On 9 September 2021, twelve years after the entry into force of Regulation 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items (the “Dual-Use Regulation”) the EU legal framework for export controls will be significantly upgraded.
Below we outline the main features of the upgrade and provide a glimpse of how the treatment of dual-use items will be updated with the entry into force of the new Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (the “Recast”)
I. A much-anticipated revision
Due to their nature, dual-use items (i.e. items, including software and technology, which can be used for both civil and military purposes) are goods the export, transfer, brokering or transit of which must be particularly monitored and regulated. In 2013, a Commission report indicated that the EU’s export control system had a solid legal and institutional foundation, but that it could not remain static: it needed to be upgraded to meet the new challenges posed to global security and human rights by the rapidly evolving technological developments such as, in particular, cyber-surveillance and emerging technologies.
In addition, economic operators and competent national authorities had been struggling with a lack of guidance on the interpretation of the Dual-Use Regulation, leading to divergent interpretation and the risk of distorting competition within the EU.
II. Main features
The Recast not only aims to update and extend the export control mechanisms and means of the EU, but also to improve transparency through reinforcing information exchange and creating a level playing field of export controls between Member States.
Within this framework, the Recast offers a number of changes and improvements that are worth noting:
a. New definitions
‘Dual-use items’: the definition of the central notion of dual-use items has been extended by expressly including any items that can be used for the “design, development, production or use of nuclear, chemical or biological weapons” within the scope of dual-use items.
- ‘Exporter’: the scope of the definition of exporter is more detailed and ensures that there is a link between the person liable to observe dual-use obligations and the EU customs territory. The definition now includes natural persons carrying dual-use items in their personal baggage and it also extends to a legal or natural person or partnership that decides to make dual-use software or technology available by any other electronic means than electronic media or in an electronic form outside the customs territory of the Union.
- ‘Broker’: this notion has been broadened. A broker is now any natural or legal person or any partnership that provides brokering services from the customs territory of the Union into the territory of a third country. The additional criterion of residence or establishment in the EU, which was part of the definition used in the Dual-Use Regulation, has been dropped: only the activity that is carried out is to be taken into account.
- ‘Arms embargo’: is now specifically defined in the Recast as an arms embargo imposed by a decision or a common position adopted by the Council or a decision of the Organisation for Security and Cooperation in Europe (OSCE) or an arms embargo imposed by a binding resolution of the Security Council of the United Nations. This description is not a novelty and it actually comes from the Dual-Use Regulation where it is used not as a formal definition but in the catch-all clause (Article 4(2)).
- ‘Internal Compliance Program’ or ‘ICP’: means ongoing effective, appropriate, and proportionate policies and procedures adopted by exporters to facilitate compliance with the provisions and objectives of the [Recast] and with the terms and conditions of the authorizations implemented under [it], including, inter alia, due diligence measures assessing risks related to the export of the items to end-users and end-uses. The Dual-Use Regulation lacks a definition of ICP which will be a mandatory requirement under the Recast for obtaining a global export authorization unless the competent authority considers this unnecessary.
- ‘Cyber-surveillance items’: this crucial notion which is central to a new catch-all provision, is defined as dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data, including biometrics data, from information and telecommunication systems.
The Recast (Article 5) introduces a catch-all authorization requirement for the export of cyber-surveillance items not listed in Annex I if the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law. This new control aims to combat the risk that cyber-surveillance items exported from the EU may be misused by persons complicit in or responsible for directing or perpetrating such crimes. The concept of ‘serious violations’ has not been defined and it will require guidance for the purpose of effective control.
Where an exporter is aware, according to its due diligence findings, that any cyber-surveillance items that it proposes to export are intended for any of the uses as set out above, the exporter shall notify the competent authority which shall then decide whether or not to subject the export concerned to an authorization requirement. Exporters dealing with cyber-surveillance items, therefore, have an obligation to implement due diligence enabling them to assess the risk of abuse of such items. Again, guidance will be required regarding the nature and requirements of the due diligence if this obligation is to be effective.
Member States may adopt national legislation imposing an authorization requirement for the export of non-listed cyber-surveillance items if the exporter is not so much aware of but has grounds for suspecting that the cyber-surveillance items it proposes to export are intended for any of the uses as set out above.
The Recast sets up a coordination mechanism in this regard. A Member State which imposes an authorization requirement shall immediately inform its customs authorities and other relevant national authorities and shall provide the other Member States and the Commission with relevant information on the authorization requirement in question. This information duty, however, is not a blanket obligation, because a Member State may desist from sharing information if it considers that this is not appropriate in light of the nature of the transaction or the sensitivity of the information concerned.
c. Human rights
The Recast (Article 9) entitles Members States to impose an authorization requirement on the export of non-listed dual-use items for reasons of public security, including the prevention of acts of terrorism, or for human rights considerations. The Recast foresees in a potential cross-border effect in this regard: if a Member State lists dual-use items on a national control list and this list has been published in the Official Journal, this may also result in an authorization requirement in other Member States if the competent authority has informed the exporter that the export of the items is of concern for reasons of public security or with respect to human rights.
d. Technical assistance
Whereas the Dual-Use Regulation already captures and controls ‘technical assistance’ as an aspect of ‘technology’, the Recast (Article 8) essentially extends the scope of control of technical assistance. Accordingly, the Recast determines that an authorization shall be required for the provision of technical assistance related to any dual-use item listed in Annex I if the provider of such assistance has been informed by the competent authority that the items in question may be intended for a prohibited end-use (Article 4). Member States may extend this authorization requirement to non-listed dual-use items. Where the provider of technical assistance is aware that the items in question may be intended for a prohibited end-use, the provider shall notify the competent authority which shall decide whether or not to subject the technical assistance to an authorization. In addition, a Member State may maintain or adopt national legislation imposing an authorization requirement on the provision of technical assistance where the provider of the assistance has grounds for suspecting that the items are intended for a prohibited end-use.
