Export Control Divergence Around Software Posing Compliance Challenges, Researchers Say
Countries, especially within the EU, should try to minimize export control compliance and enforcement challenges posed by cloud computing services, researchers said in a report this month.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The report, published by the Stockholm International Peace Research Institute, examines how EU countries are applying controls to software as a service (SaaS), a type of cloud computing that allows people and companies to remotely use software without downloading it to a local device. SIPRI noted that even though EU states are governed by bloc-wide dual-use export control regulations, individual governments haven’t “settled on a consistent national interpretation” about whether making controlled software available through SaaS is considered an export.
“As well as creating potential loopholes and gaps, this divergence makes compliance more difficult, particularly for companies that operate in several states with different interpretations,” the report said.
The SIPRI researchers said the use of cloud computing and SaaS are “both set to increase,” including in ways that could allow potentially dangerous end-users to access and use cyber surveillance tools, and countries “need to find the right balance between ensuring regulatory control” and “limiting the burden on legitimate trade.”
While it’s unlikely that EU member states align their export controls over software in the same way, they should at least clarify whether they believe their export controls apply to cloud computing, issue guidance on those restrictions and “conduct outreach to companies to support their compliance efforts,” SIPRI said. Countries should also encourage “more exchange” between their licensing and enforcement agencies to better detect, investigate and prosecute cases involving SaaS.
The report recommends countries work on these issues together through multilateral forums, such as the Pall Mall Process, an initiative begun by the U.K. and France last year to develop guidelines for responsible uses of cyber surveillance tools. Efforts like these “could improve understanding of both the technical aspects of the trade in these tools and how export controls can complement other regulatory mechanisms.”