Posted: 20 Apr. 2018

Changes to the controls on ‘Information security’ products

Category 5 Part 2 updates

The information security section of the EU dual-use regulations, Category 5 Part 2, has been modified to provide a positive list of controls, improving transparency and clarity around the applicability of these controls. Previous versions of Category 5 Part 2 had applied a broad-brush control to encryption items and then sought to decontrol by exception.

However, with the advancement of technologies and the use of encryption becoming commonplace in numerous products, software and technologies, this list of exceptions had become too complex for exporters to interpret. Consequently, although a number of changes have been made as a result of re-structuring the list, the control status of most information security items is not expected to change. The modifications to this category have been implemented into the UK Strategic Export Control Lists. Corresponding changes are being adopted by other jurisdictions.

The changes are as follows:


Modifications to Note 3

Note 3, the cryptography note, has been revised to clarify that it is not applicable to 5A003 or 5A004.

Removal of Note 4

Note 4 has been removed and replaced with positive language in 5A002.a, which clearly defines the items subject to control. The old text was a negative list, which exempted an item from control if its primary function was not one of those listed in the regulations (information security, networking, sending, receiving or storing information, or computing).

Changes to 5A002a

5A002a has been modified to limit the scope of control to items according to their primary function.

i. The item’s primary functions must be information security, digital communication, networking, computers or other information storage or processing functions.

ii. The category only controls items that meet the following conditions:

  • Designed or modified to use ‘cryptography for data confidentiality’
  • Having ‘in excess of 56 bits of symmetric key length, or equivalent’
  • Whose cryptographic capability can be used without being activated, or has been activated

iii. However, if an item’s primary function is not controlled but the component or software of an item that performs the cryptographic function is controlled under 5A002a, the control would apply to the overall item.

iv. This category now states that cryptography is only controlled when used for data confidentiality. The following cryptographic functions are not considered to be used for confidentiality purposes:

  • “Authentication”
  • Digital signing
  • Data integrity
  • Non-repudiation
  • Digital rights management

v. The definition of ‘in excess of 56 bits of symmetric key length, or equivalent’ has been updated and moved to technical Note 2. The definition specifies that 5A002a controls “systems, equipment and components” … designed or modified to use “cryptography for data confidentiality”, having “in excess of 56 bits of symmetric key length, or equivalent”.

Restructuring of 5D002

To allow software with information security functionality to be classified more easily, 5D002 has been reworded so that 5D002a and 5D002c each have three subsections. These updates relate to software with the characteristics of items listed in 5A002, 5A003 and 5A004.

New definition of authentication

A definition of ‘authentication’ has been added to address the following:

i. Often before providing access to the information system, the identity of a user, process or device must be verified. Where files or data are not encrypted, the source or content of a message or other data and all aspects of access control must be validated. However, this is not applicable where the information relates to the protection of passwords, personal identification numbers or similar data to prevent unauthorised access.

For additional information about the updated regulations and the implications of these modifications to your business, please contact our Global Export Controls & Sanctions team.


Key contacts

Julia Bell

Senior Manager

As a Manager on the Global Export Controls & Sanctions team in London, Julia has worked on compliance-enhancing projects for clients in a variety of industries, including oil and gas, aerospace & defence, manufacturing and the technology, media and telecommunications industries. She is experienced in US, EU, UK, French, German and other EU Member State military, dual-use and sanctions regulations. Julia’s experience includes conducting trade compliance risk reviews and audits and assisting clients with the development of internal compliance programmes. She specialises in identifying areas of risk and opportunity in relation to the management of trade sanctions, particularly US and EU sanctions on Russia and Iran. Julia has been involved in conducting ITAR audits in the UK, France, Poland and Brazil for non-US aerospace & defence companies. Julia holds a degree in French and German and a Master of Arts from the University of Cambridge.