Thought Leadership
Christopher Salmon clearBorder CEO in dark blazer and white shirt against white background

Christopher Salmon

Chief Executive

TLDR

This article explores why encryption has transformed export controls from a technical compliance issue into a senior-level strategic risk. We’ll examine how software, cloud services, and embedded cryptography are regulated, why missteps attract sharper enforcement protocols, the questions leadership teams must ask to safeguard market access and maintain trust, and how to integrate legal, engineering, and product functions into global trade governance.

The practice of encryption – and how it materially changes the logic of export controls – is a reality trade regulators have been grappling with for the past decade.

Export controls were originally designed for visible, finite goods crossing physical borders – but the advance of technology, including digital encryption, has evolved that logic. It is intangible, embedded by default, continuously updated, and distributed globally, in real time.

Undeniably, encryption helps to protect data, intellectual property, and commercial trust. However, it also potentially removes state visibility over how information is secured, transferred, and accessed. That loss of visibility – more than the mere presence of “security features” – is what places encryption squarely in the sights of export control regimes worldwide.

Today, encryption is no longer confined to specialist products, as it sits inside widely-used enterprise software, cloud platforms, connected devices, development tools, and internal systems. Regulators in the UK, EU, US, and allied jurisdictions increasingly view encryption as strategic infrastructure; and it is that shift which explains why enforcement, licensing expectations, and disclosure obligations have tightened, even as digital trade accelerates.

Encryption export compliance now sits at the intersection of national security, data governance, market access, and trust in global digital trade. Organisations that understand this reality are better equipped to unearth exposure before a transaction, collaboration, or product launch triggers regulatory scrutiny.

Why this matters

No longer a niche technical concern, encryption is a structural factor shaping global trade governance. Mismanaged or misclassified encryption can expose organisations to regulatory penalties, market restrictions, and reputational damage. Unlike tangible goods, software and embedded cryptography move instantaneously across borders, magnifying oversight gaps; leadership teams must understand where encryption resides in products, cloud services, and R&D collaborations, and ensure classification, licensing, and risk management processes keep pace with real-world usage. 

Treating encryption strategically – integrating legal, engineering, product, IT security, and trade compliance – transforms export compliance from a reactive obligation into a tool for market access, operational resilience, and trust in the digital supply chain.

Seeking assistance with export controls compliance?

Contact the clearBorder team today →

What counts as encryption under export control rules

(It’s broader than you might think)

Encryption export compliance does not apply only to companies that “sell cryptography.” 

Controls extend to any technology that performs encryption functions, regardless of how incidental they may appear to the commercial offering. This includes: 

  • Software
  • Firmware
  • Source code that encrypts data
    • At rest or in transit
  • Hardware products with embedded cryptographic modules
  • Cloud-based services or APIs that provide: 
    • Secure communications
    • Authentication
    • Key management

Crucially, even partial or supporting elements of cryptography (that is, the technical practice of encoding information into an unreadable format) can fall within scope. For instance, key generation, key exchange, identity verification, and access-control mechanisms are all routinely assessed alongside core encryption functions. In practice, the assertion that “we don’t sell encryption!” is likely to collapse under regulatory scrutiny, once a product’s architecture is examined end-to-end. For trade leaders, the risk lies less in intent and more in capability.

Compliance grey zones | Open source, updates, configuration choices
Myth  Reality Impact
“Open source is automatically exempt” Open-source encryption can still be controlled, depending on functionality and distribution False assumptions here can lead to uncontrolled releases or cross-border access
“Mass market means low risk” Mass-market status reduces licensing friction, not compliance responsibility Ongoing reporting and governance obligations remain
“Updates and patches are operational noise” Technical updates can materially change encryption strength or scope Classification can shift without commercial teams noticing
“Only enabled features matter” Regulators assess what a product can do, not just what is switched on Architecture decisions create export exposure upstream

 

The key takeaway? Product architecture increasingly defines export compliance risk. Encryption decisions made by engineering or product teams can, quietly, reshape regulatory obligations long before legal or trade teams are consulted.

Encryption export compliance codes (without legalese)

ECCNs, dual-use codes, and what boardrooms need to know

Encryption export compliance can often become clouded by dense classification frameworks, but the commercial implications are relatively straightforward (in theory, at least). 

