As from September 9, 2021, Regulation (EU) 2021/821 (EU Dual-Use Regulation Recast) replaces the existing Council Regulation (EC) 428/2009 setting up the European Union (EU) regime for the control of exports, transfer, brokering, and transit of “dual-use” items (EU Dual-Use Regulation). Dual-use items are sensitive goods, services, software, and technology that can be used for both civil and military purposes.
Among others, the EU Dual-Use Regulation Recast introduces: new controls, including on technical assistance and export of cyber-surveillance items; new types of export authorizations (licenses); and a requirement for businesses to maintain appropriate internal compliance programs, as a condition for obtaining certain authorizations.
The EU Dual-Use Regulation Recast has significant implications for businesses dealing in dual-use items. Businesses should assess the potential impact of the new EU rules on their operations and revise their internal compliance policy and procedures accordingly.
Background
The EU Dual-Use Regulation regulates exports outside the EU, transfers inside the EU, transit through the EU, and brokering from the EU of certain sensitive goods, services, software, and technology (referred to as “items”) that are considered “dual-use” because they can be used for both civil and military purposes. As discussed in our Client Update of December 2020, the European Commission (Commission) first published in 2016 a proposal for a revised EU Dual-Use Regulation (in force since 2009). The EU Dual-Use Regulation Recast is the compromise resulting from the EU legislative process, which also involved the EU Council and the European Parliament.
Key changes
1. New controls for cybersurveillance items. The EU Dual-Use Regulation Recast introduces a new authorization requirement for exports from the EU of cybersurveillance items that are or may be intended for use in connection with internal repression or the commission of serious violations of human rights and international humanitarian law.
Businesses need to conduct due diligence to verify whether covered cybersurveillance items may be implicated in the mentioned restricted end uses. Notably, contrary to the Commission’s initial proposal, the EU Dual-Use Regulation Recast does not specify controlled cybersurveillance items. It merely defines them as “items specially designed to enable the covert surveillance of individuals by monitoring, extracting, collecting or analyzing data from information and telecommunication systems.” At an initial stage, businesses therefore need to self-assess whether their items may fall within the definition.
The Commission is expected to publish an “EU Watch List” including all cybersurveillance items that EU Member States will deem controlled pursuant to this provision so as to consolidate and provide guidance on covered items.
2. Strengthened public security and human rights controls. Under the previous rules, EU Member States could prohibit or introduce an authorization requirement for the export of items that were not otherwise controlled, because they were not listed on Annex I of the EU Dual-Use Regulation, on grounds of public security or human rights. The EU Dual-Use Regulation Recast expands such provision to expressly allow EU Member States to impose export restrictions to prevent acts of terrorism.
The EU Dual-Use Regulation Recast makes controls pursuant to this provision “transmissible.” In case an EU Member State restricts an item identified on its national control list on grounds of public security or human rights concerns, or to prevent acts of terrorism, other EU Member States may restrict the export of such item on the basis of its inclusion in the national list of the other EU Member State, provided the exporter is duly informed in advance by the competent authority.
3. Revised definitions of exporter and broker. Export and brokering controls are applied primarily to operators established in the EU, that are EU residents or entities incorporated in EU Member States.
The EU Dual-Use Regulation Recast clarifies that EU export controls apply now to dual-use items exported from the EU territory not only by operators established in the EU, but also by operators not established in the EU if the items to be exported are located in the EU.
Similarly, brokering controls (broadly, controls on activities enabling sales of controlled items from a non-EU country to another non-EU country) are triggered any time an operator (whether established or not in the EU) provides brokering services from the EU territory into the territory of a non-EU country.
4. Expanded brokering controls. Previous rules provided only for limited brokering controls. The EU Dual-Use Regulation Recast expands the scope of brokering controls to cover the provision of brokering services supplied from the EU in relation to dual-use items listed in Annex I of the EU Dual-Use Regulation Recast that are intended for:
a. uses in connection with chemical, biological, or nuclear weapons, or other nuclear explosive devices or missiles capable of delivering such weapons (so called ‘WMD end use’).
b. military end uses in an embargoed country (so called ‘military end use’).
c. uses as parts or components of military items exported without authorization or in breach of an authorization.
