15 C.F.R. § 740.17
License Exception ENC authorizes export, reexport, and transfer (in-country) of systems, equipment, commodities, and components therefor that are classified under ECCN 5A002, 5B002, equivalent or related software and technology therefor classified under 5D002 or 5E002, and “cryptanalytic items” and digital forensics items (investigative tools) classified under ECCN 5A004, 5D002 or 5E002. This License Exception ENC does not authorize export or reexport to, transfer (in-country) in, or provision of any service in any country listed in Country Groups E:1 or E:2 in supplement no. 1 to part 740 of the EAR, or release of source code or technology to any national of a country listed in Country Groups E:1 or E:2. Reexports and transfers (in-country) under License Exception ENC are subject to the criteria set forth in paragraph (c) of this section. Paragraphs (b) and (d) of this section set forth information about classifications required by this section. Items described in paragraphs (b)(1) and (b)(3)(i), (b)(3)(ii) or (b)(3)(iv) of this section that meet the criteria set forth in Note 3 to Category 5—Part 2 of the Commerce Control List (the “mass market” note) are classified under ECCN 5A992 or 5D992 following self-classification or classification by BIS and are no longer subject to “EI” and “NS” controls. Paragraph (e) sets forth reporting required by this section. For items exported under paragraphs (b)(1), (b)(3)(i), (ii), or (iv) of this section and therefore excluded from paragraph (e) reporting requirements, exporters are reminded of the recordkeeping requirements in part 762 of the EAR and that they may be required to make such records available upon request. All classification requests, and reports submitted to BIS pursuant to this section for encryption items will be reviewed by the ENC Encryption Request Coordinator, Ft. Meade, MD.
(a) No classification request or reporting required. License Exception ENC authorizes the export, reexport, or transfer (in-country) to the end users and for the end uses set forth in paragraphs (a)(1) through (3) of this section, without submission of a classification request, self-classification report or sales report to BIS.
(ii) Certain exports, reexports, transfers (in-country) to related parties, not involving “development” or “production” of new products. For internal end uses among 'private sector end users' other than the “development” or “production” of new products, License Exception ENC authorizes exports, reexports, and transfers (in-country) of non-U.S.-origin items, described in paragraph (a) of this section, to 'private sector end users' wherever located provided that:
(b) Classification request or self-classification. For certain products described in paragraph (b)(1) of this section that are self-classified, a self-classification report in accordance with paragraph (e)(3) of this section is required from specified exporters, reexporters and transferors; for products described in paragraph (b)(1) of this section that are classified by BIS via a CCATS, a self-classification report is not required. For products described in paragraphs (b)(2) and (3) of this section, a thirty-day (30-day) classification request is required in accordance with paragraph (d) of this section. An exporter, reexporter, or transferor may rely on the producer's self-classification (for products described in (b)(1), only) or CCATS for an encryption item eligible for export or reexport under License Exception ENC under paragraph (b)(1), (2), or (3) of this section. Exporters are still required to comply with semi-annual sales reporting requirements under paragraph (e)(1) or (2) of this section, even if relying on a CCATS issued to a producer for specified encryption items described in paragraphs (b)(2) and (b)(3)(iii) of this section.
(2) Classification request required. Thirty (30) days after the submission of a classification request with BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph under License Exception ENC authorizes certain exports, reexports, and transfers (in-country) of the items specified in paragraph (b)(2) and submitted for classification.
(i) Cryptographic commodities, software, and components. License Exception ENC authorizes exports, reexports, and transfers (in-country) of the items in paragraph (b)(2)(i)(A) of this section to “less sensitive government end users” and non- “government end users” located or headquartered in a country not listed in supplement no. 3 to this part, and the items in paragraphs (b)(2)(i)(B) through (H) to non “government end users” located or headquartered in a country not listed in supplement no. 3.
(A) 'Network Infrastructure.' 'Network infrastructure' commodities and software, and components therefor, meeting any of the following with key lengths exceeding 80-bits for symmetric algorithms:
(1) WAN, MAN, VPN, backhaul and long-haul. Aggregate encrypted WAN, MAN, VPN, backhaul or long-haul throughput (including communications through wireless network elements such as gateways, mobile switches, and controllers) equal to or greater than 250 Mbps;
(2) [Reserved]
(3) Satellite infrastructure. Transmission over satellite at data rates exceeding 10 Mbps;
(4) Media gateways and other unified communications (UC) infrastructure, including Voice-over-Internet Protocol (VoIP) services. Media (voice/video/data) encryption or encrypted signaling to more than 2,500 endpoints, including centralized key management therefor; or
(5) Terrestrial wireless infrastructure. Air interface coverage (e.g., through base stations, access points to mesh networks, and bridges) exceeding 1,000 meters, where any of the following applies:
(i) Maximum transmission data rates exceeding 10 Mbps (at operating ranges beyond 1,000 meters); or
(ii) Maximum number of concurrent full-duplex voice channels exceeding 30;
(C) Customized items. Encryption software, commodities and components therefor, where any of the following applies:
(1) Customized for government end users or end uses. The item has been designed, modified, adapted, or customized for “government end user(s);” or
(2) Custom or changeable cryptography. The cryptographic functionality of the item has been designed or modified to customer specification or can be easily changed by the user;
(iv) Specific encryption technology. Specific encryption technology as follows:
(3) Classification request required for specified commodities, software, and components. Thirty (30) days after a classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph authorizes exports, reexports, and transfers (in-country) of the items submitted for classification, as further described in this paragraph (b)(3), to any end user, provided the item does not perform the functions, or otherwise meet the specifications, of any item described in paragraph (b)(2) of this section. Items described in paragraph (b)(3)(ii) or (iv) of this section that meet the criteria set forth in Note 3 to Category 5—Part 2 of the CCL (the “mass market” note) are classified under ECCN 5A992 or 5D992 following classification by BIS.