In the United States, most encryption technologies fall under the Export Administration Regulations (EAR), typically within ECCNs such as 5A002 / 5D002 (more sensitive encryption) or 5A992 / 5D992 (mass-market encryption). That distinction determines where products can be sold, whether licences are required, and what disclosures must be made to regulators.

Across the EU, encryption is governed under the Dual-Use Regulation (EU) 2021/821, while in the UK it sits within the Export Control Order and Strategic Export Controls framework. While terminology and procedures may differ on certain points, the underlying logic is aligned, through widely-accepted prioritisation of nations’ security.

→ Ultimately, classification decisions shape market access: affecting licensing timelines, potentially restricting sales into certain jurisdictions or triggering reporting obligations, and influencing how products can be bundled, deployed, or updated. 

Why “mass market” and licence exceptions still carry risk

Licence exceptions and “mass-market” classifications are often misunderstood as a green light for frictionless global distribution. In reality, they reduce licensing burden; they do not remove compliance responsibility. 

Exceptions such as ENC in the US still require ongoing reporting, record-keeping, and internal controls, particularly when products evolve or encryption functionality changes.

Regulators are also shifting focus: instead of asking whether a company technically qualifies for an exception, enforcement increasingly examines whether the organisation operates a mature, repeatable export compliance programme. Weak change management, poor documentation, or lack of oversight around updates and releases can attract scrutiny even where legal eligibility exists.

Where compliance often breaks down

Cloud tech and SaaS at the border

In digital environments, exports don’t happen at the shipping terminal. Remote access to encrypted software, cloud platforms, or administrative interfaces can constitute an export at the moment an overseas user is granted access. Cross-border permissions, DevOps pipelines, support tools, and even monitoring dashboards increasingly fall within export control scope.

As a result, encryption compliance intersects directly with: 

  • Identity management
  • Access management
  • Cloud architecture
  • Vendor permissions

Decisions made by IT and engineering teams (often for speed or resilience) can invisibly create regulated export events, without anyone labelling them as such.

R&D, collaboration, and the spread of controlled code

Encryption exposure can also expand through collaboration: joint ventures, academic partnerships, outsourced development, and distributed engineering teams may all routinely share source code, test builds, and technical documentation across borders. When that code includes controlled encryption functionality, even temporary access for “review” or “testing” can trigger deemed export or re-export obligations.

These risks are frequently overlooked because they sit outside traditional trade workflows. However, regulators increasingly expect organisations to be proactive, and to understand how controlled code moves within their ecosystems – not just how finished products are sold.

The strategic fallout: why regulators treat encryption failures differently

Invariably, encryption failures are not viewed by regulators as isolated hiccups, glitches, or contained technical errors. Rather, they are seen as more profound structural breakdowns in governance. When encryption is misclassified, shared without control, or deployed without oversight, for instance, the regulatory concern is a tangible loss of state visibility into how sensitive technologies move across borders (not simply “non-compliance.”)

From an enforcement perspective, poorly governed encryption can enable sanctions evasion, frustrate lawful interception, and amplify downstream risk across supply chains, platforms, and jurisdictions. A single lapse may scale globally in minutes, not in shipments. This is why penalties in encryption cases are often framed as governance failures rather than administrative mistakes.

There is also a deeper trust dimension. Encryption sits close to the heart of digital sovereignty and national security. Failures, therefore, erode confidence that organisations can be relied upon to self-govern powerful, often-opaque technologies. In that sense, encryption compliance breaches are treated more like breaches of institutional responsibility – which explains the sharper tone, higher penalties, and lower tolerance for “we didn’t realise” defences.

Questions for the boardroom 

Encryption export compliance should not be delegated wholesale to technical or engineering teams. It directly affects governance, risk, and strategy – and therefore deserves boardroom-level visibility. Leadership teams should be asking:

  • Where is encryption embedded across our products and services, including default, inherited, or third-party components?
  • Who can access controlled code, keys, or administrative functions, and from which jurisdictions?
  • How do product updates, patches, or configuration changes alter our export classification or licensing posture?
  • Are acquisitions, partnerships, or joint ventures introducing new encryption exposure we have not mapped?

These are questions of accountability, market access, and regulatory resilience… and they become considerably harder to answer once enforcement begins.

