IT Law and Data Protection20.11.2020 Newsletter

Agreement on a new Dual-use Regulation

On 9 November 2020, the European Council and the European Parliament agreed on new regulations for the control of exports, brokering, technical assistance, transit and transfer of dual-use items. Since the Dual-use Regulation came into force in 2009, it has already been amended several times. The list of controlled items was adjusted annually. As early as in 2016, it became clear that the existing regulation would have to be adapted to the rapid technological, economic and political changes. After years of discussions by the EU Council and EU Parliament, an amendment to the Dual-use Regulation is now within reach. The final draft of this agreement has now been published.

Most important innovations

The planned amendments focus in particular on cyber-surveillance technologies, a flexible adaptation of the annexes to the Dual-use Regulation, the optimisation of the authorisation and control system as well as a revision of the basic definitions:

Cyber-surveillance technologies

The draft provides for the special control of dual-use items that are designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunications systems (cyber-surveillance technologies).

Besides the items already listed today (mainly in category 5) in this area and the existing catch-all clause of Art. 4 Dual-use Regulation, a special catch-all clause is to be introduced for such items. An export of cyber-surveillance technology becomes subject to authorisation if the exporter becomes aware (by being informed by the Federal Office for Economic Affairs and Export Control [Bundesamt für Wirtschaft und Ausfuhrkontrolle, BAFA] or by third parties) that the product in question is or could be used for internal repression purposes and/or to commit serious violations of international human rights and humanitarian law. The national customs authorities and EU member states also have to be informed in this case. The latter then have up to 30 working days to check the information and, if necessary, to raise any objections to the export. Thus, the draft fits into the existing control system within the framework of a catch-all. In particular, under the current draft, companies are not solely responsible for making an assessment of the human rights situation.

According to the draft, a particular risk of violations of human rights exists in cases where cyber-surveillance technologies are specifically designed to carry out, inter alia, the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data, including biometric data, from these systems. Here, the legislator recognises that items used for purely commercial applications such as billing, marketing, quality services, user satisfaction, network security, etc., are generally not subject to such risks.

The draft no longer provides for a separate, new category 10 for cyber-surveillance technology items. The EU member states undertake to exchange information in order to strengthen effective controls of the export of non-listed cyber-surveillance goods. 

Moreover, the member states are empowered to impose national authorisation obligations for sensitive cyber-surveillance technologies.

Flexible adaptation of the annexes

The legislator is to be able to react quickly to a serious misuse of existing technologies or to new risks associated with emerging technologies. To this end, the competence to revise the lists of controlled items (Annex I of the Dual-use Regulation), the General Export Authorisations (Annex II) and the intra-European controlled items (Annex IV) is being transferred to the EU Commission.

In addition, a system for the exchange of information between Member States is going to be set up to enable them to coordinate their reactions when a new risk is identified.

Optimisation of the authorisation and control system

The draft provides for the establishment of a common export control network throughout the Union. This includes, for example, electronic authorisation procedures, technical expert groups and the establishment of a mechanism to coordinate enforcement. Exporters, brokers, suppliers of technical assistance and other relevant players affected by the Regulation, including industry and civil society organisations, are to be regularly consulted in this context.

The conditions and requirements for authorisations are to be harmonised in order to avoid distortions of competition and to ensure the uniform and effective execution of controls throughout the customs territory of the Union. However, the new draft does not create any obligation for Member States insofar, as was foreseen in the Commission's original draft. It merely provides that the Commission, in cooperation with the Member States, can develop guidelines to support cooperation across the authorities between the licensing and customs authorities. 

The draft also provides for further EU General Export Authorisations, in particular for

  • the export of encryption technologies,
  • the intra-grouptransfer of software and technology and
  • exports for the purpose of specific large projects.

In particular, the General Export Authorisation for intra-group technology transfer is likely to gain considerably in practical importance. 

In Germany, companies have been implementing so-called Internal Compliance Programs (ICP) for years: the BAFA requires this, inter alia, when an application for a global export authorisation (Sammelgenehmigung) is filed. However, the draft now foresees that all Member States should adopt corresponding guidelines for ICPs. Here, too, the draft aims at a practice-oriented solution: it explicitly stipulates that the guidelines should also take into account the differences in the size, resources, areas of activity and other characteristics of exporters, such as internal group structures and compliance standards. There specifically cannot be a "one solution fits all". This is also recognised in the draft.

Such a guideline already exists in Germany in the form of the BAFA's Information Leaflet on Internal Compliance Programs (ICP) [Merkblatt des BAFA zur Firmeninternen Exportkontrolle]. Amendments by the BAFA on the basis of the Regulation are unlikely, as the Information Leaflet already states that there is no "boiler plate" ICP. Depending on the size, business area and customer portfolio of a company, a risk or impact analysis must be used to determine which individual requirements are to be met by the ICP (Information Leaflet, page 11).

Revision of basic definitions

A final substantial change introduced by the draft is a revision of basic definitions.

The definition of exporter clarifies that this also covers persons available in an electronic form software and technology to legal or natural persons or partnerships outside the customs territory of the Union.

Additionally, definitions have been included for:

  • technical assistance
  • supplier of technical assistance
  • Cyber-surveillance items
  • large project authorisations
  • Union general export authorisation
  • internal compliance program (ICP) and
  • essentially identical transaction.

Next steps

The agreement will be submitted to the EU ambassadors for endorsement. Parliament and Council will subsequently be requested to adopt the draft at first reading. The EU Commission expects to publish the final version in spring 2021, which means that the new Regulation could come into force in summer 2021.

Back to list