Companies should take note that certain types of technical assistance are exempted from control, including technical assistance that (i) is provided within or into the territory of certain listed countries or towards residents of such countries, (ii) takes the form of transferring information that is in the public domain or basic scientific research, or (iii) is the minimum necessary for the installation, operation, maintenance (checking) of items for which an export authorization has been issued.
It is also worth noting that technical assistance controls, through the definition of ‘provider of technical assistance’, have been broadened by the Recast to encompass the situation in which the assistance is provided to a resident of a third country temporarily present in the customs territory of the EU. Providers of technical assistance should therefore consider how they can determine whether the recipient of the assistance is not an EU resident (and, indeed, how to collect and process the information received in accordance with EU data protection legislation). As a matter of fact, this change introduces the US concept of ‘deemed export’ into EU export controls.
e. EU007, EU008, and LPA
The Recast introduces two new types of union general export authorizations (UGEAs): one UGEA for intra-group export of software and technology (EU007, Annex IIG) and one UGEA for encryption items (EU008, Annex IIH). The aim of these UEGAs is to further facilitate trade while at the same time ensuring a sufficient level of security by means of robust control measures through registration, notification, reporting, and auditing.
EU007 is available for the majority of dual-use items of Annex I, except for those listed in Section I of Annex I and certain technology and software related to intrusion software, mobile telecommunications interception or jamming equipment (including monitoring equipment therefor), and IP network communications surveillance systems or equipment. This UGEA covers a limited number of 16 destinations. Exporters intending to use the EU007 shall implement an Internal Compliance Program. Furthermore, the use of EU007 is subject to a number of conditions and requirements, including the requirement of (continued) control of ‘subsidiaries’ and ‘sister companies’ as defined in Part 3 of the UGEA, which exporters should carefuly note.
EU008 covers Category 5 encryption items as listed in Part 1 thereof, provided that such items have not been earmarked for storing classified information or for protective national security purposes as described in Part 1. It is valid for exports to all destinations except, as provided for in Part 2, to (i) the destinations eligible for export under EU001, (ii) certain sensitive destinations and (iii) destinations subject to an arms embargo or restrictive measures of the EU applicable to dual-use items. Again, the use of the EU008 is subject to a number of conditions and requirements that exporters should carefully take not of.
In addition to UGEA EU007 and EU008, the Recast introduces the notion of a Large Project Authorization (LPA) which can be either an individual or a global licence. Accordingly, Member State authorities may grant an LPA to one specific exporter, regarding a specific type or category of dual-use items, valid for exports to one or more specified end-users in one or more specified third countries.
f. Framework for enhanced EU cooperation
As with the new coordination mechanism introduced for cyber-surveillance (see above), the Recast will establish a general framework aimed at enhancing the exchange of dual-use information between Member States’ competent authorities and enforcement bodies and at improving direct cooperation. Member States inter alia will have to inform the Commission without delay of the laws, regulations and administrative provisions adopted to implement dual-use regulations.
In order to enhance the exchange of information and cooperation between Member States’ administrations and, where applicable, the Commission, a Dual-Use Coordination Group will be set up. In addition, the Commission will be required to make available additional guidelines and/or recommendations for best practices regarding dual-use and to submit each year a report which will have to include dual-use data concerning licensing, the execution of controls, the number of infringements and sanctions, etc.
The Recast will introduce both conceptual and institutional reform which makes it difficult to comment on its future reception and practical implementation. Nevertheless, some basic observations are possible.
First, the Recast lays the foundations for a reinvigorated system of control measures that – at least in potential – seems up to the job of meeting the challenges of the new technological developments, such as the emerging trade in cyber-surveillance technology, and the threat to human rights and international security they pose. It appears that the new controls in combination with the framework of enhanced cooperation can provide the backbone and flexibility that is required of a future system of effective export controls.
Secondly, while the Recast seems to provide the toolkit that is necessary for its own effective implementation, the sweeping nature of the reforms it introduces raises questions about their practical feasibility. In this regard, in particular the new framework of enhanced cooperation, appears to be so ambitious that it justifies the question whether EU Member States across the board, as well as the institutions of the EU, are capable (and willing) to deal with the administrative burden it creates.
Thirdly, considering that the ever-increasing pace of the development and dissemination of new technologies can only be effectively controlled if backed by a close cooperation between the regulatory authorities and the industry, the Recast seems to be a missed opportunity. Instead of the well-construed plan to create the absolutely vital dialogue between EU and EU Member State institutions on the one hand and research and academia on the other, the Recast only seems to offer a rudimentary idea involving unspecified initiatives by the Dual-Use Coordination Group and ‘technical expert groups’. This is a failure that could very well seal the fate of the Recast.