EU Member States can further extend brokering controls to non-listed items intended for any of the foregoing end uses. This is an expansion of the previous brokering controls, which were limited only to instances where listed items were intended for WMD end use, while allowing EU Member States to apply controls in relation to listed items intended for military end use and non-listed items for WMD end use.
5. New controls on technical assistance. Technical assistance refers to any technical support related to repairs, development, manufacture, assembly, testing, maintenance, or any other technical service. The EU previously lacked harmonized controls on technical assistance, though certain EU Member States applied national restrictions.
The EU Dual-Use Regulation Recast introduces harmonized controls on technical assistance provided from the EU or by EU residents or entities established in the EU but acting in a third country. Controls specifically apply to the provision of technical assistance in relation to listed dual-use items intended for any of the end uses identified under point 4, above — that is (a) WMD end use, (b) military end use, or (c) uses as parts or components of military items exported without authorization or in breach of an authorization. EU Member States can further extend technical assistance controls to non-listed items intended for any of the foregoing end uses.
6. New export authorizations. Under the previous rules, businesses could request
authorizations to carry out controlled activities from competent national authorities. At the EU level, there are three main categories of authorizations:
a. General export authorizations — for which exporters must register without going through a formal application process and that authorize multiple transactions relating to multiple items destined to multiple end users in multiple countries under certain conditions.
b. Global authorizations — for which exporters must apply and that authorize multiple transactions relating to multiple items destined to multiple end users in (potentially) multiple countries.
c. Individual authorizations — for which exporters must apply and that authorize a single transaction relating to one or more items destined to a specified end user or consignee in a specific third country.
The EU Dual-Use Regulation Recast introduces new EU-wide authorizations, including (i) a large project authorization for exports aimed to a specified large-scale project, which can take the form of a global or an individual authorization, and (ii) two new general export authorizations, one for intragroup exports of software and technology to certain destinations (e.g., Brazil, India, Morocco, Philippines, Singapore, South Africa, South Korea) and one for transfers of encryption technology to non-EU countries with some exceptions (e.g., countries subject to an arms embargo).
7. Enhanced compliance obligations. The EU Dual-Use Regulation Recast extends recordkeeping obligations from three to five years for documentation relating to exports or the provision of brokering services or technical assistance (the obligation for intra-EU transfers remains three years).
More important, the EU Dual-Use Regulation Recast urges businesses to adopt and implement internal compliance programs to ensure compliance with relevant export control rules. In particular, internal compliance programs become an essential prerequisite for businesses to be able to apply for global authorizations.
8. Reinforced enforcement action. The EU Dual-Use Regulation Recast attempts to strengthen coordination among national authorities that are responsible for implementation and enforcement of EU export control rules, and overall to improve enforcement of EU controls on dual-use items. To this end, the EU Dual-Use Regulation Recast sets up the Dual-Use Coordination Group (chaired by the Commission and composed of EU Member State representatives) to discuss and monitor issues relating to the application of the EU Dual-Use Regulation Recast. The Dual-Use Coordination Group shall also set up an enforcement coordination mechanism for consultation and information exchange among competent authorities and enforcement agencies.
Despite the foregoing enforcement efforts, the EU Dual-Use Regulation Recast fails to include a non-circumvention clause. Such clause was initially provided in the Commission’s proposal, and is found in most EU sanctions regulations to ensure effective application and compliance with relevant rules.
Conclusion
The EU Dual-Use Regulation Recast confirms the EU’s commitment to implement broad controls on dual-use items. To some extent, it falls short of securing effective, harmonized rules within the EU. Among others, the scope of the newly introduced cybersurveillance controls remains ambiguous; EU Member States retain discretion in the adoption of (divergent) national rules; and enforcement has been reinforced only to a limited extent.
