On September 9, 2021, the long-awaited recast of the EU Dual-Use Regulation (the Regulation) will enter into force. It provides for new rules on cyber-surveillance technology, the provision of technical assistance, as well as export restrictions for reasons of public security and human rights considerations. Additionally, the new Regulation provides for large project authorizations as well as two new EU General Export Authorizations.

Cyber-surveillance technology

One of the core amendments concerns cyber-surveillance items, which are defined as “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analyzing data from information and telecommunication systems.” The recast Regulation sets out a new catch-all clause, similar to those in Article 4 of the EU Dual-Use Regulation, as well as the possibility for national authorization requirements for cyber-surveillance items. However, it is important to note that the new Regulation does not provide for a list of controlled cyber-surveillance items to be added to Annex I as initially proposed by the Commission.

The new catch-all clause provides that exports of (non-listed) cyber-surveillance items are subject to a license if the exporter has been informed by the competent authority that the items in question are or may be intended for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.

Furthermore, if the exporter is aware, “according to its due diligence findings”, that non-listed cyber-surveillance items are intended for such uses, they shall notify the competent authority, which may decide whether or not to make the export in question subject to authorization. The reference to the exporters’ due diligence findings could be understood to mean that exporters are under an obligation to take reasonable steps to determine the intended use of cyber-surveillance items where they become aware of unusual circumstances.

Furthermore, a Member State may adopt or maintain national legislation imposing an authorization requirement on the export of cyber-surveillance items not listed in Annex I of the Regulation if the exporter has grounds for suspecting that those items are or may be intended for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.

A Member State which imposes an authorization requirement under the catch-all clause or by way of national legislation shall provide the other Member States and the Commission with relevant information on the authorization requirement in question. This information exchange aims to allow for a transparent application of national restrictions and to prevent their circumvention.

Authorization requirement for technical assistance

Article 8 of the revised Regulation provides for an authorization requirement for the provision of technical assistance related to dual-use items listed in Annex I if the items in question are or may be intended for any of the uses referred to in the catch-all clauses pursuant to Article 4(1). This includes items that are intended for (i) uses related to weapons of mass destruction; (ii) specific military end uses, if the purchasing country or country of destination is under an arms embargo; or (iii) use as parts or components of military items that have already been exported illegally.

The authorization requirement is triggered if the provider of technical assistance has been informed by the competent authority that the items in question are or may be intended for such uses. If the provider of technical assistance is aware of such uses because of its own due diligence findings, it must notify the competent authority, which shall then decide whether or not to make such technical assistance subject to authorization.

National authorization requirements for public security or human rights reasons

Article 9 provides Member States with the option of adopting measures in order to prohibit or impose an authorization requirement on the export of dual-use items not listed in Annex I for reasons of public security, including the prevention of acts of terrorism, or for human rights considerations. In particular, such measures may include the establishment of a national control list of such dual-use items. Member States shall notify the Commission and the other Member States of any such measures (including amendments) and indicate the precise underlying reasons. The Commission shall then publish such Member State measures in the C series of the Official Journal of the EU. Additionally, the Commission shall publish separately a compilation of national control lists in force in the Member States.

National measures adopted under Article 9 may also have an impact on exports from other Member States. In fact, Article 10, which is a completely new provision introduced by the recast Dual-Use Regulation, sets out that an authorization shall be required for the export of dual-use items not listed in Annex I if:

  1. another Member State imposes an authorization requirement for the export of those items on the basis of a national control list of items pursuant to Article 9; and
  2. the exporter has been informed by the competent authority that the items in question are or may be intended for uses of concern with respect to public security (including the prevention of acts of terrorism) or human rights considerations.

It remains to be seen to what extent EU exporters will face new authorization requirements for exports of dual-use items that are not listed in Annex I. In fact, the possibility of adopting national control lists is not new and, so far, has only been used by a few Member States for a small number of items. Therefore, it would be surprising to suddenly see a drastic increase in national measures.

As regards the new Article 10, its practical relevance will depend not only on the Member States’ willingness to adopt national control lists but also on the willingness of other Member States’ competent authorities to become active and impose authorization requirements based on such national control lists. It is noteworthy that the competent authorities may impose such restrictions without the need for political approval from their Member States’ legislators.

Large project authorizations

The recast of the Dual-Use Regulation provides for a new category of authorizations, referred to as large project authorizations. A large project authorization is defined as “an individual export authorization or a global export authorization granted to one specific exporter, in respect of a type or category of dual-use items which may be valid for exports to one or more specified end-users in one or more specified third countries for the purpose of a specified large-scale project”. Unlike other individual and global export authorizations, which are generally valid for up to two years, large project authorizations may be valid for up to four years.

New EU General Export Authorizations

Annex II to the new Dual-Use Regulation provides for two additional EU General Export Authorizations:

  • Union General Export Authorization No EU007 on intra-group export of software and technology covers the export of specified software and technology to certain destinations by any exporter that is a legal person established in a Member State to a company wholly owned and controlled by the exporter (i.e., a subsidiary) or to a company directly and wholly owned and controlled by the same parent company as the exporter (i.e., a sister company). A number of conditions and requirements must be met to benefit from this General Export Authorization, including an obligation to implement an Internal Compliance Program.
  • Union General Export Authorization No EU008 on encryption covers exports of specified information security systems and software to certain countries. A number of conditions and requirements must be met to benefit from this General Export Authorization.

Recordkeeping obligations

The revised Dual-Use Regulation also provides for a number of smaller and less controversial amendments. In particular, it increases the period during which exporters must keep registers or records of their exports from three to five years. Since most companies are likely to keep such documents for five years or longer anyway, because of existing national statutory obligations or for other reasons, they will not be affected by this change.

Conclusion

The revised EU Dual-Use Regulation brings a number of changes to the EU dual-use framework. Most notably, the new rules will affect companies active in the cyber-surveillance industry, as they may face new authorization or notification requirements for exports that were previously not controlled. However, other companies will also need to carefully verify whether their internal compliance processes need to be adapted. Additionally, exporters will need to monitor national measures that may become more common in the future.

Overall, the recast is not the revolution some might have expected, as most of the framework remains the same and the new rules only appear to be relevant in a relatively limited number of scenarios. Despite having had the opportunity to enhance the EU dual-use framework after years of negotiations and legislative work, it is apparent that the new Regulation is the result of compromises. The fact that the recast Regulation provides Member States with the option of adopting national measures instead of setting out EU-wide rules bears the risk of increased fragmentation. This, in turn, is likely to make compliance more burdensome for companies.