Export Compliance of Software & Apps

Companies that develop and distribute apps must also comply with US regulations. Anyone who develops an app in Germany for the German market is supposedly not subject to any export restrictions, as the software is not exported from the USA. This can be a misconception for several reasons. Firstly, most app store operators are legally based in the US and therefore the market platform and all products traded on it are automatically subject to US export rules as US products. Secondly, even if the app is not offered for download via US platforms and servers, developer kits and program libraries whose manufacturers or licensors are based in the USA are often used in software development. If these are essential components or technologies for the development or functionality of the app, this can also lead to the finished software product being considered "US controlled" due to the US components, so that the US re-export rules apply in this case.

In addition, encryption technology is used in apps to make information unreadable, prevent unauthorized duplication or modification of the app and prevent data misuse. Depending on the encryption methods used, encryption depths and the actual functionality made available to the end user, it is decided whether the finished software product may fall under the export control rules for information security and cryptography. This may involve reporting obligations, country restrictions or licensing procedures for the export of such software. As the regulations in the EU differ slightly from those in the USA in this respect, it is important to determine which export rules the software falls under.

For any product that contains encryption components above a certain key depth, an encryption registration, classification application and/or self-classification report may need to be submitted. For companies and developers, these requirements can present complex curtains that are difficult to navigate without professional advice and support.

The widespread use of open source software (OSS), which may be subject to US export controls (e.g. open source license registered with US university), is also usually not considered by companies in connection with US export controls.

Encryption technologies and other EAR-relevant software and OSS find their way into companies and products in various ways:

• In-house product development uses libraries and developer kits that use encryption technology
• Export control content is used by contract developers
• Standard software
• Purchased OEM versions
• Resale of hardware with firmware
• Purchase of hardware components, drivers, reference implementation with SW/OSS
• Customer specifications during development
• SW/OSS project changes the previously used (acceptable) encryption technology

Problems can arise for companies in the course of export control of software/OSS if software subject to classification has not been classified or has been classified incorrectly, or the software was made available to end users, although the correct classification implied an authorization requirement or a ban.

Compliance measures for US re-export security

It is crucial for companies to establish appropriate internal procedures for dealing with SW/OSS in order to comply with US export control regulations and avoid penalties. Exportwirtschaft ICS can provide you with expert advice on US re-export control and support you in setting up tools and processes for SW/OSS management.
Illegal exports occur when companies fail to comply with reporting and licensing requirements. Experience has shown that this is caused by a lack of clear process structures and responsibilities in companies. Exportwirtschaft ICS provides efficient and competent advice in areas such as material classifications, goods list checks and application submission. Our experts help you to set up the right structures in your company so that all country-specific customs and export law requirements are met.

Please feel free to contact us.