Export Control China

Dassault Systèmes (3DS) develops, markets, and makes available various types of enterprise and industrial software, listed in Appendix I (the “Software”). 3DS has several Chinese subsidiaries that undertake development and marketing activities.

The Software is not considered to fall under Annexes I and IV of EU Regulation 2021/821. While not listed as dual-use goods, it may still be controlled under the catch-all clause. This Software also meets the EAR99 classification requirements under the US EAR regulations.

The Software incorporates cryptographic components or technologies. These provide cryptographic functionalities for authentication and digital signatures. However, these functionalities are not the primary function of the Software. The key lengths used vary between 256 bits (ECDSA algorithm) and 1024 bits (RSA).

3DS wishes to assess the impact of the new Chinese export control regulations on the Software, and has asked us for our opinion on the following questions:

  1. Do you consider that our products may be subject to export control under the Chinese regulations, particularly whether they appear on the List of Dual-Use Items?
  2. Is the use of dual-use software via a cloud service considered an export activity?
  3. In the EC List, Part 1, Section 2 “The Normative Description”, item (iii) note on “software” states that:

“Software” means a collection of one or more “programs” or “microprograms” contained in a tangible medium. Controls on the transfer of “software” do not apply to the following “software”:

  1. “Software” that is normally made available to the public in the following ways:
    (1) Sold in retail outlets where there are no restrictions;
    (2) Dedicated to the user’s own installation without further specific support from the supplier;
  2. In the public domain.”

Could you please elaborate on this point, and in particular the notion that export controls on the transfer of software do not apply to software that is generally made available to the public, especially when it is sold through “retail outlets where there are no restrictions”? How should “retail outlets where there are no restrictions” be defined in this context?

  1. Can products classified as EAR99 or equivalent, falling under the General Software Note, be considered eligible for the above exemption?
  2. Could you confirm whether the catch-all rule also applies to deemed exports?
  3. If Chinese individuals or companies have contributed to the development of the code of an open-source product, do the prohibitions set out in Article 49 of the PRC Export Control Regulation apply?
  4. Could you clarify the concept of “exporter” under the Chinese regulations? For example, in our case, if Dassault Shanghai is the contracting entity, Dassault France is the licensor, and Dassault Singapore is the entity sending the keys to access the software, who would be considered the exporter?
  5. How do Chinese laws define affiliation or related-party relationships? For example, can two “sister” entities such as Dassault Americas and Dassault China be considered affiliated under the relevant regulations, or does the definition apply exclusively to parent–subsidiary relationships? Furthermore, if Dassault Americas has commercial dealings with a company listed by the Chinese authorities, would Dassault China be exposed to legal risk if a corporate affiliation is established between the two entities?
  6. Do Chinese regulations prohibit Dassault Systèmes from supplying its customers in China with products containing components from American companies listed on China’s UEL?
  7. What are the legal and regulatory criteria defining the notion of “Made in China,” and what is its current scope of application?
  8. What measures or policies implemented in China are likely to encourage State-Owned Enterprises (SOEs) to exclusively prioritize sourcing products of Chinese origin (“Made in China”)?

 

Question 1: Do you consider that our products may be subject to export control under the Chinese regulations, particularly whether they appear on the List of Dual-Use Items?

Through our verification of the Chinese Dual-Use Items (DUI) Export Control List (the “EC List”), we conclude that none of the Software matches any software described in the EC List.

Within the list, we separated the software entries relating to the use of dual-use items from those relating to the production or development of dual-use items. We understand that none of your Software relates to the use of such items, so we discarded those codes. The dual-use software entries that could be relevant are:

| ECC | Section | Code description |
| --- | --- | --- |
| 1D003 | 1 – Specialised materials and related equipment, chemicals, micro-organisms and toxins | Software specially designed or modified for the development and productions for test, inspection and production equipment of titanium, aluminium and their alloys for the manufacture of superplastic forming for aircraft, aerospace engines and equipment. |
| 2D101 | 2 – Material Processing | Software specially designed or modified for the development and productions of process control units for pyrolytic deposition and densification processes. |
| 2D202 | 2 – Material Processing | Software specially designed or modified for the development of machine tools for cutting or cutting metals, ceramics or composite materials with an electronic device. However, they would only be controlled if they are specifically designed or modified for the sole purpose of developing the above mentioned machine tools. |
| 4D102 | 4 – Computers | Software specially designed for modeling, simulation, or integration of missile or rocket systems. |
| 5D002 | 5 – Telecommunications and information security | Software specially designed or modified for the development of cryptographic equipment, however they would only be controlled if they are specifically designed or modified for the sole purpose of developing this cryptographic equipment. |
| 7D105 | 7 – Navigation and avionics | Software specifically designed or modified for the design and development for navigation processors of non-civil aircraft. |
| 9D001 | 9 – Aerospace and propulsion | Software specifically designed or modified for the development of turbine engines related equipment or related tools, moulds, jigs and fixtures. |

 

The control is however subject to the condition of being “specially designed”. In the EC List, Chapter 1, Section 2 “The Normative Description”, item (viii) – note on “specially designed” states that:

“Specially designed” refers to systems, equipment, components, assemblies, materials, or software that are developed for a specific purpose and have unique features. For example, equipment specifically designed for use in missiles, if it has no other function or use, should be considered as “specially designed” equipment. Similarly, manufacturing equipment specifically designed to produce a particular component, if it cannot be used to produce other components, should also be regarded as “specially designed” equipment.

In your case, we understand that the software products under analysis are not specially designed for any specific application, but instead are intended for broader, general-industrial applications. Therefore, we are of the opinion that the eight software products in question should not, in themselves, fall under the current Chinese EC List.

If, however, a client of 3DS requires a made-to-measure version of a Software, the latter would be specially modified for the purpose indicated by the client, and potentially covered in the EC List based on the modified function.

Notes regarding cryptography

Cryptographic equipment, software and technologies are subject to an additional regulation in China: the PRC Cryptography Law[1] and the Commercial Cryptography Regulation[2].

“Cryptography” is defined under the PRC Cryptography Law as the technologies, products and services that apply specific transformation methods to provide encryption-based protection or security authentication for information and other data.

Under the Commercial Cryptography Regulation, import control appears to be explicitly limited to commercial cryptography that has encryption-based protection functions:

“Article 31 Para. 1: Commercial cryptography with encryption-based protection functions that involves national security or public interest shall be included in the commercial cryptography import licensing list and be subject to import licensing.”

China implements a list of hardware equipment containing cryptographic properties, which are controlled at importation (see Appendix II). This list does not concern the Software.

For export control, the regulation does not restrict the control to cryptography with encryption-based protection functions that do not involve national security:

“Article 31 Para. 2: Commercial cryptography that involves national security, public interest, or China’s international obligations shall be subject to export control.”

From a strict reading of the law, regardless of whether the primary function of a cryptographic product is authentication (or another basic function) or encryption protection, the determination of whether a cryptographic product is subject to export control should, in our opinion, rely solely on a comparison of the technical descriptions provided in the EC List (Section 5 – Part 2 of the EC List – see the free English translation in Appendix III) with the product’s actual technical characteristics.

We did not identify any technology or software described in Section 5 – Part 2 of the EC List that matches your Software.

Lastly, the Commercial Cryptography Regulation provides that commercial cryptography used in mass consumer products is exempt from import or export control. Regarding the concept of “commercial cryptography used in mass consumer products”, the State Cryptography Administration provided an explanation stating that:

“Commercial cryptography used in mass consumer products refers to products or technologies that the general public can purchase without restriction through regular retail channels, are intended for personal use, and whose cryptographic functions cannot be easily modified.”

 

Question 2: Is the use of dual-use software via a cloud service considered an export activity?

Under the PRC Export Control Law[3] and the PRC DUI Export Control Regulation[4] (together referred to as the “export control regulations”), “export” refers to the following activities:

  • Transferring the items from within the Chinese territory[5] to outside the territory. That includes the case where 3DS China stores the software on a cloud platform located outside China;
  • Providing the items by Chinese citizens or organizations to foreign individuals or organizations (deemed export).

