|The Modernisation of EU Dual-Use Export Controls – Recast Regulation brings new requirements, recommendations, and licences for Exporters from EU Member States
After years of negotiations between the Commission, Member States, MEPs and stakeholders, the EU has adopted a regulation modernising the EU system for the control of exports, brokering, technical assistance, transit and transfer of dual-use items. The arrival of the new legislation represents a key evolution in the EU’s export control regime for 2021 and beyond, even if not the wide-ranging reform that some had advocated.
Regulation (EU) 2021/821 (the “Recast Regulation”) was published in the Official Journal of the European Union on 11 June 2021 and will enter in to force 90 days later on 9 September 2021, when it will apply directly in all EU Member States. For UK exporters, the Regulation will not become UK law (except in Northern Ireland, where it is expected to apply under the Ireland-Northern Ireland Protocol to the UK-EU Withdrawal Agreement), and it remains open whether the UK will follow the EU in adopting similar reforms.
The changes to the export control regime are intended to reflect the rapidly evolving nature of technology, cross-border business and supply chains since the previous rules were introduced in 2009. In particular, updates to controls and compliance expectations are introduced in response to emerging technologies and new security threats, and seek to mitigate the regulatory impact on trade in lower-risk technologies.
The Regulation offers exporters new general export authorisations that will ease the export compliance burden for many businesses, particularly in the technology sector. However, it also imposes new expectations around internal compliance programmes and introduces enhanced end-use controls, both of which are likely to have significant impacts upon EU exporters.
This alert focuses on the key elements of the Regulation, including the new requirements for internal compliance policies and due diligence, and examines the two new general export authorisations for cryptography, intra-group software and technology transfers. We expect that whilst the new general export authorisations will be welcomed by multinational companies operating in the tech sector and beyond, the new compliance and due diligence requirements will require significant reflection and adaptation of internal policies, to bring these in line with the modernised Regulation.
Internal Compliance Programs
“The contribution of exporters, brokers, providers of technical assistance or other relevant stakeholders to the overall aim of trade controls is crucial. In order for them to be able to act in conformity with this Regulation, the assessment of risks related to transactions concerned by this Regulation is to be carried out through transaction-screening measures, also known as the due diligence principle, as a part of an Internal Compliance Programme (ICP).” Recital 7, Regulation (EU) 2021/821
The new Regulation places increased importance on the requirements and desirability for exporters to have an effective Internal Compliance Programme (ICP).
Under the Regulation, exporters will be subject to a default requirement to implement an ICP for export controls in order to obtain global export authorisations. An ICP will also be required in order to use the new general export authorisation EU007 for intra-group software and technology transfers (see below). Certain due diligence is also expected in terms of exporters’ compliance with the new end-use controls, as noted below.
While some Member States (such as the Netherlands) already required exporters to implement an ICP in order to obtain global export authorisations, this is the first time that this requirement has been imposed at the EU-wide level. National export control authorities will have the ability to deem an ICP unnecessary “due to other information [that the authority] has taken into account“, but in practice ICPs are likely to become the norm.
An ICP requires ongoing effective, appropriate and proportionate policies and procedures adopted by exporters to facilitate compliance with the provisions and objectives of [the] Regulation and with the terms and conditions of the authorisations implemented under [the] Regulation, including […] due diligence measures assessing risks related to the export of the items to end users and end uses.
The EU published non-binding guidance on ICPs in 2019, although we expect that this will be updated and reissued following the Regulation’s implementation. The current guidance provides a degree of flexibility and takes into account the differences in size, resources, fields of activity and other features and conditions of exporters. The existing German ICP information leaflet, Dutch ICP Guidelines, and UK Compliance Code of Practice also set out checklists and expectations for export control compliance and EU exporters may wish to refer to these documents (and other guidance from national authorities) as helpful reference points in preparing their own ICPs. A core element for any ICP is to ensure it is risk-based. Conducting an appropriate risk assessment of an exporter’s trade compliance risks, and implementing controls tailored to those risks, is increasingly expected by regulators and critical to any global compliance programme.
