Legal:Regulation on Notification
Annexes 2, 3, 4 and 5 to the regulation on import of encryption (cryptographic) means to the customs territory of the Eurasian Economic Union and their export from the customs territory of the Eurasian Economic Union
Regulation on notification
Annex 2 to the regulation on import of encryption (cryptographic) means to the customs territory of the Eurasian Economic Union and their export from the customs territory of the Eurasian Economic Union
Regulation on notification of characteristics of encryption (cryptographic) means and of products containing such means
1. This regulation specifies the procedure of:
- a) issuing of the notification of characteristics of encryption (cryptographic) means and of products containing such means (hereinafter – the notification);
- b) submission of the notification to the national security state body of the Eurasian Economic Union member state authorized to approve licenses, to draw conclusions (permits) and to register notifications under the law of this state (hereinafter – the approving authority, the member state, the Union);
- c) generating and submission of information on registered notifications to the Eurasian Economic Commission (hereafter – The Commission) by approving authority;
- d) publishing of the common register of notifications of characteristics of encryption (cryptographic) means and of products containing such means (hereafter – the common register of notifications) on the Union official website;
- e) cancellation of the notification.
2. The notification is drawn up according to the form specified in annex № 3 to the Regulation on import of encryption (cryptographic) means to the customs territory of the Eurasian Economic Union and their export from the customs territory of the Eurasian Economic Union (annex № 9 to the Decision of the Board of the Eurasian Economic Commission No 30 of 21 April 2015). The notification is drawn up in the Russian language. The names of technologies, protocols, cryptographic algorithms, their common abbreviations and information about the manufacturer may be written with Latin characters.
3. The notification is issued on a one-time basis by the manufacturer or by the person authorized by the manufacturer (hereinafter – the applicants) upon manufacturer’s own evidence. The applicant fills out articles 1-9 of the notification.
4. The notification may include the information about single product or group of products of one type that contain identical encryption (cryptographic) means (i.e. functionally completed products using the same cryptographic algorithm, having the same maximum length of the cryptographic operational key, the same operational functions that provide the same output sequence given the same cryptographic key and input sequence).
5. Article 1 shall specify the trade, commercial or other name of the product or a group of products of the same type that contain identical encryption (cryptographic) means (precise names should be listed), as well as information about trademarks, models, articles, standards and other technical and commercial characteristics.
Version used should be specified (for software).
Product name may include the phrase “and its spare parts”.
The name of each product from a group of products of the same type should be written on a new line. The notes (to the listed terms) may be written after the name of the product on a new line.
6. Article 2 of the notification shall specify the description and intended purpose of the product, as well as intended purpose of encryption (cryptographic) functions used.
7. Article 3 of the notification shall specify the name and the address of the manufacturer of the product, its head office address, telephone and fax numbers, as well as its e-mail address and official website (if any).
8. Article 4 of the notification shall specify the following information:
- name of the encryption (cryptographic) protocols used;
- name and intended purpose of the cryptographic algorithms (functions) used by the product, maximum length of each cryptographic key used;
- name and version of the software;
- maximum wireless range without signal amplification and retransmission according to manufacturer’s specifications (if cryptographic algorithm (function) is used in wireless electronic equipment);
- encryption (cryptographic) function blocked by the manufacturer (if any).
Names of the encryption (cryptographic) protocols and algorithms used should be listed separately for each operational function.
The designated box on the right shall contain the number of the relevant article (the number of the category) of annex № 4 to the regulation on import of encryption (cryptographic) means to the customs territory of the Eurasian Economic Union and their export from the customs territory of the Eurasian Economic Union (Annex № 9 to the Decision of the Board of the Eurasian Economic Commission No 30 of 21 April 2015).
9. Article 5 shall specify:
- a) undeclared operational functions of the product (if any), use of which may cause:
- breach of confidentiality and accessibility and violation of integrity of the processed data;
- breach of the authentication procedures;
- interference in digital signature mechanism;
- b) capabilities of investigative activities (“police” mode).
10. Article 6 of the notification shall specify the notification expiration date (in DD.MM.YYYY format) until which the manufacturer guarantees the unchangeability of encryption (cryptographic) functions.
