Recast Dual-Use Regulation: An Overhaul of the EU export control regime fitted for the XXI century?

The recast process

The EU rules on the export control of dual-use items are currently set out in Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items (“Dual-Use Regulation”). In addition to dual-use items listed in Annex I, the Dual-Use Regulation imposes controls on certain non-listed dual-use items that may be intended for certain prohibited purposes connected to military uses (“catch-all clause”).

On 30 September 2016, the European Commission (“Commission”) submitted to the European Parliament (“Parliament”) and the Council of the EU (“Council”) a proposal for the recast of the Dual-Use Regulation, with a view to modernising the EU export control framework to reflect contemporary technological developments and current practice. Following a series of inter-institutional negotiations among the Council, the Parliament and the Commission, on 9 November 2020, a full provisional agreement on the final compromise text was reached between the institutions. As of its entry into force on 9 September 2021, Regulation (EU) 2021/821 (“Recast Regulation”) will replace the Dual-Use Regulation.

The Recast Regulation

The Recast Regulation will bring about both substantive and procedural changes, the most important of which are:

Substantive

• New catch-all controls on non-listed cyber-surveillance items: The catch-all clause maintains catch-all controls on items not listed in Annex I if the they might be used: (1) in connection with weapons of mass destruction or missiles; (2) for a military-end use in a country subject to an arms embargo; or (3) in connection with military items listed in Member States’ national military lists if exported from the EU without or in violation of an export authorisation.

Further, the Recast Regulation provides for  catch-all controls on non-listed cyber-surveillance items that might be used in connection with internal repression and/or serious violations of human rights and international humanitarian law. Cyber-surveillance items are defined as “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems”.

These controls on the export of any cyber-surveillance item that may be used for internal repression or serious human rights violations go beyond similar controls in various sanctions regime (e.g. Belarus, Iran, Libya, Myanmar, Syria, Venezuela and Zimbabwe).   

Additionally, the Recast Regulation introduces controls with respect to  “essentially identical transactions” of non-listed cyber-surveillance items. “Essentially identical transactions” are “transactions concerning items with essentially identical parameters or technical characteristics and involving the same end-user or consignee as another transaction”.   Such controls would be possible through the  information exchange amongst Member States on authorizations granted under the new catch-all controls. In this regard, the Commission will publish a list of cyber surveillance items and destinations that are subject to licenses.

• New rules concerning transit through the EU: The current Dual-Use Regulation allows Member States to prohibit or to impose authorisation requirement on the transit through the EU of dual-use items listed in Annex I, if they are intended for use in connection with weapons of mass distraction or missiles. The Recast Regulation expands controls on transit to items intended for all uses prohibited under the catch-all clause (i.e., including also military end-uses in countries subject to an arms embargo or items listed in Member States’ national lists). The Recast Regulation allows the granting of a transit authorisation to the declarant or the carrier if the party determining the transit of the items is not established in the EU.

• New rules on technical assistance: The Recast Regulation adds a new licensing requirement for the provision of technical assistance related to dual-use items including those intended for uses prohibited under the catch-all clause. Member States may extend these controls to non-listed items.

However, an authorisation requirement will not apply if the technical assistance  (1) is supplied within or into the territory of or towards a resident of ally countries (Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland (including Liechtenstein), the UK and the US); (2) takes the form of transferring information in the public domain or basic scientific research; (3) is provided by authorities or agencies of a Member State in the context of their official tasks; (4) is provided for the armed forces of a Member State on the basis of the tasks assigned to them; (5) is provided for a purposes cited under the exceptions for items listed in Annex IV; or (6) is the minimum necessary for the installation, operation, maintenance (checking) or repair of those items for which an export authorisation has been issued.

• Stricter controls on public security grounds: Controls on non-listed dual-use items for reasons of public security or human rights may be imposed also to prevent acts of terrorism. Further, controls are expanded to situations in which another Member State imposes a licence requirement on the basis of its national control list, if the exporter has been informed that the items may be intended for uses of concern with respect to public security, prevention of terrorism or human rights considerations. In these cases, a licence is required.

