Export permits for cryptographic items

Table of Contents

Introduction

Guide to Canada's Export Controls

The Export Control List (ECL) describes goods and technology that are subject to export controls. Exports of such items must be authorized by an export permit before they may be exported from Canada to any country (other than, with some exceptions, the United States).

The complete text of the Export Control List is published in the Guide to Canada's Export Controls. Cryptography controls are outlined in Category 5 - Part 2 ("Information Security") of Group 1 (the Dual-Use List). If your product meets the criteria for control described in this section, or if you are unsure but believe it might be included on the ECL, you should apply for a permit.

Permits are not required to export cryptography and information security goods or technology from Canada to the United States. Exports of Canadian goods or technology from the United States or other countries are subject to export controls of that country. However, foreign consignees who intend to re-export such goods or technology should state that in the end-use statement, if one is required.

Exporters may also refer to our list of Frequently Asked Questions about cryptography exports. These address specific issues and assume a familiarity with the information in the Guide to Canada's Export Controls, the Export Controls Handbook, and other information contained on this website.

Export Controls Handbook

The Export Controls Handbook is a reference document. It describes how to apply for export permits and includes guidance on issues such as:

  • use of Export Controls Online (NEXCOL)
  • how an applicant should describe items in their export permit application
  • mandatory supporting documents, in particular technical description and end-use statements
  • destination and origin considerations.

General Export Permits

Pursuant to the Export and Import Permits Act, the Minister of Foreign Affairs has issued two (2) General Export Permits (GEPs) relating to the export or transfer of cryptography.

GEPs are intended to be used to facilitate trade in defined circumstances and are issued generally to all residents of Canada to allow the export or transfer of specific goods and technology that are included in the Export Control List (ECL) to certain specified destinations, subject to terms and conditions. GEPs do not require an individual application to be submitted to Foreign Affairs, Trade and Development Canada for purposes of export or transfer.

For more information on the applicability and limitation of these GEPs, please consult the following weblink:

Exporters wishing to utilize these GEPs must prior to their first exporting a calendar year, provide in writing to the Export Controls Division of Foreign Affairs, Trade and Development Canada:

  • their name, address, telephone number, facsimile number and electronic mail address
  • in the case of a corporation, the name of a contact person and their address, telephone number, facsimile number and electronic mail address, the business number assigned to the corporation by the Minister of National Revenue, and
  • (in the case of GEP 45) a description of the products whose production and development will be facilitated by the exports or transfers.

Individual export permits

An individual permit allows exports of goods and technology described therein to specified consignees in a single country. Individual permits may authorize exports of any cryptographic items controlled in Group 1: Category 5 – Part 2 of the Export Control List (ECL). An application must be submitted to the Export Controls Division in order to obtain an individual permit. Once it has been issued to an applicant, this type of permit generally does not require that actual exports be reported (in contrast to some other permit types).

Applications

Export permit applications for information security goods/technology and goods/technology employing cryptography consist of the following:

  • complete application form (generally done through our online system NEXCOL)
  • Cover letter or notes in the “Applicant/exporter comments” field of the NEXCOL application form explaining the overall nature of the proposed transaction, including the roles of the parties involved and the end-use of the product. This information informs the Export Controls Division's review of the application by providing a clear picture of the particulars of the proposed export.
  • a completed cryptography and information security product questionnaire
  • technical description of the goods/technology. The Export Controls Division undertakes a technical assessment of the goods or technology listed in the export permit application to determine under which Export Control List Item(s) they fall. For this purpose, technical specifications of the export must be detailed and adequately describe the characteristics of the goods and services. Enough details must be provided to establish the true nature of the items. These could be provided in the form of drawings, data sheets, manuals, component lists, and so on. Marketing brochures may also provide useful additional information. The information that is submitted should make clear the type and function of the goods and provide key technical parameters.
  • signed end-use statement from the final consignee to whom the export shipment is destined – exporters may use the template provided or submit other documents which contain the same information required in the template. When alternative end-use documents are provided, the applicant must clearly indicate in their application where in those documents each of the elements of the end-use statement template are met.

As noted above, general information that is required in an export permit application form submitted through NEXCOL can be found in the Export Controls Handbook.

