What needs to be considered?
Crypto technology is not only used to ensure the confidentiality of information through encryption. It is also critical for proving the integrity of information. In the wrong hands, however, cryptographic processes can create significant dangers. For this reason, crypto technology is one of the dual-use goods that can serve both civilian and military purposes. Export and import are regulated worldwide.
Crypto technology in export control
Anyone who exports products that include cryptographic processes is an exporter and must comply with the export laws of the countries from which the product is to be exported. In some cases, this even applies to re-exports. In Germany and the EU, exporters must comply with, among other things, the Foreign Trade and Payments Act and the Foreign Trade and Payments Ordinance , as well as the EU Dual-Use Regulation , each of which contain specific prohibitions and licensing requirements for the export of armaments and dual-use goods. Anyone exporting crypto technology must check whether there is an export ban or license reservations before exporting. This is not an easy task for companies due to the large number of cryptographic processes, the speed of technical developments and the high degree of complexity of export control law. After all, under European and US export control law, exceptions apply to generally available technologies, which include open source software in particular if it can be freely accessed on the Internet.
Import control – a new trend?
To an increasing extent, cryptographic procedures are also subject to import restrictions, which may result in particular from the prohibition or restriction of encrypted communication. The People’s Republic of China, for example, has a comprehensive set of import control regulations that impose differentiated requirements on different types of crypto technology. The State Council of China provides, among other things, import license lists for commercial products, which companies should take into account.
Practical implementation – white or black list?
In the subsequent practical implementation of the legal requirements for the export and import of crypto technology, we often encounter the question of suitable measures, such as white or black lists. However, given the large number of cryptographic processes that companies can use and their ongoing development, it is generally not practical to make a conclusive assessment of the export and import of individual cryptographic processes. In our experience, a directive on the use of cryptographic methods that allows product development some preliminary review for export and, in problematic cases, allows case-by-case consideration is often a better approach. In addition, a dynamic blacklist that is continuously being developed on the basis of individual case studies can be used.
An issue for suppliers as well?
Even though the export and import regulations only establish obligations directly on exporters and importers of crypto technology, in practice we are increasingly seeing that suppliers are obliged to undertake export controls via contractual agreements and to provide the information required for this purpose. Not least because of the high degree of complexity of software supply chains, suppliers using third-party crypto technology are therefore advised to compile a list of all software components used and any associated export restrictions. At the same time, this enables companies to meet the requirements of the planned Cyber Resilience Act, increasing cyber security in the supply chain.back