Procedural

• New EU General Licences: There will be two new General Export Authorisations (“GEAs”) covering (1) intra-group exports of software and technology (GEA EU007); and (2) encryption (GEA EU008). Both GEAs EU007 and EU008 set out strict conditions for their use to ensure that items exported under these licences will not be used for prohibited purposes covered by catch-all controls, such as in connection to military end-uses or for breaching of human rights, democratic principles or freedom of speech. 

  • GEA EU007 covers the export of almost all technology and software in Annex I to Argentina, Brazil, Chile, India, Indonesia, Israel, Jordan, Malaysia, Mexico, Morocco, Philippines, Singapore, South Africa, South Korea, Thailand and Tunisia. The licence will be available to EU exporters exporting items to their subsidiaries and sister companies located in the above destinations, provided that their parent company is established in the EU or in a country covered by GEA EU001.¹ Exporters will need to ensure that the conditions of the licence are fulfilled, which aim at securing that the exported controlled technology or software will be used only for the declared purposes and will remain under the control of the group. The exporter would need to provide a  guarantee for the non-EU based entity  compliance with the terms of the licence.

  • GEA EU008 covers the export of certain items of encryption from Category 5 - Part 2 of Annex I, provided that they meet all of the following conditions: (1) they use only published or commercial cryptographic standards approved or adopted by internationally recognised standard bodies; (2) they do not use cryptographic standards designed for government use, e.g., the cryptographic standards used in public safety radio systems; and (3) any cryptographic functionality cannot be easily changed by the user. GEA EU008  can be used for exports to all destinations, except countries subject to the scope of GEA EU001 and certain countries subject to EU sanctions or in risk of trans-shipment.² Exporters relying on GEA EU008 will have to fulfil strict conditions for its use to ensure that items of encryption will not be used for prohibited purposes such as military or breaches of human rights.

• New rules concerning export licences: The Recast Regulation sets out revised disciplines concerning export licences. Individual and global export licences will be valid for two years, while licences for large projects will be valid for up to four years. Internal Compliance Programmes ("ICP") will become legally mandatory for exporters using global licences, unless the authorities can rely on available information previously shared by the exporter. Any specific reporting and ICP requirements relating to global licences will be defined by each Member State.

• Enhanced Member States cooperation: In determining whether to grant an export licence or prohibit a transit, Member States’ authorities must examine all valid denials issued by other Member States for “essentially identical transactions”. Member States will have a period of 10 working days to provide their views  on whether they consider that transaction to be “essentially identical” to other ones that they previously assessed. The 10-day period may be extended up to 30 working days if additional information is required. This is likely to result in delays in the licensing process for “essentially identical transactions”.

Further, the exchange of information among Member States will include data provided for each license (e.g., value and types of licence and related destinations), the application of controls (e.g., number of companies with ICPs), the analysis underlying additions to national control lists for public security grounds, information about the enforcement of controls (e.g., risk-based audits, number of violations), and data on sensitive end-users and routes taken.

• Longer document retention periods for exporters: The Recast Regulation extends the mandatory document retention period to a minimum of five years. Nevertheless, Member States may provide for longer retention requirements.

Next steps

The Recast Regulation will have significant implications on EU exporters of dual-use items, especially companies operating in high-technology sectors:

Additional obligations on exporters

The Recast Regulation is expected to increase the burden on exporters to verify the end-use of non-controlled items that may be covered by catch-all controls, in particular on companies operating in the telecommunications sector and dealing with cyber-surveillance items. In practice this means that companies will need to enhance their due diligence and compliance processes to ensure that their products will not be used for prohibited purposes. Such processes may overlap with current due diligence checks companies do in order to comply with the various EU sanctions. EU exporters are advised to conduct appropriate training to relevant functions who should be able to distinguish between the various sanctions and export control restrictions on exports. ERP systems will also need to be adapted to reflect the new rules.