Encryption: a new fault line in global trade governance

Code now moves faster than goods, updates outpace licensing cycles, and access permissions matter more than fact-of-ownership. As a result, encryption export compliance sits uniquely at the intersection of legal interpretation, engineering design, product strategy, IT security, and trade governance.

Organisations that are able to smoothly integrate these functions (rather than managing encryption in silos) are best-positioned to reduce operational friction, protect global market access, and move faster with confidence and capability. 

Those that do not risk discovering – usually, too late – that software now carries significant geopolitical weight.

Safeguard your technological export control compliance with clearBorder →

Other interesting reads

Visit Our Insights Hub
Thought Leadership

The great eCommerce reset: EU Customs reform, the Data Hub, and a farewell to de minimis exemption

Executive summary In a recent Borders for the Boardroom podcast, we sat down with Tracy Doyle of AEB – a technology intermediary operating at the Customs–trader interface – to unpack what EU eCommerce reforms mean in practice. Drawing on AEB’s experience supporting scalable eCommerce compliance, Tracy shared a nuanced and grounded perspective of where operational pressure points are emerging, how the Data Hub could reshape data ownership, and why early architectural decisions will matter more than tactical fixes. Listen to episode 1, episode 2, or subscribe to Borders for the Boardroom today!  → Available free on Spotify and Apple Music Last updated: 27th May 2026 More than 4.5 billion “low-value” items now enter the EU each year – up dramatically from around 1.5 billion in 2021 – with volumes still growing at an estimated 35-40% each year. This surge, driven in no small part by Chinese marketplaces such as Temu and Shein, had been accelerated by the IOSS (the Import One Stop Shop) and the €150 de minimis duty exemption. However, what began as consumer convenience has become an industrialised and unprecedented parcel economy. Borders for the Boardroom x AEB Listen to episode 1   Customs for eCommerce on Spotify →  on Apple → Listen to episode 2 →  EU customs reform: latest updates on Spotify →  on Apple → For customs authorities, this is a structural strain. Twenty-seven EU member states operate fragmented systems under rising pressure from valuation disputes, product safety concerns, and capacity bottlenecks at key air freight gateways. Trade flows are already shifting eastward within the EU, and globally, governments are converging on a tougher stance: the US already removed de minimis in August 2025, with the UK set to follow suit (by March 2029 at the latest, after the conclusion of policy consultation in March 2026). Similarly in the EU, from 1st July 2026 an interim duty regime will remove de minimis, introduce a proposed €3 flat duty, a €2 handling fee (set to become effective from November 2026), and begin the transition toward a deemed importer model. These measures will be followed by the full implementation of the centralised EU Data Hub – expected by mid‑2028 – which will enable multi-party data submission and transform Customs compliance into a systemic, rather than transactional, process. The key question for businesses? Not whether reform is coming – it is – but what role they intend to play inside this new architecture. The context The movement of eCommerce parcels has exploded in recent times – from ~1.4bn in 2022 to ~4.6bn in 2024, as low‑value imports soared. The EU is removing the €150 duty exemption in 2026, introducing a €3 flat duty and a handling fee, and building a central Data Hub to modernise Customs. Other economies (US, UK) are aligning with similar structural reforms. Key watchpoints  Implementation of EU flat duty & handling fee Launch and scope of the EU Customs Data Hub Deemed importer liability frameworks UK de minimis reform milestones Cross‑border data & documentation standards reach out to clearBorder now →   For the EU, the challenge of execution is considerable The destination is clear; the journey, unlikely to be smooth Industry consensus supports the logic behind a centralised EU Customs architecture. But the scale of implementation is significant. The Customs Data Hub represents one of the EU’s most ambitious trade-technology projects in decades. It combines regulatory harmonisation, large-scale data integration, AI interfacing, and operational coordination across 27 member states.  → The key take: expect some implementation friction, phased disruption, and early operational challenges as the system matures.   The role of the customs broker is evolving From processors to compliance guardians As multi-party data submission expands, customs brokers are increasingly becoming validators of data integrity, classification accuracy, and compliance readiness across the entire supply chain. This raises operational expectations considerably; particularly where production or shipping information originates from multiple commercial actors, all with varying levels of data maturity and visibility. → The key take: moving forward, Customs intermediaries are set to become more significant as a cornerstone of commercial compliance architecture.   Data accuracy is the commercial differentiator Unreliable trade data creates new friction points The gap between businesses with mature trade data and those without is likely to widen – significantly. “The level of data maturity is all over the place” across the supply chain, says Tracy; yet classification accuracy, valuation precision, duty visibility, and clean product data increasingly determine everything from inspection risk and delivery speed to customer experience and compliance exposure. → The key take: for retailers, marketplaces, brokers, and logistics providers, trade data quality is an operational capability. In the next phase of eCommerce trade, inaccurate data is a direct source of commercial friction.   