Export Information on Sophos Products
General rules governing, and information relating to, the export of Sophos products.
Sophos is committed to complying with the laws and regulations relating to export controls. As part of this compliance effort, Sophos agreements contain provisions requiring Sophos customers and partners to ensure compliance with these laws and regulations. In order to assist our customers and partners, Sophos uses this portion of its web site to communicate export control information specific to its products to our customers and partners. This information may be required for shipping documentation, record keeping, or post-shipment reporting.
Customers and partners are encouraged to familiarize themselves with the import regulations of their country to ensure compliance with their specific regulations and to ensure timely delivery of Sophos products they may purchase.
NOTE: The contents on this website are not tailored to the needs of a specific entity or a particular export scenario. The information provided below is for general information purposes only. Exportation of restricted goods is a complex area and while Sophos will make reasonable efforts to maintain the information on this website, you are responsible for seeking your own legal advice and ensuring your compliance in relation to such matters.
Global Export Controls
Sophos is required to adhere to the laws and regulations of the United States, European Union, and every country in which it conducts business. Non-compliance with Global Trade regulations can subject Sophos, and its Business Partners to criminal and civil penalties, the seizure of assets, and the denial of import or export privileges.
As a Business Partner, customers and partners are also expected to abide by relevant laws and regulations, inclusive of all business transactions with Sophos. As such, Sophos requires that any party we conduct business with becomes familiar with, and ensure compliance with U.S. and EU export regulations, and applicable export/import regulations in the countries which it operates.
On occasion, Sophos will send communications to highlight important regulatory information to reinforce any related parties education on certain topics.
In response to the annexation of the Crimea region of the Ukraine, please be aware that the recent restrictions on transactions with the Crimea region imposed by the United States and European Union require Sophos and any related parties to cease transactions and communications with business partners and/or customers in the Crimea region.
The following activities are expressly prohibited under the U.S. sanctions:
- New investment in the Crimea region of Ukraine;
- The importation, directly or indirectly, of any goods, services, or technology from the Crimea region of Ukraine;
- The exportation, re-exportation, sale, or supply, directly or indirectly, of any goods, services, or technology to the Crimea region of Ukraine; and
- Any approval, financing, facilitation, or guarantee of a transaction.
The scope of the restrictions includes the prohibition of any service or support for existing equipment in the Crimean region. Additionally, certain parties in Crimea have been added to the U.S. list of Specially Designated Nationals.
U.S. license applications for exports, re-exports or transfers of U.S. EAR-regulated items will be subject to a presumption of denial, unless the item is included in the Office of Foreign Asset Control’s (OFAC) General License No. 4, which covers medical supplies and related replacement parts.
The U.S. Department of Commerce known as the Bureau of Industry and Security (BIS) also amended the U.S. EAR to restrict the availability of License Exceptions for exports and re-exports to the Crimea region. U.S. license exception “ENC”, which is used for many Sophos products, may no longer be used for exports to Crimea.
Although the E.U. has not imposed a comprehensive embargo on Crimea and Sevastopol, trade and investment is severely curtailed, details on regulatory compliance are found here:
United States Export Controls
Sophos products are subject to US export regulations. In the United States, a branch of the U.S. Department of Commerce known as the Bureau of Industry and Security regulates exports through the Export Administration Regulations (EAR). These regulations spell out the export restrictions on a wide variety of goods, software, and technologies. Sophos products may not be exported to Cuba, Iran, North Korea, Syria, or Sudan, but most products may be exported to other countries subject to the applicable import regulations of such country.
The US export classification control numbers for Sophos products are set out in the Product Classification page.
Some Sophos products are subject to export restrictions because they include encryption technology. In the case of Sophos products containing encryption, a one-time government technical review is usually required prior to export. Once a review has been completed, products may become eligible for a particular license exception, such as ENC. This exception may then be used by other exporters, as provided by the U.S. EAR.
Government End-Users: Restricted Encryption Products (UTM, Red, Access Points)
Certain government entities not located in the member countries of the EU, Australia, Canada, Japan, New Zealand, or the United States require a U.S. export license in order to obtain the noted Sophos restricted encryption products.
It must be noted that due to the current situation within Ukraine, the USA require additional validation on any transactions with Ukrainian or Russian businesses. As part of this process is the screening of not only the company itself, but all its Directors & Shareholders.
If any individual or company owning 51% or above of this company is highlighted on the Sectorial Sanctions list then the transaction isn’t permitted to proceed.
For any further information in regard to the Sectorial Sanctions in place by the U.S. Department of Commerce known as the Bureau of Industry and Security (BIS) please see the following link:
All government end users in the Russia and Ukraine
require a U.S. export license in order to obtain the noted Sophos restricted encryption products.
