ANSSI Cryptography Authorization: Complete Declaration Guide

Comprehensive Guide: Navigating Cryptographic Means Authorization

ANSSI cryptography authorization: Learn how to navigate the regulatory landscape for importing and exporting cryptographic products in France. This comprehensive guide covers the necessary steps, deadlines, and documentation required to comply with both national and European standards. Read on to ensure your operations meet all legal requirements.

ANSSI cryptography authorization, authored by Jacques Gascuel, CEO of Freemindtronic, provides a detailed overview of the regulatory framework governing cryptographic products. This guide addresses the essential steps for compliance, including how to fill out the necessary forms, meet deadlines, and provide the required documentation. Stay informed on these critical updates and more through our tech solutions.

Complete Guide: Declaration and Application for Authorization for Cryptographic Means

In France, the import, export, supply, and transfer of cryptographic products are strictly regulated by Decree n°2007-663 of 2 May 2007. This decree sets the rules to ensure that operations comply with national and European standards. At the same time, EU Regulation 2021/821 imposes additional controls on dual-use items, including cryptographic products.

This guide explains in detail the steps to correctly fill in the declaration or authorization request form, as well as the deadlines and documents to be provided to comply with the ANSSI cryptography authorization requirements.

Download the XDA Form

Click this link to download the declaration and authorization application form.

Regulatory Framework: Decree No. 2007-663 and Regulation (EU) 2021/821

Decree No. 2007-663 of 2 May 2007 regulates all operations related to the import, export, supply, and transfer of cryptographic means. It clearly sets out the conditions under which these operations may be carried out in France by defining declaration and authorization regimes. To consult the decree, click this link: Decree n°2007-663 of 2 May 2007.

At the European level, Regulation (EU) 2021/821 concerns dual-use items, including cryptographic products. This regulation imposes strict controls on these products to prevent their misuse for military or criminal purposes. To view the regulation, click this link: Regulation (EU) 2021/821.

By following these guidelines, you can ensure that your operations comply with both national and European standards for cryptographic products. If you need further assistance or have any questions, feel free to reach out!

Fill out the XDA PDF Form

The official form must be completed and sent in two copies to the ANSSI. It is essential to follow the instructions carefully and to tick the appropriate boxes according to the desired operations (declaration, application for authorisation or renewal).

Address for submitting forms

French National Agency for the Security of Information Systems (ANSSI)
Regulatory Controls Office
51, boulevard de La Tour-Maubourg
75700 PARIS 07 SP

Contact:

  • Phone: +33 (0)1 71 75 82 75
  • Email: controle@ssi.gouv.fr

This form allows several procedures to be carried out according to Chapters II and III of the decree:

  • Declaration of supply, transfer, import or export from or to the European Union or third countries.
  • Application for authorization or renewal of authorization for similar operations.

You can download the official form by following this PDF link.

Paperless submission: new simplified procedure

Since 13 September 2022, an electronic submission procedure has been put in place to simplify the formalities. You can now submit your declarations and authorisation requests by email. Here are the detailed steps:

Steps to submit an online application:

  1. Email address: Send your request to controle@ssi.gouv.fr.
  2. Subject of the email: [formalities] Name of your company – Name of the product. Important: The subject line must follow this format without modification.
  3. Documents to be attached:
    • Completed form (electronic version).
    • Scanned and signed form.
    • All required attachments (accepted formats: .pdf, .xls, .doc).
  4. Large file management: If the size of the attachments exceeds 10 MB, divide your mailing into several emails according to the following nomenclature:
    • [Formalities] Name of your company – Product name – Part 1/x
    • [Formalities] Your Company Name – Product Name – Part 2/x

1. Choice of formalities to be carried out

The form offers different boxes to tick, depending on the formalities you wish to complete:

  • Reporting and Requesting Authorization for Any Cryptographic Medium Operation: By ticking this box, you submit a declaration for all supply, transfer, import or export operations, whether inside or outside the European Union. This covers all types of operations mentioned in the decree.
  • Declaration of supply, transfer from or to a Member State of the European Union, import and export to a State not belonging to the European Union of a means of cryptology: Use this box if you are submitting only a simple declaration without requesting authorisation for the operations provided for in Chapter II of the Decree.
  • Application for authorisation to transfer a cryptographic method to a Member State of the European Union and export to a State that does not belong to the European Union: This box is specific to operations that require prior authorisation, pursuant to Chapter III of the Decree.
  • Renewal of authorisation for the transfer to a Member State of the European Union and for the export of a means of cryptology: If you already have an authorization for certain operations and want to renew it, you will need to check this box.