Exporters of information security goods/technology and goods/technology employing cryptography should note the following guidelines on identifying items in an export permit application:

  • Descriptions of finished products should use the following format: [brand name or name of manufacturer] [model name] [part number]. This information should be consistent with packaging labels, invoices, and shipping documents.
  • Descriptions of software should use the following format: [software developer or publisher name] [software name] [version number x.x] [means of export – eg, on CD or by FTP]. This format assumes that, in the version number, changes to the right of the decimal (eg, from version 3.0 to 3.1) will only be updates, patches, or fixes with no change to the cryptographic functionality, and that any other change to the software, including a change to the cryptographic functionality, will result in a change from version 3 to version 4.
  • Item descriptions should not describe the purpose, use, or physical appearance of the product (this should be provided instead in the field “Overall Description of Goods and End-Use” in the NEXCOL application form) nor include references to the Export Control List (self-assessments should be provided in the field “ECL No.” in the NEXCOL application form).
  • The Description is how the goods or technology will be identified on the export permit, which will also be verified against the Export Declaration submitted to the Canada Border Services Agency at the time of export.

An export permit issued for software will generally include the version number, as noted above (eg, version 1.x). Changes to the version number to the left of the decimal (ie, from version 1.x to version 2.x) require a new permit to be issued. In other words, if a permit is issued for version 1.1, the exporter may also use that permit to export versions 1.2 and 1.3 (assuming there has been no change to the cryptographic functionality). However, that permit may not be used to export version 2.1 of the same software. A new permit application should be submitted.

Application review period

The Export Controls Division makes every effort to review export permit applications as quickly as possible. The Export Controls Division has established service delivery targets for applications to export in order to provide applicants with timely service. Review times may vary according to the complexity of an application, the adequacy and completeness of the information presented in it, and the number of applications under review at any given time. Under normal circumstances:

  • complete applications for many destination countries, including most European countries, Japan, South Korea, Australia and New Zealand, will be reviewed within 10 business days from the submit date in NEXCOL or from the date of receipt in the Export Controls Division;
  • complete applications to other destinations will be reviewed within eight weeks from the submit date in NEXCOL or from the date of receipt in the Export Controls Division.

Permits are not required to export cryptography and information security goods or technology from Canada to the United States.
Applicants whose applications are incomplete will be asked to provide additional information within a specific time period. Incomplete applications may be returned without action in order for them to be submitted again at a later date when the required information is available to the applicant.

Validity periods for individual export permits

The default validity period for individual export permits for cryptography is two years. Exporters may request shorter or longer validity periods, up to 5 years. Individual applications may also be amended to extend the validity period by up to one year at a time (applications must be made through NEXCOL at least 2 weeks before the expiry date of the existing permit – refer to the Export Controls Handbook for more information).

Multidestination export permits

The Export Controls Division issues several types of “multidestination” export permits for cryptographic items. These allow for exports to multiple destination countries without consignees being specified in the application. These permits differ according to the cryptography products that are intended to be exported and the terms and conditions that apply to the use of these permits. The following multidestination permits are currently issued by the Export Controls Division:

  • EU+5 cryptography permit: this type of permit may authorize exports of hardware, software, source code or other technology controlled under Export Control List Group 1 Category 5 – Part 2: “Information Security”. Eligible destinations include all countries within the European Union (except Cyprus), Australia, Japan, New Zealand, Norway and Switzerland. There are no regular reporting requirements but export records must be maintained and provided to the Export Controls Division if requested.
  • Broadbased permit: this type of permit is generally available to those applicants to whom an export permit has been issued in the past. It allows the export of hardware, executable software, and associated information and enhancements to a wide range of countries; it requires that all exports or transfers made using the permit be reported every six months. Applicants who have a history of non-compliance with previously issued export permits may apply for broadbased permits but will be subject to a shorter validity period.

Applications

Please contact the Export Controls Division if you wish to submit an application for a multidestination permit using NEXCOL and have not done so before. You should send an email to tie.reception@international.gc.ca and request that your NEXCOL profile to be set to enable applications for multidestination cryptography permits.

