Calder & Vance International Sanctions & Compliance Counsel

Export Controls & Dual-Use · BIS / EAR

BIS / EAR vs EU: Encryption export controls compared

A software company headquartered in California ships an encrypted collaboration platform to a European subsidiary, then on to a joint-venture partner in Singapore. Its compliance team assumes the US licence exception it used last quarter still covers the transfer. It does not check whether the EU's own export-control rules impose a parallel obligation on the European entity. Six weeks later, a customs audit surfaces the gap. Two regimes, two sets of obligations, one shipment – and the consequences now run in both directions.

Encryption export controls under the EAR (the US Export Administration Regulations, administered by BIS – the Bureau of Industry and Security) and the EU's dual-use regime operate from different legal foundations, use different classification methods, and grant different licence exceptions. A product that moves freely under one regime may require a formal authorisation under the other. Understanding where the regimes converge and where they diverge is the first step in building a defensible cross-border compliance position.

This analysis maps the two regimes criterion by criterion – legal basis, classification, the treatment of licence exceptions, end-user controls, and enforcement posture – and identifies the practical steps a cross-border business should take before shipping encrypted technology across either border.

What are the legal foundations of each regime?

The EAR rests on the Export Control Reform Act and is implemented through the Commerce Control List ("CCL"), which assigns each controlled item an Export Control Classification Number (ECCN – a five-character alphanumeric code that determines the control reasons, destinations, and licence requirements for a given item). BIS, a bureau within the US Department of Commerce, administers the regime, issues licences, maintains the Entity List (a list of parties subject to heightened or denied export privileges), and pursues enforcement actions. Encryption items sit primarily within Category 5, Part 2 of the CCL.

The EU dual-use regime is grounded in a directly applicable Council Regulation – most recently updated by what practitioners refer to as EU Regulation 2021/821 – and is supplemented by national implementing measures in each Member State. There is no single EU licensing authority: the competent authority of the Member State where the exporter is established handles licence applications, and enforcement sits with national customs and regulatory bodies. The EU Dual-Use List mirrors the Wassenaar Arrangement annexes, meaning the two lists share a common ancestor. That shared lineage creates convergence at the category level but significant divergence in procedural treatment.

Why does the legal foundation matter for daily compliance? Because the EAR has extraterritorial reach that the EU regime does not replicate in the same form. BIS can assert jurisdiction over a re-export of US-origin technology by a non-US entity – a European company transferring US-origin encryption software to a third-country partner remains subject to EAR jurisdiction. The EU regime does not follow the same "US-origin" thread; it focuses instead on the location of the exporter at the point of export from EU territory.

How do the classification systems compare?

Both regimes use tiered classification, but the granularity differs in ways that matter for encryption. Under the EAR, encryption items controlled for EI (encryption items) and AT (anti-terrorism) reasons occupy specific ECCNs in Category 5, Part 2. The classification exercise requires the exporter to assess key length, algorithm type, proprietary versus open-standard implementation, and whether the item is "publicly available" – a defined term in the EAR with specific conditions. Mass-market encryption products meeting defined criteria can qualify for a streamlined treatment, but the path to that treatment involves an initial technical review and, in some cases, a submission to BIS.

The EU Dual-Use List assigns encryption items to Category 5 Part 2 in equivalent terms. Because both lists derive from Wassenaar, the technical parameters – key lengths, algorithm references, the treatment of public-domain software – are broadly comparable. In practice, however, the EU list is implemented by 27 Member States, and national customs authorities interpret technical parameters with varying levels of sophistication. An item classified as non-controlled by one Member State's competent authority may attract scrutiny in another. In our cross-border practice, we regularly advise clients to seek a written classification determination from the relevant national authority rather than rely on an informal consensus position across Member States.

One important structural difference: the EAR's de minimis rule means that a foreign-made product incorporating more than a defined threshold of US-controlled encryption content is itself caught by the EAR, even if the product would otherwise fall outside US jurisdiction. The EU has no direct equivalent of this rule. For a European manufacturer integrating a US-origin encryption library into its own product, the EAR's de minimis provision is a live compliance issue that the EU rules alone would not surface.

Where do the licence exceptions and general authorisations diverge?

Licence exceptions under the EAR are a defined feature of the system: they are standing authorisations allowing specified exports, re-exports, or transfers without a case-by-case licence, subject to conditions. For encryption, the most relevant exception is ENC – a dedicated encryption exception with distinct treatment for mass-market products, retail products, and products for government end-users. The ENC exception involves an annual self-classification report submitted to BIS and the NSA, and in some cases requires a 30-day review period before shipment. That review period is a compliance deadline that practitioners must track.