New general export authorisations for cryptography and intra-group software and technology transfers
The Regulation sets out two significant new general export authorisations: one will cover intra-group transfers of dual use software and technology and the other will cover dual-use cryptography items.
EU007 – Intra-group export of software and technology
The new general export authorisation EU007 will allow intra-group exports of most software and technology to a specific list of countries exclusively for product development purposes, where developed technology will be returned to the exporter.
Specifically, the authorisation covers exports by an EU exporter to a subsidiary or sister company, provided that:
- the parent company is resident or established in either an EU Member State or a destination benefiting from general export authorisation EU001 (Australia, Canada, Iceland, Japan, Liechtenstein, New Zealand, Norway, the UK or the US);
- the parent directly controlling the exporter provides a binding guarantee for the sister company’s compliance with the authorisation;
- the exported software and technology will only be used for commercial product development activities by the exporter and the subsidiary/sister company, and will be returned to the exporter and completely deleted by the subsidiary or sister company, either when the development activities come to an end or if the subsidiary or sister company leave the group (i.e. is acquired by another entity);
- any resulting developed technology must also be transmitted to the exporter and deleted by the subsidiary or sister company; and
- the exported software and technology (and any products resulting from these) remain under the complete control of the exporter (or in the case of an export to a sister company, under the complete control of the direct parent), and will not be shared with any other entity.
EU007 will be valid for exports to Argentina, Brazil, Chile, India, Indonesia, Israel, Jordan, Malaysia, Morocco, Mexico, Philippines, Singapore, South Africa, South Korea, Thailand and Tunisia.
Exporters must provide to their competent authority a report, at least once a year, including at least:
- a description of the software and technology;
- the quantity and value of the software and technology; and
- the subsidiaries, sister companies and parent companies involved under the authorisation.
An exporter intending to use EU007 must register with the competent authority of the Member State where they are resident or established prior to the first use of the authorisation (registration is automatic and should be acknowledged within 10 working days of receipt), and must notify first use of the authorisation to the competent authority no later than 30 days before the date of the first export.
As noted above, any exporter wanting to rely on EU007 must implement an ICP.
EU008 – Encryption
The new EU008 is a long-awaited EU-wide general export authorisation for certain kinds of cryptographic equipment, software and technology commonly used by multinational companies. It will be welcome news for companies dealing with encryption items that do not receive the benefit of exemptions for generally available products or where activities extend beyond the destinations covered by general export authorisation EU001. However, the scope of this licence may not be as permissive as exporters had anticipated, and exporters must carefully review and ensure full compliance with its scope and terms.
The licence covers:
- Digital communication or networking systems, equipment or components (5A002.a.2);
- Computers, other items having information storage or processing as a primary function, and components (5A002.a.3);
- Software having the characteristics of, or performing or simulating the functions of such equipment (5D002.c.1);
- Software specially designed or modified for the use of such equipment or software (5D002.a.1);
- Certain “cryptographic activation tokens” relating to the above (5A002.b, 5D002.b, 5E002.b);
In order to benefit from the new licence, items can only use published or commercial cryptographic standards approved or adopted by internationally recognised standard bodies (and not standards specially designed for government use such as public safety radio). Further, any cryptographic functionality used by the items cannot be easily changed by the user.
The relatively broad scope of the licence (both in terms of items and destinations covered) is intended to redress the perceived imbalance between the compliance burden on EU exporters of cryptographic items and US-based exporters that are able to take advantage of relaxations to export compliance requirements for certain cryptographic items under the Export Administration Regulations (notably License Exemption ENC). Nonetheless, use of the new EU008 authorisation still requires significant reporting and record keeping steps to be completed, and exporters must pay particular attention to excluded destinations.
