- Latest available (Revised)
- Point in Time (31/12/2014)
- Original (As adopted by EU)
Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items (Recast)
After exit day there will be three versions of this legislation to consult for different purposes. The legislation.gov.uk version is the version that applies in the UK. The EU Version currently on EUR-lex is the version that currently applies in the EU i.e you may need this if you operate a business in the EU.
The web archive version is the official version of this legislation item as it stood on exit day before being published to legislation.gov.uk and any subsequent UK changes and effects applied. The web archive also captured associated case law and other language formats from EUR-Lex.
Version Superseded: 16/12/2017
Point in time view as at 31/12/2014.
There are currently no known outstanding effects for the Council Regulation (EC) No 428/2009, Division PART 2 — “ INFORMATION SECURITY ” .
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
Note 1 : The control status of “information security” equipment, “software”, systems, application specific “electronic assemblies”, modules, integrated circuits, components or functions is determined in Category 5, Part 2 even if they are components or “electronic assemblies” of other equipment. U.K.
Note 2 : Category 5 – Part 2 does not control products when accompanying their user for the user’s personal use. U.K.
Note 3 : Cryptography Note U.K.
5A002 and 5D002 do not control items as follows:
Items that meet all of the following:
Generally available to the public by being sold, without restriction, from stock at retail selling points by means of any of the following:
Over-the-counter transactions;
Mail order transactions;
Electronic transactions; or
Telephone call transactions;
The cryptographic functionality cannot easily be changed by the user;
Designed for installation by the user without further substantial support by the supplier; and
When necessary, details of the goods are accessible and will be provided, upon request, to the competent authorities of the Member State in which the exporter is established in order to ascertain compliance with conditions described in paragraphs 1. to 3. above;
Hardware components or ‘ executable software ’ , of existing items described in paragraph a. of this Note, that have been designed for these existing items, meeting all of the following:
“ Information security ” is not the primary function or set of functions of the component or ‘ executable software ’ ;
The component or ‘ executable software ’ does not change any cryptographic functionality of the existing items, or add new cryptographic functionality to the existing items;
The feature set of the component or ‘executable software’ is fixed and is not designed or modified to customer specification; and
When necessary as determined by the competent authorities of the Member State in which the exporter is established, details of the component or ‘ executable software ’ and details of relevant end-items are accessible and will be provided to the competent authority upon request, in order to ascertain compliance with conditions described above.
For the purpose of the Cryptography Note, ‘ executable software ’ means “ software ” in executable form, from an existing hardware component excluded from 5A002 by the Cryptography Note.
Note : ‘Executable software’ does not include complete binary images of the “software” running on an end-item. U.K.
The item is of potential interest to a wide range of individuals and businesses; and
The price and information about the main functionality of the item are available before purchase without the need to consult the vendor or supplier.
Note 4 : Category 5 – Part 2 does not control items incorporating or using “cryptography” and meeting all of the following: U.K.
The primary function or set of functions is not any of the following:
“ Information security ” ;
A computer, including operating systems, parts and components therefor;
Sending, receiving or storing information (except in support of entertainment, mass commercial broadcasts, digital rights management or medical records management); or
Networking (includes operation, administration, management and provisioning);
The cryptographic functionality is limited to supporting their primary function or set of functions; and
When necessary, details of the items are accessible and will be provided, upon request, to the appropriate authority in the exporter’s country in order to ascertain compliance with conditions described in paragraphs a. and b. above.
“ Information security ” systems, equipment and components therefor, as follows:
Systems, equipment, application specific “ electronic assemblies ” , modules and integrated circuits for “ information security ” , as follows, and components therefor specially designed for “ information security ” :
N.B. : For the control of Global Navigation Satellite Systems (GNSS) receiving equipment containing or employing decryption, see 7A005 and for related decryption “software” and “technology” see 7D005 and 7E001. U.K.
Designed or modified to use “ cryptography ” employing digital techniques performing any cryptographic function other than authentication, digital signature or the execution of copy-protected “ software ” , and having any of the following:
A “symmetric algorithm” employing a key length in excess of 56 bits; or
In Category 5 — Part 2, parity bits are not included in the key length.
An “ asymmetric algorithm ” where the security of the algorithm is based on any of the following:
Factorisation of integers in excess of 512 bits (e.g., RSA);
Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or
Discrete logarithms in a group other than mentioned in 5A002.a.1.b.2. in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve);
Designed or modified to perform cryptanalytic functions;
Note : 5A002.a.2. includes systems or equipment, designed or modified to perform cryptanalysis by means of reverse engineering. U.K.
Not used;
Specially designed or modified to reduce the compromising emanations of information-bearing signals beyond what is necessary for health, safety or electromagnetic interference standards;
Designed or modified to use cryptographic techniques to generate the spreading code for “ spread spectrum ” systems, other than those specified in 5A002.a.6., including the hopping code for “ frequency hopping ” systems;
Designed or modified to use cryptographic techniques to generate channelising codes, scrambling codes or network identification codes, for systems using ultra-wideband modulation techniques and having any of the following:
A bandwidth exceeding 500 MHz; or
A “ fractional bandwidth ” of 20 % or more;
Non-cryptographic information and communications technology (ICT) security systems and devices that have been evaluated and certified by a national authority to exceed class EAL-6 (evaluation assurance level) of the Common Criteria (CC) or equivalent;
Communications cable systems designed or modified using mechanical, electrical or electronic means to detect surreptitious intrusion;
Note : 5A002.a.8. only controls physical layer security. U.K.