11. Article 7 of the notification shall specify:
- for legal entities: the name of the head office, its address, telephone and fax numbers, e-mail address and official website (if any), as well as position and full name of the person authorized to sign the notification;
- for persons: full name and identity document details in accordance with the member state’s law.
The member state’s applicant should also provide the information about their registration (the name of the registration authority, registration date, registration number and identification number) in accordance with the member-state’s law.
12. Article 8 of the notification shall specify the details (date and number) of the document authorizing the applicant for issuance of the notification (power of attorney, contract, etc.) (filled in if the notification is issued by the authorized person).
13. Article 9 of the notification shall specify the date of the notification issuance in DD.MM.YYYY format.
14. The notification is signed (signature and signatory full name is required) and stamped (if applicable) by the authorized person.
15. The applicant is responsible for credibility of the submitted information and documents.
16. If there is not enough space in the notification blank for all the necessary information, the rest of this information may be provided overleaf; each page of the notification should be signed and stamped (if applicable).
17. The software that facilitates filling in the articles 1-8 of the notification in electronic form is available on the official website of the Union and allows the applicant to:
- a) fill out the notification form as specified in this regulation;
- b) issue the electronic form of the notification and print it;
- c) issue the electronic copy of the notification in accordance with data file structure as specified in annex № 1;
- d) save an issued printed and electronic copy of the notification to the file.
18. Registration of the notification implies that the following documents are submitted by the applicant to the approving authority along with the cover letter:
- a) 2 copies of the notification drawn up as per this regulation;
- b) electronic data storage device (CD, USB flash drive) with the electronic copy of the notification as per data file structure described in annex No 1 to this regulation;
- c) document authorizing the person to issue the notification certified (legalized) under the law of the manufacturer’s state. If this document is issued in a foreign language, its translation to the official language of the approving authority member state, certified under the law of that member state is attached to the original document (its notarized copy).
19. Notification issued by the manufacturer from the non-member state should be legalized.
20. The notification and documents may be submitted in electronic form in a manner, provided by the member state law.
Documents may also be submitted in a scanned form signed with the applicant’s electronic signature if such procedure is prescribed in the member state law.
21. The approving authority registers (refuses the registration of) the notification not later than 7 working days after the submission of the documents for registration and submits the information about the registered notifications to the Commission as per the data file structure described in annex No 2.
The approving authority is responsible for credibility and completeness of the information about the registered and cancelled notifications.
22. The Commission puts the registered notifications into the common register of notifications published on the official website of the Union not later than 3 working days after receiving the information.
The notification is valid since the date when the information about its registration is included in the common register of notifications.
23. The notification registration (registration refusal) and inclusion of the information in the common register may not take longer than 10 working days since the date of submission of the documents for registration to the approving authority.
24. The Commission is responsible for credibility and completeness of the information about the registered and cancelled notifications published on the official website of the Union.
25. The official site of the Union shall allow searching and examining the information about the registered notifications.
26. During the period since submission of the documents for registration till the registration of the notification the applicant may amend the notification provided that all the amendments are approved by the person authorized to issue the notification. In this case the notification registration period starts over from the date when the notification was amended last.
27. If the documents submitted for registration of the notification do not meet the requirements of this regulation the approving authority shall refuse to register the notification.
28. The approving authority may decide to cancel the notification if:
- a) the applicant submits the application to cancel the notification containing the reason for cancellation;
- b) the approving authority reveals false or incomplete information specified in the notification;
- c) encryption (cryptographic) functions not mentioned in the notification were revealed or the parameters of encryption (cryptographic) means differ from those described in the notification.
29. The approving authority informs the Commission of the notification cancellation within 3 working days.
30. The notification becomes invalid since the date of inclusion of the information about its cancellation in the common register or since the date of its termination.
