Notice to exporters 2018/07: guidance on the ‘Cryptography Note’

3 April 2018


This guidance is provided to assist exporters to make their own assessment on the application of the ‘Cryptography Note’ – Note 3 to Category 5 Part 2, Information Security as it appears in Annex I to Council Regulation (EC) No. 428/2009 (as last amended by Regulation (EU) No. 2268/2017).

Products that use cryptography are typically controlled under the dual use list. Note 3 is intended to exclude goods from control that:

  • can be easily acquired by the general public
  • require little or no support to install
  • where the cryptographic functionality cannot be easily changed by the user

Note 3 also relaxes controls on certain components and software of such items.

Note 3 is found at the beginning of Category 5 part 2, ‘Information Security’, of the EU dual use list. There are various other notes within Category 5 part 2, which decontrol specific technologies, but are separate and distinct from Note 3.

If you’re not sure whether Note 3 applies to one of your products, you can consider applying for an export licence. Include in your application all product details that are relevant to issues discussed here. As stated in Note 3, the licensing authority may request more information as evidence of eligibility.

If Note 3 applies to a hardware or software item, then it is released from control under sections 5A002 and 5D002 of Category 5 Part 2. But it may still be controlled elsewhere in the EU Dual Use or UK Military Lists and may still be subject to end-use controls, ‘catch all’ controls and sanctions. If none of these apply, then no licence is required to export that item from the UK.

A very important general principle of control in Category 5 Part 2 is that a product is classified on the basis of its functionality and characteristics and considered as a standalone item. The item’s control list classification cannot be worked out solely from the classifications of individual component parts. For example, a product using freely available open-source cryptographic software libraries may still be controlled. This is despite the fact that such libraries are often decontrolled in their own right (by the General Software Note, for example).

Equally, if a product uses an algorithm for which the specification is public, such as AES (Advanced Encryption Standard) or RSA (Rivest–Shamir–Adleman), the product may still be controlled, and is not removed from control solely because the encryption algorithm it uses is freely available.

The note is subdivided into two parts, 3a and 3b.

For more information, visit


Follow Chamber International on Twitter @ChamberInt and on Facebook for the latest in international trade.

Chamber International edge - One of the most powerful technologies available to make exporting simple.