Even with no apparent military application, software can be a dual-use product. There are strict legal requirements for importing or exporting dual-use software.
Dual-use items are products that can have both a civil and a military application, which makes them strategically important for state security. Foreign trade in such products is controlled and requires export permits, and imports of dual-use items have to be reported. It also involves other obligations, such as keeping internal records and annual reports. Specific obligations depend on the type of dual-use product and the country with which trade in the product takes place. Failure to observe these legal requirements may result in criminal liability.
Dual-use products are mainly armaments, including, for example, nuclear technologies. Interestingly, however, software products can also be dual-use items, despite having no apparent connection with defense or military technologies.
The key legal act applicable to dual-use products in the EU is Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items. The comprehensive classification of dual-use items in this regulation, consistent with the American classification of these products, is the primary point of reference when assessing whether a given product is a dual-use item. There are also additional national Polish regulations in this regard.
The feature of a software product that may cause it to be classified as a dual-use product is a cryptographic function, i.e. encryption, even if it is not the main purpose or application of the software.
Producers of software that has encryption functions and that is exported from Poland or imported into Poland need to consider whether their product uses an encryption protocol with a symmetric key length exceeding 56 bits or equivalent (many commonly used protocols exceed this key length). If so, the software may constitute a dual-use product, unless it falls under the exclusions specified in Regulation 428/2009. Certain software products that are sold universally and are easy to use (typically COTS) may be excluded if they meet the following criteria: a wide range of buyers, universal availability in retail outlets, the possibility of self-installation, and a cryptographic function that cannot be modified.