The EU equivalent is a system of general export authorisations at the Union level (known as EU General Export Authorisations, or EU GEAs) plus national general authorisations issued by individual Member States. The EU GEA for dual-use items – including certain encryption products – covers exports to a list of approved destination countries. A business exporting from Germany, France, and the Netherlands simultaneously may find that all three operations can use the Union-level authorisation for some destinations, but that national-level authorisations apply differently for others. Maintaining three parallel records of authorisation use is a workload that firms sometimes underestimate.

The ENC exception under the EAR is available for both commercial and government end-users in many destinations, but government end-use triggers a separate licence requirement in a number of cases. The EU system handles government end-users through end-use certificate requirements rather than a separate exception category. That procedural difference changes the documentation burden: under the EAR, the government end-user question shapes which exception applies; under the EU rules, it typically generates an end-use certificate request at the time of the transaction.

The position above covers the standard classification and exception analysis. Your specific situation – the destination countries your platform reaches, the encryption parameters of your product, the nature of your end-users – will change the analysis materially. For a confidential review of your encryption classification and authorisation position across both regimes, contact Calder & Vance at info@caldervance.com.

How does the Entity List compare with EU end-user controls?

BIS maintains the Entity List – a list of foreign parties subject to a licence requirement for all items subject to the EAR, including encryption products that would otherwise qualify for an exception. The Entity List is maintained separately from the OFAC SDN List (OFAC's list of Specially Designated Nationals and blocked persons) and operates under a distinct legal basis: an entity may appear on the Entity List without being a sanctions target. For encryption exports, the Entity List is a pre-transaction check that must run in parallel with sanctions screening. An encrypted product shipped under a valid ENC exception to an Entity List party is still a violation.

The EU dual-use regime does not maintain a single consolidated end-user list equivalent to the Entity List. End-user controls in the EU operate through a "catch-all" provision: even if an item is not on the Dual-Use List, an export may be prohibited if the exporter knows, or has been informed by the competent authority, that the item may be used in connection with prohibited activities. This is a risk-based, information-dependent test rather than a list-based mechanical check. In practice, EU exporters conduct end-user screening against the UN Consolidated List, EU restrictive-measures lists, and national lists, but there is no BIS-equivalent list of denied or elevated-risk entities that applies uniformly across all Member States.

For a business operating from both US and EU locations, the practical implication is layered screening: BIS Entity List plus denied-persons checks on the US side; EU and Member State restrictive-measures lists plus catch-all due diligence on the EU side. Neither check substitutes for the other. We have acted for technology exporters who discovered, during a diligence review before a contract renewal, that a distributor had appeared on the Entity List while remaining absent from EU lists. The two screening runs must run independently.

What is the extraterritorial reach of each regime?

The EAR's extraterritorial reach is its most consequential feature for cross-border encryption compliance. US-origin encryption technology does not lose its EAR classification when it crosses the first border. A European software house that integrates a US-origin encryption module into its own product and then exports that product to a third country must assess whether the EAR continues to apply to the combined item. BIS applies a de minimis rule and a separate foreign direct product rule to determine jurisdiction over foreign-made items. The foreign direct product rule has been extended in recent years and now covers a wider range of situations than many exporters expect, as currently in force – verify the current scope before relying on any prior assessment.

The EU regime does not project jurisdiction in the same way. Once an item of EU origin has been lawfully exported from EU territory, the EU regime's direct obligations generally do not follow it. A third-country re-exporter is not bound by EU dual-use rules in the way that the EAR binds foreign recipients of US-origin items. This structural difference is significant for businesses that serve as an intermediate distribution hub: a Singapore entity receiving US-origin encryption technology from a European intermediary must apply the EAR's re-export analysis; it does not face a parallel EU obligation.

The cross-border divergence also arises in the context of deemed exports – the transfer of controlled technology to a foreign national on US soil, which is treated as an export to that person's home country under the EAR. The EU regime has no direct equivalent of the deemed-export rule for intra-EU transfers, though some Member States have domestic rules addressing technology transfers to non-EU nationals. For multinational technology teams with staff of mixed nationality working on encryption development, the EAR's deemed-export rule is a standing compliance issue that the EU framework does not replicate. Further analysis of the EAR's deemed-export provisions is set out in our Deemed Export Technology – BIS / EAR service page.

If a transaction has already been flagged under either regime, or a filing has been refused, an early review can preserve options that narrow with time. Contact Calder & Vance at info@caldervance.com for a prompt assessment.

How do enforcement postures differ between BIS and EU authorities?

