The review aims to upgrade, modernize, and strengthen the EU’s export control toolbox and respond effectively to evolving risks and emerging technologies. Export controls need to be updated regularly to adjust to evolving security risks and threats, rapid developments in science and technology, and changes in world trade. In this regard, the Regulation should allow the European Union to address the risk of human rights violations associated with trade in cyber-surveillance technologies not subject to prior agreement at a multilateral level. It also enhances the EU’s capacity to control the flow of trade in sensitive new and emerging technologies.
The need for this revision was indisputable. Indeed, all European institutions—as well as relevant stakeholders—considered the new Regulation necessary to adapt to changing technological, economic, and political circumstances. Thus, back in 2011, the European Commission expressed the need to revise the current Dual-Use Regulation. In 2016, the Commission submitted a proposal to modernize the European export control system (full text accessible here) and eventually, on May 20, 2021, the European Parliament and Council adopted the Regulation.
As may be noted from reading the text of the Regulation—the result of a long review and negotiation process—the Commission’s goal of effectively addressing human rights concerns and further harmonizing controls resulted in limited revision of the current Dual-Use Regulation in some areas. This has not sat well with human rights organizations, which oppose the new Regulation, deeming it ineffective and inadequate to protect and safeguard human rights (e.g., see here).
Still, the Regulation undeniably contains changes and updates from the previous dual-use regime. Below, we provide an overview of the major amendments and updates, but a thorough dissection of the changes would require a significantly greater amount of space:
- Authorizations: Like the current Dual-Use Regulation, the new Regulation provides: (i) individual export authorizations; (ii) global export authorizations; (iii) national and Union General Export Authorizations (“UGEAs”)—all valid throughout the customs territory of the European Union.
Individual and global export authorizations are granted by the relevant authority of the Member State where the exporter resides or is established. When the exporter is not residing or established in the customs territory of the European Union, individual export authorizations are to be granted by the relevant authority of the Member State where the relevant dual-use items are located. Moreover, the new Regulation provides that an individual export authorization shall be subject to an end-use statement (whereas the current Dual-Use Regulation provides that it may be subject if appropriate), unless exempted by the relevant authority. Global export authorizations may be subject to end-use statements, if appropriate. Notably, exporters using global export authorizations shall implement an internal compliance program (“ICP”—for more insights on ICP please see point (b) below), unless considered unnecessary by the relevant authority based on information provided by the exporter in the authorization application.
The new Regulation introduces two new types of UGEAs: one for intra-group export of software and technology (the “EU007”—see Annex IIG) and another for encryption items (the “EU008”—see Annex IIH). The intra-group export UGEA/EU007 is available for many of the dual-use items listed in Annex I, excluding those in Section I of Annex II and a few other items as indicated in Annex IIG. For exports to some countries not covered by the EU007, the UGEA EU001 can potentially be used, or (for many fewer items) the EU002. The intra-group export authorization can be used for exports by legal persons established in a Member State when both the direct parent company and the ultimate controlling entity are established in a Member State, Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland, Liechtenstein, the UK, or the United States. It can be used for exports to a company wholly owned and controlled by the exporter (referred to as a “subsidiary”) or a company directly and wholly owned and controlled by the same parent company as the exporter (referred to as a “sister company”). In addition, conditions apply to the use and control of the relevant software and technology, which must be returned to the exporter and deleted by the subsidiary or sister company upon completion of the development activity or if the subsidiary or sister company is acquired by another entity. In addition, exporters intending to use this specific UGEA must implement an ICP.
The encryption authorization/EU008 covers the export of a range of encryption items to all destinations except those mentioned in part 2 of Annex IIH. The authorization is subject to restrictions relating to the use of encryption items and cannot be used if the encryption items are formally approved by a Member State to transmit, process, or store certain classified information or bear a certain national security classification marking.
Lastly, the recast Regulation introduces large project authorization, a new subtype of authorization. As defined, this may consist of an individual or a global authorization granted to one exporter for a type or category of dual-use items and is valid for exports to one or more specified end-users in one or more third countries for a specified large-scale project. What exactly qualifies as such a project is not established. This type of authorization is valid for a duration determined by the relevant authority, but no longer than four years, except in duly justified circumstances based on the duration of the project.