With the exception of Russia and Ukraine, Sophos’s encryption licensing arrangement (ELA), Export License No. D1009384, permits Local, State and Provincial government end users, as well as to National, Federal and Royal government end users that provide the civil government services listed below, to obtain the noted restricted encryption products:
- Census and Statistics Services;
- Civil Public Works Infrastructure Services (Construction, Maintenance, Repair, Regulation and Administration) as follows: Buildings, Public Transportation, Roads and Highways, Trucking;
- Civil Service Administration and Regulation, including Human Resources and Personnel/Labor Management;
- Clean Water Infrastructure Services (Treatment, Supply and Testing);
- Economic (Trade/Commerce/Investment), Business and Industrial Development, Promotion, Regulation and Administration; excluding the following end-users/end-uses:
- Agencies, Departments, Boards and Councils for Science and Technology,
- Research, Development and National Laboratories (other than as authorized in paragraphs (K) (Measurements and Standards) and (L) (Meteorology / Weather / Atmospheric Services) below)
- National Telecommunications and Information Technology Agencies, Boards, Councils and Development Authorities (including National Information Center, and Information Communications Technology (ICT) / Telecommunications Infrastructure / Spectrum Planning, Policy, Regulations and Testing);
- Elections, Balloting and Polling Services;
- Energy Regulation and Administration, including Oil, Gas and Mining Sectors;
- Environmental/ Natural Resources Regulation, Administration and Protection, including Wildlife, Fisheries and National Parks;
- Food/ Agriculture Regulation and Administration;
- Labor/Community/Social Services Planning, Regulation and Administration, including: Housing and Urban Development, Municipality And Rural Affairs;
- Measurements and Standards Services;
- Meteorology (Weather, Atmospheric) Services;
- National Archives/Museums;
- Pilgrimage and Religious Affairs;
- Postal Services;
- Public and Higher Education (Excluding Government Research Institutions and any agency, institution or affiliate engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List);
- Public Health and Medicine/Pharmaceutical Regulation and Administration;
- Public Libraries;
- Sports/Culture (Includes Film, Commercial Broadcasting and the Arts) Promotion, Regulation and Administration;
- Travel/Tourism Promotion, Regulation and Administration.
Note that the applicable definition of “government partner or end user” covers certain government organizations at the central, regional, and local levels, which are departments, agencies, or entities performing government functions, including governmental corporations that manufacture or distribute items or services controlled on the Wassenaar Munitions List, governmental research institutions and international governmental organizations. However, the definition of government end-users for US export purposes does not include:
- Utility providers (such as providers of gas, electricity, telecommunications and internet service);
- Transport agencies and entities (such as bus, train, and airport authorities);
- Entertainment or broadcast entities (such as radio or television organizations);
- Education organizations (such as schools, colleges and universities or other organizations that have direct contact with students);
- Health and medical organizations (such as hospitals and clinics);
- Retail & Manufacturing entities (such as retail or wholesale firms; and manufacturers or industrial entities that do not manufacture or distribute Wassenaar Munitions List items or services).
* The above restrictions do not apply to the following Sophos specific product versions: UTM 100, Red 10, Access Point (AP) 10, 30 & 50.
See the following URLs for more information on US export regulations:
EU Export Controls
Sophos products are subject the EU Dual Use export control regime is governed by Regulation (EC) No 428/2009 (hereunder "the Regulation"), which provides for common EU control rules, a common EU control list and harmonized policies that as a business Sophos must adhere to.
Under the EU regime, the export of dual-use items is subject to control and dual-use items may not leave the EU customs territory without an export authorization. The requirement for an export authorization applies to: - dual-use items listed in the EU Control List, in Annex I to the Regulation.
The EU Control List is based on decisions adopted by the following international export control regimes:
- Australia Group (AG),
- Nuclear Suppliers Group (NSG)
- Wassenaar Arrangement and the Missile Technology Control Regime (MTCR).
Non-listed items may also be controlled under the so-called catch-all clause, under certain conditions, when there is reason to believe such items are intended for use in connection with a biological, chemical, nuclear weapons or ballistic missile weapons programme, or for use in violation of an arms embargo
EU Member States may exceptionally impose additional controls on non-listed dual-use items for reasons of public security or human rights consideration.
In specific cases, the export of dual-use items may be subject to additional EU restrictive measures (sanctions). Such restrictive measures currently apply with respect to trade of dual-use items with DPRK, Iran, and Syria.
The EU Regulation is binding and directly applicable throughout the EU.
Dual-Use products within the EU may be traded freely within the EU.
There are four types of export authorizations in place in the EU export control regime:
EU General Export Authorizations (EU GEAs) allow for the export of dual-use items to certain destinations under certain conditions. There are currently 6 EU GEAs in place:
- Exports to Australia, Canada, Japan, New Zealand, Norway, Switzerland (including Liechtenstein) and United States of America
- Export of certain dual-use items to certain destinations
- Export after repair/replacement
- Temporary export for exhibition or fair
Global export control licenses are granted by national authorities to one exporter and may cover multiple items to multiple countries of destination or end users. Individual licenses are granted by national authorities to one exporter and cover exports of one or more dual-use items to one end-user or consignee in a third country.
