Export controls: the EU’s new dual-use regime

On 9 September 2021 the EU effected a number of amendments to its export control regime via the implementation of Regulation (EU) No 2021/821 (referred to as the Recast Dual Use Regulation), replacing Regulation (EU) No 428/2009 as the key legislative instrument governing EU exports of “dual-use” items.

“Dual-use” items are goods, software and technology that can be used for both civilian and military applications. The EU imposes controls on the export and transit of dual-use items, and on the provision of related brokering services and technical assistance.

The new legislation aims to modernise and enhance the EU’s controls on exports of “dual use” items, to address the emergence of new technologies, to enhance compliance with the restrictions, and to improve co-ordination between EU Member States and the EU Commission, as well as between the EU and international partners. The core list of “dual-use” items subject to EU export controls, now contained in Annex I of the Recast Dual Use Regulation, remains broadly unchanged as a result of the new legislation.

Key changes to the EU’s export control regime in respect of “dual use” items

“Internal compliance programmes”

It is now an EU-wide requirement that exporters implement “Internal compliance programmes” (IPC) as a condition of certain general export authorisations. IPCs are defined as, “ongoing effective, appropriate and proportionate policies and procedures adopted by exporters to facilitate compliance with the provisions and objectives of this Regulation and with the terms and conditions of the authorisations implemented under this Regulation, including, inter alia, due diligence measures assessing risks related to the export of the items to end-users and end-uses”. Further guidance on IPCs is to be issued at EU level.

Cyber-surveillance technology

In addition to items related to cyber surveillance specifically designated as subject to “dual-use” controls within the list contained in Annex I to the Recast Dual Use Regulation, individual Member States may impose a requirement that additional “cyber-surveillance items” must be subject to export authorisation by that Member State, where they believe that those items are or may be intended, in their entirety or in part, for use in connection with “internal repression and/or the commission of serious violations of international human rights and international humanitarian law”.

The Recast Dual Use Regulation defines “cyber-surveillance items” as, “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems”.

Further, exporters are subject to an obligation to report to the competent regulatory authority of the relevant Member State if they are aware that “cyber-surveillance items” that they propose to export, are intended, in their entirety or in part, in connection with internal repression and/or the commission of serious violations of international human rights and international humanitarian law.

Upon receipt of such a report, the relevant Member State must decide whether to impose an authorisation requirement upon exports of such items. Where a Member State imposes such an authorisation requirement, it must notify the EU Commission and other Member States.

Technology of concern with respect to public security

Similarly, individual Member States may impose a requirement that items not contained in Annex I to the Recast Dual Use Regulation must be subject to export authorisation by that Member State, for reasons of “public security”, including the prevention of acts of terrorism or due to human rights considerations. Where a Member State imposes such an authorisation requirement via entry onto its national control list (of which it must notify the EU Commission), exporters from other Member States who have been informed by their relevant competent regulatory authority that items that they propose to export may be used, in their entirety or in part, for the purposes above, must also seek authorisation to permit such export.

Additional export authorisations

Several additional general export authorisations have been introduced (authorising exports of certain dual-use items to specified destinations, subject to the conditions of the licence), including:

• Intra-group exports of software and technology, covering exports of a wide range of dual-use software and technology to 15 destinations (in addition to those destinations subject to the general export authorisation in respect of all dual-use items)
• Encryption goods, software and technology of a variety of export control classification numbers to all destinations except for 41 prohibited by the licence conditions

Individual Member States may also issue additional authorisations including:

• National general export authorisations for “low risk” exports
• Large project authorisations for exports of dual-use items of specific categories to specific end users or destinations
• Record-keeping period
• Record-keeping requirements are extended from 3 to 5 years In respect of exports of dual-use items from the EU. The requirement remains three years for intra-EU transfers.
• Enforcement Coordination Mechanism
• The Dual Use Coordination Group shall oversee a new “enforcement coordination mechanism” designed to facilitate communication, cooperation and information sharing between Member states on matters such as violations, penalties, authorisation decisions.
• Record-keeping period
• Record-keeping requirements are extended from 3 to 5 years In respect of exports of dual-use items from the EU. The requirement remains three years for intra-EU transfers.
• Enforcement Coordination Mechanism
• The Dual Use Coordination Group shall oversee a new “enforcement coordination mechanism” designed to facilitate communication, cooperation and information sharing between Member states on matters such as violations, penalties, authorisation decisions.

Record-keeping period

Record-keeping requirements are extended from 3 to 5 years In respect of exports of dual-use items from the EU. The requirement remains 3 years for intra-EU transfers.

Enforcement Coordination Mechanism

The Dual Use Coordination Group shall oversee a new “enforcement coordination mechanism” designed to facilitate communication, cooperation and information sharing between Member states on matters such as violations, penalties, authorisation decisions.