Applications for multidestination permits must include the following:

  • Complete application form (generally done through our online system NEXCOL)
  • A completed cryptography and information security product questionnaire
  • Technical description of the goods/technology. The Export Controls Division undertakes a technical assessment of the goods or technology listed in the export permit application to determine under which Export Control List Item(s) they fall. For this purpose, technical specifications of the export must be detailed and adequately describe the characteristics of the goods and services. Enough details must be provided to establish the true nature of the items. These could be provided in the form of drawings, data sheets, manuals, component lists, and so on. Marketing brochures may also provide useful additional information. The information that is submitted should make clear the type and function of the goods and provide key technical parameters.
  • Cover letter using the template provided and confirming the exporter agrees to abide by the terms and conditions of the permit.

Some types of multidestination permits may require other supporting documents or information. Please refer to the detailed descriptions of each for more information.

Applicants/exporters must indicate the approximate quantity for each of the items they intend to export during the validity period of the proposed permit. Such quantity must be reasonable and within the commercial prospects of the intended exports.  The applicant/exporter may be able to further justify their proposed quantity in their Cover Letter. Quantities that merely reflect “inventory numbers”, “catalog inventory” or “maximum possible quantities” will not be accepted and the corresponding application will be returned without action.

Application review period

The Export Controls Division makes every effort to review export permit applications as quickly as possible. The Export Controls Division has established service delivery targets to process permit applications in order to provide applicants with timely service. Review times may vary according to the complexity of an application, the adequacy and completeness of the information presented in it, and the number of applications under review at any given time. Under normal circumstances:

  • complete applications for multidestination permits will be reviewed within 8 weeks from the submit date in NEXCOL or from the date of receipt in the Export Controls Division.

Permits are not required to export cryptography and information security goods or technology from Canada to the United States.
Applicants whose applications are incomplete will be asked to provide additional information within a specific time period. Incomplete applications may be returned without action in order for them to be submitted again at a later date when the required information is available to the applicant.

Validity periods for multidestination permits

The validity period for multidestination export permits for cryptography is 2 years. Applicants whose product development cycles are shorter than 2 years may wish to request shorter validity periods since new versions of a cryptography item require the submission of a new application (and these new applications may include all previous versions of the same product).

Export Control Compliance Plan

A statement is required in the cover letter indicating that the exporter has implemented an export control compliance plan. Multidestination permits allow greater flexibility to exporters than individual permits, but also impose different conditions on them, in particular the requirement to submit certain reports at regular intervals. Failure to comply with these conditions may result in the suspension or cancellation of a multidestination permit. When this happens, an exporter cannot use the corresponding permit until full compliance has been restored and must apply for individual permits in the interim. Export control compliance plans may reduce the risk and consequences of non-compliance.

In general terms, an export control compliance plan consists of defined or prescribed processes and procedures to ensure that employees at all levels of a company understand and act in accordance with the letter and spirit of the Export and Import Permits Act, the Customs Act, other trade-related legislation (for example, on sanctions) and their related regulations.

The export control compliance plan should establish the steps and due diligence processes a company follows when planning, marketing, and shipping items included in the Export Control List to foreign clients, and should also cover download practices (if applicable). An important provision of such a plan is a defined process to provide a reasonable level of assurance (due diligence) that goods or technology may not be exported to unauthorized or illegitimate end-uses or end-users.

Attached to an export permit may be terms and conditions that constitute legal obligations on the company that uses that permit. An export control compliance plan should ensure that those terms and conditions are recorded and that internal company processes reflect and meet those obligations.

Other obligations on exporters of goods and technology subject to export controls are prescribed in the following sections of the Export and Import Permits Act:

  • Subsection 10.2 (which requires exporters to make records available for inspection)
  • Subsection 10.3 (which requires records to be kept)
  • Section 13 (which prohibits exports of goods or technology included in the Export Control List except in accordance with an export permit)
  • Section 16 (which prohibits the transfer of an export permit)
  • Section 17 (which prohibits the furnishing of false or misleading information or any misrepresentation in relation to an export permit application)
  • Section 18 (which prohibits any person from assisting another to contravene the Act or its regulations)

An export control compliance plan should also address procedures to deal with instances of non-compliance. For example, the Export Controls Division of Foreign Affairs, Trade and Development Canada should be promptly notified of any failure to comply with the provisions of the Export and Import Permits Act or the terms and conditions of any export permit issued under the authority of that Act.