Key Concepts and Terms Used in the Product Export Classifications Matrix
The Export Control Classification Number (ECCN) identifies the relevant category and paragraph of the Commerce Control List (CCL). The ECCN designates the level of control for an item. Citrix products are typically classified under the following ECCNs:
- 5A002 covers information security hardware "employing digital techniques performing any cryptographic function other than authentication, digital signature, or execution of copy-protected ‘software’" and having the following characteristics:
- "A 'symmetric algorithm' employing a key length in excess of 56-bits;" or
- "An 'asymmetric algorithm' where the security of the algorithm is based on any of the following:
- Factorization of integers in excess of 512 bits (e.g., RSA);
- Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or
- Discrete logarithms in a group other than mentioned [above] in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve)."
- 5A992 covers information security hardware that has encryption functions (e.g., cryptographic, cryptanalytic, or cryptologic) but otherwise does not meet the characteristics of 5A002 or qualifies for mass market treatment.
- 5D002(c.1) covers information security software "having the characteristics, or performing or simulating the functions of" hardware that is classified as 5A002.
- 5D992 covers information security software that has encryption functions (e.g., cryptographic, cryptanalytic, or cryptologic) but otherwise does not meet the characteristics of 5D002 or qualifies for mass market treatment.
- EAR99 covers items that are not identified elsewhere on the Commerce Control List, including Citrix products that do not use encryption and certain products that qualify for “Note 4.”
License Exception and NLR
Many Citrix products utilize a license exception, as defined in the EAR, as the authority for an export. In particular, certain Citrix products may be exported to most destinations using License Exception ENC.
Note that the designation "NLR" indicates a product for which no license is required for export to most countries.
ENC, 15 C.F.R. § 740.17(b)(1) and (b)(2)
Products classified as ECCN 5A002/5D002 generally may be exported under License Exception ENC, subject to certain restrictions.
- Certain products are self-classified by Citrix pursuant to 15 C.F.R. § 740.17(b)(1), which means they generally may be exported pursuant to License Exception ENC to most government and non-government end-users in all destinations except for those listed in country group E:1 in Supplement 1 to Part 740 of the EAR, Cuba, and the Crimea region of Ukraine. Country group E:1 currently includes: Iran, North Korea, Sudan, and Syria. Please refer to the EAR for the most current list of E:1 and other restricted countries prior to any export.
- Certain other products, including some network infrastructure products, are eligible for License Exception ENC pursuant to 15 C.F.R. § 740.17(b)(2) only after Citrix submits a classification request to BIS. In addition, these products may require a license depending upon the particular country and end-user.
- Citrix’s (b)(2) products generally may be exported without a license to most government and non-government end-users in countries listed in Supplement 3 to Part 740 of the EAR. This list includes: Austria, Australia, Belgium, Bulgaria, Canada, Croatia, Cyprus, Czech Republic, Estonia, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey, and the United Kingdom. Please consult the EAR for the most current list of countries.
- These (b)(2) products also may be exported without a license to most non-government end-users (as defined in the EAR) in all other countries, excluding the E:1 countries, Cuba, and the Crimea region of Ukraine. However, shipments to government end-users in these other, non-Supplement 3 countries require a license.
Following a self-classification by Citrix pursuant to its ERN or a review by BIS, certain products containing strong encryption that are mass marketed generally may be exported to most destinations without a license (i.e., NLR) under ECCN 5A992/5D992. Citrix products eligible for mass market treatment are indicated in the table below.
Certain items that incorporate encryption but that are not primarily useful for computing, communications, networking, or information security may be excluded from the EAR’s encryption controls pursuant to Note 4 of Category 5, Part 2 of the CCL.
The Commodity Classification Automated Tracking System is a reference number assigned by BIS to identify each product that it has reviewed and classified.
Exports and reexports of certain encryption products, including those described in 15 C.F.R. § 740.17(b)(2), are subject to semi-annual reporting requirements. Additional details about these reporting requirements are available at 15 C.F.R. § 740.17(e) and on BIS’s website.