The UK has issued guidance to assist exporters to make their own assessment on the application of the “Cryptography Note” – Note 3 to Category 5 Part 2, Information Security as it appears in Annex I to Council Regulation (EC) No. 428/2009 (as last amended by Regulation (EU) No. 2268/2017).
Products that use cryptography are usually controlled under the dual-use list. The guidance explains how the Cryptography Note is intended to exclude such goods from control in circumstances where (1) the goods can be easily acquired by the general public, (2) the cryptography functionality cannot be easily changed by the user and (3) the goods are designed for installation by the user without further substantial support by the supplier.
If an exporter is unsure whether the Cryptography Note applies to one of its products, it should consider applying for an export licence. Upon receipt of a licence application, the licensing authority may request further information as evidence of eligibility.