Export Controls and Start-ups

Navigating dual-use rules without a legal department.

Mansfeld-Südharz, Germany - December 6, 2025

A founder-friendly reading of the EU Dual-Use Regulation, ITAR shadows and German licence practice for cyber-security tooling

The first time a foreign customer asked us for a “no ITAR” statement we laughed, because we had spent three years believing that export controls were someone else’s problem. Our code was open source, our servers were in Frankfurt, and our investors loved the phrase “sovereign European stack.” Then a Swiss distributor forwarded an e-mail from a Canadian MSSP that needed a signed declaration before it could integrate our fuzzing engine into its SOC, and we discovered that laughter is not a recognised exemption under Regulation 2021/821. That afternoon we learnt three things: every cyber-security product is guilty until classified, the classification is retroactive, and the penalty for guessing wrong is not a fine but a cessation of all shipments accompanied by a very public customs seal. The lesson felt personal, so we turned the Alliance into a living laboratory for export compliance small enough to fit inside a Series-A budget.

The starting point is taxonomy. The EU Dual-Use Regulation lists cyber items in Category 4.A.4, “Intrusion software,” and Category 5.A.2, “Systems for generating, commanding or controlling malicious code.” Both descriptions are broad enough to catch anything that can inject a payload into a remote process, which means fuzzers, deception agents, red-team frameworks and even some telemetry collectors sit inside the net. The decisive filter is intent: if the tool is designed to defeat protective measures, it is controlled; if it merely analyses traffic without bypassing defences, it is not. Intent, however, lives in documentation, not in source code. A function that unpacks a packed PE can be labelled “malware unpacking for defensive research” or “packer bypass for evasion”; the difference is a comment block and a README paragraph, but those paragraphs are what customs officers photograph when they open your laptop at the border. We therefore require every repository in the Alliance to carry a two-sentence header that states the lawful defensive purpose and references the relevant NIS2 article. It sounds trivial, yet during a recent spot check at Frankfurt-Hahn the officer waved the shipment through after reading the header, saving us a two-week detention that would have cost the customer 40 000 EUR in lost revenue.

The second filter is destination. The regulation attaches the country code to the end-user, not to the shipping address. A French cloud provider that spins up a sandbox for a Moroccan university must therefore obtain an export licence even if the VM never leaves the AWS eu-central-1 region. The workaround is to containerise the controlled software inside a sovereign cloud that is physically located within the EU and contractually restricted to EU entities. The Alliance’s Helm charts therefore include a geo-fence annotation that refuses to deploy if the Kubernetes node carries a non-EU topology label. The check is enforced by admission controller policy, which means a developer cannot accidentally export by selecting the wrong region in a drop-down menu. The same controller logs the denial to an immutable audit trail that we can hand to auditors when they ask for evidence of “adequate technical means” to prevent diversion. Since implementing the controller we have recorded 1 800 blocked deployments, none of which resulted in a licence violation, and the Bundesamt für Wirtschaft und Ausfuhrkontrolle (BAFA) has cited the pattern as best practice in its 2025 guidance note on cloud-hosted dual-use software.
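As an added illustration (not the Alliance's own controller), here is the core of such a validating webhook in Python: it reads a v1 AdmissionReview for a Pod, denies any Pod whose `topology.kubernetes.io/region` nodeSelector is outside an EU allow-list or whose end-user country annotation is on a deny-list, and appends each denial to a hash-chained audit log that auditors can re-verify. The region list, the `alliance.example/end-user-country` annotation and the deny-list are constructed assumptions; a Pod with no region selector is denied rather than passed through.

```python
import hashlib
import json
from datetime import datetime, timezone

# Assumed allow-list of EU regions as they appear in topology.kubernetes.io/region
EU_REGIONS = {"eu-central-1", "eu-west-1", "eu-west-3", "eu-north-1", "europe-west3"}
# Assumed annotation naming the end-user country: the regulation keys on end-user, not address
END_USER_KEY = "alliance.example/end-user-country"
# Constructed deny-list; in practice refreshed from the EU sanctions feed
SANCTIONED = {"SY", "BY"}

audit_log: list[dict] = []  # each entry commits to the hash of its predecessor

def _digest(entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def _append_audit(entry: dict) -> None:
    prev = audit_log[-1]["hash"] if audit_log else "0" * 64
    entry = {**entry, "prev": prev, "ts": datetime.now(timezone.utc).isoformat()}
    entry["hash"] = _digest(entry)
    audit_log.append(entry)

def verify_audit_chain() -> bool:
    """Recompute every hash; an edited, reordered or deleted entry breaks the chain."""
    prev = "0" * 64
    for e in audit_log:
        if e["prev"] != prev or _digest(e) != e["hash"]:
            return False
        prev = e["hash"]
    return True

def review(admission_review: dict) -> dict:
    """Validating-webhook handler for a v1 AdmissionReview that carries a Pod."""
    req = admission_review["request"]
    pod = req["object"]
    meta = pod.get("metadata", {})
    region = pod.get("spec", {}).get("nodeSelector", {}).get("topology.kubernetes.io/region")
    country = meta.get("annotations", {}).get(END_USER_KEY)
    reasons = []
    if region not in EU_REGIONS:  # a missing selector is denied too: no silent export
        reasons.append(f"region {region!r} is outside the EU allow-list")
    if country in SANCTIONED:
        reasons.append(f"end-user country {country} is under an EU sanctions regime")
    if reasons:
        _append_audit({"uid": req["uid"], "reasons": reasons,
                       "pod": f"{meta.get('namespace')}/{meta.get('name')}"})
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": not reasons,
                         "status": {"message": "; ".join(reasons) or "inside EU geo-fence"}}}
```

Wired behind a ValidatingWebhookConfiguration for Pod CREATE, the same denial record is what you hand to auditors as evidence of technical diversion controls.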

Licensing itself is less frightening once you realise that BAFA issues three flavours of general licence for cyber items: EU001 for intra-EU transfers, EU002 for transfers to close allies such as Canada and Japan, and a national general licence for specific low-risk destinations. The trick is to map your customer list to those licences before the purchase order arrives, because retro-fitting compliance after signature is like adding brakes while the car is moving. We maintain a JSON file that encodes every customer jurisdiction against the applicable licence and embed the file into the CRM so that a sales rep literally cannot create a quote for a destination that lacks a licence path. If the destination is not covered, the system triggers an automatic individual licence application that pre-fills the end-user undertaking and technology description from the git tag that corresponds to the release. The first time we used the workflow for South Korea the paperwork was submitted within 24 hours and the licence granted in 18 days, a BAFA record for cyber items that previously averaged 55 days.

"Export control is not the border that blocks us; it is the handshake that proves we belong to the network of trusted suppliers."

The invisible shadow over every European licence is ITAR, the United States International Traffic in Arms Regulations. Even if your product is engineered in Dessau, the moment you incorporate an American library under a licence that carries export clauses you inherit the US munitions list. The safest defence is architectural: do not link against US-origin crypto libraries that are labelled ECCN 5D002, and avoid GitHub repositories that are hosted on US servers if the issue tracker contains vulnerability exploits. We mirror all dependencies to a Gitea instance inside the Alliance sovereign cloud and run a weekly scan that flags any new commit containing a US e-mail domain or a CLA that references US export law. When a flag appears we either replace the component or isolate it behind a well-defined API that can be removed without breaking core functionality. The exercise is tedious but cheaper than the alternative: a single ITAR violation can trigger a denial order that cuts you off from US cloud regions overnight, a death sentence for a start-up whose backup environment is AWS Dublin.

Sanctions add another layer of volatility. The EU maintains twenty-eight separate sanctions regimes, and the lists change faster than semantic-versioning etiquette. We therefore subscribe to the European Commission’s RSS feed and auto-rebuild the geo-fence controller whenever a new regulation is published. A webhook pushes the updated restriction list to all running clusters within fifteen minutes, ensuring that a customer added to the Syria annex at breakfast cannot launch a pod at lunch. The mechanism once blocked a paying customer who turned out to be a front for a Belarusian entity; the sales team was unhappy, but the lost revenue was smaller than the 500 000 € fine that BAFA imposed on a neighbouring vendor six months earlier. More importantly, the automated block became evidence of “best effort” compliance that reduced our own liability from strict to contributory, a nuance that saved the founders from personal criminal exposure.

Finally, there is the question of exit: what happens when you are acquired by a larger group that wants to ship your product worldwide? The Alliance’s charter includes a pre-packaged carve-out: the export-compliance artefacts—the geo-fence controller, the licence matrix, the end-user registry—are held in a separate legal box that remains under EU jurisdiction even if the parent is sold to a non-European buyer. The clause is written into the articles of association, which means any acquirer must either accept the box or amend the charter, a transaction that triggers a statutory veto by the county of Anhalt-Bitterfeld. The provision gives founders leverage during due diligence and gives customers confidence that the sovereignty promise cannot be flipped for a quick valuation bump. In a sector where trust is the only currency that appreciates over time, that small paragraph is worth more than the patent portfolio.

The net result is that export control is no longer a tax on innovation but a product feature. When prospects ask us for a compliance statement we can hand over a three-page document that lists the applicable general licence, the geo-fence version hash and the last sanctions update, all signed by a BAFA-registered export officer who sits three desks away from the lead developer. That proximity—legal and physical—turns compliance from a quarterly panic into a compile-time assertion, allowing a ten-person start-up to sell into NATO and EU markets without maintaining a dedicated trade-law department. If the goal of the Cyber Resilience Alliance is to make sovereignty accessible, then export discipline is simply the first packet in the handshake: once it is acknowledged, the rest of the conversation can flow at full bandwidth.


The Cyber Resilience Alliance is a public-private partnership established in 2025, led by CypSec, Validato and the County of Mansfeld-Südharz. The Alliance operates a sovereign private-cloud security stack, a shared SOC and a cyber academy, aiming to make Mansfeld-Südharz the reference site for rural cyber resilience by 2030.

Media Contact: Daria Fediay, Chief Executive Officer at CypSec - daria.fediay@cypsec.de.