Systems, equipment, application specific “ electronic assemblies ” , modules and integrated circuits, designed or modified to enable an item to achieve or exceed the controlled performance levels for functionality specified by 5A002.a. that would not otherwise be enabled.
Note : 5A002 does not control any of the following:
Smart cards and smart card ‘ readers/writers ’ as follows:
A smart card or an electronically readable personal document (e.g., token coin, e-passport) that meets any of the following:
The cryptographic capability is restricted for use in equipment or systems excluded from 5A002 by Note 4 in Category 5 – Part 2 or entries b. to i. of this Note, and cannot be reprogrammed for any other use; or
Having all of the following:
It is specially designed and limited to allow protection of ‘ personal data ’ stored within;
Has been, or can only be, personalized for public or commercial transactions or individual identification; and
Where the cryptographic capability is not user-accessible;
‘ Personal data ’ includes any data specific to a particular person or entity, such as the amount of money stored and data necessary for authentication.
Not used;
Not used;
Cryptographic equipment specially designed and limited for banking use or ‘ money transactions ’ ;
‘ Money transactions ’ in 5A002 Note d. includes the collection and settlement of fares or credit functions.
Portable or mobile radiotelephones for civil use (e.g., for use with commercial civil cellular radio communication systems) that are not capable of transmitting encrypted data directly to another radiotelephone or equipment (other than Radio Access Network (RAN) equipment), nor of passing encrypted data through RAN equipment (e.g., Radio Network Controller (RNC) or Base Station Controller (BSC));
Cordless telephone equipment not capable of end-to-end encryption where the maximum effective range of unboosted cordless operation (i.e. a single, unrelayed hop between terminal and home base station) is less than 400 metres according to the manufacturer’s specifications;
Portable or mobile radiotelephones and similar client wireless devices for civil use, that implement only published or commercial cryptographic standards (except for anti-piracy functions, which may be non-published) and also meet the provisions of paragraphs a.2. to a.4. of the Cryptography Note (Note 3 in Category 5, Part 2), that have been customised for a specific civil industry application with features that do not affect the cryptographic functionality of these original non-customised devices;
Not used;
Wireless “ personal area network ” equipment that implement only published or commercial cryptographic standards and where the cryptographic capability is limited to a nominal operating range not exceeding 30 metres according to the manufacturer’s specifications, or not exceeding 100 metres according to the manufacturer’s specifications for equipment that cannot interconnect with more than seven devices;
Equipment, having no functionality specified by 5A002.a.2., 5A002.a.4., 5A002.a.7., or 5A002.a.8., where all cryptographic capability specified by 5A002.a. meets any of the following:
It cannot be used; or
It can only be made useable by means of “cryptographic activation”; or
N.B. : See 5A002.a. for equipment that has undergone “cryptographic activation”. U.K.
Mobile telecommunications Radio Access Network (RAN) equipment designed for civil use, which also meet the provisions of paragraphs a.2. to a.4. of the Cryptography Note (Note 3 in Category 5, Part 2), having an RF output power limited to 0,1 W (20 dBm) or less, and supporting 16 or fewer concurrent users.
“ Information security ” test, inspection and “ production ” equipment, as follows:
Equipment specially designed for the “ development ” or “ production ” of equipment specified in 5A002 or 5B002.b.;
Measuring equipment specially designed to evaluate and validate the “ information security ” functions of the equipment specified in 5A002 or “ software ” specified in 5D002.a. or 5D002.c.
None.
“ Software ” as follows:
“ Software ” specially designed or modified for the “ development ” , “ production ” or “ use ” of equipment specified in 5A002 or “ software ” specified in 5D002.c.;
“ Software ” specially designed or modified to support “ technology ” specified in 5E002;
Specific “ software ” , as follows:
“ Software ” having the characteristics, or performing or simulating the functions of the equipment, specified in 5A002;
“ Software ” to certify “ software ” specified in 5D002.c.1.
“ Software ” designed or modified to enable an item to achieve or exceed the controlled performance levels for functionality specified by 5A002.a. that would not otherwise be enabled.
“ Technology ” as follows:
“ Technology ” according to the General Technology Note for the “ development ” , “ production ” or “ use ” of equipment specified in 5A002, 5B002 or “ software ” specified in 5D002.a. or 5D002.c.
“ Technology ” to enable an item to achieve or exceed the controlled performance levels for functionality specified by 5A002.a. that would not otherwise be enabled.
Note : 5E002 includes “information security” technical data resulting from procedures carried out to evaluate or determine the implementation of functions, features or techniques specified in Category 5-Part 2.]
Textual Amendments
F1Substituted by Commission Delegated Regulation (EU) 2020/1749 of 7 October 2020 amending Council Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items.
The Whole Regulation you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
Point in Time: This becomes available after navigating to view revised legislation as it stood at a certain point in time via Advanced Features > Show Timeline of Changes or via a point in time advanced search.
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
Click 'View More' or select 'More Resources' tab for additional information including: