The early 2020s were marked by turbulence, and the resulting economic sanctions have profoundly impacted exporting companies around the world. At the same time, groundbreaking advancements in digital infrastructure, such as generative AI and intelligent automation, have sparked debates about regulations governing software and technology export controls in leading nations. These discussions aim to protect competitive advantages and shield nations from emerging threats such as advanced cybercrime and electronic surveillance by foreign entities. As a result, export control restrictions are becoming increasingly complex. I have taken up this topic to help the company that I work for to make sense of these complex regulatory issues.
Challenge: Understanding the Regulatory Framework
Given the lack of maturity in multilateral processes and national regulations, companies in the software and technology sectors must proactively prepare for new restrictions and controls. Non-compliance with foreign trade laws can lead to legal, financial, and reputational risks. Moreover, macroeconomic trends, including the global economic shift and rising protectionism, will continue to impact organizations involved in export activities. Ignoring exports, that are intangible in nature, is no longer an option. What the technology industry should have learned from the unprecedented economic sanctions of 2022 and the uncertainties surrounding global treaties is that proactive trade compliance is essential.
Master´s Thesis Offers an Approach
My Master’s thesis offers a thorough review of existing knowledge on software technology export controls, regulatory frameworks, and best practices in both the United States (US) and the European Union (EU). This information has been synthesized into a conceptual framework to help co-create an export compliance framework tailored to software offerings. The goal is to mitigate the risk of non-compliance within the sponsor organization and to clarify the roles and responsibilities of stakeholders in the export compliance process. This process involves business conduct due diligence and adherence to export control regulations, which typically cover four main categories: product controls, end-user controls, export destination controls and controls on the actual end-use.
The Wassenaar Arrangement serves as the umbrella for export control regulations. It is a multilateral, non-binding international forum that facilitates the exchange of views and information on international trade in conventional arms and dual-use goods and technologies. The EU and the US have integrated the Wassenaar Arrangement control lists into their legislative frameworks and operational practices. The US has more comprehensive legislation regarding software product-related controls, while the EU has delegated most software-specific regulations to its member states.
Key Considerations in Software Technology
When it comes to software technology classification, important aspects include encryption features and the functionality of software embedded in dual-use classified end products. The US also monitors the re-export of US-made technology in exports outside its borders. Therefore, all software product development should consider both US and EU legislation when working in international markets. A common element across the Wassenaar Arrangement, the US, and the EU concerning software and technology is the inclusion of information security within their respective national regulations.
Solution: A Tool for Export Compliance
Drawing from the information security domain, a tool for further content analysis was selected; the People, Process, and Technology framework introduced by Information Security and Privacy expert Bruce Schneier in 1999. This framework became a foundational concept in cybersecurity, emphasizing that when one element changes, the other two must also adapt to maintain a balanced and effective response to change. Schneier (2013) stressed that security should not solely rely on technology but should also incorporate people and processes into a comprehensive security system. The same principle applies to the export compliance landscape.
To prevent confusion regarding Technology terminology in export control regulations, the Technology element was modified in the thesis to represent the actual end product, transforming the framework into the People, Process, and Product (PPP) matrix. During the co-creation process with stakeholders, the PPP elements were evaluated through the four categories of export control. Identified findings and related regulatory aspects were consolidated into a matrix, with each cell color-coded to identify the responsible entity. This matrix was designed as a tool to assist in risk mitigation within the export compliance process for software offerings at the sponsor organization. It aims to verify and monitor software exports and clarify the roles and responsibilities of different stakeholders.
Preparing for the Future
To thrive, businesses must accelerate innovation, enhance risk management, and meet increasingly demanding expectations. Effectively designing and managing their people, processes, and product controls during times of change can provide the necessary insight and understanding to achieve these goals. Consequently, companies engaged in the software and technology business should proactively prepare to adopt new restrictions and controls as they are introduced. By doing so, they can navigate the complex landscape of export controls and ensure compliance in an ever-evolving global market.
About the author
Aino Herranen is a graduate of Master´s degree program in Business Informatics. Aino has a keen interest in technologies and export compliance, and has selected this area for doing her Master´s thesis.
References:
Herranen, Aino. 2024. Building an Export Compliance Framework: Intangible Technology Transfer – Software offerings. Metropolia University of Applied Sciences. Master’s Thesis.
https://www.theseus.fi/handle/10024/856483
Schneier, Bruce. 2013. ”People, Process, and Technology”. Blog. Pulished 30/01/2013.
https://www.schneier.com/blog/archives/2013/01/people_process.html
This document benefited from the use of OpenAI’s ChatGPT for grammar and style checks.
Ei kommentteja