- On 11 June 2021 the European Union (the “EU”) published Regulation (EU) 2021/821 (the “Recast Regulation”) in its Official Journal, which marked the final step with respect to modernizing its existing dual use legislation under Council Regulation (EC) No 428/2009 (the “EU Dual Use Regulation”). The Recast Regulation will enter into force 90 days after its publication in the Official Journal, meaning that it will commence on 9 September 2021.
- When compared to the proposal first issued by the European Commission (the “Commission”) in 2016 (the “Commission Proposal”), the Recast Regulation reflects the desire of the Member States of the EU (“Member States”) for a more limited update to the existing controls than first envisaged. In particular, the Recast Regulation is void of the more substantive provisions relating to cyber surveillance and human rights, which proved controversial both with EU decision-makers and industry.
- There are several notable changes including two new EU General Export Authorisations (“UGEAs”), amended controls on cyber surveillance and technical assistance, certain broader definitions (e.g. the definition of exporter has been expressly extended to cover ‘hand carries’), a clearer licensing gateway for non-EU exporters, as well as provisions allowing for increased coordination and transmissible controls between Member States.
- However, the Recast Regulation can at best be viewed as a modest update that has arguably skirted around some of the biggest issues and challenges facing the control of sensitive dual use items both now and in the future. In particular, it has become evident that measures implementing stricter controls on emerging technologies and human rights and national security protections will have to be implemented via other legislation. This will inevitably lead to a greater compliance burden for industry, as the lack of a harmonised system to deal with these varied challenges will require additional resources to account for national variations.
Background to the Recast Regulation
International agreements require Member States to have national controls in place to prevent the proliferation of nuclear, chemical or biological weapons. To contribute towards this, the EU controls the export, transit and brokering of dual use items. Dual use items include goods, software and technology that can be used for both civilian and military applications. To this end, the EU created its first legislative framework for the control of dual use items applicable throughout the EU in 2000 by adopting Council Regulation (EC) No 1334/2000.
The current EU Dual Use Regulation recast the same regulation in 2009. However, owing to technological, economic and geo-political developments, in 2011 the Commission launched a review of the EU Dual Use Regulation to respond to the challenges posed by such developments by publishing a Green Paper, which formed the basis of a public consultation. Feedback from the consultation indicated a desire on the part of national authorities and industry for a wider range of UGEAs, as well as greater convergence of catch-all controls and alignment of interpretation and enforcement among Member States (to create a level playing field across the EU and mitigate forum shopping for more amenable national regimes). However, the Commission’s suggestion that export controls be used as a tool to protect and support the EU’s human rights efforts (referred to as the “human security“ approach) was met with scepticism.
This (and other) preparatory work resulted in the Commission publishing its proposal for a new version of the regulation (the “Commission Proposal”) in 2016. Among other elements, the Commission Proposal included several contentious “human security” aspects aimed at giving human rights and terrorism a more central role in the EU’s dual use controls framework (operating as “catch-alls”) and introducing new controls on cyber surveillance technologies not already covered by the dual use list, giving the Commission the power to add or remove items to this autonomous list.
The approval of the Commission, the European Parliament (the “Parliament”) and Member States represented by the Council of the EU (the “Council”) is required to enact legislation of this kind. This resulted in a lengthy period of review by the Parliament and the Council, and a series of inter-institutional negotiations (known as “Trialogues”). The Parliament was largely in favour of the Commission’s approach in its first report on the Commission Proposal published in November 2017 (the “Report”). In some cases, the Parliament asked the Commission to go further by introducing similar penalties for non-compliance across all Member States as well as new provisions to capture the risks posed by emerging technologies.
It was not until June 2019 that the Council published its own parameters for these negotiations (the “Council Mandate”). The Council rejected and materially altered many of the Commission’s proposals. The Trialogue discussions concluded in late 2020 and the agreed position was ultimately more closely aligned to the Council’s desires. The Recast Regulation is therefore a much more modest update to the EU Dual Use Regulation compared to what the Commission Proposal first envisaged in 2016.
Scaled Down Ambitions
1. “Human Security” and Cyber Surveillance Items
The Removal of a Unilateral Category 10
The Recast Regulation removes the Commission Proposal’s Category 10 to its forthcoming Annex I list of controlled items, which would have covered certain types of surveillance systems, equipment and components for Information and Communication Technology for public networks including related software and technology. This reflects (at least in part) the substantive concerns of certain Member States with respect to the introduction of unilateral dual use controls at an EU level. From these discussions, it appears as though certain Member States prefer for: (i) national governments to introduce unilateral measures themselves through the existing mechanisms under the EU Dual Use Regulation relating to human rights concerns (i.e. Article 8 of the current EU Dual Use Regulation); (ii) the EU to put forward a common position in relation to listing such technologies as part of the Wassenaar Arrangement and other international export control regimes; and (iii) EU restrictive measures on third countries to continue including export restrictions on such items (such as in the EU sanctions against Venezuela and Myanmar).
