Sophos Compliance Overview
Sophos is committed to complying with the laws and regulations relating to export controls. As part of this compliance policy, Sophos agreements contain provisions requiring Sophos customers and partners to ensure compliance with these laws and regulations. In order to assist our customers and partners, Sophos uses this portion of its web site to communicate export control information specific to its products to our customers and partners. This information may be required for shipping documentation, record keeping, or post-shipment reporting.
Customers and partners are encouraged to familiarize themselves with the import regulations of their country to ensure compliance with their specific regulations and to ensure timely delivery of Sophos products they may purchase. As a Business Partner, customers and partners are also expected to abide by relevant laws and regulations, inclusive of all business transactions with Sophos. As such, Sophos requires that any party we conduct business with becomes familiar with, and ensure compliance with U.S. and EU export regulations, and applicable export/import regulations in the countries which it operates. Non-compliance with Global Trade regulations can subject Sophos, and its Business Partners to criminal and civil penalties, the seizure of assets, and the denial of import or export privileges.
Any person or entity exporting or re-exporting Sophos products directly or indirectly and via any means, including electronic transfer, is wholly responsible for doing so in accordance with the U.S. Export Administration Regulations and the laws of host countries.
When exporting, or re-exporting Sophos products (hardware, software & technology), U.S. export controls apply and it is your responsibility to ascertain your compliance obligations and ensure adherence to US export controls and the country of actual export / re-export whether they be tangible or in-tangible movements.
On occasion, Sophos will send communications to highlight important regulatory information to reinforce any related parties’ education on certain topics.
Sophos products may not be exported, in their entirety or in part, for (I) military purposes, or (ii) use in connection with the development, production, handling, operation, maintenance, storage, detection, identification or dissemination of chemical, biological or nuclear weapons, or other nuclear explosive devices, or the development, production, maintenance or storage of missiles capable of delivering such weapons.
An Embargo is a government order that restricts commerce or exchange with a specified country. An embargo is usually created as a result of unfavorable political or economic circumstances between nations. The restriction looks to isolate the country and create difficulties for its governing body, forcing it to act on the underlying issue.
Embargoes can take a number of forms, but the most relevant types of sanctions for businesses are financial sanctions and trade sanctions.
- Financial sanctions generally involve asset-freeze measures affecting the provision of funds and economic resources to certain entities or individuals ('designated persons'). They may also include restrictions on the use of assets by designated persons, receipt and transfers of funds to particular types of persons - for example, Iranian nationals - and prohibitions on the provision of financing or financial assistance connected to designated persons and prohibited transactions.
- Trade sanctions prohibit trade in certain goods from affected countries, usually arms and commodities such as oil, timber, gold and diamonds; and equipment for use in the nuclear, oil and gas or petrochemical sector. Activities related to such trade may be prohibited.
It is also prohibited to engage in any activities the object or effect of which is to circumvent sanctions. As a consequence, Sophos does not structure transactions to avoid international sanctions.
Breach of financial or trade sanctions law can result in the commission of a criminal offence punishable by imprisonment, a fine or both.
In order to avoid breaching embargoes, Sophos has a compliance program based around a robust policy on sanctions and comprehensive systems to implement the policy effectively.
This program includes
- customer and transaction due diligence and screening against applicable financial sanctions target lists, including HM Treasury’s Consolidated List, and OFAC’s SDN List; along with other lists pre-defined by the business
- assessing if equipment and products are on export control lists such as the UK's Strategic Export Control List and ensuring that all necessary licenses to export are obtained;
- checking if goods are in any way restricted;
- maintaining a list of countries which are subject to wider embargoes and ensuring that equipment, good and services are not supplied to persons and entities in those countries, including via a third party distributor or otherwise indirectly, unless an exemption applies;
- contractual controls, including sanctions exclusions and warranties;
- training in policies and procedures; and
- regular monitoring of transactions and periodic audits of sanctions compliance.
Current Embargoes in operation that Sophos adheres to are:-
- Iran, North Korea, Cuba, Sudan (including South Sudan) & Syria
Please note that even though Iran sanctions have been eased by the EU enforcement are still place from the USA. So even though Sophos is a UK limited company, as our products fall under the USA extra territorial reach we still cannot permit any such exports or re-exports to Iran.
