Do I need an export licence from Estonia to ship dual-use software to Türkiye?

This is first an EU and Estonian export-control question, not just a customs question.

The fact that your software is encryption-enabled does not automatically mean a licence is required, but it does mean the product has to be classified properly before you deliver it, enable downloads, issue licence keys, or push remote updates. Under the EU dual-use rules, software can be a controlled item, and making it available electronically to a customer outside the EU can itself count as an export.

Classification is the decisive step.

For encryption-related products, the usual starting point is Category 5, Part 2 of the EU dual-use list. Some software remains controlled, while other products may be released from control under the cryptography note or other exclusions. The answer therefore depends on the exact functionality: what kind of encryption is built in, whether the software is mass-market, whether the cryptographic functionality can be changed by the user, whether source code is involved, and whether remote updates add or unlock protected functions.

Türkiye is not a blanket safe-destination under the standard EU general authorisation.

That matters because if your software remains controlled after classification, you usually cannot simply rely on the basic EU001 general export authorisation. Türkiye is not one of the destinations covered by EU001. In practice, that means an individual or global export licence from the Estonian Strategic Goods Commission may be required before any technical handover takes place.

Before shipping or granting access, take these steps.

Prepare a written classification memo for the product, screen the customer, end-user and intended end-use, and check whether there is any re-export or diversion risk. Make sure your commercial documents describe the product consistently: quotation, contract, invoice, statement of work and technical specification should all match. If support, implementation, configuration or remote updates could amount to controlled technical assistance, that should also be reviewed before access is given.

The document pack usually includes the following.

A technical product description, export-control classification note, customer and end-user details, end-use or end-user statement, contract or statement of work, sanctions screening results, and, where required, the Estonian dual-use export licence application. Estonia’s Ministry of Foreign Affairs publishes the dual-use export licence form and end-use statement forms, and these should be aligned with the exact product and destination.

One practical distinction is important.

If you deliver only by download or remote access, there may be no traditional physical customs event, but the export-control analysis still applies. If you send physical media or hardware, the customs export filing and any licence details must also match the shipment documents.

Practical conclusion.

Do not ship, enable access, or provide remote updates until the software has been classified and the Estonian export-control position is confirmed. In this area, the real compliance risk usually starts with the first technical transfer, not with the courier shipment.