The above definition should be interpreted broadly. In particular, the Guidelines for Internal Compliance of Dual-Use Items Export Control issued by MOFCOM specify that storing or transmitting software and technology using online storage methods like “cloud” services falls under the control.

Therefore, we consider that the following activities (non-exhaustive) might be considered as an export under the PRC export control regulations:

  • 3DS China stores the Software on a cloud platform located within China, and allows its client to access this cloud platform, then the Software, from outside China;
  • 3DS China stores the Software on a cloud platform located within China, while the client accessing the cloud and the Software, who is also based in China, is a foreign national;
  • 3DS China uploads/transfers the Software to a cloud platform located outside China and the client accesses the cloud and the Software.

Please note that, under the export control regulations, the ownership of the software and purely contractual arrangements are irrelevant when determining whether an activity constitutes an “export”. Also, the Chinese export control regulations do not specifically control brokering activities. Therefore, the following activity (non-exhaustive and provided that Article 49 on ‘second exportation’ is not triggered) is not, in our view, considered an export:

  • 3DS China enters into the commercial contract with a client based outside or inside China, while the Software is directly stored/uploaded by 3DS France onto a cloud platform which is located outside China, with no cross-boundary transfer of the Software or source code from China during this given transaction.

 

Question 3: In the EC List, Part 1, Section 2 “The Normative Description”, item (iii) note on “software” states that:

“Software” means a collection of one or more “programs” or “microprograms” contained in a tangible medium. Controls on the transfer of “software” do not apply to the following “software”:

  • “Software” that is normally made available to the public in the following ways:
    (1) Sold in retail outlets where there are no restrictions;
    (2) Dedicated to the user’s own installation without further specific support from the supplier;
  • In the public domain.”

Could you please elaborate on this point, and in particular the notion that export controls on the transfer of software do not apply to software that is generally made available to the public, especially when it is sold through “retail outlets where there are no restrictions”? How should “retail outlets where there are no restrictions” be defined in this context?

The Chinese regulations do not provide further definition regarding the above criteria, including the meaning of “retail outlets where there are no restrictions”, nor have any official interpretations been issued by the relevant authorities. We have also looked into other Chinese regulations and law, such as distribution law or consumer law. There is no legal definition of this concept under Chinese law.

In our view, the nearest legal reference is the mass market concept defined in the Commercial Cryptography Regulation. As noted in Question 1 above, such mass consumer products are officially interpreted as “products or technologies that the general public can purchase without restriction through regular retail channels, are intended for personal use […]”.

This “retail outlet” concept was newly introduced with the promulgation of the EC List in December 2024 and is largely modeled on the wording used in US and EU export control regulations. We believe that interpretations made under US and EU export control laws, as well as the PRC Commercial Cryptography Regulation, for mass-market products would be applied similarly to the Chinese concept of retail outlets as laid down in the PRC Export Control Law. In this sense, “retail outlets” are to be understood to include various forms such as over-the-counter transactions, mail order transactions, electronic transactions or telephone call transactions. The conditions of “availability to the public” and “no need for support from the supplier” would suggest that it applies to commercial off-the-shelf software, whose installation is straightforward and does not require specific technical support from the seller.

 

Question 4: Can products classified as EAR99 or equivalent, falling under the General Software Note, be considered eligible for the above exemption?

The PRC export control regulations are to be read strictly. In your view, the exemption described above corresponds to §1 and §2 of the EAR General Software Note. Provided that no divergent interpretation from the Chinese legislator or authorities is made official (at the moment there is none), a product meeting §1 and/or §2 of the EAR General Software Note would, in principle, also fall within the scope of the software exemption provided under the PRC export control regulations.

It is our view that §3 of the EAR General Software Note does not, however, currently have an equivalent in the PRC export control regulations. Hence the export of “the minimum necessary “object code” for the installation, operation, maintenance (checking) or repair of those items whose export has been authorized” is not eligible for the exemption above.