- Due diligence obligations and Internal Compliance Programs: The new Regulation diverges from the current Dual-Use Regulation, in that it explicitly dictates that stakeholders (e.g., exporters) must implement ICPs to obtain global export authorizations. The big news here is that prior to the new dual-use regime some Member States already required exporters to implement ICPs for export controls to obtain export authorizations. Now, the Regulation is making the ICP an EU-wide requirement (with limited exceptions).
Article 2, No. 21 of the Regulation defines an ICP as ongoing effective, appropriate, and proportionate policies and procedures adopted by exporters to facilitate compliance with the provisions of the Regulation and with the terms and conditions of authorizations (please refer to point (a) above) implemented under this Regulation (including, among others, due diligence measures assessing risks related to the export of the items to end-users and end-uses). Due diligence involves assessing the risks associated with the transactions covered by these Regulations by means of analytical review of the transactions as part of an ICP.
- Public security and human rights considerations: The new Regulation does provide an optional authorization regime for the export of non-listed dual-use items raising human rights concerns. Like the current Dual-Use Regulation, it allows Member States to impose authorization requirements on the export of non-listed dual-use items for public security reasons or human rights considerations.
Article 10 of the Regulation states that an authorization is required for the export of non-listed dual-use items if: (i) another Member State requires an authorization for the export of these items; and (ii) the exporter has been informed by the relevant authority that the items in question are or may be intended for uses of concern with respect to public safety, including the prevention of acts of terrorism, or human rights.
- Technical assistance: It is worth noting that the current Dual-Use Regulation already requires authorization for providers of technical assistance for certain dual-use items, as set out in paragraph E (Technology) of the various categories of Annex I. Additionally, Article 8 of the Regulation requires authorization for the provision of technical assistance related to all items included in Annex I if the provider has been informed by the relevant authority that the items in question are or may be intended for the uses described in Article 4 (meaning use in connection with internal repression or the commission of serious violations of human rights and international humanitarian law).
Technical assistance providers must notify the relevant authority if they are aware that the dual-use items for which they propose to provide technical assistance are intended for such use. Member States can again choose to expand this notification obligation to cover situations in which the exporter merely has grounds for suspecting that the relevant items are or may be intended for such use. Member States may also extend the authorization requirement, but not the notification obligation, to non-listed dual-use items.
- Cyber-surveillance: Article 5 of the Regulation adds a catch-all authorization requirement for the export of non-listed cyber-surveillance items. The Regulation does include a definition of “cyber-surveillance items” that covers dual-use items specifically designed to enable covert surveillance of natural persons by monitoring, extracting, collecting, or analyzing data from information and telecommunication systems.
The catch-all authorization requirement for the export of non-listed cyber-surveillance items applies if the exporter has been informed by the relevant authority that the items in question are or may be intended for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. If an exporter’s due diligence findings indicate that the non-listed cyber-surveillance items are intended for any of the outlined uses, it must notify the relevant authority. The relevant authority must then decide whether to subject the export to authorization. Member States can choose to expand this notification obligation to situations in which the exporter merely has grounds for suspecting that the relevant items are or may be intended for such use.
Article 5 also provides a new mechanism for coordination between Member States. In a nutshell, if a Member State imposes an authorization requirement on the export of a non-listed cyber-surveillance item, it must provide relevant information to the other Member States and the Commission.
- License duration and record-keeping: Global and individual authorizations will now be valid for a maximum of only two years. Further, records must be kept for five years (as opposed to the current three-year period) following the end of the calendar year in which the transfer takes place.
 The Commission proposal originally sought to regulate the export of cyber-surveillance technology more comprehensively, expanding the definition of “dual-use items” to include cyber-surveillance technology that “[…] can be used for the commission of serious violations of human rights or international humanitarian law or can pose a threat to international security or the essential security interests of the Union and its Member States.” It also proposed introducing a new category 10 “Other items of ‘cyber-surveillance technology’” to Annex I. Both proposals were rejected.