This notwithstanding, the EU Dual-Use Regulation Recast undisputedly expands EU controls and is expected to have significant implications for businesses dealing in dual-use items. Businesses should assess the potential impact of the new EU rules on their operations, and revise their internal compliance policy and procedures accordingly.
The EU Dual-Use Regulation Recast has significant implications for businesses dealing in dual-use items. Businesses should assess the potential impact of the new EU rules on their operations and revise their internal compliance policy and procedures accordingly.
Background
The EU Dual-Use Regulation regulates exports outside the EU, transfers inside the EU, transit through the EU, and brokering from the EU of certain sensitive goods, services, software, and technology (referred to as “items”) that are considered “dual-use” because they can be used for both civil and military purposes. As discussed in our Client Update of December 2020, the European Commission (Commission) first published in 2016 a proposal for a revised EU Dual-Use Regulation (in force since 2009). The EU Dual-Use Regulation Recast is the compromise resulting from the EU legislative process, which also involved the EU Council and the European Parliament.
Key changes
1. New controls for cybersurveillance items. The EU Dual-Use Regulation Recast introduces a new authorization requirement for exports from the EU of cybersurveillance items that are or may be intended for use in connection with internal repression or the commission of serious violations of human rights and international humanitarian law.
Businesses need to conduct due diligence to verify whether covered cybersurveillance items may be implicated in the mentioned restricted end uses. Notably, contrary to the Commission’s initial proposal, the EU Dual-Use Regulation Recast does not specify controlled cybersurveillance items. It merely defines them as “items specially designed to enable the covert surveillance of individuals by monitoring, extracting, collecting or analyzing data from information and telecommunication systems.” At an initial stage, businesses therefore need to self-assess whether their items may fall within the definition.
The Commission is expected to publish an “EU Watch List” including all cybersurveillance items that EU Member States will deem controlled pursuant to this provision so as to consolidate and provide guidance on covered items.
2. Strengthened public security and human rights controls. Under the previous rules, EU Member States could prohibit or introduce an authorization requirement for the export of items that were not otherwise controlled, because they were not listed on Annex I of the EU Dual-Use Regulation, on grounds of public security or human rights. The EU Dual-Use Regulation Recast expands such provision to expressly allow EU Member States to impose export restrictions to prevent acts of terrorism.
The EU Dual-Use Regulation Recast makes controls pursuant to this provision “transmissible.” In case an EU Member State restricts an item identified on its national control list on grounds of public security or human rights concerns, or to prevent acts of terrorism, other EU Member States may restrict the export of such item on the basis of its inclusion in the national list of the other EU Member State, provided the exporter is duly informed in advance by the competent authority.
3. Revised definitions of exporter and broker. Export and brokering controls are applied primarily to operators established in the EU, that are EU residents or entities incorporated in EU Member States.
The EU Dual-Use Regulation Recast clarifies that EU export controls apply now to dual-use items exported from the EU territory not only by operators established in the EU, but also by operators not established in the EU if the items to be exported are located in the EU.
Similarly, brokering controls (broadly, controls on activities enabling sales of controlled items from a non-EU country to another non-EU country) are triggered any time an operator (whether established or not in the EU) provides brokering services from the EU territory into the territory of a non-EU country.
4. Expanded brokering controls. Previous rules provided only for limited brokering controls. The EU Dual-Use Regulation Recast expands the scope of brokering controls to cover the provision of brokering services supplied from the EU in relation to dual-use items listed in Annex I of the EU Dual-Use Regulation Recast that are intended for:
a. uses in connection with chemical, biological, or nuclear weapons, or other nuclear explosive devices or missiles capable of delivering such weapons (so called ‘WMD end use’).
b. military end uses in an embargoed country (so called ‘military end use’).
c. uses as parts or components of military items exported without authorization or in breach of an authorization.
EU Member States can further extend brokering controls to non-listed items intended for any of the foregoing end uses. This is an expansion of the previous brokering controls, which were limited only to instances where listed items were intended for WMD end use, while allowing EU Member States to apply controls in relation to listed items intended for military end use and non-listed items for WMD end use.
