Israel’s regulatory framework governing encryption controls is undergoing a fundamental transformation. After decades during which encryption-related activities were subject to broad and comprehensive regulation across the field, the Ministry of Defense has decided to repeal Israel’s unique domestic regime and adopt an export control framework aligned with internationally accepted standards
Until now, the applicable regime was based on the Commodities and Services (Control of the Use of Encryption Items) Order, 1974, commonly referred to as the “Encryption Order.” This Order broadly defined the term “engaging in encryption items” to include development, production, modification, integration, acquisition, use, possession, transfer, import, distribution, sale, and even negotiation for export, as well as the export itself, of encryption items. Each of these activities required a license from the Ministry of Defense, except in relation to items designated as “free items” or where the use was personal.
The current reform reflects developments in e-commerce, the information technology sector, and the widespread integration of encryption products into digital environments. These developments have materially altered the rationale for maintaining comprehensive regulation of all encryption-related activities. Technological progress prompted the Ministry of Defense to re-examine the scope of regulation required and led to the conclusion that broad control over all encryption activities is no longer justified. Instead, regulatory control will now be limited to the export sphere and, in the case of defense-related transactions, also to defense marketing.
It was further recognized that indiscriminate regulation of all encryption items is no longer appropriate, given that encryption components are now embedded in a wide range of civilian products. Accordingly, control will focus solely on the export of dual-use items listed under the Wassenaar Arrangement, the internationally recognized framework governing the export of dual-use goods, software, and technologies.
On November 20, 2024, two revocation orders were published: one repealing the Encryption Order and the other repealing the related control declaration. Both revocation orders entered into force on March 20, 2025, four months after their publication.
The principal change is that, as of March 20, 2025, activities involving encryption items that do not constitute export are fully exempt from licensing requirements, and existing licenses relating to such activities are canceled. However, the export of encryption items, as well as the export of encryption-related knowledge or technology, remains subject to licensing requirements. Existing export licenses will remain valid until their expiration date or until November 19, 2026, whichever is later.
Applications for export licenses concerning encryption items, knowledge, or technology submitted on or after March 20, 2025, are processed according to the identity of the end user. Where the end user is civilian, the application must be submitted to the Ministry of Economy and Industry. Where the end user is defense-related, the application must be submitted to the Ministry of Defense, through the Defense Export Control Agency (DECA).
It is important to emphasize that applications submitted to DECA require substantial advance preparation. Exporters must complete all stages applicable to defense exports, including registration in the Defense Export Registry, product registration, obtaining a marketing license where required, and obtaining an export license. These procedures are often lengthy, and exporters are therefore advised to begin preparations well in advance.
The new framework is based on Category 5, Part 2 (“Information Security”) of the Wassenaar Arrangement. The control regime applies only to the encryption-related elements included within that category.
This category includes several important exemptions. First, products intended for personal use are exempt from control. Second, commercial mass-market products are exempt, provided that all of the following conditions are met: they are sold from stock at retail points, by mail order, through electronic transactions, or by telephone; their encryption functionality cannot easily be altered by the user; they may be installed by the user without substantial further support from the supplier; and, upon request, the manufacturer or exporter is able to provide the competent authority with the information required to assess compliance with the exemption.
A further exemption applies to hardware or software components accompanying commercial mass-market products, provided that all of the following conditions are satisfied: they are not primarily designed or modified for information security; they do not enhance or add cryptographic functionality to the existing product; they are not user-customizable; and their technical characteristics may be made available for review by the relevant authorities.
The items covered under the new control regime include a range of encryption items, subject to the applicable exemptions, and exporters are strongly advised to review the relevant classification chapter carefully. Among the controlled items are those designed or modified for use in cryptography for data confidentiality, namely, the use of digital techniques to encrypt or decrypt information, excluding specified functions such as authentication, digital signatures, rights management, entertainment broadcasting, or banking transactions, where such uses fall outside the relevant control parameters.
Control also extends to cryptographic activation tokens, namely, items designed to convert a non-controlled product into a controlled product or to enable a controlled cryptographic function. In addition, control applies to items designed or modified for quantum cryptography, to cryptographic techniques used to generate channel codes, scrambling codes, or network identification codes for systems employing ultra-wideband modulation techniques, and to cryptographic techniques used to generate spreading codes for spread-spectrum systems.
The control regime applies not only to the encryption product itself, but also to related testing, inspection, and production equipment, as well as to associated software and technology. Each of these terms carries a specific technical and legal meaning, and exporters must therefore assess each component separately and carefully.
Recommended preparatory steps for exporters include the following: (1) determine whether an exemption under Category 5, Part 2 applies; (2) determine whether the relevant product falls within Category 5, Part 2 of the Wassenaar Arrangement; (3) if the product, software, or technology is controlled under Category 5, Part 2, obtain the required export license; and (4) where the end user is defense-related, begin the process of registration in the Defense Export Registry and product registration with DECA.
It should be emphasized that, as of March 20, 2025, all applications must be submitted under the new regulatory framework rather than under the previous regime. Exporters are therefore strongly advised to begin preparations as early as possible and not wait until the last moment. The relevant procedures, particularly those involving DECA, may be time-consuming, and early preparation is essential to ensure compliance and avoid disruption to business operations.
In conclusion, the reform of encryption controls introduces substantial relief by eliminating licensing requirements for non-export activities, while at the same time preserving a detailed and rigorous licensing regime for the export of encryption items, software, and technology. The transition to a Wassenaar Arrangement-based framework brings Israel’s regime into closer alignment with international standards. At the same time, it requires Israeli exporters to become familiar with the applicable technical classifications and procedural requirements and to prepare accordingly. Early action is advisable in order to ensure business continuity and full compliance with the law.
The content in this update is provided for informational purposes only and is not intended to be comprehensive. It does not serve to replace professional legal advice required on a case by case basis.