Form of Notification
Annex 3 to the regulation on import of encryption (cryptographic) means to the customs territory of the Eurasian Economic Union and their export from the customs territory of the Eurasian Economic Union
FORM OF NOTIFICATION
FOR CHARACTERISTICS OF ENCRYPTION (CRYPTOGRAPHIC) MEANS AND EQUIPMENT WITH CRYPTOGRAPHIC FUNCTIONS

Recorded in the register on "__" _____________ 20__ . No __________________

Stamp here _________________________________________________ ______________
           (Signature of the official of the approving authority) (Full name)
---------------------------------------------------------------------------
NOTIFICATION
For characteristics of ____________________________________________________
(encryption (cryptographic) means and (or) products with cryptographic functions – choose appropriate variant)

1. Name of the product ____________________________________________________
___________________________________________________________________________
2. Intended use of the product ____________________________________________
___________________________________________________________________________
3. Information about the manufacturer of the product ______________________
___________________________________________________________________________
4. Used cryptographic algorithms (functions)                 No of category
   and their purpose                                         from annex N 4
                                                                   ┌──────┐
a) _______________________________________________________________
   __________________________________________________________________ └──────┘
                                                                   ┌──────┐
b) _______________________________________________________________
   __________________________________________________________________ └──────┘
                                                                   ┌──────┐
c) _______________________________________________________________
   __________________________________________________________________ └──────┘
5. Product’s functions not mentioned in the operational documentation provided to the user_______________________________________________________
___________________________________________________________________________
6. Notification expiration date __/__/____
7. Information about the applicant ________________________________________
___________________________________________________________________________
8. Information about the document from the manufacturer that authorizes the applicant to issue the notification (if necessary) ________________________
___________________________________________________________________________
9. Notification issue date __/__/____

Credibility and completeness of information included in the notification is confirmed by:

Stamp here ________________________________ _______________________
           (Signature of the applicant)     (Full name)
List of categories of cryptographic products which are subject to notification
Annex 4 to the regulation on import of encryption (cryptographic) means to the customs territory of the Eurasian Economic Union and their export from the customs territory of the Eurasian Economic Union
List of product categories that are qualified as encryption (cryptographic) means or that include encryption (cryptographic) means, technical and cryptographic characteristics of which are subject to notification
1. Products that include encryption (cryptographic) means that contain any of the following:
- 1) symmetric cryptographic algorithm using cryptographic key not longer than 56 bits;
- 2) asymmetric cryptographic algorithm based on any of the following methods:
- factorization of integers not longer than 512 bits;
- calculation of discrete logarithms in multiplicative group of the finite field with elements no longer than 512 bits;
- discrete logarithm in the group of the finite field different from those mentioned in the third paragraph of this clause with elements no longer than 112 bits.
Notes:
- 1. Key length does not include parity bits.
- 2. The term “cryptography” does not refer to the fixed data compression or encoding methods.
2. The products that include encryption (cryptographic) means and have the following restricted functions:
- 1) authentication, comprising all the aspects of access control without the encryption of files and texts except for the encryption directly related to protection of passwords, personal identification numbers and other similar data from unauthorized access;
- 2) digital signature (e-signature).
Note: Authentication and digital signature (e-signature) functions include related key distribution function.
3. Encryption (cryptographic) means included in software operating systems, the cryptographic functions of which cannot be altered by users, which are designed to be installed by users themselves without significant further manufacturer’s support, and for which the technical specification (description of cryptographic transformation algorithms, interaction protocols, declarations of interfaces, etc.) is freely available to the users.
4. Personal smart cards:
- 1) with cryptographic capabilities restricted to use in product categories from clauses 5-8 of this List;
- 2) generally available for use, with cryptographic capabilities inaccessible to user and that are specially designed to have limited stored data protection abilities.
Note: If the personal smart card supports several functions, control status of each one is defined separately.
5. Receivers for radio broadcasting, commercial TV or similar commercial equipment for broadcasting to limited audience without encryption of the digital signal, with exception of encryption being used only for video and audio channels management, delivery of invoices or sending the information related to the program back to the broadcast provider.
6. Equipment with cryptographic capabilities inaccessible to user that is purposely designed and restricted for use in any of the following ways:
- 1) copy protected software;
- 2) access to any of the following:
- Copy protected content stored on read-only electronic data storage device;
- Encrypted information stored on electronic data storage devices publicly sold in identical complete sets;
- 3) copy control of copyright protected audio and video information.
