# Encryption Export Controls: ECCN 5A002, 5D002, and the ENC License Exception
Understanding how U.S. export controls apply to encryption products — from hardware (5A002) to software (5D002), including the ENC license exception and mass-market classification.
## Introduction
Encryption is one of the most heavily regulated areas of the U.S. Export Administration Regulations (EAR). Products that incorporate cryptographic functionality — from routers and VPNs to cloud software and mobile applications — often fall under Category 5, Part 2 of the Commerce Control List.
The two most important ECCNs in this space are:
- 5A002 — Information security systems and equipment (hardware)
- 5D002 — Information security software
This guide explains what triggers classification under these ECCNs, how the ENC license exception works, and what the mass-market classification pathway means for commercial software.
## What Makes an Item "5A002" or "5D002"?
### ECCN 5A002 — Hardware
ECCN 5A002 covers systems, equipment, and components designed or modified to use cryptography for "information security" that meet the following criteria:
- Employ cryptography using a symmetric algorithm with a key length exceeding 56 bits (excluding authentication-only functions)
- Employ an asymmetric algorithm where the security of the algorithm is based on factorization of integers exceeding 512 bits, discrete logarithms in a multiplicative group exceeding 512 bits, or similar
In practice, virtually any modern hardware product that performs encryption (routers, firewalls, HSMs, encrypted storage devices, secure phones) at standard key lengths (128-bit AES, 2048-bit RSA) will meet the 5A002 threshold.
### ECCN 5D002 — Software
ECCN 5D002 covers software that:
- Has the characteristics or performs the functions of equipment controlled under 5A002
- Certifies, authenticates, or manages encryption keys for functions controlled under 5A002
- Is designed to perform cryptanalysis
This encompasses encryption libraries, VPN clients, secure messaging applications, disk encryption software, SSL/TLS implementations, and key management systems.
### What Does NOT Trigger 5A002/5D002?
Items performing ONLY the following functions are generally NOT controlled under 5A002/5D002:
- Authentication only (password verification, digital signatures, access control) — may be EAR99 or classified under 5A992/5D992
- Copy protection / DRM — excluded from 5A002 if limited to content protection
- Banking and money transactions — specific exclusions for financial messaging systems
- Items limited to fixed data compression or coding techniques — not considered "cryptography" under the EAR
However, these exclusions have precise technical boundaries. If an authentication system also provides confidentiality (e.g., encrypts transmitted data beyond what is needed for the auth handshake), it may still be controlled.
## Reasons for Control and the Country Chart
Encryption items under 5A002/5D002 are controlled for:
- EI (Encryption Items) — the primary reason for control
- NS (National Security) — Column 1 applies to many encryption items
- AT (Anti-Terrorism) — Column 1
The EI reason for control interacts differently with the Commerce Country Chart than other reasons. Notably, EI-controlled items cannot use the STA (Strategic Trade Authorization) license exception. Instead, they have their own dedicated pathway: License Exception ENC (Section 740.17).
## License Exception ENC (Section 740.17)
The ENC license exception is the primary mechanism by which encryption products are exported without individual licenses. It has evolved significantly since the "Crypto Wars" of the 1990s and now covers most commercial encryption products.
### ENC Eligibility Tiers
ENC has multiple paragraphs that provide authorization at different levels:
#### Section 740.17(b)(1) — Certain "Mass Market" Encryption
Authorizes exports of certain mass-market encryption commodities and software (meeting the criteria of Note 3 to Category 5, Part 2) to all destinations except Country Group E:1 (Cuba, Iran, North Korea, Syria) and E:2 countries — without a classification review or reporting requirement, after submission of a self-classification report to BIS.
#### Section 740.17(b)(2) — Encryption to Non-Government End-Users
Authorizes exports to non-government end-users in most destinations (excluding E:1/E:2), subject to:
- A 30-day classification review submission to BIS (or one-time notification)
- Semi-annual sales reporting for certain items
#### Section 740.17(b)(3) — Encryption to Government End-Users
Government end-users in Country Group B countries (broadly, most non-embargoed countries) may receive encryption items under this paragraph, subject to the same classification review.
### The Classification Review Process
Before using ENC (paragraphs b(2) and b(3)), exporters must submit a classification request or self-classification to BIS:
- File via the SNAP-R system or email to BIS
- Include a technical description of the encryption functionality
- BIS reviews within 30 calendar days
- If no response within 30 days, the item is classified and ENC may be used
The classification review is a one-time event per product (or product version). Once classified, subsequent exports of the same item do not need re-review.
### ENC Restrictions
ENC cannot be used for exports to:
- Country Group E:1 and E:2 destinations (Cuba, Iran, North Korea, Syria, and certain others)
- Prohibited end-users under Part 744
- Known military, intelligence, or "government" end-users in Country Group D:1 countries (without paragraph (b)(3) authorization)
- Items specifically designed for "cryptanalysis" (code-breaking) functions — these generally require individual licenses
## Mass-Market Encryption: Note 3 to Category 5 Part 2
Note 3 provides a critical exclusion from 5A002/5D002 for "mass-market" encryption items. If an item qualifies under Note 3, it is classified as 5A992 or 5D992 (not 5A002/5D002), which carries far fewer restrictions.
### Note 3 Criteria
An item qualifies as mass-market if it:
- Is generally available to the public by being sold, without restriction, from stock at retail selling points (physical or online)
- Has cryptographic functionality that cannot easily be changed by the user
- Is designed for installation by the user without further substantial support by the supplier
- Is not any of the excluded items (network infrastructure items exceeding certain parameters, items designed for government use, etc.)
### Practical Implications
Most consumer software (web browsers, operating systems, mobile apps) and consumer hardware (laptops, phones, home routers) qualify under Note 3 and are classified as 5A992/5D992 rather than 5A002/5D002. This means:
- License Exception ENC paragraphs (b)(2)/(b)(3) are NOT needed (mass-market items use (b)(1) or are simply classified under 5A992/5D992)
- The self-classification report (filing with BIS) is still required for mass-market items under Section 742.15(b)
- Exports to E:1/E:2 countries remain prohibited regardless of mass-market status
## Open Source Encryption
Publicly available (open source) encryption source code is subject to special treatment under the EAR:
- Section 742.15(b) requires a notification to BIS (email to [email protected] and [email protected]) with the URL of the source code
- After notification, the source code is classified as "publicly available" and not subject to the EAR
- Object code compiled from publicly available source code does NOT automatically inherit this treatment — the compiled product must still be classified independently
This is why open-source projects like OpenSSL file a BIS notification, but commercial products incorporating OpenSSL must still classify their own product.
## Compliance Checklist for Encryption Exporters
- Classify your product: Determine whether it falls under 5A002/5D002, qualifies for Note 3 (mass-market → 5A992/5D992), or is excluded from Category 5 Part 2 entirely
- File with BIS: Submit a classification request or self-classification report via SNAP-R or email
- Screen destinations and end-users: Even with ENC, you cannot export to embargoed destinations or denied parties
- Maintain records: Retain classification documentation, BIS correspondence, and export records for five years
- Report semi-annually: If required under your ENC paragraph, submit semi-annual sales reports to BIS
## Recent Developments
The encryption control landscape continues to evolve:
- BIS has streamlined the ENC classification process, reducing review burdens for mass-market items
- Quantum-resistant cryptographic algorithms (post-quantum cryptography) are being evaluated for potential new classification considerations
- Cloud-based encryption services raise jurisdictional questions about where the "export" occurs
## Conclusion
Encryption controls under 5A002/5D002 are among the most complex areas of the EAR, but the regulatory framework provides workable pathways for most commercial products. The key is proper classification (5A002 vs. 5A992), understanding which ENC paragraph applies, and maintaining documentation of your compliance analysis.