1.1 Time Limits for Review and Notification of Decisions

The time limits for processing declarations and applications depend on the operation being carried out. Each point below covers one formality, in the order listed above.

1.1.1 Declaration and Application for Authorization of Any Transaction Relating to a Means of Cryptology

This relates to general declarations for any cryptographic operation, whether it involves supply, transfer, import, or export of cryptographic means.

  • Examination Period: ANSSI has 1 month to review the declaration or application (extended to 2 months for cryptographic services or export to non-EU countries).
  • Result: If the declaration is compliant, ANSSI issues a certificate.
  • In Case of Silence: You may proceed with your operation and request a certificate confirming that the declaration was received if no response is provided within the specified time frame.

1.1.2 Declaration of Supply, Transfer, Import, and Export to Non-EU Countries of a Means of Cryptology

This section involves simple declarations of cryptographic means being supplied, transferred within the EU, imported, or exported outside the EU.

  • Examination Period: For supply, transfer, import, or export operations, ANSSI has 1 month to review the file. For services or exports outside the EU, the review period is 2 months.
  • Result: ANSSI will issue a certificate if the file is compliant.
  • In Case of Silence: After the deadlines have passed, you may proceed and request a certificate confirming compliance.

1.1.3 Application for Authorization to Transfer Cryptographic Means within the EU and Export to Non-EU Countries

This applies to requests for prior authorization required for transferring cryptographic means within the EU or exporting them to non-EU countries.

  • Examination Period: ANSSI will examine the application for authorization within 2 months.
  • Notification of Decision: The Prime Minister will make a final decision within 4 months.
  • In Case of Silence: If no response is provided, you receive implicit authorization valid for 1 year. You can also request a certificate confirming this authorization.

1.1.4 Application for Renewal of Authorization for Transfer within the EU and Export of Cryptographic Means

This relates to renewing an existing authorization for the transfer of cryptographic means.

  • Review Period: ANSSI will review the renewal application within 2 months.
  • Notification of Decision: The Prime Minister will issue a decision within 4 months.
  • In Case of Silence: If no decision is made, an implicit authorization valid for 1 year is granted. You can request a formal certificate to confirm this authorization.

1.1.5 Example Response from ANSSI for Cryptography Authorization Requests

When you submit a declaration or request for authorization, ANSSI typically provides a confirmation of receipt, which includes:

  • Subject: Confirmation of Receipt for Cryptography Declaration/Authorization
  • Date and Time of Submission: For example, “Monday 23 October 2022 13:15:13.”

The response confirms that ANSSI has received the request and outlines the next steps for review.

A: Information on the Registrant and/or Applicant, Person in charge of the administrative file and Person in charge of the technical elements.

This section must be filled in with the information of the declarant or applicant, whether it is a legal person (company, association) or a natural person. You should include information such as:

  • The name and address of the entity or individual.
  • Company name and SIRET number for companies.
  • Contact details of the person responsible for the administrative file and the person in charge of the technical aspects of the cryptology product.

Person in charge of technical aspects: This person is the direct contact with the ANSSI for technical questions relating to the means of cryptology.

B: Cryptographic Medium to which the Declaration and/or Application for Authorization Applies

This part concerns the technical information of the cryptology product:

B.2.1 Classify the medium into the corresponding category(ies)

You must indicate whether the product is hardware, software, or both, and specify its primary role (e.g., information security, network, etc.).

B.2.2 General description of the means

The technical part of the form requires a specific description of the cryptographic means. You will need to provide information such as:

  • Generic name of the medium (photocopier, telephone, antivirus software, etc.).
  • Brand, trade number, and product version.
  • Manufacturer and date of release.

Comments in the form:

  • The cryptographic means must identify the final product to be reported (not its subsets).
  • Functional description: Describe the use of the medium (e.g., secure storage, encrypted transmission).

B.2.3 Indicate which category the main function of the means (tick) relates to

  • Information security (means of encryption, cryptographic library, etc.)
  • Computer (operating system, server, virtualization software, etc.)
  • Sending, storing, receiving information (communication terminal, communication software, management, etc.)
  • Network (monitoring software, router, base station, etc.)
  • If yes, specify:

B.3. Technical description of the cryptology services provided

B.3.2. Indicate which category(ies) the cryptographic function(s) of the means to be ticked refers to:

  • Authentication
  • Integrity
  • Confidentiality
  • Signature

B.3.3. Indicate the secure protocol(s) used by:

  • IPsec
  • SSH
  • VoIP-related protocols (such as SIP/RTP)
  • SSL/TLS
  • If yes, specify:

Comments in the form:

  • Cryptographic functionality: Specify how the product encrypts data (e.g., protection of files, messages, etc.).
  • Algorithms: List the algorithms and how they are used. For example, AES in CBC mode with a 256-bit key for data encryption.

