Export permits for cryptographic items

EU+5 Cryptography export permit

Summary: This type of permit may authorize exports of hardware, software, source code or other technology controlled under Export Control List Group 1 Category 5 – Part 2: “Information Security”. Eligible destinations include all countries within the European Union (except Cyprus), Australia, Japan, New Zealand, Norway and Switzerland. There are no regular reporting requirements but export records must be maintained and provided to the Export Controls Division if requested.

Coverage

EU+5 Cryptography permits may authorize the export by any means (including electronic transfer) of the following:

  • Items (including hardware, software, source code or other technology), as specified on the permit, that incorporate cryptography that is controlled in Category 5, Part 2 of Group 1 of the Export Control List;

This permit may not be used to authorize the export of goods or technology which fall under the following Items, as defined in the Guide to Canada’s Export Controls. Applications which include goods or technology that are controlled in these Items will be returned without action.

  • 1-5.A.2.a.2: Systems, equipment, application specific “electronic assemblies”, modules and integrated circuits for “information security”, as follows, and other specially designed components therefor:designed or modified to perform cryptoanalytic functions
  • 1-5.A.2.a.4: Systems, equipment, application specific “electronic assemblies”, modules and integrated circuits for “information security”, as follows, and other specially designed components therefor: specially designed or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for health, safety and electromagnetic interference standards
  • 1-5.A.2.a.9: Systems, equipment, application specific “electronic assemblies”, modules and integrated circuits for “information security”, as follows, and other specially designed components therefor: designed or modified to use “quantum cryptography”

EU+5 Cryptography permits authorize exports to final consignees in the following countries:

  • Australia
  • Austria
  • Belgium
  • Bulgaria
  • Czechia
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Greece
  • Hungary
  • Ireland
  • Italy
  • Japan
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • Netherlands
  • New Zealand
  • Norway
  • Poland
  • Portugal
  • Romania
  • Slovakia
  • Slovenia
  • Spain
  • Sweden
  • Switzerland
  • United Kingdom

The validity period for the EU+5 Cryptography permit is 5 years. Permit amendment requests may be made through EXCOL to extend the validity of export permits up to 3 weeks before the expiry date. Exporters may request in the EXCOL application form shorter validity periods. Applicants whose product development cycles are shorter than 5 years may wish to request shorter validity periods since new versions of a cryptography item require the submission of a new application (and these new applications may include all previous versions of the same product).

Prohibitions

EU+5 Cryptography permits explicitly exclude, in the terms and conditions stated on each permit, exports:

  • to countries that are included in the Area Control List; that are subject to Canadian economic sanctions (including those implemented under the United Nations Act or the Special Economic Measures Act); that are excluded from the application of General Export Permit No. 12; and that are subject to sanctions under the Export and Import Permits Act;
    • As of July  2015, the countries that are subject to these measures are the following: Afghanistan, Belarus, Burma (Myanmar), Central African Republic, Côte d'Ivoire, Cuba, Democratic Republic of the Congo, Egypt, Eritrea, Guinea, Iran, Iraq, Lebanon, Liberia, Libya, North Korea, Pakistan,  Russia,  Somalia, South Sudan, Sudan, Syria, Tunisia, Ukraine, Yemen and Zimbabwe.
  • for end-use that is directly or indirectly related to research, development or production of chemical, biological or nuclear weapons, or any missile programmes for such weapons.

Applications

Please contact the Export Controls Division if you wish to submit an application for a multidestination permit using EXCOL and have not done so before. You should send an email to tie.reception@international.gc.ca and request that your EXCOL profile to be set to enable applications for multidestination cryptography permits.

Applications for EU+5 Cryptography permits must include the following:

  • complete application form (generally done through our online system EXCOL)
  • a completed cryptography and information security product questionnaire
  • technical description of the goods/technology. The Export Controls Division undertakes a technical assessment of the goods or technology listed in the export permit application to determine under which Export Control List Item(s) they fall. For this purpose, technical specifications of the export must be detailed and adequately describe the characteristics of the goods and services. Enough details must be provided to establish the true nature of the items. These could be provided in the form of drawings, data sheets, manuals, component lists, block diagrams, exploded view drawings, and so on. Marketing brochures may also provide useful additional information. The information that is submitted should make clear the type and function of the goods and provide key technical parameters.
  • cover letter using the template provided and confirming the exporter agrees to abide by the terms and conditions of the permit

Applicants should note the following guidelines on identifying cryptographic goods and technology in an export permit application:

  • Descriptions of finished products should use the following format: [brand name or name of manufacturer] [model name] [part number]. This information should be consistent with packaging labels, invoices, and shipping documents.
  • Descriptions of software should use the following format: [software developer or publisher name] [software name] [version number x.x] [means of export – eg, on CD or by FTP]. This format assumes that, in the version number, changes to the right of the decimal (eg, from version 3.0 to 3.1) will only be updates, patches, or fixes with no change to the cryptographic functionality, and that any other change to the software, including a change to the cryptographic functionality, will result in a change from version 3 to version 4.
  • Item descriptions should not describe the purpose, use, or physical appearance of the product (this should be provided instead in the field “Overall Description of Goods and End-Use” in the EXCOL application form) nor include references to the Export Control List (self-assessments should be provided in the field “ECL No.” in the EXCOL application form).
  • The Description is how the goods or technology will be identified on the export permit, which will also be verified against the Export Declaration submitted to the Canada Border Services Agency at the time of export.

An export permit issued for software will generally include the version number, as noted above (eg, version 1.x). Changes to the version number to the left of the decimal (ie, from version 1.x to version 2.x) require a new permit to be issued. In other words, if a permit is issued for version 1.1, the exporter may also use that permit to export versions 1.2 and 1.3 (assuming there has been no change to the cryptographic functionality). However, that permit may not be used to export version 2.1 of the same software. A new permit application should be submitted.

Compliance

After issuance of an EU+5 Cryptography permit, the exporter must:

  • comply with other terms and conditions that may be stated on an export permit. Exporters are obliged to comply with these conditions when they export under the authority of the permit. Exporters must review the terms and conditions upon receipt of the export permit and prior to exporting, and may contact the Export Controls Division (email tie.reception@international.gc.ca) for more information.
  • comply with provisions of the Export and Import Permits Act which require, inter alia, the keeping of records for at least six years after the end of the year to which they relate, and that such records be provided upon demand to an officer of the Export Controls Division. Exporters using this permit must retain documentation which demonstrates that the exporter has undertaken due diligence. Such documentation may include contracts, invoices, requests for products, statements of work, specific correspondence, (if applicable) vendor/reseller/distributor agreements, and bills of lading. The purpose of due diligence is to verify that the transaction adheres to the permit and its specific terms and conditions.