Customs declarations become “living” data flows Compliance obligation travels upstream Under the future Data Hub model, Customs declarations will materialise gradually, through multi-party data contribution, rather than single-point submission. Today, shipment data is typically consolidated into one declaration at one stage in the process. Under the new model, marketplaces, manufacturers, logistics providers, brokers, and other actors will each “inject their piece into a rolling ball of data,” in the shape of a continuously evolving Customs record. This in itself is more systemic – but introduces new questions around data ownership, accountability, sequencing, and validation. → The key take: compliance is shifting toward shared supply chain data governance.   A central authority for EU Customs Fragmentation makes way for coordination A new EU Customs Authority (EUCA) has been formally established (in Lille, after some wrangling) to oversee implementation of the reforms and supervise the future Customs Data Hub. Historically, Customs enforcement and administration remained fragmented across 27 member states – creating inconsistencies in enforcement, interpretation, data handling, and operational standards. The reforms aim to centralise strategic oversight while improving harmonisation across the bloc. → The key take: Customs governance is moving from nationally fragmented administration toward a coordinated, system-wide management model.   Reforms move from proposal to implementation Legislation formally passed Following legislation signed in April 2026, the legal framework for the reforms is now active, with phased rollout beginning over the coming years. This marks an important shift; what was previously viewed by many as long-range policy discussion is now an operational transition programme involving technology, governance, data architecture, and liability redesign. → The key take: conversations have turned to how businesses will operationalise around reform from a practical perspective.   The shock of scale  Parcel volumes no longer manageable The EU now processes more than 4.5 billion low-value items annually – triple 2021 levels – with growth still running at 35-40% year on year. What Customs authorities once treated as marginal B2C flow has become a dominant channel. Inspection capacity, valuation controls, and safety checks designed for containerised trade are now confronting fully industrialised parcel traffic. → The key take: the sheer scale of parcel volume is the driving force behind rapid structural redesign.   An end to de minimis immunity From facilitation to fiscal recalibration As of July 2026, the EU will remove de minimis exemptions in an effort to address undervaluation concerns and reduce micro‑shipment fraud. Moreover, the €150 duty exemption is also set to be removed, replaced by a proposed €3 flat duty per item. Add a €2 handling fee from November 2026, and the economics of ultra-low-value shipments begin to shift. The policy signal is clear – low-value does not mean low-impact. Governments are moving from facilitation to revenue protection and market fairness. → The key take: pricing models built on seamless border entry will now need to absorb new structural costs.   The EU Customs Data Hub A new system of shared accountability At the centre of reform sits the EU’s new Customs Data Hub: a move from fragmented national systems toward centralised, multi-party data submission. Instead of one declarant filing a consolidated entry, product, valuation, and logistics data may be injected at multiple points along the supply chain. Visibility becomes systemic rather than transactional. → The key take: the fact of data ownership is set to be increasingly influential in the next phase of eCommerce trade.   The deemed importer shift Liability anchored inside the Union The proposed deemed importer model – that is, a platform or online marketplace facilitating the sale of non-EU goods, responsible for collecting VAT and Customs duties at the point of sale – reassigns responsibility within the EU, placing fiscal and compliance liability closer to the consumer market. For major marketplaces already building EU warehousing capacity, this accelerates a pivot from pure B2C shipping to hybrid B2B distribution models. → The key take: concerns surrounding the structure of risk and liability are driving a supply chain redesign.   Gateway arbitrage Trade flows follow friction As Western European air hubs strain under parcel volume, flows are shifting toward Eastern European entry points (including Warsaw, Prague, and Budapest) where cost and capacity dynamics differ. The reforms aim to neutralise regulatory arbitrage by standardising enforcement across 27 member states. → The key take: where friction persists, trade reroutes. Harmonisation seeks to close those gaps.   The compliance question for traders Cost absorption versus margin erosion While reforms target high-volume marketplaces, smaller traders will likely feel the downstream effects. Flat duties and handling fees disproportionately impact low-margin goods; classification accuracy, valuation discipline, and Incoterm clarity become margin protection tools rather than administrative formalities. → The key take: precision in data is no longer a matter of good housekeeping or compliance hygiene, but a direct commercial defence.   A signal of global convergence Major economies moving in parallel The US has already removed de minimis. The EU will do the same (as of July 2026). The UK is reviewing its own position, with the stated goal of also scrapping de minimis by 2029 at the latest. While timelines vary, the direction of travel does not. Low-value parcel exemptions are being recalibrated across developed economies as fiscal and political tolerance tightens. → The key take: as with de minimis, businesses should anticipate concerted efforts from developed economies to further harmonise Customs processing.   Positioning within the new architecture What role do you want your business to play? Customs brokers, logistics providers, marketplaces, and manufacturers all face strategic choices. Enhanced AEO status, bonded warehousing, trust-and-check frameworks, and expanded data responsibilities will redefine operational positioning. Decisions taken now – on infrastructure, systems, and governance – will shape competitive advantage. → The key take: the extent of these reforms mean businesses face not an adjustment to compliance protocols, but a major supply chain strategy decision. Bookmark this page for live updates as the situation evolves.  For trade-responsive horizon scanning tailored to your business, Speak to clearBorder today →

