Export and import of cryp­to technology

What needs to be considered?

Cryp­to tech­no­lo­gy is not only used to ensu­re the con­fi­den­tia­li­ty of infor­ma­ti­on through encryp­ti­on. It is also cri­ti­cal for pro­ving the inte­gri­ty of infor­ma­ti­on. In the wrong hands, howe­ver, cryp­to­gra­phic pro­ces­ses can crea­te signi­fi­cant dan­gers. For this reason, cryp­to tech­no­lo­gy is one of the dual-use goods that can ser­ve both civi­li­an and mili­ta­ry pur­po­ses. Export and import are regu­la­ted worldwide.

Cryp­to tech­no­lo­gy in export control

Anyo­ne who exports pro­ducts that include cryp­to­gra­phic pro­ces­ses is an export­er and must com­ply with the export laws of the count­ries from which the pro­duct is to be expor­ted. In some cases, this even appli­es to re-exports. In Ger­ma­ny and the EU, export­ers must com­ply with, among other things, the For­eign Trade and Pay­ments Act and the For­eign Trade and Pay­ments Ordi­nan­ce , as well as the EU Dual-Use Regu­la­ti­on , each of which con­tain spe­ci­fic pro­hi­bi­ti­ons and licen­sing requi­re­ments for the export of arma­ments and dual-use goods. Anyo­ne export­ing cryp­to tech­no­lo­gy must check whe­ther the­re is an export ban or licen­se reser­va­tions befo­re export­ing. This is not an easy task for com­pa­nies due to the lar­ge num­ber of cryp­to­gra­phic pro­ces­ses, the speed of tech­ni­cal deve­lo­p­ments and the high degree of com­ple­xi­ty of export con­trol law. After all, under Euro­pean and US export con­trol law, excep­ti­ons app­ly to gene­ral­ly available tech­no­lo­gies, which include open source soft­ware in par­ti­cu­lar if it can be free­ly acces­sed on the Internet.

Import con­trol – a new trend?

To an incre­asing ext­ent, cryp­to­gra­phic pro­ce­du­res are also sub­ject to import rest­ric­tions, which may result in par­ti­cu­lar from the pro­hi­bi­ti­on or rest­ric­tion of encrypt­ed com­mu­ni­ca­ti­on. The People’s Repu­blic of Chi­na, for exam­p­le, has a com­pre­hen­si­ve set of import con­trol regu­la­ti­ons that impo­se dif­fe­ren­tia­ted requi­re­ments on dif­fe­rent types of cryp­to tech­no­lo­gy. The Sta­te Coun­cil of Chi­na pro­vi­des, among other things, import licen­se lists for com­mer­cial pro­ducts, which com­pa­nies should take into account. 

Prac­ti­cal imple­men­ta­ti­on – white or black list?

In the sub­se­quent prac­ti­cal imple­men­ta­ti­on of the legal requi­re­ments for the export and import of cryp­to tech­no­lo­gy, we often encoun­ter the ques­ti­on of sui­ta­ble mea­su­res, such as white or black lists. Howe­ver, given the lar­ge num­ber of cryp­to­gra­phic pro­ces­ses that com­pa­nies can use and their ongo­ing deve­lo­p­ment, it is gene­ral­ly not prac­ti­cal to make a con­clu­si­ve assess­ment of the export and import of indi­vi­du­al cryp­to­gra­phic pro­ces­ses. In our expe­ri­ence, a direc­ti­ve on the use of cryp­to­gra­phic methods that allows pro­duct deve­lo­p­ment some preli­mi­na­ry review for export and, in pro­ble­ma­tic cases, allows case-by-case con­side­ra­ti­on is often a bet­ter approach. In addi­ti­on, a dyna­mic black­list that is con­ti­nuous­ly being deve­lo­ped on the basis of indi­vi­du­al case stu­dies can be used.

An issue for sup­pli­ers as well?

Even though the export and import regu­la­ti­ons only estab­lish obli­ga­ti­ons direct­ly on export­ers and importers of cryp­to tech­no­lo­gy, in prac­ti­ce we are incre­asing­ly see­ing that sup­pli­ers are obli­ged to under­ta­ke export con­trols via con­trac­tu­al agree­ments and to pro­vi­de the infor­ma­ti­on requi­red for this pur­po­se. Not least becau­se of the high degree of com­ple­xi­ty of soft­ware sup­p­ly chains, sup­pli­ers using third-party cryp­to tech­no­lo­gy are the­r­e­fo­re advi­sed to com­pi­le a list of all soft­ware com­pon­ents used and any asso­cia­ted export rest­ric­tions. At the same time, this enables com­pa­nies to meet the requi­re­ments of the plan­ned Cyber Resi­li­ence Act, incre­asing cyber secu­ri­ty in the sup­p­ly chain.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.