(i) Non-“mass market” “components,” toolsets, and toolkits. Specified components classified under ECCN 5A002.a, or z.1, and equivalent or related software classified under ECCN 5D002 that do not meet the criteria set forth in Note 3 to Category 5—Part 2 of the CCL (the “mass market” note) and are not described by paragraph (b)(2) or (b)(3)(ii) of this section, as follows:
(iii) Advanced network vulnerability analysis and digital forensics. Encryption commodities and software not described by paragraph (b)(2) of this section, that provide or perform vulnerability analysis, network forensics, or computer forensics functions characterized by any of the following:
(d) Classification request procedures—(1) Submission requirements and instructions. To submit a classification request to BIS, you must submit an application to BIS in accordance with the procedures described in §§ 748.1 and 748.3 of the EAR and the instructions in paragraph (r) of supplement no. 2 to part 748 “Unique Application and Submission Requirements,” along with other required information as follows:
(2) Action by BIS.
(ii) For items requiring classification by BIS under paragraphs (b)(2) and (3) of this section.
(e) Reporting requirements—(1) Semiannual reporting requirement. Semiannual reporting is required for exports to all destinations other than Australia, Canada, or the United Kingdom, and for reexports from Australia, Canada, or the United Kingdom for items described under paragraphs (b)(2) and (b)(3)(iii) of this section. Certain encryption items and transactions are excluded from this reporting requirement (see paragraph (e)(1)(iii) of this section). For information about what must be included in the report and submission requirements, see paragraphs (e)(1)(i) and (ii) of this section, respectively.
(i) Information required. Exporters must include, for each item, the Commodity Classification Automated Tracking System (CCATS) number and the name of the item(s) exported (or reexported from Australia, Canada, or the United Kingdom), and the following information in their reports:
(ii) Submission requirements. For exports occurring between January 1 and June 30, a report is due no later than August 1 of that year. For exports occurring between July 1 and December 31, a report is due no later than February 1 the following year. These reports must be provided in electronic form. Recommended file formats for electronic submission include spreadsheets, tabular text or structured text. Exporters may request other reporting arrangements with BIS to better reflect their business models. Reports may be sent electronically to BIS at crypt@bis.doc.gov and to the ENC Encryption Request Coordinator at enc@nsa.gov, or disks and CDs containing the reports may be sent to the following addresses:
(iii) Exclusions from reporting requirement. Reporting is not required for the following items and transactions:
(2) Key length increases. Reporting is required for commodities and software that, after having been classified and authorized for License Exception ENC in accordance with paragraphs (b)(2) or (3) of this section, are modified only to upgrade the key length used for confidentiality or key exchange algorithms. Such items may be exported, reexported or transferred (in-country) under the previously authorized provision of License Exception ENC without a classification resubmission.
(i) Information required.
(ii) Submission requirements.
(3) Self-classification reporting for certain encryption commodities, software, and components. This paragraph (e)(3) sets forth requirements for self-classification reporting to BIS and the ENC Encryption Request Coordinator (Ft. Meade, MD) of certain encryption commodities, software, and components exported or reexported meeting the criteria specified in paragraph (b)(1) of this section. Specifically, this reporting requirement applies to “mass market” encryption components and 'executable software' that meet the criteria of the Cryptography Note—Note 3 to Category 5—Part 2 of the CCL (“mass market” note) and are classified under ECCN 5A992 or 5D992 following self-classification, as well as to non-“mass market” encryption commodities and software that remain classified in ECCN 5A002, 5B002, or 5D002 following self-classification, provided these items are not further described by paragraph (b)(2) or (3) of this section.
(ii) How to report. Encryption self-classification reports must be sent to BIS and the ENC Encryption Request Coordinator via email or regular mail. In your submission, specify the timeframe that your report spans and identify points of contact to whom questions or other inquiries pertaining to the report should be directed. Follow these instructions for your submissions:
(B) Submissions on disks and CDs. The self-classification report may be sent to the following addresses, in lieu of email:
(1) Department of Commerce, Bureau of Industry and Security, Office of National Security and Technology Transfer Controls, 14th Street and Pennsylvania Ave. NW., Room 2099B, Washington, DC 20230, Attn: Encryption Reports, and
(2) Attn: ENC Encryption Request Coordinator, 9800 Savage Road, Suite 6940, Ft. Meade, MD 20755-6000.
