An Overview of the Recast EU Dual Use Regulation

An Overview of the Recast EU Dual Use Regulation

September 21, 2021, Covington Alert

Introduction

On September 9^th, 2021, the EU’s recast of the Dual-Use Regulation (Council Regulation No. 2021/821, hereinafter the “Regulation”) entered into force. The recast represents the culmination of five years of consultation at the EU, leading to the formal endorsement of the revised text to the Regulation by the European Council in May 2021. The Regulation replaces the previous EU dual use regulation, Council Regulation (EC) 428/2009. 

The new Regulation represents the most significant change to the EU dual-use regulatory framework since the prior dual-use regulation was implemented in 2009. However, while early discussions concerning the recast involved wide-ranging proposals to introduce new EU export controls, the Regulation ultimately represents a more modest evolution in those controls. The Regulation does not include new categories of products subject to dual-use licensing requirements in the EU Dual-Use List (Annex I to the Regulation), and most of the key definitions and licensing frameworks from the prior regulation have been carried over with limited changes. The new Regulation does, however, introduce notable new controls in specific areas – this alert summarizes those key changes.

Article 5 of the Regulation introduces new export controls for “cyber-surveillance items,” which the Regulation defines in general terms as “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems.” The Regulation provides limited guidance on the new cyber-surveillance definition, noting only that the definition generally should not capture items for purely commercial applications such as billing, marketing, quality services, user satisfaction, or network security.

The Regulation does not include new Dual Use List entries for cyber-surveillance items. Rather, it imposes a catch-all licensing requirement for items meeting the above definition if an exporter has been informed by a competent EU Member State export controls authority that the items in question are or may be intended for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.  Separately, if an exporter is “aware,” including on the basis of its “due diligence findings,” that non-listed cyber-surveillance items are intended for the foregoing end uses, the exporter is affirmatively required to notify the competent Member State authority, and the authority will then determine on a case-by-case basis whether the export will require licensing. The Regulation also provides Member States with authority to extend this requirement to circumstances where an exporter merely has “grounds for suspecting” that cyber-surveillance items may be intended for the foregoing restricted end uses.

The new cyber-surveillance catch-all controls draw from standards in pre-existing dual-use catch all provisions, set forth in Article 4 of the Regulation, with regard to military end uses in jurisdictions subject to arms embargoes and end uses relating to weapons of mass destruction.  Article 5 does not, therefore, break entirely new ground, but it extends EU catch-all controls to the subject of cyber-surveillance goods, software, and technology. By referring expressly to the exporter’s “due diligence findings,” the Regulation states an expectation that EU parties that export cyber-surveillance items will implement internal compliance controls to detect potential restricted end uses in connection with those exports. (The “due diligence” standard does not appear in the pre-existing Article 4 catch-all controls. However, that is unlikely to emerge as an important distinction in practice – in implementing Article 4 historically, EU export controls authorities have generally held an expectation that exporters involved in military and/or WMD-related activities would exercise reasonable due diligence to comply with the broader requirements of Article 4.)

The Regulation also includes provisions, set forth in Article 5, to facilitate coordination between Member States with regard to the implementation of the new cyber-surveillance controls. In particular, Member States that impose case-by-case licensing requirements on cyber-surveillance items must notify the other Member States and the Commission. In the event that all Member States impose materially the same controls on the same cyber-surveillance items, Article 5 requires the Commission to publish those controls, together with any specific destinations subject to licensing requirements for the items in question. As such, Article 5 seeks to promote coordination among the Member States in imposing new cyber-surveillance controls; however, the Regulation leaves ample room for potential divergences to arise, among individual Member States, in practice in implementing those controls. 