Enhanced due diligence processes would entail extensive information requests to non-EU clients in order to ascertain that a given transaction will not risk being subject to the catch-all controls and hence require an export licence. In practice this is likely to increase the time required to complete all export formalities. This would also be the case for companies providing technical assistance to exported goods and technology.

Exporters should count for longer timeframes for granting export licences, due to the enhanced Member States’ cooperation and exchange of information, in particular their consultation with respect to essentially identical transactions.

Additionally, companies using global licences will be subject to a mandatory implementation of an ICP. In other words, they will have to demonstrate that their internal trade compliance policies and procedures allow them to verify that the circumstances of the transaction will not lead to a breach of applicable rules (e.g., through appropriate screening of their counterparties and end-user of the items, escalation procedures and checks). Although such a requirement has been applied in practice by many Member States authorities, it will now become a legal obligation. An effective ICP is therefore implicitly made a central part of the export licensing process.

Further, Member States’ authorities will have to consider all circumstances surrounding a transaction before they grant an export licence, including applicable EU and UN sanctions. This would mean that companies will have to be able to ascertain that their intended transactions are in compliance with applicable rules. An effective ICP should therefore reflect and address both sanctions and export control compliance considerations.

Exporters’ obligation concerning document retention is extended to a minimum of five years. For those Member States that provided for shorter document retention periods, exporters will need to change their internal policies to comply with the five-year obligation (or longer if national laws are amended). This will mean that companies will need to ensure that their internal record keeping policies allow for a full tracking of each export transaction through the documents retained in their systems.

Benefits for exporters

The enhanced cooperation among Member States will limit any scope of diversion within the EU through the imposition of controls on “essentially identical transactions”, i.e., transactions on items having identical technical characteristics, and concerning the same end-user or consignee. This is expected to harmonise the application of export controls, for example under the catch-all clause, and to reduce the possibility for companies attempting to do forum-shopping in order to export controlled items.

Intra-company transfers of technology and software, and the export of certain items of encryption will become easier, as they will now benefit from the newly introduced EU GEAs. Provided they fulfil all relevant criteria and conditions under the relevant licence, exporters will be able to rely on these EU GEAs and reduce the process for applying for individual export licences.

This is particularly important for global corporations, which regularly transfer dual-use software and technology among their various subsidiaries. The new GEA EU007 on intra-group exports of software and technology will allow EU companies to share controlled technology and software with their non-EU subsidiaries in covered destinations without having to go through the individual licence procedure. This is expected to further facilitate the use of modern solutions such as cloud computing. Importantly, corporations of allied countries that control the EU exporting entity will also be able to benefit from this licence and export controlled software and technology from the EU to covered countries. We would expect that reliance on this licence will further facilitate trade in new technologies and global supply chains.

Finally, EU exporters involved in long term projects will be able to benefit from authorisations with a validity of up to four years. This will reduce the administrative burden of obtaining individual licences for different components and consignees, as all items concerning a certain project will be able to benefit from such licences.

The Recast Regulation will be directly applicable in all Member States and binding upon EU exporters as from 9 September 2021.  At this stage, we do not have any indication that the UK Government may consider a similar revision of its own export control rules.

We would be happy to provide more information about the upcoming changes to the EU export control regime and to assist you with any specific queries or transactions.

References

1 Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland including Liechtenstein, the UK and the US.

2 Afghanistan, Armenia, Azerbaijan, Belarus, Burma (Myanmar), Cambodia, Central African Republic, China (including Hong Kong and Macao), Democratic Republic of Congo, Republic of Congo, Egypt, Eritrea, Georgia, Iran, Iraq, Israel, Kazakhstan, Kyrgyzstan, Lebanon, Libya, Malaysia, Mali, Mauritius, Mongolia, North Korea, Oman, Pakistan, Russian Federation, Qatar, Saudi Arabia, Somalia, South Sudan, Sudan, Syria, Tajikistan, Turkmenistan, United Arab Emirates, Uzbekistan, Venezuela, Yemen, Zimbabwe.

Authored by Lourdes Catrain and Eleni Theodoropoulou.