Export Control Compliance for Indian Software Companies
India’s IT industry generates over $250 billion in annual exports, making it one of the country’s largest foreign exchange earners. Yet most Indian software companies have minimal awareness of export controls - the assumption being that software and services do not fall under strategic trade controls. This assumption is wrong, and it is increasingly dangerous.
When Does Software Trigger SCOMET Controls?
Software can trigger SCOMET export controls in several scenarios:
- Encryption software - SCOMET Categories 7 and 8 control information security systems and software employing cryptographic algorithms above specific thresholds (key lengths, algorithm types). If your software product includes encryption functionality, it may require classification.
- Software specially designed for controlled equipment - software designed to operate, control, or maintain equipment listed in any SCOMET category is itself controlled. For example, software for operating a CNC machine that meets Category 3 or 4 specifications.
- Source code for controlled technology - sharing source code that enables the production of SCOMET-controlled items constitutes a technology transfer.
- Intrusion software - software designed to defeat protective countermeasures or avoid detection on computer systems falls under Category 7 controls.
- Nuclear simulation software - software for modelling nuclear reactions, enrichment processes, or reactor behaviour is controlled under Category 0.
Encryption - The Most Common Trigger
Encryption is embedded in almost every modern software product - from messaging apps to enterprise SaaS platforms, from payment gateways to cloud services. The critical question is whether your encryption exceeds the thresholds that trigger SCOMET controls.
Key factors that determine whether encryption triggers controls:
- Symmetric key length - symmetric algorithms whose key length exceeds the specified number of bits.
- Asymmetric key length - RSA, ECC, and other public-key algorithms whose parameters exceed the specified values.
- Mass market exemption - software that is generally available to the public at retail, uses encryption solely for personal authentication or data integrity, and cannot be easily modified for other uses may qualify for a mass market exemption. However, this exemption has specific conditions that must be carefully evaluated.
- Cryptographic activation - software that is capable of encryption but requires activation before the encryption functionality can be used.
Deemed Exports for IT Companies
Indian IT companies face significant deemed export risks due to their multinational workforce. If a foreign national working at your Indian facility accesses source code, technical data, or designs related to SCOMET-controlled technology, this constitutes a deemed export.
Common scenarios for Indian IT companies:
- A foreign developer on an H-1B equivalent visa accessing controlled encryption source code at your Bengaluru development centre.
- Sharing design specifications for a defence project with a foreign subcontractor’s engineers during an onsite engagement.
- Foreign employees at your Indian office accessing cloud repositories containing controlled technical data.
- Joint development with a foreign university on cybersecurity tools that include intrusion detection capabilities.
Practical Compliance Steps for IT Companies
- Audit your product portfolio - identify all products and services that incorporate encryption, operate controlled equipment, or involve controlled technical data.
- Classify encryption levels - determine the key lengths and algorithm types used in each product. Map these against SCOMET Category 7 and 8 thresholds.
- Evaluate mass market exemptions - if your product qualifies, document the basis for the exemption thoroughly.
- Implement access controls - restrict access to controlled source code and technical data based on nationality and project assignment.
- Screen foreign employees and contractors - before granting access to sensitive projects, verify that no deemed export violation will occur.
- Establish a Technology Control Plan (TCP) - document how controlled technology is stored, accessed, shared, and protected within your organisation.
- Train your teams - developers, project managers, and HR teams must understand the basics of export control compliance.
Cloud Services and Cross-Border Data
Cloud-hosted software presents unique export control challenges. If your application processes or stores controlled technical data, and the data can be accessed from servers or endpoints outside India, this may constitute an export. Similarly, if foreign clients access your SaaS platform and the platform includes controlled encryption capabilities, the cross-border provision of that functionality may require analysis.
Not sure if your software product is SCOMET-controlled? Try the SCOMET AI Assistance chatbot for a quick classification check.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Software export control classification involves complex technical and legal analysis - consult a qualified professional for specific product assessments.