 

Question 5: Could you clarify the concept of “exporter” under the Chinese regulations? For example, in our case, if 3DS Shanghai is the contracting entity, 3DS France is the licensor, and 3DS Singapore is the entity sending the keys to access the software, who would be considered the exporter?

Under the PRC export control regulations, “export” refers to transfer of items from Chinese territory to outside the territory, as well as provision of items by Chinese citizens or organizations (including legal entities and unincorporated organizations) to foreign individuals or organizations.

Accordingly, the “exporter” refers to the person or entity that physically or electronically transfers the items (whether tangible or intangible) across the Chinese national border, or, in the case of a deemed export, the Chinese citizen or organization providing the items.

The PRC export control regulations do not contain specific provisions on the cloud. A relevant reference can, however, be made to the Chinese cybersecurity law, under which an ‘exit of data’ includes ‘giving access to server within China to a person or an entity based outside China’.

By analogy, a person who gives a foreign national or a person located outside China access to China-hosted cloud-based software would be seen as the exporter. We believe that this is a prudent approach, which we recommend following until MOFCOM or other Chinese authorities disclose official interpretations.

In the context of export control regulations, purely contractual arrangements and ownership of the software should not be considered determinative factors when identifying who is the “exporter”.

The PRC export control regulations do not include provisions restricting or controlling the provision of brokering services pertaining to dual-use items.

In the scenario described here, 3DS Shanghai would then be seen as the exporter only where it has an effective role in:

  • The transfer of the Software outside of China to the client;
  • The granting of access to a Software hosted in China to a foreign entity or a foreign national located in China.

From our understanding, it seems that in the illustrated scenario, the transfer of Software is undertaken by 3DS, while access is ensured by 3DS Singapore. In this case, 3DS Shanghai would not be seen as the exporter.

 

Question 6: Could you confirm whether the catch-all rule also applies to deemed exports?

Yes. The entire export control regime, including the catch-all provision, applies to both physical exports and deemed exports.

 

Question 7: If Chinese individuals or companies have contributed to the development of the code of an open-source product, do the prohibitions set out in Article 49 apply?

Article 49 of the PRC DUI Export Control Regulation governs second exports as follows:

“When organizations and individuals outside the PRC transfer or provide the following products, technologies, and services to specific countries and regions, or to specific organizations and individuals, MOFCOM may require the relevant operators to comply with the requirements of this regulation:

  • Foreign-made dual-use items containing, integrating, or blending specific dual-use items of Chinese origin.
  • Foreign-made dual-use items using specific technologies of Chinese origin.
  • Specific dual-use items of Chinese origin”.

We understand that the scenario you are referring to is as follows:

  • 3DS develops an open-source product outside China;
  • Chinese individuals or companies (ex. 3DS employees in China) remotely contribute to the development of the source code for that product.

Your question appears to be whether the portions of the code developed by Chinese individuals or entities could be considered as items or technology of Chinese origin, thereby triggering the application of Article 49 when 3DS exports the open-source product.

Unlike the case of tangible goods, the Chinese regulations are, so far, silent on how to define the Chinese origin of software or source code. In the absence of specific guidance, and based on a prudent approach, we recommend considering the portions of code contributed by Chinese individuals, individuals acting on behalf of Chinese entities, or individuals located in China as, indeed, originating from China, noting that Article 49 does not provide for a de minimis rule.

However, we would point out that Article 49 is selective and case-driven, rather than automatic. Thus, it does not universally apply to all destinations or end-uses. To be enforced:

  • The control of the export of the open-source product which includes source code developed in China and classified as dual-use software or technology would need to be anticipated in the license delivered by MOFCOM for the export of the source code;
  • The control of the export of the open-source product which includes source code developed in China, not classified as dual-use software or technology, would need to be anticipated in public announcements or individual notifications.

