Encryption items can be used to maintain the secrecy of information, and thereby may be used by persons abroad to harm U.S. national security, foreign policy and law enforcement interests. The United States has a critical interest in ensuring that important and sensitive information of the public and private sector is protected. Consistent with our international obligations as a member of the Wassenaar Arrangement, the United States has a responsibility to maintain control over the export and reexport of encryption items. As the President indicated in Executive Order 13026 and in his Memorandum of November 15, 1996, exports and reexports of encryption software, like exports and reexports of encryption hardware, are controlled because of this functional capacity to encrypt information, and not because of any informational or theoretical value that such software may reflect, contain, or represent, or that its export or reexport may convey to others abroad. For this reason, export controls on encryption software are distinguished from controls on other software regulated under the EAR.
(a) Licensing requirements and policy—(1) Licensing requirements. A license is required to export or reexport encryption items (“EI”) classified under ECCN 5A002, 5A004, 5D002.a, .c.1 or .d (for equipment and “software” in ECCNs 5A002 or 5A004, 5D002.c.1); or 5E002 for “technology” for the “development,” “production,” or “use” of commodities or “software” controlled for EI reasons in ECCNs 5A002, 5A004 or 5D002, and “technology” classified under 5E002.b to all destinations, except Canada. Refer to part 740 of the EAR, for license exceptions that apply to certain encryption items, and to § 772.1 of the EAR for definitions of encryption items and terms. Most encryption items may be exported under the provisions of License Exception ENC set forth in § 740.17 of the EAR. Following classification or self-classification, items that meet the criteria of Note 3 to Category 5—Part 2 of the Commerce Control List (the “mass market” note), are classified under ECCN 5A992 or 5D992 and are no longer subject to this Section (see § 740.17 of the EAR). Before submitting a license application, please review License Exception ENC to determine whether this license exception is available for your item or transaction. For exports, reexports, or transfers (in-country) of encryption items that are not eligible for a license exception, you must submit an application to obtain authorization under a license or an Encryption Licensing Arrangement.
(2) Licensing policy. Applications will be reviewed on a case-by-case basis by BIS, in conjunction with other agencies, to determine whether the export, reexport, or transfer (in-country) is consistent with U.S. national security and foreign policy interests. Encryption Licensing Arrangements (ELAs) may be authorized for exports, reexports, or transfers (in-country) of unlimited quantities of encryption commodities and software described in § 740.17(b)(2)(i)(A) that have been classified by BIS to “more sensitive government end users,” in all destinations, except countries listed in Country Groups E:1 or E:2 of supplement no. 1 to part 740. ELAs for “more sensitive government end users” may be authorized for encryption commodities and software described in § 740.17(b)(2)(ii) through (iv) under certain circumstances. ELAs are valid for four years and may require pre-shipment notification. Applicants seeking authorization for Encryption Licensing Arrangements must specify the sales territory on their license applications.
(b) Publicly available encryption source code—(1) Scope and eligibility. Subject to the notification requirements of paragraph (b)(2) of this section, publicly available (see § 734.3(b)(3) of the EAR) encryption source code classified under ECCN 5D002 is not subject to the EAR. Such source code is publicly available even if it is subject to an express agreement for the payment of a licensing fee or royalty for commercial production or sale of any product developed using the source code.
(2) Notification requirement for “non-standard cryptography.” For publicly available encryption source code classified under ECCN 5D002 that provides or performs “non-standard cryptography” as defined in part 772 of the EAR, you must notify BIS and the ENC Encryption Request Coordinator via email of the internet location (e.g., URL or internet address) of the source code or provide each of them a copy of the publicly available encryption source code. If you update or modify the source code, you must also provide additional copies to each of them each time the cryptographic functionality of the source code is updated or modified. In addition, if you posted the source code on the internet, you must notify BIS and the ENC Encryption Request Coordinator each time the internet location is changed, but you are not required to notify them of updates or modifications made to the encryption source code at the previously notified location. In all instances, submit the notification or copy to [email protected] and to [email protected].
[73 FR 57507, Oct. 3, 2008, as amended at 75 FR 36494, June 25, 2010; 75 FR 43821, July 27, 2010; 76 FR 1063, Jan. 7, 2011; 76 FR 29619, May 20, 2011; 78 FR 13469, Feb. 28, 2013; 78 FR 37383, June 20, 2013; 81 FR 64673, Sept. 20, 2016; 86 FR 16488, Mar. 29, 2021; 88 FR 73494, Oct. 25, 2023; 89 FR 23885, Apr. 4, 2024]