The authorisation is available to EU exporters provided that they follow the registration and notification requirements and provide the competent authority of the Member State where they are resident or established the necessary technical data related to the export. The requirement to provide technical data is extensive and more onerous than for other general export authorisations.
|Technical Data Requests
If a competent authority requests technical data in relation to a specific item, the exporter must provide at least the following information:
- product name;
- model number;
- item description e.g. what would be included in a product brochure;
- technical specifications (if the competent authority determines necessary) including:
- a list of all relevant cryptographic algorithms, including associated key management, related to data confidentiality;
- a list of any protocols to which the item adheres;
- specification of pre- or post-processing of data, such as compression of plain text or packetizing of encrypted data; and
- details of programming interfaces that can be used to gain access to the cryptographic functionality of the item;
- the export control classification.
The authorisation is specifically not available where the exporter has been informed or is aware that the items are or may be intended for use in military, paramilitary, police, intelligence, surveillance end-use, or other security end-use by the government or by entities acting on behalf of the government or for use in connection with a violation of human rights, democratic principles or freedom of speech; or the that items will be re-exported to any excluded destination.
The authorisation is also not available for any exports of items that are also controlled by any other (e.g. non-encryption) control entry.
EU008 sets out a negative list of destinations – in other words, exports can be made to any destination not named in the schedule to the authorisation. Destinations excluded for export include those under general export authorisation EU001 (as they already benefit from that more permissive authorisation) as well as a longer list of excluded countries, notably excluding China (including Hong Kong and Macao), Egypt, Israel, Malaysia, Pakistan, Qatar, Russia, Saudi Arabia and the UAE, as well as all jurisdictions subject to an EU arms embargo or sanctions related to dual-use items, amongst others.
Exporters must provide to their competent authority a report, at least once a year, including at least:
- the export control classification of the dual-use items;
- the quantity and the value of the dual-use items;
- the name and address of the consignee;
- where known, the end-use and end-user of the dual-use items;
- a reference to the last submission of technical data for the dual-use items.
An exporter intending to use EU008 must register with the competent authority of the Member State where they are resident or established prior to the first use of the authorisation (registration is automatic and should be acknowledged within 10 working days of receipt), and must notify first use of the authorisation to the competent authority no later than 10 days before the date of the first export.
Other changes to export authorisations and record keeping
In addition to the inclusion of two new general export authorisations, global and individual authorisations will be valid for up to two years. This is a marked change from the past where global licences could be, and were, granted for longer durations.
The time requirements for record keeping are also extended under the Regulation. Records of exports from the EU will need to be kept for up to five years from the end of the relevant calendar year for exports, as opposed to three years currently.
New control on technical assistance
The Regulation introduces a new control to cover the supply of technical assistance related to controlled dual-use items (and for some Member States, this may be extended to non-listed dual-use items), if the items are to be, or may be, used for a military or WMD-related use.
Previously, technical assistance in the form of instructions, skills, training, working knowledge and consulting services, or involving the transfer of technical data, could have comprised a transfer of controlled technology that would have been subject to licensing requirements under the regime. The new Regulation applies more broadly, in line with EU competency for the provision of technical assistance involving a cross-border movement, and introduces a new wide definition of technical assistance to encourage consistent and effective implementation across Member States. The Regulation closes the gap where an exporter may be helping someone to use the items, but they are strictly speaking not providing controlled technology.
Technical assistance in the Regulation means “any technical support related to repairs, development, manufacture, assembly, testing, maintenance, or any other technical service, and may take forms such as instruction, advice, training, transmission of working knowledge or skills or consulting services, including by electronic means as well as by telephone or any other verbal forms of assistance.”
Under the new control in Article 8 of the Regulation, authorisation is required to provide technical assistance related to listed dual-use items where the exporter has been informed or is aware (or, if extended by Member States, where the exporter has grounds to suspect) that the dual-use items are, or may be intended to be used for prohibited military or WMD-related end-uses (as set out in Article 4(1)). Member States are given the option to extend this control to technical assistance relating to non-listed dual-use items. The controls are applied to “providers of technical assistance”, defined not only to capture (i) the provision of technical assistance by any party from within to outside the EU, but also (ii) the provision of technical assistance by EU resident/established natural or legal persons either within a third country or to a resident of a third country temporarily present in the EU.