B.3.4. Specify the cryptographic algorithms used and their maximum key lengths:

Table to be filled in: Algorithm / Mode / Associated key size / Function

This section requires detailing the cryptographic services that the product offers:

  • Secure protocol (SSL/TLS, IPsec, SSH, etc.).
  • Algorithms used and key size (RSA 2048, AES 256, etc.).
  • Encryption mode (CBC, CTR, CFB).

C: Case of a cryptographic device falling within category 3 of Annex 2 to Decree No. 2007-663 of 2 May 2007

This section must be completed if your product falls under category 3 of Annex 2 of the decree, i.e. cryptographic means marketed on the consumer market. You must provide specific explanations about:

  • Present the method of marketing the means of cryptology and the market for which it is intended
  • Explain why the cryptographic functionality of the medium cannot be easily changed by the user
  • Explain how the installation of the means does not require significant subsequent assistance from the supplier

D: Renewal of transfer or export authorization

If you are applying for the renewal of an existing authorisation, you must mention the references of the previous authorisation, including the file number, the authorisation number and the date of issue.

E: Attachments (check the boxes for the attachments)

To complete your file, you must provide a set of supporting documents, including:

  • General document presenting the company (electronic format preferred)
  • Kbis extract from the Trade and Companies Register dated less than three months (or an equivalent document for companies incorporated under foreign law)
  • Cryptographic Medium Commercial Brochure (electronic format preferred)
  • Technical brochure of the means of cryptology (electronic format preferred)
  • User manual (if available) (electronic format preferred)
  • Administrator Guide (if available) (electronic format preferred)

All of these documents must be submitted in accepted electronic formats, such as .pdf, .xls, or .doc.

F: Attestation

The person representing the notifier or applicant must sign and attest that the information provided in the form and attachments is accurate. In the event of a false declaration, the applicant is liable to sanctions in accordance with Articles 34 and 35 of Law No. 2004-575 on confidence in the digital economy.

G: Elements and technical characteristics to be communicated at the request of the national agency for the security of information systems (preferably to be provided in electronic format)

In addition, the ANSSI may request additional technical information to evaluate the cryptology product, such as:

  1. The elements necessary to implement the means of cryptology:
    • two copies of the cryptographic medium;
    • the installation guides of the medium;
    • devices for activating the medium, if applicable (license number, activation number, hardware device, etc.);
    • key injection or network activation devices, if applicable.
  2. The elements relating to the protection of the encryption process, namely the description of the technical measures used to prevent tampering with the encryption or the associated key management.
  3. Elements relating to data processing:
    • the description of the pre-processing of the clear data before it is encrypted (compression, formatting, adding a header, etc.);
    • the description of the post-processing of the encrypted data, after it has been encrypted (adding a header, formatting, packaging, etc.);
    • three reference outputs of the means, in electronic format, made from a clear text and an arbitrarily chosen key, which will also be provided, in order to verify the implementation of the means in relation to its description.
  4. Elements relating to the design of the means of cryptology:
    • the source code of the medium and the elements allowing a recompilation of the source code or the references of the associated compilers;
    • the part numbers of the components incorporating the cryptology functions of the medium and the names of the manufacturers of each of these components;
    • the cryptology functions implemented by each of these components;
    • the technical documentation of the component(s) performing the cryptology functions;
    • the types of memories (flash, ROM, EPROM, etc.) in which the cryptographic functions and parameters are stored as well as the references of these memories.

Validity and Renewal of ANSSI Cryptography Authorization

When ANSSI grants an authorization for cryptographic operations, it comes with a limited validity period. For operations that require explicit authorization, such as the transfer of cryptographic means within the EU or exports outside the EU, the certificate of authorization issued by ANSSI is valid for one year if no express decision is made within the given timeframe.

The renewal process must be initiated before the expiry of the certificate. ANSSI will review the completeness of the application within two months, and the decision is issued within four months. If ANSSI remains silent, implicit authorization is granted, which is again valid for a period of one year. This renewal ensures that your cryptographic operations remain compliant with the regulations established by Decree n°2007-663 and EU Regulation 2021/821, avoiding any legal or operational disruptions.

For further details on how to initiate a renewal or first-time application, refer to the official ANSSI process, ensuring all deadlines are respected for uninterrupted operations.