The great eCommerce reset: EU Customs reform, the Data Hub, and a farewell to de minimis exemption
Thought Leadership

Europe’s defence sovereignty and drone race foreshadow a new supply chain era

In this article Hide 01 Executive summary 02 Key insights 03 Defence sovereignty becomes a supply chain issue 04 Procurement systems are struggling to keep pace 05 The future of defence will be cheaper, faster – and harder to govern 06 How can businesses navigate the collapse of old defence-industrial assumptions? Executive summary Europe’s push for defence sovereignty accelerates a shift in supply chain strategy, procurement, and industrial policy. For businesses, the implications extend beyond any single weapon under production, but include components and technology too. As governments prioritise resilience, trusted supply ecosystems, and sovereign capability, defence supply chains are no longer being designed for efficiency, but for trust. Key insights Procurement systems, export controls, and compliance frameworks struggle to keep pace with rapid defence-tech acceleration. Defence supply chains are now built around trust, resilience, and politics. Not just cost and efficiency. New UK sanctions end-use controls (introduced May 2026) signal greater scrutiny of where products, components, and technologies ultimately end up. The future of defence manufacturing will be cheaper and faster – but harder to govern. Europe’s defence sovereignty push is a supply chain story. Prompted by the Ukraine war, geopolitical fragmentation, and uncertainty around NATO under Donald Trump, European governments are racing to expand domestic defence capability and reduce reliance on foreign suppliers. “Supply chains are no longer being designed for efficiency, but for trust.” The EU has pledged €800bn in defence spending over four years, while the UK faces pressure to accelerate its own defence investment plans, with a $24bn increase in spending expected. Across Europe, startups building drones, autonomous systems, and low-cost interception technologies are scaling rapidly – often faster than governments can adapt procurement, regulation, or industrial policy. For businesses in aerospace, defence, manufacturing, technology, and regulated supply chains involving complex goods, the message is this: defence supply chains are no longer being designed for efficiency, but for trust. Why this matters As Europe prioritises defence sovereignty, businesses will increasingly encounter new expectations around supplier transparency, domestic content, allied-country sourcing, and export control readiness. What was once a policy and military concern is now a wider cross-border commercial issue. Independent, expert trade strategy & horizon scanning → Defence sovereignty becomes a supply chain issue “In defence-adjacent sectors, visibility and allied-country sourcing will become commercial prerequisites.” Sovereign capability has expanded its definition to include control over components, software, cloud infrastructure, engineering data, semiconductors, rare earths, and supplier ecosystems. Not only domestic military arms. As one executive at a weapons startup (quoted in The Guardian) put it: “if you buy things off the shelf from elsewhere you are always ceding some control.” That carries major implications for cross-border trade and sourcing strategies. European governments are increasingly sensitive to: Foreign-controlled components Adversarial-country dependencies Dual-use technologies and end-use screening Offshore manufacturing exposure Cloud and data-hosting arrangements Trusted supplier status and third-party risk The UK is already consulting on how much domestic content a product requires in order to qualify as “sovereign”. Plus, recent defence export coordination agreements and expanded end-use controls suggest capability will increasingly depend on demonstrable visibility over supply, end-users, and onward transfers. This represents a departure from globally optimised supply chains toward politically resilient supply chains. For many manufacturers, particularly those operating in defence-adjacent sectors, supply chain visibility and allied-country sourcing may