Extended restrictions on “technical assistance”

The provision of all “technical assistance” in respect of “dual-use” items is now controlled (i.e., subject to an authorisation requirement), where the “provider of technical assistance” is aware or has been informed that the items may be for a prohibited end use (e.g. WMD, military use in breach of an arms embargo). A “provider of technical assistance” is defined in the new Regulation as including:

• any party that provides “technical assistance” from the customs territory of the EU into the territory of a third country;
• any party resident or established in a Member State that provides technical assistance within the territory of a third country; or
• any party resident or established in a Member State that provides technical assistance to a resident of a third country temporarily present in the customs territory of the EU.

Under the previous regime “technical assistance” was restricted only when involving the provision of goods, software or technology that are themselves controlled. This therefore represents a significant expansion of the scope of restricted activities, and encompasses, “any technical support related to repairs, development, manufacture, assembly, testing, maintenance, or any other technical service, and may take forms such as instruction, advice, training, transmission of working knowledge or skills or consulting services, including by electronic means as well as by telephone or any other verbal forms of assistance”, in respect of “dual-use” items.

Broadened definition of “broker”

The definition of a “broker”, subject to controls on the provision of “brokering services” in respect of “dual-use” items, is extended to include parties not resident or established in a Member State where they provide “brokering services” from the customs territory of the EU. Previously, a “broker” was defined more narrowly, to include only parties resident or established in a Member State.

Key impacts on EU exporters

• Exporters will need to ensure that they implement “Internal compliance programmes” (IPC) as a condition of using certain general export authorisations, which are ongoing, effective, and proportionate to ensure compliance with the provisions of the Recast Dual Use Regulation, and include due diligence to assess risks of exporting to restricted end users or end uses.
• Businesses engaged in exports of cyber-surveillance related goods, technology or software may need to enhance their due diligence processes and internal controls to assess whether their activities fall within the expanded restrictions on “cyber-surveillance items”. This includes (1) checking if export authorisations are imposed at a Member State level (e.g., on national control lists), and (2) ensuring compliance with the positive obligation now incumbent on exporters to report to their relevant regulatory if they are aware that “cyber-surveillance items” may be used in connection with internal repression and/or human rights abuses.
• Businesses engaged in exports of goods, technology or software which may be put to uses which threaten “public security” (e.g., in connection with terrorism or human rights abuses) must also assess whether proposed exports are subject to export authorisations imposed at a Member State level.
• Exporters or providers of services which constitute “technical assistance” in respect of “dual-use” items may need to adopt additional due diligence processes and internal controls to assess whether their activities fall within the expanded restrictions on providing “technical assistance” where “dual use” items may be for a prohibited end use. Additionally, such internal processes and controls must ensure that exporters or service providers comply with the positive obligation incumbent upon them to inform their relevant competent regulatory authority if they are aware that such circumstances exist.
• Exporters may be able to make use of additional general export authorisations for intra-group transfers or certain encryption related items; national general export authorisations granted in respect of “low-risk” exports; or large project authorisations in respect of multiple exports of specified controlled items to specified end users or destinations.

Impacts on the UK and wider non-EU actors

• Businesses engaged in imports of “dual use” items from the EU, or whose operations have a wider direct or indirect EU nexus, should determine whether any of the expanded restrictions under the Recast Dual Use Regulation impact upon their activities. This includes the potential for non-EU providers of “brokering services” in respect of “dual use” items to fall within EU brokering controls where they provide such services to parties based in the EU.
• Under the terms of the Protocol on Northern Ireland within the EU-UK Withdrawal Agreement, Northern Ireland must continue to implement EU regulations in respect of export controls. Therefore, exporters of “dual use” goods, or controlled related “technical assistance” or “brokering services” from Northern Ireland must ensure that they comply with the above measures including the additional and extended restrictions summarised above. As with the EU, this therefore represents a degree of divergence in respect of the export control regimes implemented in Northern Ireland versus the rest of the UK. As before, shipments of “dual use” items from the EU to Northern Ireland are treated as intra-EU transfers and are not usually subject to a licensing requirement. However, the UK and the EU have expressed inconsistent positions as to whether shipments of “dual use” items from Northern Ireland to other parts of the UK are subject to a licensing requirement. Businesses undertaking such activities should therefore ensure to seek advice in advance from the UK Export Control Joint Unit.
• Certain importers of “dual use” items from the EU to non-EU destinations including the UK have reported certain administrative issues related to changes to registration reference numbers for General Export Authorisation numbers, which has caused exports to be refused or delayed. Importers are advised to check with their freight forwarder or logistic provider and if necessary, the relevant competent authority in the exporting Member State to confirm that the new regulations have no impact at a procedural / administrative level.
• An amended version of Regulation 428/2009 (i.e., the previous Dual Use Regulation) constitutes retained EU law implemented in UK domestic legislation via the European Union (Withdrawal) Act 2018, and continues to form the basis of the UK’s export control regime for “dual use” goods. The UK Government has confirmed that it does not intend to harmonise the UK’s regime with the new EU legislation, with the effect that the EU and UK regimes now feature a greater degree of divergence in their requirements. Nevertheless, the lists of controlled “dual use” items contained in the relevant annexes of Regulation 428/2009 (as retained in UK law) and the Recase Dual
• Use Regulation remain the same, as they are derived from multilateral agreements to which both the EU and UK are a party, e.g. the Wassenaar Arrangement.