5. New controls on technical assistance. Technical assistance refers to any technical support related to repairs, development, manufacture, assembly, testing, maintenance, or any other technical service. The EU previously lacked harmonized controls on technical assistance, though certain EU Member States applied national restrictions.
The EU Dual-Use Regulation Recast introduces harmonized controls on technical assistance provided from the EU or by EU residents or entities established in the EU but acting in a third country. Controls specifically apply to the provision of technical assistance in relation to listed dual-use items intended for any of the end uses identified under point 4, above — that is (a) WMD end use, (b) military end use, or (c) uses as parts or components of military items exported without authorization or in breach of an authorization. EU Member States can further extend technical assistance controls to non-listed items intended for any of the foregoing end uses.
6. New export authorizations. Under the previous rules, businesses could request
authorizations to carry out controlled activities from competent national authorities. At the EU level, there are three main categories of authorizations:
a. General export authorizations — for which exporters must register without going through a formal application process and that authorize multiple transactions relating to multiple items destined to multiple end users in multiple countries under certain conditions.
b. Global authorizations — for which exporters must apply and that authorize multiple transactions relating to multiple items destined to multiple end users in (potentially) multiple countries.
c. Individual authorizations — for which exporters must apply and that authorize a single transaction relating to one or more items destined to a specified end user or consignee in a specific third country.
The EU Dual-Use Regulation Recast introduces new EU-wide authorizations, including (i) a large project authorization for exports aimed to a specified large-scale project, which can take the form of a global or an individual authorization, and (ii) two new general export authorizations, one for intragroup exports of software and technology to certain destinations (e.g., Brazil, India, Morocco, Philippines, Singapore, South Africa, South Korea) and one for transfers of encryption technology to non-EU countries with some exceptions (e.g., countries subject to an arms embargo).
7. Enhanced compliance obligations. The EU Dual-Use Regulation Recast extends recordkeeping obligations from three to five years for documentation relating to exports or the provision of brokering services or technical assistance (the obligation for intra-EU transfers remains three years).
More important, the EU Dual-Use Regulation Recast urges businesses to adopt and implement internal compliance programs to ensure compliance with relevant export control rules. In particular, internal compliance programs become an essential prerequisite for businesses to be able to apply for global authorizations.
8. Reinforced enforcement action. The EU Dual-Use Regulation Recast attempts to strengthen coordination among national authorities that are responsible for implementation and enforcement of EU export control rules, and overall to improve enforcement of EU controls on dual-use items. To this end, the EU Dual-Use Regulation Recast sets up the Dual-Use Coordination Group (chaired by the Commission and composed of EU Member State representatives) to discuss and monitor issues relating to the application of the EU Dual-Use Regulation Recast. The Dual-Use Coordination Group shall also set up an enforcement coordination mechanism for consultation and information exchange among competent authorities and enforcement agencies.
Despite the foregoing enforcement efforts, the EU Dual-Use Regulation Recast fails to include a non-circumvention clause. Such clause was initially provided in the Commission’s proposal, and is found in most EU sanctions regulations to ensure effective application and compliance with relevant rules.
Conclusion
The EU Dual-Use Regulation Recast confirms the EU’s commitment to implement broad controls on dual-use items. To some extent, it falls short of securing effective, harmonized rules within the EU. Among others, the scope of the newly introduced cybersurveillance controls remains ambiguous; EU Member States retain discretion in the adoption of (divergent) national rules; and enforcement has been reinforced only to a limited extent.
This notwithstanding, the EU Dual-Use Regulation Recast undisputedly expands EU controls and is expected to have significant implications for businesses dealing in dual-use items. Businesses should assess the potential impact of the new EU rules on their operations, and revise their internal compliance policy and procedures accordingly.
Attorney Advertising—Sidley Austin LLP is a global law firm. Our addresses and contact information can be found at www.sidley.com/en/locations/offices.
Sidley provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships as explained at www.sidley.com/disclaimer.
© Sidley Austin LLP