We require an ECCN to be provided when the APP CONTAINS ENCRYPTION and you are (1) a US Vendor; OR (2) the app was developed in the US; OR (3) the app was developed with or using US technology. 'Developed' for purposes of this question includes, but is not limited to, incorporating software from US companies and code developed by US employees. If you are a US vendor without any encryption in your app, then you should indicate this in your answer to Question 1 and you will not be required to provide an ECCN.
We do not consider using code signing keys for API access to be encryption.
An Export Control Classification Number (ECCN) is an alphanumeric designation (e.g., 5D992 or 5D002) used in the Commerce Control List of the US Export Administration Regulations to identify items for export control purposes. An ECCN categorizes items based on the nature of the product, i.e. type of commodity, technology or software and its respective technical parameters, including the type of encryption contained within an item.
You can get an ECCN in one of two ways:
1) Self-Classifying: You can self-classify your application by determining the correct ECCN through reading the Bureau of Industry and Security’s (the “Bureau”) documentation, phoning the Bureau, or consulting an export lawyer (see the “Resources” section).
However, not all encryption items are eligible for self-classification. Some encryption items require registration with the Bureau, at which time you will receive an Encryption Registration Number (“ERN”). Please see the “Other Rules” section for when we require an ERN.
2) Applying for Classification: Alternatively, you can request a classification from the Bureau by applying for a Commodity Classification (“CCATS”); the CCATS will contain the ECCN.
For further information on an ECCN, you can start with the Wikipedia Entry: http://en.wikipedia.org/wiki/ECCN
These export regulations are issued by the US Government, and RIM does not add additional requirements. If you are outside of Canada, and submitting your app to BlackBerry World, you are making an export, and your app is being considered for re-export from Canada to other destinations.
Unfortunately, we currently have a known issue in the portal where vendors CANNOT submit the ECCN of EAR99. For these vendors, EAR99 can be supported through BlackBerry World’s support team in the following manner:
- Mark ‘No Encryption’ in the Vendor Portal and continue with your app submission process.
- Contact us for support using this form: https://www.blackberry.com/profile/?eventId=8109 with the following information:
  - Tell us in the form that you marked ‘No Encryption’ in the portal, but that your app does contain encryption and has the ECCN of EAR99, which the portal form does not accept.
- We will then contact you with the next steps.
- To ensure this doesn’t slow down the approval process, please submit the support form the same day you submit the app – or even before.
RESOURCES FOR VENDORS TO DETERMINE CORRECT ECCN
If vendors need help assessing the appropriate ECCN for their app, the following links may be of help, and it’s highly suggested that you simply call the Bureau (202-482-0707) to get instant live help. Many vendors have been successful with a single phone call.
US Export Administration Regulations: http://www.access.gpo.gov/bis/ear/ear_data.html
US Regulatory Guidance: http://www.bis.doc.gov/encryption/question1.htm
US Department of Commerce, Bureau of Industry and Security Contacts: http://www.bis.doc.gov/encryption/technologycontac
- We cannot help determine which ECCN is correct for a given app.
- Vendors should take notice of Note 4 of Category 5, Part II, of Export Administration Regulations (http://www.bis.doc.gov/encryption/ccl5pt2.pdf) when assessing the app under the US Export Administration Regulations.
- We cannot accept applications that do not meet Note 3, the Cryptography Note of Category 5, Part II of the Export Administration Regulations (http://www.bis.doc.gov/encryption/ccl5pt2.pdf). Therefore, ECCNs must also be appropriate and correctly correspond to the requirements of Note 3.
In question 1, we ask the vendor what the encryption is used for. In many instances encryption is for the overall purpose of data confidentiality. HOWEVER, you can think of choices 1-3 (Authentication, Password Protection, Digital Signature / Copy Protection / Banking and Money Transactions) as subsets of that, and if you are limited to one of those subsets (e.g. you only use encryption for authentication and/or banking), simply choose those and NOT data confidentiality. Data confidentiality is for instances where you are encrypting more than what we outline in the first 3 choices.
If your app does provide encryption for more than authentication, password protection, digital signature, copy protection or banking and money transactions, you will be required to provide:
1) An ERN # OR
2) A CCATS (by applying for a classification) OR
3) Sufficient detail as to why an ERN or CCATS is not required.