Question 8: How do Chinese laws define affiliation or related-party relationships? For example, can two “sister” entities such as Dassault Americas and Dassault China be considered affiliated under the relevant regulations, or does the definition apply exclusively to parent–subsidiary relationships? Furthermore, if Dassault Americas has commercial dealings with a company listed by the Chinese authorities, would Dassault China be exposed to legal risk if a corporate affiliation is established between the two entities?

The definition is context-dependent because different laws and regulations (company law, tax and accounting laws, etc.) may define affiliation or related-party relationships. Basically, control, common ownership or substantial influence are key factors, and sister entities under the same parent or common indirect shareholder are typically considered related.

That being said, in China, current export control regulations focus primarily on the movement of controlled items and the compliance obligations of the exporter, importer, and end-user. The regulations do not specifically provide for rules on, or the penalization of, affiliated entities of a non-compliant party (including those placed on the Watchlist or Control List). As a reminder, the Watchlist applies to importers and end-users who do not cooperate with the competent authorities in a verification or in providing relevant supporting materials, thereby preventing the identification of the end-user or end-use of dual-use items. Operators exporting dual-use items to importers and end-users on the Watchlist cannot use general licenses or simplified procedures for said exports, but may only apply for an individual license, and are subject to stricter application review and longer processing deadlines. The Control List targets importers and end-users who violate end-use management requirements. Importers and end-users on the Control List may be banned or restricted from trading in dual-use items.

If your question refers to the Chinese Unreliable Entities List (“UEL”) regulation[6], the latter provides that for foreign entities included in the UEL, the Chinese government may, depending on the circumstances, restrict or prohibit their investment within the territory of China. In our view, such investment includes new investments through capital increases in an existing subsidiary or invested entity in China. However, these restrictions or prohibitions do not automatically extend to the subsidiary’s own business activities, unless those activities are expressly restricted or prohibited (e.g., import/export transactions involving the listed entity).

In the specific scenario you described, the mere fact that 3DS Americas has commercial dealings with a company placed on the Chinese UEL should not, in itself, penalize 3DS China, provided that 3DS China is not involved in those dealings (for example exporting software from China to that listed company) and that the application of Article 49 (‘second export’) is not triggered.

 

Question 9: Do Chinese regulations prohibit 3DS from supplying its customers in China with products containing components from American companies listed on China’s UEL?

Pursuant to the Chinese UEL regulation, the Chinese government may, depending on the circumstances, restrict or prohibit foreign entities included in the UEL from engaging in import/export and investment activities related to China.

The regulation does not explicitly address the scenario in which a non-listed company exports to China products that contain components from a listed entity, and no official interpretation has been given on this point to date.

In our view, there is no legal basis under current regulations to prohibit a non-listed company from exporting products to China that contain components from a listed entity, unless the arrangement constitutes a fraudulent circumvention designed to mitigate the effect of the designation.

 

Question 10: What measures or policies implemented in China are likely to encourage State-Owned Enterprises (SOEs) to exclusively prioritize sourcing products of Chinese origin (“Made in China”)?

Firstly, the PRC Government Procurement Law expressly provides that the government shall procure domestic goods, engineering and services, except in any of the following circumstances:

  • The required goods, engineering or services cannot be obtained or cannot be obtained under reasonable commercial conditions within China;
  • The procurement is for use outside of China;
  • Other circumstances as provided by laws or administrative regulations.

However, an SOE, though it is ultimately owned by the government, is not considered as “government” under the Government Procurement Law. Therefore, the above restriction does not apply to the procurement launched by an SOE.

Basically, there is no regulation that obliges or encourages SOEs to prioritize Chinese products. Instead, where a project is subject to a mandatory bidding process according to the law, the project owner, including SOEs, shall adhere to the principle of transparency, fairness and impartiality, and must not discriminate against non-Chinese bidders or products.

This being said, one cannot rule out the possibility that the SOEs, particularly those owned by the Chinese central government (compared to those owned by local governments), may have internal policies or informal rules that encourage the prioritization of domestic products, like what is done in government procurement.