7. Encryption (cryptographic) equipment purposely designed for and restricted to use for banking or financial operations.
Note: Financial operations include transport fees and credit/lending.
8. Portable or mobile civil radio-electronic devices (for example, designed for use in civil commercial cellular radio communication) not capable of end-to-end encryption (user-to-user).
9. Wireless radio-electronic equipment encrypting information only in radio channel with maximum range of wireless coverage less than 400m without amplification and retransmission according to manufacturer’s specifications.
10. Encryption (cryptographic) means used for protection of technological channels of information and telecommunication systems and communication networks.
11. Products with cryptographic functions blocked by the manufacturer.
12. Other products that contain encryption (cryptographic) means different from those described in clauses 1-11 of this list that:
- 1) are available at public retail sale points for purchase without restrictions under the law of Eurasian economic union member-state by:
- cash;
- order by mail;
- electronic transactions;
- order by phone;
- 2) have encryption (cryptographic) functions that cannot be easily altered by users;
- 3) are designed for installation by end users without significant further manufacturer’s support;
- 4) technical documentation confirming that the products meet the requirements listed in paragraphs 1-3 of this clause is freely available and can be provided to the approving authority by the manufacturer (the person authorized by the manufacturer) upon request.
List of cryptographic products for personal use that can be imported or exported freely
Annex 5 to the regulation on import of encryption (cryptographic) means to the customs territory of the Eurasian Economic Union and their export from the customs territory of the Eurasian Economic Union
List of encryption (cryptographic) means, importation of which to the customs territory of the Eurasian Economic Union and exportation of which from the customs territory of the Eurasian Economic Union as products for personal use by private individuals do not require permit (conclusion) or information about notification
1. One (or several) of the following kinds of common software on any data medium, intended for mass use, widely available and sold freely:
- a) operating system (for example, Linux, Microsoft Windows, Mac OS X, Android, iOS, etc.);
- b) web-browser (for example, Google Chrome, Internet Explorer, Opera, Apple Safari, Mozilla Firefox, etc.);
- c) e-mail agents/software (for example, Mozilla Thunderbird, The Bat!, Opera Mail, etc.);
- d) software for online communication over the Internet (for example, WhatsApp, Viber, WeChat, Skype, etc.);
- e) programs intended for electronic document processing on a personal computer: text and graphic editors, electronic tables, programs for preparation of presentations, database management systems, accounting software, etc. (for example, OpenOffice, Microsoft Office, Kingsoft Office, 1С, Галактика-Парус, etc.);
- f) antivirus software (for example, Kaspersky, Dr. Web, NOD32, Norton Antivirus, etc.);
- g) electronic translators (for example, ABBYY Lingvo, PROMT, etc.);
- h) archivers (for example, WinRAR, 7z, WinZip, Arj, etc.);
- i) programs intended for playback (watching) and editing of music, images and video;
- j) file transfer software;
- k) games;
- l) internet-banking software;
- m) software for social networks and their services.
2. Digital signature (e-signature) means on any medium.
3. Computers (personal computers, monoblocks, PDAs, netbooks, laptops, tablets, pocket game consoles, smartphones, smart watches, bicycle computers, etc.), their electronic modules and components:
- a) with no software or with installed (preinstalled) software specified in clauses 1 and 2 of this list;
- b) with installed (preinstalled) widely available software different from software specified in clauses 1 and 2 of this list which has an auxiliary encryption function that cannot be altered by users.
4. Bank cards, SIM cards, discount cards, transport cards, social cards, electronic access cards, electronic identification cards and other electronic cards intended for mass use and encryption functions of which cannot be altered by users.
5. Radio and TV signal receivers and their components including receivers with communication capabilities.
6. Telephones for cellular networks and their accessories, except for specialized telephones and accessories intended for use in encrypted communication mobile networks (capable of end-to-end encryption).
7. Products including printers, multifunctional devices (printer, scanner, photocopier, etc.), photocopiers and their electronic modules, containing equipment capable of information encryption with the maximum operational range less than 400 m without gain or retransmission according to manufacturer’s technical requirements, as well as routers and wireless modems for use in local networks and in the Internet.
8. Radio-navigation receivers, remote control equipment and their components.