A New Cyber Surveillance Catch-All
The Recast Regulation expands the pre-existing catch-all for reasons of public security or human rights considerations to include the prevention of acts of terrorism. It also introduces a new catch-all that specifically targets cyber surveillance items, which are defined as “dual use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems.”
This catch-all allows for the imposition of an authorisation requirement on the export from the EU of cyber surveillance items not already controlled under Annex I to the EU Dual Use Regulation (or Recast Regulation), where these items are or may be intended, in their entirety or in part, for use in connection with (i) internal repression; and/or (ii) the commission of serious violations of international human rights and international humanitarian law. The Recast Regulation does not however provide a definition for either “internal repression” or “serious violations” of international human rights/humanitarian law, which is likely to result in diverging interpretations between Member States.
If the exporter is aware of such a use, there is a positive obligation to notify the relevant authorities who must then decide whether or not to impose an export authorisation requirement. Member States can also extend this notification obligation on a national level to situations where the exporter merely has grounds for suspecting such a use. When a Member State elects to impose an export authorisation requirement, it must inform all other Member State authorities and the Commission. Where all Member States notify each other and the Commission that an authorisation requirement should be imposed for essentially identical transactions, then the Commission will publish information relating to the cyber surveillance items and (where relevant) destinations subject to authorisation requirements as notified by the Member States.
2. Changes to the Licensing Architecture
The Recast Regulation introduces two new UGEAs covering “Encryption” and “Intra-company Transmission of Software and Technology” with the stated aim of helping further facilitate trade while ensuring a sufficient level of security through robust control measures (e.g. through registration, notification and reporting, and auditing). The original Commission Proposal, however, envisaged two additional UGEAs covering “Low Value Shipments” and “Other Dual Use Items.” The Recast Regulation also introduces tighter licensing conditions with respect to the Encryption UGEA. It also reduces the number of permitted countries under the “Intra-company” UGEA, and maintains that users must put in place an internal compliance programme as a condition of its use.
The Recast Regulation maintains the concept of a Large Project Authorisation (“LPA”). An LPA can be either a global or an individual licence (the Commission Proposal only suggested an LPA as being a global licence). Member State authorities will be able to grant an LPA to one specific exporter, in respect of a type or category of dual use items, which may be valid for exports to one or more specified end users in one or more specified third countries. The Recast Regulation is silent on a minimum length but places an upper limit of four years (unless there is a circumstantial justification for a longer period) and does not offer a definition of a “large scale project” (though the Commission previously mentioned the construction of a nuclear power plant as an example).
3. No Circumvention Prohibition
The original Commission Proposal introduced a clause aimed at preventing companies from knowingly and intentionally participating in activities the object or effect of which is to circumvent the export licence requirement for dual use items, or the catch-all control for dual use items not listed in Annex I (e.g. by exporting such items from another Member State).
Even though an identical circumvention clause is included in EU sanctions regulations, the Council Mandate removed this clause in its entirety and it has not reappeared in the Recast Regulation.
4. Technical Assistance Controls
Under the existing EU Dual Use Regulation, “technical assistance” is an aspect of the defined term “technology” and thus controlled when captured by a control entry. Both the Commission Proposal and the Council Mandate agreed on defining “technical assistance” separately from the definition of “technology,” which is now reflected in the Recast Regulation.
The Recast Regulation also includes a new definition of “provider of technical assistance,” which covers:
- any natural or legal person or any partnership that provides technical assistance from the customs territory of the Union into the territory of a third country.
- any natural or legal person or any partnership resident or established in a Member State that provides technical assistance within the territory of a third country.
- any natural or legal person or any partnership resident or established in a Member State that provides technical assistance to a resident of a third country temporarily present in the customs territory of the Union.
The Recast Regulation determines that an authorisation is required where the “technical assistance” relates to dual use items and the “provider of technical assistance” is aware that the assistance is for, or told by authorities that assistance is or may be for a prohibited end use. The prohibited end uses are: (i) weapons of mass destruction end use; (ii) military end use in an arms embargoed country; or (iii) use as parts or components of military items exported without license or in violation thereof. Member States are permitted to extend these restrictions to dual use items not listed in Annex I, as well as lowering the knowledge threshold for dual use items to when a provider of technical assistance merely has grounds for suspecting that the items will or may be for a prohibited end use. Note that there are a number of exceptions to this requirement including the situation where the technical assistance takes the form of transferring information that is in the public domain.