A trade sanctions is a trade penalty imposed by one nation onto one or more other nations. Sanctions can be unilateral, imposed by only one country on one other country, or multilateral, imposed by one or more countries on a number of different countries. Often allies will impose multilateral sanctions on their foes.
Their principal purpose is usually to change the behavior of the target country’s regimes, individuals or groups in a direction which will improve the situation in that country. All recent UN and EU sanctions contain information as to why they have been imposed and specify what their aim is.
The ultimate objective of a sanction varies according to the situation. For instance, an arms embargo and a ban on the export of certain items or raw materials could be aimed at supporting a peace process and restricting the financing of weapons by the combatants. Sanctions may also be aimed at preventing weapons from falling into the wrong hands, disrupting terrorist operations, or trying to change the policies and actions of the ‘target’.
- The EU imposes sanctions to further its Common Foreign and Security Policy (CFSP) objectives. EU measures can also be imposed to uphold respect for human rights, democracy and the rule of law.
- In addition to UN and EU sanctions, sanctions may be put in place by the Organization for Security and Co-operation in Europe, who can also impose national arms embargoes.
- The USA imposes sanctions through The Office of Foreign Assets Control ("OFAC") of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States.
USA Iran Sanctions
You may have heard in the news recently that sanctions have been lifted against Iran. What is less clear however, is that there were 2 categories of sanctions related to Iran and for all intents and purposes, despite the lifting, allowable interactions for those considered a “U.S. Person” remains essentially the same.
The lifted sanctions went into effect on January 16, 2016 under the Joint Comprehensive Plan of Action (JCPOA), which was an agreement created to ensure a peaceful nuclear program in Iran and was agreed to by the U.S., U.K., E.U., China, France, Germany, Russia, and Iran. Known as “Implementation Day,” it marked the International Atomic Energy Agency’s (IAEA) verification that Iran implemented its nuclear related commitments under the JCPOA.
The general prohibition to engage in transactions with Iran remains virtually the same. On Implementation Day the U.S. lifted what are known as “secondary sanctions” and not what are commonly referred to as the “primary sanctions” which arose from the Iranian trade embargo declared back in 1995.
The primary sanctions broadly prohibit U.S. Persons from engaging in transactions or dealings with Iran or its government, as do the U.S. controls on the exportation or re-exportation of goods, technology and services pursuant to the Export Administration Regulations, and others. These remain in effect
In response to the annexation of the Crimea region of the Ukraine, please be aware that the recent restrictions on transactions with the Crimea region imposed by the United States and European Union require Sophos and any related parties to cease transactions and communications with business partners and/or customers in the Crimea region.
Please click here for the Sophos business guidance note communicated to our Business Partners in this region in regard to this matter.
The following activities are expressly prohibited under the U.S. sanctions:
- New investment in the Crimea region of Ukraine;
- The importation, directly or indirectly, of any goods, services, or technology from the Crimea region of Ukraine;
- The exportation, re-exportation, sale, or supply, directly or indirectly, of any goods, services, or technology to the Crimea region of Ukraine; and
- Any approval, financing, facilitation, or guarantee of a transaction.
The scope of the restrictions includes the prohibition of any service or support for existing equipment in the Crimean region. Additionally, certain parties in Crimea have been added to the U.S. list of Specially Designated Nationals.
U.S. license applications for exports, re-exports or transfers of U.S. EAR-regulated items will be subject to a presumption of denial, unless the item is included in the Office of Foreign Asset Control’s (OFAC) General License No. 4, which covers medical supplies and related replacement parts.
The U.S. Department of Commerce known as the Bureau of Industry and Security (BIS) also amended the U.S. EAR to restrict the availability of License Exceptions for exports and re-exports to the Crimea region. U.S. license exception “ENC”, which is used for many Sophos products, may no longer be used for exports to Crimea.
Although the E.U. has not imposed a comprehensive embargo on Crimea and Sevastopol, trade and investment is severely curtailed, details on regulatory compliance are found here:
USA - http://www.treasury.gov/resource-center/sanctions/Programs/Pages/ukraine.aspx
EU - http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:JOL_2015_040_R_0003
Restricted Party Screening
Restricted party screening is a compliance control that prevents doing business with sanctioned governments, entities or individuals. Governments of various countries, as well as international organizations, e.g., United Nations, maintain a variety of lists of these types of entities. Screening means checking to see if an entity of interest to the organization appears on one or more of these lists. Depending on the nature of the list and transaction, it may be legally prohibited to engage in certain activities with listed entities.
Prohibited activities could include contracting with, selling to, shipping to, allowing download or software from a network, receiving payment from, making payment to, or conveying technology to prohibited/restricted parties. Additionally, as a matter of reputation and policy.
Sophos may choose not to engage in certain transactions with listed entities, even if not legally prohibited.
In general, ‘denied persons’ do not have the privilege of making or participating in exports because they have violated export laws or regulations. Companies are prohibited from selling products/services to, or otherwise dealing with, a denied person in a transaction involving export or re-export of US-origin items.
The specific restrictions imposed on a ‘denied person’ vary.
EU Export Controls
Sophos products are subject the EU Dual Use export control regime is governed by Regulation (EC) No 428/2009 (hereunder "the Regulation"), which provides for common EU control rules, a common EU control list and harmonized policies that as a business Sophos must adhere to.
Under the EU regime, the export of dual-use items is subject to control and dual-use items may not leave the EU customs territory without an export authorization. The requirement for an export authorization applies to: - dual-use items listed in the EU Control List, in Annex I to the Regulation.
The EU Control List is based on decisions adopted by the following international export control regimes:
- Australia Group (AG),
- Nuclear Suppliers Group (NSG)
- Wassenaar Arrangement and the Missile Technology Control Regime (MTCR).
Non-listed items may also be controlled under the so-called catch-all clause, under certain conditions, when there is reason to believe such items are intended for use in connection with a biological, chemical, nuclear weapons or ballistic missile weapons program, or for use in violation of an arms embargo
EU Member States may exceptionally impose additional controls on non-listed dual-use items for reasons of public security or human rights consideration.
In specific cases, the export of dual-use items may be subject to additional EU restrictive measures (sanctions). Such restrictive measures currently apply with respect to trade of dual-use items with DPRK, Iran, and Syria.
The EU Regulation is binding and directly applicable throughout the EU.
Dual-Use products within the EU may be traded freely within the EU.
There are four types of export authorizations in place in the EU export control regime:
EU General Export Authorizations (EU GEAs) allow for the export of dual-use items to certain destinations under certain conditions. There are currently 6 EU GEAs in place:
- Exports to Australia, Canada, Japan, New Zealand, Norway, Switzerland (including Liechtenstein) and United States of America
- Export of certain dual-use items to certain destinations
- Export after repair/replacement
- Temporary export for exhibition or fair
Global export control licenses are granted by national authorities to one exporter and may cover multiple items to multiple countries of destination or end users. Individual licenses are granted by national authorities to one exporter and cover exports of one or more dual-use items to one end-user or consignee in a third country.
UK Export Controls
Certain products have also been classified in accordance with UK export controls, and may be exported in accordance with the Community General Export Authorization (CGEA) and Open Individual Export Licenses (OIEL). Such restrictions apply when Sophos products are exported from the UK or by the Sophos UK entity or agreed EU Sophos entity as stated in the export license conditions.
All granted Sophos Open Individual Export Licenses are Dual Use which permits the export to commercial & government end users for controlled products per the agreed countries.
Click here to view the End User declaration that Sophos would request, for any tangible exports on controlled Sophos products from an EU jurisdiction.
Any orders for Sophos Hardware as defined in the list below are controlled products, and the below mentioned Sophos products are controlled as per the UK strategic export control lists and in accordance with EU Council Regulation 428/2009.
Sophos controlled hardware 5A002 that can include loaded controlled software 5D002 are included on this strategic export control list, and when shipping from the EU will be export held until this form is completed to ensure Sophos corporate compliance policy is adhered to.
- Sophos Unified Threat Management Systems
- Sophos Remote Ethernet Devices
Without preparation and submission of these forms, Sophos Ltd could lose its bulk or by country export license privileges, resulting in all future orders of encryption products requiring individual export licenses.
German Export Controls
The Sophos products are also classified in accordance with German export controls and may only be exported in accordance with the AGG16 and EU001 general licenses.
See the following URL for more information on German export controls: http://www.bafa.de/bafa/en/export_control/index.html
USA Export Controls
Sophos products are subject to US export regulations. In the United States, a branch of the U.S. Department of Commerce known as the Bureau of Industry and Security regulates exports through the Export Administration Regulations (EAR).
These regulations spell out the export restrictions on a wide variety of goods, software, and technologies. Sophos products may not be exported to Cuba, Iran, North Korea, Syria, or Sudan, but most products may be exported to other countries subject to the applicable import regulations of such country.
Some Sophos products are subject to export restrictions because they include encryption technology and are defined as ENC/Restricted. In the case of Sophos products containing encryption, a one-time government technical review is usually required prior to export. Once a review has been completed, products may become eligible for a particular license exception, such as ENC. This exception may then be used by other exporters, as provided by the U.S. EAR.
Civilian / Commercial End Users
ENC/Restricted products may be exported or re-exported to most civilian and commercial end users located in all territories, except embargoed destinations and countries designated as supporting terrorist activities. Countries listed in Part 746 of the EAR as embargoed destinations requiring a license are Cuba, Iran, North Korea, Sudan, and Syria.
Other specific government entities are also permitted under ENC/Restricted license exemption and are listed below: -
- Census and Statistics Services;
- Civil Public Works Infrastructure Services (Construction, Maintenance, Repair, Regulation and Administration) as follows: Buildings, Public Transportation, Roads and Highways, Trucking;
- Civil Service Administration and Regulation, including Human Resources and Personnel/Labor Management;
- Clean Water Infrastructure Services (Treatment, Supply and Testing);
- Economic (Trade/Commerce/Investment), Business and Industrial Development, Promotion, Regulation and Administration; excluding the following end-users/end-uses:
- Agencies, Departments, Boards and Councils for Science and Technology,
- Research, Development and National Laboratories (other than as authorized in paragraphs (K) (Measurements and Standards) and (L) (Meteorology / Weather / Atmospheric Services) below)
- National Telecommunications and Information Technology Agencies, Boards, Councils and Development Authorities (including National Information Center, and Information Communications Technology (ICT) / Telecommunications Infrastructure / Spectrum Planning, Policy, Regulations and Testing);
- Elections, Balloting and Polling Services;
- Energy Regulation and Administration, including Oil, Gas and Mining Sectors;
- Environmental/ Natural Resources Regulation, Administration and Protection, including Wildlife, Fisheries and National Parks;
- Food/ Agriculture Regulation and Administration;
- Labor/Community/Social Services Planning, Regulation and Administration, including: Housing and Urban Development, Municipality and Rural Affairs;
- Measurements and Standards Services;
- Meteorology (Weather, Atmospheric) Services;
- National Archives/Museums;
- Pilgrimage and Religious Affairs;
- Postal Services;
- Public and Higher Education (Excluding Government Research Institutions and any agency, institution or affiliate engaged in the manufacture or distribution of items or services controlled on the Wassenaar Munitions List);
- Public Health and Medicine/Pharmaceutical Regulation and Administration;
- Public Libraries;
- Sports/Culture (Includes Film, Commercial Broadcasting and the Arts) Promotion, Regulation and Administration;
- Travel/Tourism Promotion, Regulation and Administration.
Note that the applicable definition of “government partner or end user” covers certain government organizations at the central, regional, and local levels, which are departments, agencies, or entities performing government functions, including governmental corporations that manufacture or distribute items or services controlled on the Wassenaar Munitions List, governmental research institutions and international governmental organizations. However, the definition of government end-users for US export purposes does not include:
- Utility providers (such as providers of gas, electricity, telecommunications and internet service);
- Transport agencies and entities (such as bus, train, and airport authorities);
- Entertainment or broadcast entities (such as radio or television organizations);
- Education organizations (such as schools, colleges and universities or other organizations that have direct contact with students);
- Health and medical organizations (such as hospitals and clinics);
- Retail & Manufacturing entities (such as retail or wholesale firms; and manufacturers or industrial entities that do not manufacture or distribute Wassenaar Munitions List items or services).
Restricted Government End Users
Certain government entities not located in the member countries of the EU, Australia, Canada, Japan, New Zealand, or the United States require a U.S. export license in order to obtain the noted Sophos restricted encryption products.
Other specific government entities are deemed as restricted and export licensing would need to be in place with an additional 15 calendar day’s pre-notification to the US government prior to any export taking place.