The Regulation introduces, at Article 8, new controls for the provision of technical assistance related to listed dual-use items (i.e., items set forth in Annex I to the Regulation) if the items in question may be intended for uses listed in the catch-all clause pursuant to Article 4. Although the new “technical assistance” restriction represents, on its face, a substantive expansion of the Article 4 catch-all controls, this new measure may prove to offer limited new ground for new controls in practice. While Article 4 previously was not subject to an explicit “technical assistance” restriction, exports of “technology” for end uses set out in Article 4 were already subject to controls, and the definition of “technology” included “technical assistance.” As such, it is expected that much of what is captured in the new “technical assistance” controls would already have been caught under pre-existing “technology”-related export restrictions.

Notably, the new definition of “provider of technical assistance” captures scenarios where technical assistance is provided “to a resident of a third country temporarily present in the customs territory of the Union[.]” As such, the new controls introduce a variation of what is known in U.S. export controls as a “deemed export,” i.e., where controls are imposed in specific circumstances on the in-country transfer of restricted technical information. However, the new EU standard is of a very different nature than the U.S. deemed export rule – its application does not depend on the citizenship of the individual receiving the technical assistance, but rather focuses on persons who reside outside of the EU and are located within the EU temporarily (e.g., given that risk that such persons may be more likely to remove controlled information to locations outside of the EU).

The definition of “provider of technical assistance” also is noteworthy insofar as it extends not only to transfers of technical assistance from the EU, but also to such assistance when provided by “any natural or legal person or any partnership resident or established in a Member State . . . within the territory of a third country[.]” Thus, the new standard has extra-territorial application to the conduct of EU persons and entities when acting abroad.

The new Regulation allows Member States to impose unilateral export controls for non-listed items where the Member State deems those controls necessary from the standpoint of “public security, including the prevention of acts of terrorism, or for human rights considerations.” Notably, if a Member State acts to impose those controls, the Regulation appears to require other Member States to follow suit and impose similar controls. This is a novel feature of the Regulation – in the past, in the infrequent circumstances where one Member State imposed unilateral export controls, those controls generally would not carry over into the regimes of other Member States.

The Regulation’s amendments slightly expand controls on "brokering services" involving dual-use items. The term broker is now defined as any (natural or legal) person that provides brokering services from the EU with regard to restricted exports occurring between third countries. Unlike the pre-existing definition, this definition no longer requires that the broker is resident or established in a EU Member State. As a result, a foreign broker’s temporary stay in an EU Member State may suffice to trigger authorization requirements during the period in which the person is within the EU.

Brokering services are subject to an authorization under the Regulation if they relate to listed items and may be intended for any of the uses referred to in Article 4 of the Regulation. Similar to the new cyber catch-all provisions, the Regulation authorizes Member States to further extend brokering controls to non-listed items intended for any of Article 4’s end uses, and to circumstances where the exporter has grounds for “suspecting” that a transaction involves those end uses.

The Regulation continues to allow Member States to further regulate brokering services in other respects, pursuant to national legislation (for example, some EU Member States – including the Netherlands – impose licensing and reporting requirements for brokering transactions involving certain dual-use exports from the EU).

The Regulation introduces two new General Export Authorisations (“GEAs”) with regards to the intra-group export of software and technology (GEA EU007); and encryption items (GEA EU008).

• GEA EU007 authorizes the intra-group export of a broad range of dual-use software and technology listed in Annex I by any exporter established in a EU Member State to a company wholly owned and controlled by the exporter (subsidiary) or to a company directly and wholly owned and controlled by the same parent company as the exporter (sister company), provided that the parent company is established in an EU Member State or in a country covered by EU GEA EU001.
  
  One important restriction of this license is that the exported software or technology may only be used for the commercial product development activities of the exporter, the subsidiary, or the sister company. A use of the technology or software for production purposes would not be permitted.

• GEA EU008 authorizes the export of a broad variety of encryption items to most jurisdictions around the world with some exceptions (e.g., countries subject to arms embargoes – notably, the exclusion list includes China and Hong Kong). The license is, however, subject to a number of important limitations. Of particular note, it excludes exports of encryption specially-designed or otherwise intended for various government-related end-uses, including for use in connection with a violation of human rights, democratic principles, or the freedom of expression as defined by the Charter of Fundamental Rights of the European Union.