(f) End-use restrictions. Notwithstanding the other provisions and authorizations of this section, License Exception ENC is not authorized for any of the following items if the exporter, reexporter, or transferor “knows” or has “reason to know” at the time of export, reexport, or transfer (in-country), including deemed exports and reexports, that the item will be used to affect the confidentiality, integrity, or availability of information or information systems, without authorization by the owner, operator, or administrator of the information system (including the information and processes within such systems):
Note to paragraph (a)(1): A 'private sector end user' is either: An individual who is not acting on behalf of any foreign government; or a commercial firm (including its subsidiary and parent firms, and other subsidiaries of the same parent) that is not wholly owned by, otherwise controlled by or acting on behalf of, any foreign government.
Note to paragraphs (a)(1) and (2): All items produced or developed with items exported, reexported, or transferred (in-country) under paragraphs (a)(1) or (2) of this section are subject to the EAR. These items may require the submission of a classification request before sale, reexport or transfer to non-“U.S. subsidiaries,” unless otherwise authorized by license or license exception.
Note to paragraph (a)(3): This exception from classification and reporting requirements does not apply to non-U.S.-origin products exported from the United States.
Note to paragraph (b) introductory text: Mass market encryption software that would be considered publicly available under § 734.3(b)(3) of the EAR, and is authorized for export under this paragraph (b), remains subject to the EAR until all applicable classification or self-classification requirements set forth in this section are fulfilled.
Note to paragraph (b)(2) introductory text: Immediately after the classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph also authorizes exports, reexports, and transfers (in-country) of: 1. All submitted encryption items described in this paragraph (b)(2), except “cryptanalytic items,” classified in ECCN 5A004.a, 5D002.a.3.a or c.3.a, or 5E002, to any end user located or headquartered in a country listed in supplement no. 3 to this part; 2. Encryption source code as described in paragraph (b)(2)(i)(B) to non-“government end users” in any country; 3. “Cryptanalytic items,” classified in ECCN 5A004.a, 5D002.a.3.a or c.3.a, or 5E002, to non-“government end users,” only, located or headquartered in a country listed in supplement no. 3 to this part; and 4. Items described in paragraphs (b)(2)(iii) and (b)(2)(iv)(A) of this section, to specified destinations and end users.
Notes to paragraph (b)(2)(i)(A): 1. The License Exception ENC eligibility restrictions of paragraphs (b)(2)(i)(A)(3) (satellite infrastructure) and (b)(2)(i)(A)(5) (terrestrial wireless infrastructure) do not apply to satellite terminals or modems meeting all of the following: a. The encryption of data over satellite is exclusively from the user terminal to the gateway earth station, and limited to the air interface; and b. The items meet the requirements of the Cryptography Note (Note 3) in Category 5—Part 2 of the Commerce Control List. 2. 'Network infrastructure' (as applied to encryption items). A 'network infrastructure' commodity or software is any “end item,” commodity or “software” for providing one or more of the following types of communications:” (a) Wide Area Network (WAN); (b) Metropolitan Area Network (MAN); (c) Virtual Private Network (VPN); (d) Satellite; (e) Digital packet telephony/media (voice, video, data) over Internet protocol; (f) Cellular; or (g) Trunked.
Note 1 to paragraph 2: 'Network infrastructure' end items are typically operated by, or for, one or more of the following types of end users: (1) Medium- or large- sized businesses or enterprises; (2) Governments; (3) Telecommunications service providers; or (4) Internet service providers.
Note 2 to paragraph 2: Commodities, software, and components for the “cryptographic activation” of a 'network infrastructure' item are also considered 'network infrastructure' items.
Note to paragraph (b)(2): Commodities, components, and software classified under ECCNs 5A002.b, z.2, or 5D002.b or z.5, for the “cryptographic activation” of commodities or software specified by paragraph (b)(2) of this section are also controlled under paragraph (b)(2) of this section.
Note to introductory text of paragraph (b)(3): Immediately after the classification request is submitted to BIS in accordance with paragraph (d) of this section and subject to the reporting requirements in paragraph (e) of this section, this paragraph also authorizes exports, reexports, transfers (in-country) of the items described in this paragraph (b)(3) to any end user located or headquartered in a country listed in supplement no. 3 to this part.
Note to introductory text of paragraph (e)(3): For the purposes of this paragraph (e)(3), 'executable software' means “software” in executable form, from an existing hardware component excluded from ECCN 5A002 by the Cryptography Note. 'Executable software' does not include complete binary images of the “software” running on an end item.
Note to paragraph (f): See also § 740.22(c)(4).
[81 FR 64669, Sept. 20, 2016, as amended at 82 FR 27110, June 14, 2017; 83 FR 53750, Oct. 24, 2018; 85 FR 62587, Oct. 5, 2020; 86 FR 16487, Mar. 29, 2021; 87 FR 31951, May 26, 2022; 88 FR 73492, Oct. 25, 2023; 89 FR 28599, Apr. 19, 2024]