Legal Framework for Cryptographic Means: Key Requirements Under Decree No. 2007-663

Understanding the legal implications of Decree No. 2007-663 is crucial for any business engaged in cryptology-related operations, such as the import, export, or transfer of cryptographic products. This section outlines the legal framework governing declarations, authorizations, and specific cases for cryptographic means. Let’s delve into the essential points:

1. Formalities Under Chapters II and III of Decree No. 2007-663

Decree No. 2007-663 distinguishes between two regulatory regimes—declaration and authorization—depending on the nature of the cryptographic operation. These formalities aim to safeguard national security by ensuring cryptographic means are not misused.

  • Chapter II: Declaration Regime
    This section requires businesses to notify the relevant authorities, particularly ANSSI, when cryptographic products are supplied, transferred, imported, or exported. For example, when transferring cryptographic software within the European Union, companies must submit a declaration to ANSSI. This formality ensures that the movement of cryptographic products adheres to ANSSI cryptography authorization protocols. The primary goal is to regulate the flow of cryptographic tools and prevent unauthorized or illegal uses.
  • Chapter III: Authorization Regime
    Operations involving cryptographic means that pose higher security risks, especially when exporting to non-EU countries, require explicit authorization from ANSSI. The export of cryptographic products, such as encryption software, outside the European Union is subject to strict scrutiny. In these cases, companies must obtain ANSSI cryptography authorization, which evaluates potential risks before granting permission. Failure to secure this authorization could result in significant legal consequences, such as operational delays or penalties.

2. Request for Authorization or Renewal

If your operations involve cryptographic means that require prior approval, the Decree mandates that you apply for authorization or renewal. This is particularly relevant for:

  • Transfers within the EU: Even though the product remains within the European Union, if the cryptographic tool is sensitive, an authorization request must be submitted. This helps mitigate risks associated with misuse or unauthorized access to encrypted data.
  • Exports outside the EU: Exporting cryptographic means to non-EU countries is subject to even stricter controls. Businesses must renew their authorization periodically to ensure that all their ongoing operations remain legally compliant. This step is non-negotiable for companies dealing with dual-use items, as defined by EU Regulation 2021/821.

3. Category 3 Cryptographic Means (Annex 2)

Category 3 cryptographic means, outlined in Annex 2 of the Decree, apply to consumer-facing products that are less complex but still critical for security. These are often products marketed to the general public and must meet specific criteria:

  • Unmodifiable by End-Users: Cryptographic products under Category 3 must not be easily altered by end-users. This ensures the integrity of the product’s security features.
  • Limited Supplier Involvement: These products should be user-friendly, not requiring extensive assistance from the supplier for installation or continued use.

An example of a Category 3 product might be a mobile application that offers end-to-end encryption, ensuring ease of use for consumers while adhering to strict cryptographic security protocols.

Regulatory Framework and Implications

Decree No. 2007-663, alongside EU Regulation 2021/821, sets the groundwork for regulating cryptographic means in France and the broader European Union. Businesses must comply with these regulations, ensuring they declare or obtain the proper ANSSI cryptography authorization for all cryptographic operations. Compliance with these legal frameworks is non-negotiable, as they help prevent the misuse of cryptographic products for malicious purposes, such as espionage or terrorism.

Displaying ANSSI Cryptography Authorization: Transparency and Trust

Publicly showcasing your ANSSI cryptography authorization not only demonstrates regulatory compliance but also strengthens your business’s credibility. In fact, there are no legal restrictions preventing companies from making their authorization certificates visible. By displaying this certification, you reinforce transparency and trustworthiness, especially when dealing with clients or partners who prioritize data security and regulatory adherence.

Moreover, doing so can provide a competitive edge. Customers and stakeholders are reassured by visible compliance with both French and European standards, including Decree No. 2007-663 and EU Regulation 2021/821. Displaying this certificate prominently, whether on your website or in official communications, signals your business’s proactive stance on cybersecurity.

Final Steps to Ensure Compliance

Now that you understand the steps involved in ANSSI cryptography authorization, you are better equipped to meet the regulatory requirements for importing and exporting cryptographic means. By diligently completing the necessary forms, submitting the required documentation, and adhering to the outlined deadlines, you can streamline your operations and avoid potential delays or penalties. Moreover, by staying up-to-date with both French and European regulations, such as Decree No. 2007-663 and EU Regulation 2021/821, your business will maintain full compliance.

For any additional guidance, don’t hesitate to reach out to the ANSSI team or explore their resources further on their official website. By taking these proactive steps, you can ensure that your cryptographic operations remain fully compliant and seamlessly integrated into global standards.