BIS enforcement of the EAR is centralised, administratively powerful, and increasingly active in the encryption and semiconductor sectors. Civil penalties for EAR violations can reach significant amounts per transaction, and the enforcement programme includes both administrative penalties and, in serious cases, referral to DOJ for criminal prosecution. BIS publishes a schedule of aggravating and mitigating factors that shapes penalty outcomes, and a VSD (voluntary self-disclosure to a regulator) is a formal mitigating factor that can materially reduce the penalty in an unintentional-violation scenario. The US enforcement architecture means that a single systemic failure – a product incorrectly classified and shipped to multiple customers over several years – can produce a significant consolidated penalty exposure.

EU enforcement is decentralised. Each Member State's competent authority and customs service enforces the dual-use regime within its own jurisdiction. Penalty levels, prosecution thresholds, and enforcement activity vary materially across Member States. A business that makes the same classification error in Germany, the Netherlands, and Sweden faces three separate enforcement proceedings under three national legal systems with different penalty maxima and procedural rights. This creates an asymmetry: a single BIS investigation can resolve all US-side exposure in one proceeding; EU-side exposure may require engagement with multiple national authorities simultaneously.

In our practice, we regularly advise on VSD strategy for EAR violations and on parallel engagement with national competent authorities for EU dual-use matters. The timing and sequencing of disclosures across the two regimes require careful management: a disclosure to BIS that describes the facts in detail may create a record that national EU authorities then use. Coordinating the disclosure strategy across regimes is one of the more complex aspects of multi-regime encryption enforcement defence.

Practical risk flags for cross-border encryption compliance

The most consistent risk pattern we observe is a business that has classified its product under one regime and assumed the classification holds for the other. It does not. A self-classification exercise under the EAR using the CCL does not produce an EU classification – and vice versa. Both exercises are required, and both must be documented.

A second persistent risk is reliance on a licence exception or general authorisation without checking the destination against the list of approved countries for that authorisation. Both regimes maintain positive lists of eligible destinations for their standing authorisations. Those lists change. An authorisation that covered a destination last year may not cover it today.

Third: the government end-user issue. Technology businesses that sell to both commercial and government customers using the same product often process both under the same classification path. Under both the EAR and the EU regime, government end-use can change the authorisation requirement. The question of whether a customer is a "government end-user" is sometimes less obvious than it appears – state-owned enterprises, quasi-governmental research bodies, and mixed public-private entities all require a fact-specific assessment.

A common objection is that open-source encryption software is always exempt from export-control requirements. This is not accurate. Both the EAR and the EU dual-use regime have conditions under which software in the public domain, or published in open-source repositories, retains controlled status. The "publicly available" or "public domain" exception under each regime has specific conditions that must be met affirmatively; the mere fact that code is accessible on a public repository does not satisfy those conditions without further analysis.

Related practices

Frequently asked questions

Where do the regimes diverge on encryption export controls?
The principal divergences are extraterritorial reach, enforcement architecture, and end-user controls. The EAR follows US-origin encryption technology across borders through the de minimis and foreign direct product rules; the EU regime does not assert equivalent reach over EU-origin items after lawful export. BIS enforcement is centralised and administratively powerful; EU enforcement is decentralised across 27 Member States with varying penalty regimes. The Entity List provides a BIS-specific party-screening layer with no direct EU equivalent. Both regimes require independent classification and authorisation analysis: a product cleared under one regime is not automatically cleared under the other.
Which regime is stricter on encryption export controls?
Neither regime is uniformly stricter across every dimension. The EAR is stricter in extraterritorial reach: it follows US-origin encryption technology through re-exports and foreign-made derivatives in ways the EU regime does not. The EAR also applies a specific deemed-export rule for technology transfers to foreign nationals that the EU framework does not replicate. The EU regime, however, applies to a wider geographic footprint through its 27 national enforcement systems, and the catch-all provision creates a risk-based obligation that extends beyond the Dual-Use List itself. For a business exporting US-origin encryption technology, the EAR's reach is typically the dominant constraint; for a purely EU-origin product distributed within EU territories, the EU regime governs.
What should a cross-border business do about encryption export controls?
A cross-border business should first conduct a classification exercise under both the EAR and the EU Dual-Use List independently, as the two analyses are not interchangeable. It should then identify the applicable licence exception or general authorisation for each relevant destination and confirm that those authorisations cover each destination country currently in effect. It must run parallel screening checks: BIS Entity List and denied-persons checks on the US side; EU and Member State restrictive-measures lists and catch-all due diligence on the EU side. Documentation of classification decisions, authorisation reliance, and screening results should be maintained for the applicable record-keeping period under each regime. Where any element of this analysis is uncertain, counsel should be involved before the shipment, not after it.

Talk to Caldervance

For a scoped view of your exposure, contact info@caldervance.com.

Discuss your matter

This publication is general information and does not constitute legal advice. For advice on your situation, contact info@caldervance.com.