Export and import of crypto technology

What needs to be considered?

Crypto technology is not only used to ensure the confidentiality of information through encryption. It is also critical for proving the integrity of information. In the wrong hands, however, cryptographic processes can create significant dangers. For this reason, crypto technology is one of the dual-use goods that can serve both civilian and military purposes. Export and import are regulated worldwide.

Crypto technology in export control

Anyone who exports products that include cryptographic processes is an exporter and must comply with the export laws of the countries from which the product is to be exported. In some cases, this even applies to re-exports. In Germany and the EU, exporters must comply with, among other things, the Foreign Trade and Payments Act and the Foreign Trade and Payments Ordinance, as well as the EU Dual-Use Regulation, each of which contains specific prohibitions and licensing requirements for the export of armaments and dual-use goods. Anyone exporting crypto technology must check before exporting whether an export ban or a license reservation applies. This is not an easy task for companies due to the large number of cryptographic processes, the speed of technical developments and the high degree of complexity of export control law. That said, under European and US export control law, exceptions apply to generally available technologies, which include open source software in particular if it can be freely accessed on the Internet.

Import control – a new trend?

To an increasing extent, cryptographic procedures are also subject to import restrictions, which may result in particular from the prohibition or restriction of encrypted communication. The People’s Republic of China, for example, has a comprehensive set of import control regulations that impose differentiated requirements on different types of crypto technology. The State Council of China provides, among other things, import license lists for commercial products, which companies should take into account.

Practical implementation – white or black list?

In the subsequent practical implementation of the legal requirements for the export and import of crypto technology, we often encounter the question of suitable measures, such as white or black lists. However, given the large number of cryptographic processes that companies can use and their ongoing development, it is generally not practical to make a conclusive assessment of the export and import of individual cryptographic processes. In our experience, a directive on the use of cryptographic methods that gives product development a preliminary export review and, in problematic cases, allows case-by-case consideration is often a better approach. In addition, a dynamic blacklist that is continuously developed on the basis of individual case studies can be used.

An issue for suppliers as well?

Even though the export and import regulations impose obligations directly only on exporters and importers of crypto technology, in practice we are increasingly seeing that suppliers are obliged via contractual agreements to undertake export controls and to provide the information required for this purpose. Not least because of the high degree of complexity of software supply chains, suppliers using third-party crypto technology are therefore advised to compile a list of all software components used and any associated export restrictions. At the same time, this enables companies to meet the requirements of the planned Cyber Resilience Act, increasing cyber security in the supply chain.
