.
Each member State may have additional regulations concerning the import, supply, use or export of encryption items.

France

In France, dual use items for cryptology products are subject to obtaining a specific export authorization issued by the French Network and Information Security Agency (FNISA), in French “Agence Nationale de la Sécurité des Systèmes d’Information” (ANSSI).
The ANSSI determines the classification of each product. Exporters of cryptology products must obtain an authorization from ANSSI prior to export.
Cisco does not export encryption items from France but obtains these authorizations for our partners.
As per article 30-I from the law number 2004-575 dated 21 June 2004 on confidence in the digital economy; the use of encryption items in France is free. The supply, import and export are subject either to declaration or authorization. List of ANSSI Declarations and Authorizations for Cisco products you can see in this website: http://www.cisco.com/web/about/doing_business/legal/global_export_trade/docs/French_ANSSI.xls

French National Regulation :

  1. Law number 2004-575 dated 21 June 2004 on confidence in the digital economy.
  2. Decree number 2007-663 dated 2 Mai 2007 on application of art. 30, 31 and 36 of the Law number 2004-575 dated 21 June 2004 on confidence in the digital economy.
  3. Decree number 2001-1192 dated 13 December 2001 on export, import and transfer controls of dual-use items and technologies, modified by Decree number 2010-292 dated 18 March 2010.
  4. Ordinance dated 13 December 2001 on controls of dual-use items and technologies exports to non member States and the transfer to the Member States of the European Union, modified by Ordinance dated 18 March 2010.
  5. Ordinance dated 13 December 2001 on issuance of an international import certificate and a certificate of delivery verification for import of dual-use items and technologies, modified by Ordinance dated 18 March 2010.
Cisco ANSSI product questions? Email: ilcrypto@cisco.com ilcrypto@cisco.com
  • Overview of the French Regulations Use, Transfer from an EU Member States Import and Supply of encryption in France.
Encryption item (Annex 1 of Decree 2007-663)
Use
Import & Transfer from EU Member State
Supply
Hand carry for personal use (cat. 8)
Hand carry for demonstration (cat. 12).
Free
Free
N/A
Authentication or integrity control   (cat. 1 to 7; 9 & 10; 11).
Free
Free
Free
Not covered by any of the categories above.
Free
Declaration
Declaration
  • Overview of the French Regulations Export, Transfer from France of encryption item.
Encryption item   
(See Annexes of Decree 2007-663)
Transfer to EU  Member  States
Export to 1 of the 7 countries  (Australia, Canada, Japan, New Zealand, Norway, Switzerland and USA)
Export to other countries
Item performing only authentication or integrity control (cat. 1 to 7; 8; 13 of annex)
Free
Free
Free

Mass Market (cat. 3 of annex 2)

Declaration
Declaration
Declaration

Using encryption key of large size (cat. 1 of annex 2)

Declaration
Declaration CGEA (Community General Export Authorisation) License
Authorization Individual or Global Export License

  Crypto analytic items

Authorization
Individual or Global Export License
Authorization
Individual or Global Export License
Authorization Individual or Global Export License


Russia

In the Russian Federation, the importation of dual-use items with functional encryption capacity is subject to the Russian encryption regulations (APPENDIX No. 9 to the Resolution of the Board of the Eurasian Economic Commission No. 30, dated April 21, 2015). Depending on each product’s level of encryption, there are three types of Russian encryption filings upon import of cryptographic items into Russia:

  1. Notifications to the FSB,
  2. FSB import permits, and
  3. Minpromtorg (Ministry of Industry and Trade) import licenses.

If you have questions pertaining to the import into Russia of dual-use items with functional encryption capacity, please reach out to il-crypto@cisco.com.


Israel

In Israel, both the exportation and importation of items with functional encryption capacity is subject to national regulations. Israel regulates use of encryption items through the Order Governing the Control of Commodities and Services (Engagement in Encryption Items) from 1974.

Cisco is responsible for obtaining all required export and import licenses when a Cisco entity is the Exporter or Importer of Record. Although Cisco International Israel Limited is the owner of the licenses, other Israeli Cisco (owned) entities are permitted to use the licenses issued to Cisco International Israel Limited.

IMoD encryption licenses are valid for specific products. Products with an encryption strength of 128-bit are controlled under the IMOD encryption regulations. If the encryption strength is below 128-bit, then the product is not controlled under IMOD encryption regulations.

IMoD offers two types of encryption licenses:
  1. ‘Free Means’ encryption licenses – these are general encryption licenses which formally decontrol a product family. Products with ‘Free Means’ encryption licenses in place are permitted to be imported/exported freely by anyone in Israel (including Palestine Territory).
  2. ‘Restricted’ encryption licenses – these authorize the import, sale, and distribution of a controlled product family in Israel (excluding Palestine Territory). Only Cisco (owned) entities are permitted to use the restricted licenses held by Cisco International Limited.
Please refer to the following government website for more information about encryption controls in Israel: http://www.mod.gov.il/English/Encryption_Controls/Pages/default.aspx.

If you have questions pertaining to the export from or import into Israel of dual-use items with functional encryption capacity, please reach out to il-crypto@cisco.com.