Selling technology items or software in or from France?

Introduction

Companies selling encryption items in France or from France should be mindful that France maintains specific controls on encryption items. These controls apply not only to exports from France but also to imports as well as certain other transactions with a French nexus. This means that items such as software, including Software as a Service (“SaaS”), hardware, IT goods, and technology, having encryption functions might be subject to mandatory filings.

These controls are an autonomous regime, in particular these controls apply in addition to the EU Dual-Use Regulations. Thus, it should not be assumed that items exempted from dual-use controls are automatically exempted from French encryption controls.

We have provided a summary below of the relevant definitions and key mandatory fillings that companies selling products on the French market, or exporting encryption products from France should be aware of.

What is covered by the French encryption controls regulations?

Encryption items

Under French encryption controls law, an “encryption item” means “any hardware or software designed or modified to alter data, whether information or signals, using secret protocols, or to perform the reverse operation with or without secret protocols. The main purpose of the encryption items is to guarantee the security of data storage or transmission, by ensuring their confidentiality, authentication or integrity control” (Article 29 of Law No 2004-575 dated 21 June 2004, hereafter referred to as “Law No 2004-575”).

In practice, the definition has largely the same scope as the encryption items listed under Category 5, Part 2 of Annex I of EU Dual-Use Regulation, however there are some differences. A case-by-case assessment should always be taken to determine whether an item falls within the scope of Law No 2004-575 even where it is determined the item does not fall within the scope of EU Dual-Use Regulation.

Transactions and operations

As a general rule, using encryption items in France is allowed and is not subject to any restrictions.

However, providing encryption items in France; importing, transferring and exporting encryptions items from/into France; and providing encryption services to third parties is subject to prior registration.

There are a few exemptions, where encryption items will not be subject to French encryption controls if the encryption functions meets the required conditions, such as an encryption being strictly limited to authentication purposes.

The three types of registration depending on the activities and classification involved.

1. Prior declaration

Declaration is the fastest and least burdensome type of registration. It applies to the provision, import and transfer of encryption items in France. It also applies to the provision of encryption services. Prior declaration should be made to the French National Agency for the Security of Information Systems ("ANSSI").

2. Prior authorisation

Exports and transfers of encryption items from France are subject to prior authorisation from ANSSI. The authorisation is granted for a specific period of time and has to be renewed before it expires.

The export of encryption items which also fall within the scope of the EU Dual-Use Regulation must also separately be authorised by the French export control authority (“SBDU”). Exporters must first apply and get an authorisation from ANSSI before applying for an export licence to SBDU.

3. Mass-market classification

The mass-market classification is relevant for businesses who intend to export or transfer encryption items from France to several countries. Instead of applying for several authorisations, the mass-market classification will cover all exports or transfers from France.

Mass-market classifications will be granted by ANSSI for encryption items meeting the following three criteria: (i) the item is generally available to the public, (ii) users cannot modify the cryptographic functions, and (iii) the item was designed to be used without significant assistance from the provider.

Getting your registration over the line

Companies should carefully consider what information they will be legally required to provide when filing the registration form as incorrect information process will lead to the registration being rejected.

The filing and registration process usually takes between 3 to 6 months. The length of the process also depends on whether ANSSI is required to ask follow-up questions and further clarification. Therefore, it is crucial that you prepare the filings with care and ensure that all the required information is provided to ANSSI.

ANSSI deals with a significant amount of cases and it might be difficult to reach to them by phone, especially if this is not done in French. ANSSI may accept to a certain extent submissions in English, provided some conditions are met and that submissions strictly follow templates provided by ANSSI.

New versions of registered products and renamed products: when is a new declaration required?

It is worth noting that launching a renamed product or a new version of the same product would not necessarily trigger a new registration obligation, unless the encryption functions were modified since the initial registration. Guidance from ANSSI contains a list of the conditions required to benefit from this exception and what information should be provided to ANSSI in each situation,

As a key takeaways, we note that it is important for companies to

1. Assess whether they need to file a declaration or obtain a prior authorisation from the competent authorities when selling, importing and/or exporting encryption items in France.

   1. A product not registered in France cannot be legally placed on the French market or exported from France The same applies for products with an expired registration which has not been renewed.

   2. Non-compliance will expose businesses to a risk of being fined or prosecuted by the French customs and criminal authorities

2. When filing a registration we recommend ensuring ANSSI is provided with enough information to reduce the number of, and ultimately avoid, any follow-up questions from the authorities during the filing process .

3. Businesses should not assume that US classifications analysis automatically apply  for the French filing process. For example items classified as 5A992 in the US might not always be classified as mass-market in France and, provided it is, importers must still request a French mass-market classification document where conducting specific activities in France

4. Businesses should not assume that an item not controlled under the EU Dual-Use Regulation is also not controlled for French encryption regulations' purposes.

How can we help?

The HL Trade Team regularly assists the world’s leading companies with registering their encryption products in France and dealing with  ANSSI. We can guide you through the registration process and help you anticipate and mitigate the risks ensuring a seamless and efficient registration.

Authored by Aline Doussin and Pierre Estrabaud.