Posted: 20 Apr. 2018 5 min. read

Changes to the controls on ‘Information security’ products

Category 5 Part 2 updates

The information security section of the EU dual-use regulations, Category 5 Part 2, has been modified to provide a positive list of controls to improve transparency and clarity around the applicability of these controls. The previous versions of Category 5 Part 2 had applied a broad brush control to encryption items and then sought to decontrol by exception.

However, with the advancement of technologies and the use of encryption becoming commonplace in numerous products, software and technologies, this list of exceptions had become too complex for exporters to interpret. Consequently, although a number of changes have been made as a result of re-structuring the list, the control status of most information security items is not expected to change. The modifications to this category have been implemented into the UK Strategic Export Control Lists. Corresponding changes are being adopted by other jurisdictions.

The changes are as follows:

For additional information about the updated regulations and the implications of these modifications to your business, please contact our Global Export Controls & Sanctions team

Modifications to Note 3

Note 3, the cryptography note, has been revised to clarify that it is not applicable to 5A003 or 5A004.

Removal of Note 4

Note 4 has been removed and replaced with positive language in 5A002.a, which clearly defines the items subject to control. The old text was a negative list, which omitted an item from control if the primary function was not listed in the regulations (information security, networking, sending, receiving or storing information, or computing).

Changes to 5A002a

5A002a has been modified to limit the scope of control to items and their primary function.

i. The item’s primary functions must be information security, digital communication, networking, computers or other information storage or processing functions.

ii. The category only controls items with the following functions:

  • Designed or modified to use ‘cryptography for data confidentiality’
  • Having a symmetric key length in excess of 56 bits of, or equivalent
  • Whose cryptographic capability can be used without being activated, or has been activated

iii. However, if an item’s primary function is not controlled but the component or software of an item that performs the cryptographic function is controlled under 5A002a, the control would apply to the overall item.

iv. This category now states that cryptography is only controlled when used for data confidentiality. The following list of cryptographic functions are not considered to be used for confidentiality purposes:

  • “Authentication”
  • Digital signing
  • Data integrity
  • Non-repudiation
  • Digital rights management

v. The definition of ‘in excess of 56 bits of symmetric key length, or equivalent’ has been updated and moved to technical Note 2. The definition specifies that 5A002a controls “systems, equipment and components”…designed or modified to use “cryptography for data confidentiality”, having “in excess of 56 bits of symmetric key length, or equivalent”.

Restructuring of 5D002

To allow software with information security functionalities to be classified more easily, 5D002 has been reworded so that 5D002a and 5D002c each have three subsections. These updates relate to software with the characteristics of items listed in 5A002, 5A003 and 5A004.

New definition of authentication

The definition of ‘authentication’ has been added to address the following:

i. Often before providing access to the information system, the identity of a user, process or device must be verified. Where files or data are not encrypted, the source or content of a message or other data and all aspects of access control must be validated. However, this is not applicable where the information relates to the protection of passwords, personal identification numbers or similar data to prevent unauthorised access.

For additional information about the updated regulations and the implications of these modifications to your business, please contact our Global Export Controls & Sanctions team.

Sign up for the latest updates

Key contacts

Julia Bell

Julia Bell


Julia leads Deloitte’s Global Export Controls & Sanctions team in London. She has led compliance-enhancing projects for a number of years in a variety of industries, including financial services, consumer products, oil and gas, aerospace & defence, manufacturing and the technology, media and telecommunications industries. She is a specialist in US, EU, UK, French, German and other EU Member State military, dual-use and sanctions regulations. Julia has a thorough understanding of the export control challenges faced by companies involved in international trade activities. More broadly, Julia supports her clients in developing integrated compliance programmes to manage their regulatory compliance requirements (including export controls, ABAC and data privacy), with a focus on lean business requirements to manage regulatory obligations. Julia has also been involved in the development of a number of different technology solutions to manage export compliance requirements, and has supported clients to develop and implement their digital strategies for effective compliance management.