The government sectors that fall under this remit are listed below: -
- Agencies, Departments, Boards and Councils for SCIENCE AND TECHNOLOGY (including research, development and state/national laboratories, but not including measurements and standards)
- CURRENCY AND MONETARY authorities (including departments and offices of the national/federal/royal reserve)
- EXECUTIVE AGENTS OF STATE (including offices of President/Vice President/Prime Minister, Royal Courts, National Security Councils, Cabinet/Council of Ministers/Supreme Councils/Executive Councils, Crown Princes and other deputies of the rulers, departments and offices of political/constitutional/mainland affairs
- LEGISLATIVE BODIES responsible for the enactment of laws
- IMPORT/EXPORT CONTROL, CUSTOMS AND IMMIGRATION agencies and entities
- INTELLIGENCE agencies and entities
- JUDICIARY (including Supreme Courts and other national/federal/regional/Royal High Courts and tribunals
- MARITIME, PORT, RAILWAY AND AIRPORT authorities
- MILITARY AND ARMED SERVICES (including national guard, coast guard, security bureaus and paramilitary)
- Ministries, Departments and Garrisons of DEFENSE (including defense technology agencies)
- Ministries and Departments of FINANCE AND TAXATION (including national/federal/royal budget and revenue authorities)
- Ministries and Departments of FOREIGN AFFAIRS/FOREIGN RELATIONS/CONSULATES/EMBASSIES
- Ministries of INTERIOR/HOME/MAINLAND AFFAIRS AND HOMELAND SECURITY
- State/national TELECOMMUNICATIONS AND INFORMATION TECHNOLOGY agencies, boards, councils and development authorities (including national information/critical infrastructure data centers and information and communications technology (ICT)/telecommunications infrastructure/spectrum planning, policy, regulation and testing
- POLICE, INVESTIGATION AND OTHER LAW ENFORCEMENT agencies and entities (including digital crime/computer forensics/counter narcotics/counter terrorism/counter proliferation agencies)
- PUBLIC SAFETY agencies and entities (including national/federal/royal agencies and departments of civil defense, emergency management and first responders)
It must be noted that due to the current situation within Ukraine, the USA require additional validation on any transactions with Ukrainian or Russian businesses. As part of this process is the screening of not only the company itself, but all its Directors & Shareholders.
If any individual or company owning 51% or above of this company is highlighted on the Sectorial Sanctions list, then the transaction isn’t permitted to proceed.
For any further information in regard to the Sectorial Sanctions in place by the U.S. Department of Commerce known as the Bureau of Industry and Security (BIS) please see the following link:
Sophos Product Classifications
All Sophos products will have rating reviews in all countries where a tangible or in-tangible export / re-export is completed through a Sophos entity.
In the EU this is done through licensing rating request with the relevant export control authority.
In the USA BIS uses the Commodity Classification Automated Tracking System (CCATS) to assign code numbers to products it has classified against the Commerce Control List (CCL). The CCL contains items subject to BIS export license requirements. Please refer to the Sophos Product Classification Matrix as that lists Sophos CCATS numbers on our product matrix.
Sophos Distribution Centers
Sophos hardware products can be distributed from the United Kingdom, United States of America, Singapore, Taiwan, India, Netherlands and Ireland require in-country export permits. For additional information on these requirements, please visit the appropriate government websites.
Sophos Product Classification Matrix
The following Sophos product matrix provides information as related to the relevant Strategic Lists, EAR and the CCL.
This information is suitable for use by Sophos customers in conjunction with appropriate independent legal advice. Sophos makes no representation as to the accuracy or reliability of the classifications listed in the Sophos Product Matrix is done at the user’s own risk.
Sophos Product Classifications including USA license citations can be accessed here
If you have any queries or require further clarification please contact email@example.com
Important Notice & Disclaimer
From time-to-time, Sophos may rename or re-bundle various products. If you are unsure which of the product names below reflect your purchase, please contact your Sophos Account Manager and they will review your purchase and, upon consultation with the Sophos Legal Department, provide you with the relevant information.
Products Appearing in More Than One Table
If a product appears in multiple tables, the applicable export controls of all such countries must be complied with in regards to the exportation of such product.
As noted above, exportation of restricted goods is a complex area and you are responsible for seeking your own legal advice and ensuring your compliance in relation to such matters in the context of your specific export scenario.
Sophos is providing this information as a general guidance to our customers and business partners and makes no representations as to its accuracy. All export authorities require that each company / individual exporting products be familiar with and comply with the legislative set forth for the exporting jurisdiction.
Please note that export licensing regulations are subject to change, and should be monitored accordingly.
We recommend that customers and partners obtain legal advice when attempting to export to ensure adherence with local jurisdictional licensing & controls in place.