In approximately one month, the next round of changes to the EU Dual-Use list will take effect.

On 17 October 2019, the European Commission adopted a delegated Regulation updating Annex I to Regulation 428/2009 (the “Dual-Use List”). The update is not yet in force, but is currently halfway through a two month period during which the European Parliament or Council can raise any objections to the proposed changes. Once this two month period has lapsed in mid-December, or earlier if the Parliament and Council confirm to the Commission that they have no objections, the Regulation will be published in the Official Journal and will take effect the following day.

An overview of the proposed changes is provided in the comprehensive change note summary, which can be accessed here, and the full text can be accessed here.

Of particular interest from these changes are the amendments to Category 5 part 2. These amendments are aimed at making the associated control entries more user friendly. The key changes to note are as follows:

  • There is a new decontrol note for ‘information security’ items that are specially designed for a “connected civil industry application”, covering certain network-capable endpoint devices limited to network connected consumer or civil industry applications other than “information security”, digital communication, general purpose networking or computing, and also covering certain networking equipment specially designed to communicate with such devices. Additional parameters also apply governing the cryptographic functionality and the standards implemented, which items must satisfy in order to quality for this decontrol.
  • The defined term “described security algorithm” replaces the references to key length strength thresholds in the main control text. The existing strength thresholds for symmetric and asymmetric algorithms are kept in the new definition, along with alternative new criteria for certain quantum-resistant asymmetric algorithms.
  • The new threshold for quantum-resistant cryptography includes algorithms where the security is based on:
    • Shortest vector or closest vector problems associated with lattices (e.g., NewHope, Frodo, NTRUEncrypt, Kyber, Titanium);
    • Finding isogenies between Supersingular elliptic curves (e.g., Supersingular Isogeny Key Encapsulation); or
    • Decoding random codes (e.g., McEliece, Niederreiter).
  • The definition of cryptographic activation remains unchanged but the controls for software and technology converting or enabling controlled cryptographic functionality has been rewritten using a local definition of a ”cryptographic activation token”, to make it clearer what kinds of software and technology are liable to be caught by these controls.

Limited substantive changes are also made to Categories 1, 2, 3, 6, 8 and 9 (although minor and editorial changes are made to other Categories).

This month the European Commission also published its latest annual report covering the implementation of the Dual-Use regime in 2018, and including aggregated export data for 2017. This notes changes to national implementing export control legislation – chiefly the measures introduced in Italy in 2017 and in Luxembourg in 2018, as well as referencing guidance on cloud exports issued by the Netherlands authority in 2018.

Other key statistics and trends from the report include:

  • There were 120 breaches of export control regulations recorded in 2017, with 130 administrative penalties and 2 criminal penalties applied by national law enforcement authorities.
  • Around 25600 single export licenses were issued in 2017, with approximately 631 denials during the same period.
  • Within these licence applications, an increasing trend is observed since 2014 in licensing applications for cyber-surveillance items (including 5A001.f 5A001.j 4A005, 4D004, 4E001). In 2017, the most recent year for which aggregate figures are reported, 285 of these licenses were awarded, whilst 34 were denied.

The full annual report can be accessed here.