The Regulation also provides for a “large project authorization” which is defined as an “individual export authorization or a global export authorization granted to one specific exporter, in respect of a type or category of dual-use items which may be valid for exports to one or more specified end-users in one or more specified third countries for the purpose of a specified large-scale projects”. Authorizations for large projects will be valid for up to four years.

Internal Compliance Programs

The Regulation introduces an affirmative obligation exporters who use general export licenses to implement an internal compliance program. That requirement is repeated in the terms of GEA EU 007. Export control compliance programs meet the Regulation’s new requirement if they are "ongoing, effective, appropriate and proportionate policies and procedures adopted by exporters to facilitate compliance with the provisions and objectives of this Regulation and with the terms and conditions of the authorizations implemented under this Regulation, including, inter alia, due diligence measures assessing risks related to the export of the items to end-users and end-uses." The Regulation’s recitals suggests that the European Commission may issue more specific guidance on best practices. However, it is unclear whether that will result in significant new standards, or whether it will largely follow the Commission’s pre-existing 2019 guidance on export controls compliance best practices. 

Additional Features of Note

The Regulation also introduces the following noteworthy changes:

• The Regulation extends record keeping obligations for exporters, brokers, and providers of technical assistance from three to five years from the end of the calendar year in which the export took place or the brokering services or technical assistance were provided.
• The Regulation amends the definition of "exporter" to include natural persons carrying dual-use items in their personal baggage. Notably, the Regulation does not include substantial broader revisions to the base definition of “exporter” - there were, early in the consultation process leading to the Regulation, discussions concerning a revised definition of “exporter” to clarify the status of emerging intangible export controls issues such as the use of cloud computing, but those proposals were not taken forward. With regard to cloud computing specifically, the Regulation notes only that “[i]n order to limit the administrative burden for exporters and the competent authorities of the Member States, general or global licenses or harmonized interpretations of provisions should be provided for certain transmissions, such as transmissions to a cloud.” In practice, there has been very limited guidance from EU Member States, thus far, on the issue of cloud computing (only the Netherlands and Germany have issued published guidance on the subject).
• Article 7 of the Regulation provides broadened authority for Member State to restrict the transit of items if intended for end uses set forth in Article 4. The Regulation clarifies that Member States may issue transit-related license requirements or restrictions on EU-based intermediary carriers or declarants of items, if the person who holds the contractual authority to determine the export location of the item is based outside of the EU.
• Article 23 of the Regulation establishes new mechanisms for Member States to share information concerning export controls enforcement.
• Article 26 requires the Commission to report, to the European Council and Parliament, concerning dual use licensing, administrative, and enforcement matters. The reports will be a matter of public record.

The various changes implemented through the new Regulation will have different implications for different EU-based exporters, with potentially more extensive new requirements for (1) EU exporters engaged in the development or sale of cyber-surveillance related goods, software, and technology; (2) companies that are involved in military-related technical assistance activities; and (3) companies that may benefit from the new general export authorizations noted above. Unhelpfully for European exporters, the Regulation represents – at least for the short term – the latest in a series of divergences between the EU and the UK in export controls and economic sanctions matters. While the UK implemented, into its national laws, the pre-existing EU Dual Use Regulation upon the completion of the Brexit transition process in December 2020, the UK has not yet implemented measures equivalent to the EU dual-use recast. It remains unclear whether, and if so in what timeframe, the UK will do so.

Ultimately, companies exporting or providing brokering services or technical assistance from the EU should consider the Regulation carefully, and evaluate whether any changes to internal compliance programs are merited in light of the changes implemented in the Regulation.

The Covington European trade controls team is well-positioned to assist EU-based companies in considering the implications of the Regulation. If you have any questions concerning this alert, or the Regulation more broadly, please contact any of the Covington team members listed.