Export Controls: Cryptography controls – AES 256
AES 256 shows as 5A on the CLC Search but my licence application has just come back as NLR.
How can we further understand the Cryptography controls, are you able to advise please?
(This question was asked at one of our recent webinars on Export Controls. You can listen to this webinar on our recent webinars page at https://opentoexport.com/info/webinars/)
Please see the general answer to the current status of the Cryptographic Note copied below. While goods with AES 256 are controlled under entry 5A002.a.1.a, the Mass Market note can exempt certain items. If your product meets the exemptions in Note 3 or Note 4, they will be classified as No Licence Required. I am unable to give further guidance on the interpretation of these exception Notes and it is hoped the Tech UK activity will result in clearer guidance.
Note 3 to Category 5 Part 2 is also known as the Cryptography Note. There are also other notes at the beginning of Category 5 Part 2 that try to exempt goods that have encryption in them but encryption is not the main function of the equipment. The interpretation of this Note in the UK has tended to be that it covers goods that can be purchased from outlets such as PC World. But you need to ensure that all of the other conditions in the Note, including a.3., are met before Note 3 can be used. And please note that a ‘user’ can be different from an installer/maintainer. This release only applies to goods that are available to almost any end user and would include items such as broadband modems for home use.
In the last 18 months, the USA has changed it’s interpretation of this Note and now exempts from control a wide range of components and products with encryption that the UK still maintains under control. Tech UK is working to try to get a level playing field on the interpretation of the Note and is in discussions with the Export Control Organisation. It is hoped that when these discussions have concluded, there will be a clearer statement on what goods are subject to this Note.
Thank you for your response.
With the CN exemptions in mind, the .gov website (https://www.gov.uk/guidance/export-of-cryptographic-items) states the records which must be kept for exporting products which have been decontrolled by the CN notes.
Like any other business we would certainly be keeping all possible/required records of how we rated our goods etc. But I can see how it may be difficult for businesses purchasing 3rd party items and keeping the records stated. They have noted keeping records ‘that you can reasonably be expected to obtain’ but how are these records audited, checked and validated?