The technical assistance controls have been broadened to encompass situations in which the assistance is given to residents of a third country who are temporarily present in the customs territory of the EU. A “provider of technical assistance” may therefore face the question of how to determine whether the recipient of the assistance is in fact not an EU resident, and subsequently how to collect and process the information received in accordance with EU data protection legislation.
Other Notable Changes
- Expanded definition of “exporter”: The concept of “exporter” now includes a specific reference to any natural person carrying the goods to be exported where these goods are contained in the person’s personal baggage.
- Expanded definition of “broker”: The Recast Regulation definition of the term “broker” has been revised to include natural and legal persons and partnerships not resident or established in a Member State if they provide brokering services from the customs territory of the EU. Under the EU Dual Use Regulation, the definition was limited to natural and legal persons and partnerships resident or established in a Member State.
- Licensing gateway for exporters based outside of the EU: The Recast Regulation states that where an exporter is not resident or established within the EU, an individual export authorisation can still be obtained from the Member State authority responsible for issuing authorisations where the dual use items are located. We note that this differs from the definition of exporter under the Union Customs Code, which may cause practical issues. In addition, where the broker or supplier of technical assistance is not resident or established in the customs territory of the EU, authorisations for brokering services and technical assistance will be granted by the competent authority of the Member State from where the brokering services or technical assistance will be supplied.
- Transmissible controls: If under the Recast Regulation one Member State imposes an authorisation requirement on the basis of a national control list on items pursuant to public security/human rights concerns, then another Member State can also impose an authorisation requirement on the export of such items using their inclusion on the national control list of the other Member State as justification, provided that the Member State informs the exporter that the items are or may be intended for uses of concern with respect to public security/human rights considerations.
- Extension of recordkeeping period: Whilst the Recast Regulation retains the three-year recordkeeping period for documents and records relating to intra-EU transfers, it expands that period in respect of exports from the EU to five years.
- Enforcement mechanism: The Recast Regulation introduces new provisions to support information-exchange and cooperation on enforcement between Member States, in particular by way of the setting up of an “enforcement coordination mechanism” under the Dual Use Coordination Group. It does however stop short of introducing concrete measures to promote the harmonization of enforcement and monitoring of export controls compliance across the EU.
An Uncertain Future
With regard to content, the Recast Regulation reflects the fact that there is no consensus among Member States to implement far-reaching changes as initially set out in the Commission Proposal and the documented wishes of the previous Parliament. The result is merely tweaking the edges of the current EU Dual Use Regulation.
- The Recast Regulation does not address the “human security” element of export controls by introducing specific new controls for certain technologies as advocated by the Commission and, in particular, the Parliament.
- Likewise, the Recast Regulation does little to address the number one concern voiced by business, namely the lack of a level playing field among Member States in their application of dual use export controls.
- The way the Recast Regulation is drafted reveals a reluctance by Member States to introduce new measures at the EU level to tackle the (perceived) risks from emerging technologies. The Parliament made the introduction of such measures a key recommendation in its November 2017 Report. It is now clear that if any unilateral measures to control the export of emerging and critical technologies are taken, they will exist outside of the EU’s cornerstone legislative framework governing export controls.
The Recast Regulation, and the duration of its inception, raises the question whether the EU’s dual use export controls framework is fit for purpose in addressing geopolitical shifts, the aggressive expansion of influence by some state actors and the corresponding focus on national security by those who are impacted by this, as well as related challenges posed by emerging technologies and globalised supply chains for strategically relevant technologies (e.g. semiconductors).
This leaves considerable room for individual Member States to tackle each of the three areas called out above either in their export licensing policies or other legislative areas (such as scrutiny of foreign investment for national security purposes). In addition, it creates an increasingly diverse regulatory landscape in the EU, which will demand increased efforts and attention from business to achieve compliance.
The Recast Regulation comes at a time when one of the EU’s most significant trade and technology partners, the United States, is having a robust internal debate how to expand the scope of its dual-use export controls beyond their non-proliferation focus to respond to national security and economic security threats created by the Chinese government’s (i) technology acquisition policies designed to achieve strategic dominance in critical technology sectors; (ii) civil-military fusion policies, and (iii) human rights abuses associated with the misuse of commercial technologies. United States export controls are almost certainly going to continue expand into more non-regime list-based, end user, and end use controls designed to address such issues that are not traditionally within the mandate of the multilateral regimes.
With the Recast Regulation, however, the EU stays close to the traditional objective of export controls, i.e., controlling the export of items on the multilateral regime control lists for non-proliferation-related reasons. A core element of the Biden Administration’s foreign policy is to develop multilateral approaches to solving problems of common interest. Thus, it remains to be seen whether the United States will be able to convince the EU and its Member States to adopt plurilateral changes to their export control rules to respond to non-traditional national security, economic securities, and supply chain threats pertaining to China that the United States has identified and that are not addressed by the multilateral regimes.