There are several exceptions to this new control that largely follow the normal exceptions for dual use technology in the General Technology Note, such as the provision of public domain information, basic scientific research, and “minimum necessary” technology for the installation, operation, maintenance and repair of items exported under a licence. This new control will also not apply to supplies to destinations benefitting from general export authorisation EU001.
Cyber-surveillance and human rights
Another addition is a much discussed end-use control on cyber-surveillance items. During the Regulation’s legislative journey, there was significant debate on how wide-ranging this control should be, in order to ensure the appropriate balance between national security and human rights interests. The initial, broader proposals from the European Commission in 2016 have been materially watered down, and the parallel proposals for a new Annex of listed cyber surveillance items were not ultimately adopted. Instead, the new control covers unlisted (i.e., not otherwise controlled) cyber-surveillance items, defined as “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems“, where such items are intended for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. This definition captures a wide range of data gathering technologies and it will be important for competent authorities to establish guidance on how covert surveillance will be interpreted.
Notably, the recitals indicate that items used for purely commercial applications such as billing, marketing, quality services, user satisfaction or network security are generally considered not to entail the risks connected with cyber-surveillance items.
As for other end-use controls, the restrictions under the regime apply where the exporter has been informed by competent authorities or is aware that items are or may be intended for such an end-use. Member States are also given the option to extend this to cases where the exporter has grounds for suspecting that items are or may be for such an end-use. In addition, for the new end-use controls in respect of cyber-surveillance items, the Regulation provides that where exporters are aware of such an end-use according to their “due diligence findings”, they shall notify their relevant competent authority which may decide whether a licence is required; in turn, this may lead to Member States agreeing authorisation requirements for “essentially identical transactions”. The Regulation provides that guidance will be issued for exporters in respect of these new requirements.
National authorities will have significant leeway when interpreting “use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law”, which is not further defined or elaborated by the Regulation.
In practice, concerns are most likely to arise in relation to countries subject to internal repression controls under more recent EU sanctions programmes (such as Belarus, Venezuela, Myanmar and Iran), as well as other countries not subject to sanctions, but that are still of general concern for the EU due to concerns over perceived human rights abuses. However, it remains to be seen how this novel control will be applied in practice.
Expansion of unilateral Member State controls to include the prevention of acts of terrorism
Under the existing Dual-Use Regulation, Member States have had the power to impose their own unilateral controls on items not listed in Annex I to the Regulation “for reasons of public security, including the prevention of acts of terrorism, or for human rights considerations.” These measures may include the establishment of a national control list.
In practice, this control is subject to considerable Member State interpretation, so there may be significant divergence between national policies. However, the introduction of so-called “transmissible controls” (see below) aims to close the gap.
Building on the expansion in scope of unilateral Member State controls set out above, and following significant debate around the scope of the new controls in respect of cyber surveillance technologies, the Regulation also requires exporters to obtain a licence if:
- another EU Member State has adopted a unilateral control list; and
- the exporter has been informed by the competent authority (in the Member State where they are resident or established ) that the items that it is seeking to export may be intended for an end-use related to public security/human rights/terrorism concerns.
This is a significant change to the existing EU regime, under which unilateral controls apply only within the Member State that imposed them. Exporters will now need to be aware not only of the unilateral controls imposed by their Member State of establishment, but also those imposed elsewhere in the EU. The Commission will publish a compilation of national control lists notified to it by Member States, in all of the official languages of the EU.
In the short term, the widest practical impact of the Regulation will likely come from the introduction of the two new general export authorisations and the increased emphasis on ICPs and due diligence requirements. We expect many businesses will welcome the new authorisations, but it will be important for them to assess whether their internal processes and policies are up to scratch. In the longer term, particularly for those exporters in the technology sector, the expansion of national controls for public security and human rights purposes may have an increasing practical impact if member states make use of the powers to introduce these controls and extend their effect across the EU.
The Regulation implements many of the modernisations discussed for technical assistance, end uses and cyber surveillance and serves as an important shift for EU exporters. This will require thorough consideration to identify the impacts of each of the changes, and the actions that exporters need to take in response.