It should be noted that the term “domestic products” under the Government Procurement Law lacks a clear definition, particularly with respect to non-tangible items such as technology and software. An outdated regulation, the Software Product Administration Measures, once defined “domestic software” as “software developed and produced within China”. However, that definition was vague, and the measures have since been repealed without replacement. Nowadays, in practice, “domestic software” is generally (but not officially) interpreted to refer to software that is independently developed and produced by Chinese domestic enterprises and for which they hold independent intellectual property rights – an interpretation which remains ambiguous but typically refers to Chinese-brand software.

 

Question 11: What are the legal and regulatory criteria defining the notion of “Made in China,” and what is its current scope of application?

If the question concerns software in general, there is no legal definition or established criteria in China for determining the “origin” of software. As explained in the previous question, the Government Procurement Law and certain other policies rather refer to “domestic products” – which is not clearly defined with respect to software. And in practice, “domestic software” is generally interpreted to mean software that is independently developed and produced by Chinese domestic enterprises and for which they hold independent intellectual property rights. It typically refers to Chinese-brand software. Under this interpretation, in our opinion, the Software cannot be considered as Chinese domestic software if the core research and development are conducted outside China and ownership remains with an entity outside China, even if 3DS China has contributed to the R&D or localization.

If the question refers to the famous “Made in China 2025” policy, it is a strategic initiative launched by the Chinese central government in 2015 to transform China from a low-cost manufacturing hub into a global leader in high-tech industries. “Made in China 2025” does not aim, at least officially, to promote purchase or use of “made in China” products or services by Chinese companies, but rather aims to reduce China’s reliance on foreign technology and promote innovation across key sectors. Regarding the information technology sector, the policy encourages China to develop software independently and to hold its own intellectual property rights, which basically aligns with the practical interpretation of “domestic software” as mentioned above.

Appendix I – Software covered by this advice.

Product Main use Main sectors of use Key features Product description and accessibility
CATIA CAO / 3D product design Aerospace, automotive, engineering Advanced 3D modeling, complex assemblies, simulation Acronym for “computer-aided three-dimensional interactive application”. Originally developed for the aviation industry, this advanced design and modeling software enables structural and fluid simulations to virtually test the designed product in real-life conditions, without the need for a physical prototype.

The software also integrates the management of mechanical and electronic systems.

The software is linked to the 3DEXPERIENCE platform, enabling several users to work simultaneously. The software runs entirely in the cloud.

The target market is large companies and heavy industry.

A CATIA version designed specifically for students is also available.

SOLIDWORKS CAO 3D for mechanical design Industry, SMEs, manufacturing 3D/2D design, simulation, product data management (PDM) SOLIDWORKS is a more intuitive and less sophisticated version of CATIA, which can still be used for 3D modeling and simulations, but does not integrate systems engineering.

The core target is small and medium-sized businesses, or students.

The software can be used locally, but also browser-based.

The software can also be purchased online by individuals.

ENOVIA PLM (Product Lifecycle Management) All industrial sectors Collaboration, governance, document management and life cycle Software for managing product design and development processes, taking into account all aspects of the product development cycle including:

  • file management;
  • regulatory compliance monitoring;
  • business modeling and planning.
DELMIA Industrial simulation and planning Manufacturing industry, logistics Manufacturing processes, robotics, scheduling Software portfolio (with different line of software) for modeling, optimization and execution of supply chain, manufacturing and logistics.

  • DELMIA Quintiq – focused on supply chain;
  • DELMIA Ortems – focused on manufacturing execution and workflow systems;
  • DELMIA Apriso – focused on manufacturing operations management and manufacturing execution systems (including business process lifecycle) worldwide;
  • DELMIA Augmented Experience – efficient manufacturing and maintenance operations with real-time monitoring of physical product performance indicators;
  • DELMIAWorks – ERP platform and workflow management tools.

SIMULIA | Digital simulation and engineering | Aerospace, mechanical engineering, automotive | Element analysis, including mechanics, thermal and optimization | Cloud-based virtual prototyping and simulation, product fatigue analysis capabilities.