become commercial prerequisites. Procurement systems are struggling to keep pace The defence innovation cycle operates at software speed, but procurement systems do not. “Commercial success means combining manufacturing agility with governance, export control readiness, and allied-market positioning.” Startups working with Ukrainian frontline units iterate products continuously in response to jamming technologies, battlefield conditions, and operational feedback. Portuguese drone manufacturer Tekever reportedly developed more than 100 iterations of its flagship product during the first three years of the Ukraine war alone. For governments and large defence buyers, procurement cycles still often operate on multi-year timelines shaped by committees, funding reviews, and legacy contracting structures. That mismatch creates operational and commercial strain. British startup Skycutter – which manufactures low-cost drone interceptors – has warned publicly that delays to UK defence spending decisions could force it to relocate its HQ. For suppliers, this creates a more volatile operating environment: Demand signals are less stable Production scaling decisions carry greater risk Funding timelines remain uncertain Compliance obligations evolve mid-cycle The businesses that succeed in this environment are those capable of combining manufacturing agility with robust governance, export control readiness, and trusted allied-market positioning. The future of defence will be cheaper, faster – and harder to govern “The future is in lower-cost, software-driven, rapidly iterating weapons. This makes export controls, procurement, certification, and industrial governance much harder to apply.” The economics of warfare are changing. Tomorrow’s arms manufacturing will be cheaper and faster, but more complex to regulate. Iran’s Shahed drones (deployed by Russia in Ukraine) reportedly cost ~$30,000. By contrast, some NATO air-defence interceptors cost hundreds of thousands, or even millions, of dollars per missile. That imbalance changes military procurement logic. General Sir Roly Walker, head of the British Army, stated last year that future force structures may consist of: 20% survivable systems, 40% attritable systems, 40% consumable systems. In other words: more autonomous, expendable, rapidly replaceable technology. This signals an industrial shift. Traditional defence economics built around slower, highly expensive, long-lifecycle platforms are obsolete. The future is in lower-cost, software-driven, rapidly iterating systems. The challenge is governance. As defence technology becomes: More distributed; More software-defined; More autonomous; More dual-use; And more startup-driven; …customs controls, procurement systems, certification frameworks, and industrial governance become harder to apply consistently. As modern capabilities proliferate across allied and third-country markets, regulators face growing pressure to tighten end-use scrutiny beyond traditional military export categories. How can businesses navigate the collapse of old defence-industrial assumptions? Europe’s defence acceleration isn’t just military in nature, but industrial, regulatory, and supply chain transformation unfolding in real time. “No longer just a policy debate, defence sovereignty is a defining commercial force.” Longstanding assumptions are under pressure: That global supply chains will remain politically neutral That defence procurement can move slowly That scale matters more than agility That sovereign capability can coexist with foreign dependency The businesses best positioned are those capable of operating inside trusted allied ecosystems while simultaneously adapting to evolving geopolitical, regulatory, and procurement realities. For cross-border boardrooms, defence sovereignty is no longer a niche trade policy debate. It has become a defining commercial force. Borders For the Boardroom: the clearBorder podcast Hear more from the clearBorder team on geopolitics, industrial capacity, supply chain risks, and more. Listen now on Spotify → Listen now on Apple →

Europe’s defence sovereignty and drone race foreshadow a new supply chain era
Thought Leadership

