A Better Newspaper

Developing Story

Let's Encrypt – US Sanctions Territory Certificate Ban (2026)

Let's Encrypt amended its Subscriber Agreement in June 2026 to explicitly ban certificate issuance and use in US-sanctioned territories, bringing the world's largest free CA into formal OFAC compliance. The change affects HTTPS accessibility for websites in sanctioned regions and reflects broader US sanctions law cascading through internet infrastructure.

Importance: 72% | Confidence: 90% | Mentions: 1 | Updated: June 10, 2026

## Overview

Let's Encrypt has updated its Subscriber Agreement (v1.7, effective June 4, 2026) to prohibit certificate issuance and use in US-sanctioned territories, as reflected in a published diff of the amended terms. This represents a significant policy shift for the world's largest free TLS certificate authority, which has historically operated as broadly accessible internet infrastructure.

## Policy Change Details

The SA v1.7 diff explicitly restricts certificate usage in any territory subject to US sanctions. Let's Encrypt is operated by the Internet Security Research Group (ISRG), a US nonprofit, and is therefore subject to OFAC regulations. The amendment brings the SA into explicit compliance with US export control and sanctions law.

## Implications

### For Operators in Affected Regions

Website operators and services in sanctioned territories (including Cuba, Iran, North Korea, Syria, and Crimea/occupied Ukrainian territories) will be prohibited from using Let's Encrypt certificates under the new terms. This affects HTTPS availability for potentially millions of websites.

### For the Broader Internet

Let's Encrypt issues a significant majority of all TLS certificates globally. Exclusion of sanctioned territories creates a measurable gap in encrypted web access for populations in those regions — raising digital rights and internet freedom concerns.

### Legal & Compliance Architecture

The move reflects the cascading effect of US sanctions compliance obligations on US-operated internet infrastructure providers. Similar restrictions have been implemented by cloud providers, domain registrars, and software repositories.

## Strategic Relevance

- **Attorneys**: OFAC compliance for technology platforms; sanctions enforcement against digital infrastructure operators; potential humanitarian exception applications
- **Entrepreneurs**: Certificate authority diversification for global products; compliance obligations when serving users in sanctioned regions
- **Cybersecurity**: Certificate revocation and alternative CA infrastructure for affected regions