The review aims to upgrade, modernize, and strengthen the EU’s export control toolbox and respond effectively to evolving risks and emerging technologies. Export controls need to be updated regularly to adjust to evolving security risks and threats, rapid developments in science and technology, and changes in world trade. In this regard, the Regulation should allow the European Union to address the risk of human rights violations associated with trade in cyber-surveillance technologies not subject to prior agreement at a multilateral level. It also enhances the EU’s capacity to control the flow of trade in sensitive new and emerging technologies.
The need for this revision was indisputable. Indeed, all European institutions—as well as relevant stakeholders—considered the new Regulation necessary to adapt to changing technological, economic, and political circumstances. Thus, back in 2011, the European Commission expressed the need to revise the current Dual-Use Regulation. In 2016, the Commission submitted a proposal to modernize the European export control system (full text accessible here) and eventually, on May 20, 2021, the European Parliament and Council adopted the Regulation.
As may be noted from reading the text of the Regulation—the result of a long review and negotiation process—the Commission’s goal of effectively addressing human rights concerns and further harmonizing controls resulted in limited revision of the current Dual-Use Regulation in some areas. This has not sat well with human rights organizations, which oppose the new Regulation, deeming it ineffective and inadequate to protect and safeguard human rights (e.g., see here).
Still, the Regulation undeniably contains changes and updates from the previous dual-use regime. Below, we provide an overview of the major amendments and updates, but a thorough dissection of the changes would require a significantly greater amount of space:
Individual and global export authorizations are granted by the relevant authority of the Member State where the exporter resides or is established. When the exporter is not residing or established in the customs territory of the European Union, individual export authorizations are to be granted by the relevant authority of the Member State where the relevant dual-use items are located. Moreover, the new Regulation provides that an individual export authorization shall be subject to an end-use statement (whereas the current Dual-Use Regulation provides that it may be subject if appropriate), unless exempted by the relevant authority. Global export authorizations may be subject to end-use statements, if appropriate. Notably, exporters using global export authorizations shall implement an internal compliance program (“ICP”—for more insights on ICP please see point (b) below), unless considered unnecessary by the relevant authority based on information provided by the exporter in the authorization application.
The new Regulation introduces two new types of UGEAs: one for intra-group export of software and technology (the “EU007”—see Annex IIG) and another for encryption items (the “EU008”—see Annex IIH). The intra-group export UGEA/EU007 is available for many of the dual-use items listed in Annex I, excluding those in Section I of Annex II and a few other items as indicated in Annex IIG. For exports to some countries not covered by the EU007, the UGEA EU001 can potentially be used, or (for many fewer items) the EU002. The intra-group export authorization can be used for exports by legal persons established in a Member State when both the direct parent company and the ultimate controlling entity are established in a Member State, Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland, Liechtenstein, the UK, or the United States. It can be used for exports to a company wholly owned and controlled by the exporter (referred to as a “subsidiary”) or a company directly and wholly owned and controlled by the same parent company as the exporter (referred to as a “sister company”). In addition, conditions apply to the use and control of the relevant software and technology, which must be returned to the exporter and deleted by the subsidiary or sister company upon completion of the development activity or if the subsidiary or sister company is acquired by another entity. In addition, exporters intending to use this specific UGEA must implement an ICP.
The encryption authorization/EU008 covers the export of a range of encryption items to all destinations except those mentioned in part 2 of Annex IIH. The authorization is subject to restrictions relating to the use of encryption items and cannot be used if the encryption items are formally approved by a Member State to transmit, process, or store certain classified information or bear a certain national security classification marking.
Lastly, the recast Regulation introduces large project authorization, a new subtype of authorization. As defined, this may consist of an individual or a global authorization granted to one exporter for a type or category of dual-use items and is valid for exports to one or more specified end-users in one or more third countries for a specified large-scale project. What exactly qualifies as such a project is not established. This type of authorization is valid for a duration determined by the relevant authority, but no longer than four years, except in duly justified circumstances based on the duration of the project.
Article 2, No. 21 of the Regulation defines an ICP as ongoing effective, appropriate, and proportionate policies and procedures adopted by exporters to facilitate compliance with the provisions of the Regulation and with the terms and conditions of authorizations (please refer to point (a) above) implemented under this Regulation (including, among others, due diligence measures assessing risks related to the export of the items to end-users and end-uses). Due diligence involves assessing the risks associated with the transactions covered by these Regulations by means of analytical review of the transactions as part of an ICP.
Article 10 of the Regulation states that an authorization is required for the export of non-listed dual-use items if: (i) another Member State requires an authorization for the export of these items; and (ii) the exporter has been informed by the relevant authority that the items in question are or may be intended for uses of concern with respect to public safety, including the prevention of acts of terrorism, or human rights.
Technical assistance providers must notify the relevant authority if they are aware that the dual-use items for which they propose to provide technical assistance are intended for such use. Member States can again choose to expand this notification obligation to cover situations in which the exporter merely has grounds for suspecting that the relevant items are or may be intended for such use. Member States may also extend the authorization requirement, but not the notification obligation, to non-listed dual-use items.
The catch-all authorization requirement for the export of non-listed cyber-surveillance items applies if the exporter has been informed by the relevant authority that the items in question are or may be intended for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. If an exporter’s due diligence findings indicate that the non-listed cyber-surveillance items are intended for any of the outlined uses, it must notify the relevant authority. The relevant authority must then decide whether to subject the export to authorization. Member States can choose to expand this notification obligation to situations in which the exporter merely has grounds for suspecting that the relevant items are or may be intended for such use.
Article 5 also provides a new mechanism for coordination between Member States. In a nutshell, if a Member State imposes an authorization requirement on the export of a non-listed cyber-surveillance item, it must provide relevant information to the other Member States and the Commission.
 The Commission proposal originally sought to regulate the export of cyber-surveillance technology more comprehensively, expanding the definition of “dual-use items” to include cyber-surveillance technology that “[…] can be used for the commission of serious violations of human rights or international humanitarian law or can pose a threat to international security or the essential security interests of the Union and its Member States.” It also proposed introducing a new category 10 “Other items of ‘cyber-surveillance technology’” to Annex I. Both proposals were rejected.