HMRC issues Morrisons a £4.7m warning importers can’t afford to ignore

Executive summary HMRC’s £4.7m victory against Morrisons signals a more aggressive approach to non-preferential origin enforcement. The ruling shows that supplier declarations are not enough. For importers, origin is a financial, compliance, and governance risk – especially in sectors exposed to anti-dumping duties and trade defence measures. Key insights Importers are expected to validate supplier origin claims independently.  HMRC now scrutinises wider commercial context and supply-chain intent. The ruling signals that limited processing activity is insufficient to establish non-preferential origin.   Trade origin has become a frontline enforcement issue. Liability sits with the importer – supplier assurances, certificates, and third-country processing do not transfer responsibility away from the business placing goods into the UK market. This means that procurement, legal, finance, governance, and supply-chain teams all sit inside the risk perimeter when origin assessments are challenged. A September 2025 First-tier Tribunal ruling against Morrisons gives HMRC precedent in challenging non-preferential origin declarations, with the retailer left liable for approximately £4.7m in anti-dumping duties and import VAT. The case centres on imports of aluminium foil declared as Thai origin. HMRC successfully argued that the foil was Chinese in origin, despite processing activity taking place in Thailand. For importers, the wider implication is this: origin declarations are no longer treated as routine customs administration. They are closely scrutinised as part of a broader enforcement environment shaped by anti-dumping policy, trade defence measures, and supply-chain rerouting. Why this matters Non-preferential origin is a major enforcement priority as governments tighten anti-dumping, sanctions, and industrial policy controls. Importers relying on lightly processed goods routed through third countries face financial and compliance exposure – origin risk sits firmly within wider commercial governance. Independent, expert trade strategy & horizon scanning → HMRC challenged whether Thailand processing was commercially substantive… The Tribunal concluded that activity taking place in Thailand (including heating, cutting, and packaging) did not substantially transform the product into a new good. That processing represents only ~5% of total manufacturing cost. This matters because non-preferential origin is not determined by where final handling occurs, but by whether processing is sufficiently economically justified and results in substantial transformation. In practical terms, the ruling signals that lightly modified or repackaged goods routed through third countries will face greater scrutiny going forward; particularly where anti-dumping exposure exists. … and used the supplier’s own website as evidence HMRC relied partly on statements published on the Thai manufacturer’s website, which reportedly described the facility as having been established to “eliminate anti-dumping duties.” That language proved damaging. The Tribunal agreed it undermined the argument that the processing activity was economically justified in its own right. For importers, this is an important shift in enforcement posture. HMRC no longer considers shipping documents and supplier certificates as gospel. Public-facing materials, marketing language, corporate structures, investment rationale, and wider commercial context all now feed into origin assessments. Supply-chain restructuring is colliding with trade enforcement Over recent years, many firms have diversified production away from China into Southeast Asia and other jurisdictions in response to tariffs, geopolitics, and supply-chain risk. That trend is unlikely to reverse. However, the Morrisons ruling suggests authorities are increasingly testing whether these restructurings represent genuine manufacturing transformation, or simply tariff circumvention through rerouting and minimal processing. This is especially relevant in sectors with complex goods already exposed to trade defence scrutiny, including: Metals and industrial products Aerospace and defence components Solar and clean-tech supply chains Automotive components Electronics and semiconductors Chemicals and engineered materials As anti-dumping regimes expand and CBAM-related enforcement develops, origin risk will only become more commercially significant.  Supplier assurances alone are no longer enough The clearest outcome of the ruling is that liability remains with the importer. The Tribunal makes clear that relying on supplier statements at face value does not remove responsibility for validating origin claims. That raises the bar operationally. Importers need deeper visibility into: Manufacturing processes Cost contribution by jurisdiction Component sourcing Production sequencing Commercial rationale for processing activity For many, this pushes origin out of the customs team and into wider governance, procurement, legal, and supply-chain risk management. The bigger picture The Morrisons ruling is not just about aluminium tin foil. It reflects a bigger shift in how governments enforce trade policy in a fragmented global economy. As tariffs, anti-dumping measures, sanctions, and industrial policy become more politically charged and commercially significant, customs authorities are under pressure to test origin declarations more aggressively. This means that, for corporate leadership, non-preferential origin cannot be treated as a simple logistics checkbox. It is now a material commercial risk. Borders For the Boardroom:  the clearBorder podcast Hear more from the clearBorder team on geopolitics, customs compliance, industrial capacity, supply chain risks, and more. Listen now on Spotify →  Listen now on Apple → 

HMRC issues Morrisons a £4.7m warning importers can’t afford to ignore
Secret Link