3DEXPERIENCE | Integrated collaborative platform (cloud) | All industries | Integration of 3DS tools, centralized data | Interface on which all products run.

This platform is in the cloud.

BIOVIA | Scientific modeling | Pharmaceutical, biotech & chemical industries | Molecular simulation, lab management, chemical modeling | Software for modeling, research, development, quality & regulatory control and manufacturing in the biology, chemistry, materials and pharmaceuticals sectors, with around 18 product lines, including:

  • BIOVIA Generative Therapeutics Design – AI-driven drug design;
  • BIOVIA TURBOMOLE – Modeling and simulation of molecules and crystals;
  • BIOVIA COSMO-RS – Modeling and prediction of liquid phase properties.

GEOVIA | Geological and mining modeling | Mining, geology, environment | Mine planning, mapping, sustainable development | Software portfolio (with different lines of software) for the mining, geology and environment sectors, including:

  • GEOVIA Surpac – 3D geological modeling, drilling data analysis, statistics and geostatistics, mine designs and mine mapping;
  • GEOVIA MineSched – tactical mine plan creation, and operations scheduling;
  • GEOVIA Whittle – mineral deposit financial viability analysis and mining strategy, extraction, mine life optimization.

Appendix II – Commercial Cryptography Import License List

No. 1
Product name: Encrypted Telephone
Description: A fixed-line or mobile telephone that uses cryptographic technology to provide encryption protection for data transmission. The device contains one or more of the following:
  – a symmetric encryption algorithm with a key length of more than 64 bits;
  – an asymmetric encryption algorithm based on integer factorization with a key length of more than 768 bits;
  – an asymmetric encryption algorithm based on elliptic curve cryptography with a key length of more than 128 bits.
Customs code: 8517110010, 8517180010

No. 2
Product name: Encrypted Facsimile Machine
Description: A facsimile machine that uses cryptographic technology to provide encryption protection for data transmission. The device contains one or more of the following:
  – a symmetric encryption algorithm with a key length of more than 64 bits;
  – an asymmetric encryption algorithm based on integer factorization with a key length of more than 768 bits;
  – an asymmetric encryption algorithm based on elliptic curve cryptography with a key length of more than 128 bits.
Customs code: 8443311010, 8443319020, 8443329010

No. 3
Product name: Cryptographic Device (Cryptographic Card)
Description: A device (including cryptographic cards) whose primary function is to perform cryptographic operations and which meets both of the following criteria:
i) Contains one or more of the following:
  – a symmetric encryption algorithm with a key length of more than 64 bits;
  – an asymmetric encryption algorithm based on integer factorization with a key length of more than 768 bits;
  – an asymmetric encryption algorithm based on elliptic curve cryptography with a key length of more than 128 bits;
ii) Has a symmetric encryption algorithm encryption/decryption rate exceeding 10 Gbps.
Customs code: 8543709950

No. 4
Product name: Encrypted VPN Device
Description: A device primarily used for IPSec/SSL VPN functions, which meets both of the following criteria:
i) Contains one or more of the following:
  – a symmetric encryption algorithm with a key length of more than 64 bits;
  – an asymmetric encryption algorithm based on integer factorization with a key length of more than 768 bits;
  – an asymmetric encryption algorithm based on elliptic curve cryptography with a key length of more than 128 bits;
ii) Has an encrypted communication rate exceeding 10 Gbps.
Customs code: 8517622920, 8517623920

Appendix III

Export Control List – Section 5 – Part 2 – Information Security

5A2 Systems, equipment, and components

5A002

Information Security Systems, Equipment and Components:

  1. Integrated circuit chips (security chips) that perform, in whole or in part, cryptographic operations, key management, random number generation, and have any of the following characteristics:
    • Contain symmetric cryptographic algorithms with key lengths greater than 64 bits, asymmetric cryptographic algorithms based on integer factorization with key lengths greater than 768 bits, or asymmetric cryptographic algorithms based on elliptic curves with key lengths greater than 128 bits, specifically used in sectors such as electricity, taxation, public security, and finance;
    • Contain symmetric cryptographic algorithms with key lengths greater than 64 bits, asymmetric cryptographic algorithms based on integer factorization with key lengths greater than 768 bits, or asymmetric cryptographic algorithms based on elliptic curves with key lengths greater than 128 bits, and either: symmetric cryptographic algorithm encryption/decryption speed exceeds 10 Gbps; or asymmetric cryptographic algorithm signing speed exceeds 50,000 transactions per second (tps);

  2. Devices (cryptographic machines, cryptographic cards) with both of the following characteristics, primarily designed for cryptographic operations:
    • Contain symmetric cryptographic algorithms with key lengths greater than 64 bits, asymmetric cryptographic algorithms based on integer factorization with key lengths greater than 768 bits, or asymmetric cryptographic algorithms based on elliptic curves with key lengths greater than 128 bits;
    • Either symmetric cryptographic algorithm encryption/decryption speed exceeds 10 Gbps; or asymmetric cryptographic algorithm signing speed exceeds 50,000 tps;

  3. Devices primarily designed for IPSec/SSL VPN functions (encrypted VPN devices), with both of the following characteristics:
    • Contain symmetric cryptographic algorithms with key lengths greater than 64 bits, asymmetric cryptographic algorithms based on integer factorization with key lengths greater than 768 bits, or asymmetric cryptographic algorithms based on elliptic curves with key lengths greater than 128 bits;
    • Encrypted communication speed exceeds 10 Gbps;

  4. Server-side devices or systems (key management products) used for key generation, distribution, storage, or other management of symmetric or asymmetric keys, with both of the following characteristics:
    • Contain symmetric cryptographic algorithms with key lengths greater than 64 bits, asymmetric cryptographic algorithms based on integer factorization with key lengths greater than 768 bits, or asymmetric cryptographic algorithms based on elliptic curves with key lengths greater than 128 bits;
    • Support managing more than 10,000 cryptographic objects;

  5. Equipment (dedicated cryptographic devices) containing symmetric cryptographic algorithms with key lengths greater than 64 bits, asymmetric cryptographic algorithms based on integer factorization with key lengths greater than 768 bits, or asymmetric cryptographic algorithms based on elliptic curves with key lengths greater than 128 bits, specifically used in sectors such as electricity, taxation, public security, and finance;

  6. Devices (quantum cryptographic devices) based on quantum mechanics and cryptography that utilize quantum technology to perform cryptographic functions.

5A004

Analysis Equipment for Defeating, Weakening, or Bypassing Cryptographic Technology, Products, or Systems (Cryptanalysis Equipment):

Equipment designed for cryptanalysis purposes.

5B2 Testing, inspection and production equipment

5B002

Information Security Testing, Inspection, and Production Equipment:

  1. Equipment specially designed for the development or production of items controlled under 5A002 or 5A004 (i.e., cryptography R&D and production equipment);
  2. Equipment specially designed for measuring, testing, evaluating, or verifying items controlled under 5A002 or 5A004 (i.e., cryptography testing and verification equipment).

5C2 Materials

N/A

5D2 Software

5D002

Software specially designed or modified for the development, production, or use of items controlled under 5A002, 5A004, or 5B002.

5E2 Technology

5E002

Technology specially designed or modified for the development, production, or use of items controlled under 5A002, 5A004, 5B002, and 5D002.

[1] The PRC Cryptography Law (《密码法》), entered into force on January 1st, 2020

[2] The Regulation on the Administration of Commercial Cryptography (《商用密码管理条例》), revised version entered into force on July 1st, 2023

[3] The Export Control Law (《出口管制法》), entered into force on December 1st, 2020

[4] The Dual Use Items Export Control Regulation (《两用物项出口管制条例》), entered into force on December 1st, 2020

[5] “Chinese territory” refers to mainland China and excludes the regions of Hong Kong, Macau, and Taiwan.

[6] The Provisions on the Unreliable Entity List (《不可靠实体清单规定》), entered into force on September 9th, 2020