Please note the products stated in the Product Classification page may not be exported to the following countries unless export licensing is acquired by Sophos:
Afghanistan, Angola, Armenia, Azerbaijan, Belarus, Burma (Myanmar), Burundi, Cote d'Ivoire, Cuba, Democratic Republic of Congo, Eritrea, Ethiopia, Guinea, Iraq, Iran, Lebanon, Liberia, Libya, Mozambique, Nigeria, North Korea, Pakistan, Somalia, Sudan, South Sudan, Syria, Tanzania, Uganda, Uzbekistan, Yemen & Zimbabwe.
In addition to the above, sales to Government end users and any Military, Para Military, Police, Secret Service (and related organizations) end users are only permitted if the relevant export licenses are held by Sophos.
UK Export Controls
Certain products have also been classified in accordance with UK export controls, as noted in Product Classification, and may be exported in accordance with the Community General Export Authorization (CGEA) and Open Individual Export Licences (OIEL). Such restrictions apply when Sophos products are exported from the UK or by the Sophos UK entity.
In regard to the above mentioned Open Individual Export Licenses, the UK Government requires completion of a Consignee Undertaking from parties-to these transactions as a condition of Sophos’s country license agreement (OIEL). This should be prepared by the ship-to partner, as defined in UK government guidance note which can be viewed on the below link:-
Any orders for Sophos Hardware as defined in the list below are controlled products, and the below mentioned Sophos products are controlled as per the UK strategic export control lists and in accordance with EU Council Regulation 428/2009.
Sophos controlled hardware 5A002 that can include loaded controlled software 5D002 are included on this strategic export control list, and when shipping from the EU will be export held until this form is completed to ensure Sophos corporate compliance policy is adhered to.
- Sophos Unified Threat Management Systems
- Sophos Remote Ethernet Devices
- Sophos Access Point Appliances
Without preparation and submission of these forms, Sophos Ltd could lose its bulk or by country export license privileges, resulting in all future orders of encryption products requiring individual export licenses.
German Export Controls
The Sophos products listed in Product Classification have also been classified in accordance with German export controls and may only be exported in accordance with the AGG16 and EU001 general licenses.
See the following URL for more information on German export controls: http://www.bafa.de/bafa/en/export_control/index.html
Military and military-related organizations not located in the member countries of the EU, Australia, Canada, Japan, New Zealand, or the United States may require an export license in order to obtain Sophos products.
Sophos products may not be exported, in their entirety or in part, for (i) military purposes, or (ii) use in connection with the development, production, handling, operation, maintenance, storage, detection, identification or dissemination of chemical, biological or nuclear weapons, or other nuclear explosive devices, or the development, production, maintenance or storage of missiles capable of delivering such weapons.
Products Appearing in More Than One Table
If a product appears in multiple tables, the applicable export controls of all such countries must be complied with in regards to the exportation of such product.
As noted above, exportation of restricted goods is a complex area and you are responsible for seeking your own legal advice and ensuring your compliance in relation to such matters in the context of your specific export scenario.
From time-to-time, Sophos may rename or rebundle various products. If you are unsure which of the product names below reflect your purchase, please contact your Sophos Account Manager and they will review your purchase and, upon consultation with the Sophos Legal Department, provide you with the relevant information.
Export Control Classification Number assigned by the U.S. Department of Commerce, Bureau of Industry and Security (BIS) in the Commerce Control List (CCL). This is the fundamental designation indicating the level of control for an item.
Please review the current Commerce Control List Overview and the Country Chart for up to date information on the current countries to which exports are restricted for the referenced ECCNs. Currently, unless otherwise restricted by another country's more restrictive controls, mass market items may be exported without a license to any destination, except to embargoed/sanctioned countries (Cuba, Iran, North Korea, Sudan, and Syria) or to prohibited end-users or for prohibited end-uses.
License Exception ENC
Sophos received a License Exception from the U.S. Department of Commerce for each of the appliance products after submitting each to a one-time significant technical review by the National Security Agency (NSA). See the following URL for further information on the ENC License Exception: https://www.sophos.com/en-us/legal/export.aspx
CCATS (Commodity Classification Automated Tracking System)
This is the code number assigned by BIS to products that it has classified against the CCL. If no CCATS number is provided, this indicates that the products have been classified under the Department of Commerce, Bureau of Industry and Security self-classification regulations.
This abbreviation indicates that UK Export Control Organization ("ECO") has indicated that the product does not require a license for export from the UK ("No License Required").
Subject to German Export Control
The LanCrypt products are subject to German export controls as 5A002 or 5D002 products and may only be exported in accordance with the AGG16 and EU001 general licenses as further detailed above.