Cryptography Controls in EU Dual-Use Regulation: Current and Future

Cryptography, the practice of secure communication in the presence of adversaries, has become an integral part of modern digital life. It underpins the security of everything from online banking and secure messaging to protecting sensitive government and military communications. However, the same powerful tools that protect our privacy and security can also be used for malicious purposes, leading to the need for regulatory control.

Why is Cryptography Controlled?

Cryptography is controlled for several reasons:

  1. National Security: Strong encryption can protect sensitive government and military communications, but it can also be used by hostile states or terrorist organizations to hide their activities.
  2. Law Enforcement Concerns: Encrypted communications can hinder criminal investigations, leading to debates about balancing privacy with public safety.
  3. Strategic Trade Control: Advanced cryptographic technologies can provide a strategic advantage, so nations aim to control their export to maintain technological superiority.
  4. Dual-Use Nature: Many cryptographic tools and technologies have both civilian and military applications, making them subject to dual-use regulations.
  5. International Obligations: Many countries, including EU member states, have agreed to control cryptography exports as part of international agreements like the Wassenaar Arrangement.

The European Union’s Dual-Use Regulation controls the export of items that can be used for both civilian and military purposes, including cryptographic systems and technologies. This article explains the current controls on cryptography and highlights the changes that will come into effect at the end of 2024.

Current Controls

Scope of Control

The current regulation (Category 5, Part 2 – “Information Security”) controls:

  1. Systems, equipment, and components designed or modified to use ‘cryptography for data confidentiality’ with a ‘described security algorithm’.
  2. Items with “information security” as a primary function.
  3. Digital communication or networking systems using cryptography.
  4. Computers and items with information storage or processing as a primary function using cryptography.

Key Definitions

– ‘Cryptography for data confidentiality’: Uses digital techniques for any cryptographic function other than authentication, digital signature, data integrity, non-repudiation, digital rights management, encryption for entertainment or medical records, or key management for these functions.

– ‘Described security algorithm’: Includes symmetric algorithms with key length over 56 bits, and various asymmetric algorithms based on factorization, discrete logarithms, or post-quantum methods.

Exemptions

The regulation includes several exemptions, notably:

  1. Items for personal use accompanying the user.
  2. Products meeting specific criteria of public availability and limited user modification (Cryptography Note).
  3. Certain smart cards and readers.
  4. Some mobile and cordless phones for civil use.
  5. Customized devices for specific civil industry applications.

Non-Cryptographic Controls

The regulation also covers:

  1. Systems for detecting intrusion in communication cables.
  2. Equipment designed to reduce compromising emanations.
  3. Systems for defeating, weakening, or bypassing information security.

Changes Coming in Late 2024

The new version of the regulation, set to come into force at the end of 2024, maintains much of the current structure but introduces some notable changes:

  1. Expanded Definition of ‘Cryptography for Data Confidentiality’:

– Now covers cryptography for data confidentiality that is “usable or can be made usable”, not only cryptography that is already enabled.

– Adds exemptions for wireless “personal area network” functionality and banking/money transaction uses.

  2. Cryptographic Activation:

– Introduces the concept of ‘cryptographic activation’, where cryptographic functions can be activated or enabled through secure means.

  3. Mobile Telecommunications Equipment:

– Increases the limit on concurrent users for controlled Radio Access Network (RAN) equipment from 16 to 32.

  4. Connected Civil Industry Applications:

– Provides more detailed exemptions for devices and networking equipment designed for specific civil industry applications.

  5. Quantum Cryptography:

– Maintains controls on systems designed to use or perform “quantum cryptography” (also known as Quantum Key Distribution).

  6. Post-Quantum Algorithms:

– Explicitly mentions post-quantum cryptographic algorithms, indicating increased attention to emerging cryptographic technologies.

While the core structure of cryptography controls remains largely unchanged, the updates coming in late 2024 reflect the evolving nature of cryptographic technologies and their applications. The new regulation provides more nuanced controls and exemptions, particularly for civil and industrial uses, while maintaining strict oversight on advanced cryptographic capabilities.

These controls reflect the ongoing challenge of balancing the benefits of strong cryptography for legitimate uses with the need to prevent its misuse. As cryptographic technologies continue to advance, particularly in areas like post-quantum cryptography, regulations will likely continue to evolve to address new capabilities and potential risks.

Exporters and users of cryptographic technologies should carefully review these changes to ensure compliance with the updated EU Dual-Use Regulation when it comes into effect. Additionally, they should stay informed about the broader global context of cryptography controls, as regulations can vary between different countries and regions.

First published on www.patrick.goergen.com on 11 September 2024