European Union: New European Legislation For Trade Of Dual-Use Products

The European Union has updated the legislation regulating the exports of the so-called "dual-use" goods and technologies, such as, for example, cybersurveillance tools, in order to promote a more responsible, competitive and transparent trade. On May 10^th, 2021, the Council adopted a Regulation "setting up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items," i.e., goods, materials, software, and technologies that can be used for both civilian and military applications.

The impact on companies is twofold: on one hand, the administrative burdens for exporters have decreased thanks to the creation of general or global and harmonized licenses; on the other hand, it requires companies to develop their own measures to control export operations (due diligence principle). This means that any company wishing to export potentially dual-use goods and services must create internal procedures that document the strict "dual-use" control that the company independently performs.

The Regulation places great emphasis on cyber surveillance products, as there is a specific risk that they may be used for internal repression, serious human rights violations and/or breaches of international humanitarian law. The associated risks arise when cyber surveillance products are specifically designed to allow intrusions into information and telecommunications systems, in order to conduct covert surveillance of individuals by monitoring, extracting, collecting or analyzing data, including biometric data, from such systems. Items used for purely business applications such as billing, marketing, quality of service, user satisfaction, or network security are generally considered not to pose such risks.

Once signed by both the European Parliament and the Council, the Regulation will be published in the Official Gazette and will officially come into force 90 days after publication.

In the Regulation are indicated four types of export authorizations (for specific exports, global exports, general national exports, and general exports to certain destinations with specific conditions and requirements for use). In addition, two new general authorizations for exports from the EU have been created: that for dual-use cryptographic items and that for intra-group technology transfers. This will significantly reduce the administrative burden for both exporting companies and licensing authorities. The latter will cooperate with customs authorities to reinforce the execution of controls, even between different Member States. In this regard, the Regulation includes a new provision on transferable controls, i.e., export controls carried out by one Member State based on legislation established by another Member State, thus allowing a cross-border effect of export controls.

Controls are strengthened for a wide range of emerging dual-use technologies, and legal requirements for internal due diligence are introduced for manufacturers wishing to use global export licenses, so that goods and services comply with the Regulation. Thus, the new rules place direct responsibility on companies to create well-documented internal due diligence programs, obviously differentiated according to the size and resources of the exporter. Companies thus take on an important active role in addressing national security risks in international relations, created by dual-use products.

The new Dual-Use Regulation increases coordination on controls between Member States and the Commission, and between the EU and partner countries. Member (and non-member) States will share information with each other and with the Commission, particularly regarding technological developments of items for cyber surveillance, identification and prosecution of unauthorized exports and other possible violations of the Regulation. Thus, the modernization of the export control mechanism will be implemented through convergent approaches at European level, also thanks to the creation of a "coordination group" chaired by a representative of the Commission, with the common purpose of ensuring international security and respect for human rights. To guarantee an effective control regime, the shared list of dual-use items will be periodically updated.

Finally, the Regulation aims to harmonize at European level the rules applicable to certain services relating to dual-use items that are currently regulated at national level, for instance the supply of technical assistance within the European Union.

The Regulation therefore requires producers of dual-use items or other industries in the Union, especially small and medium-sized ones, to follow new guidelines, as well as to implement internal control procedures (so-called Internal Compliance Programs). The guidelines regarding internal programs, however, will not affect the firms' competitiveness in the global market, since they will be calibrated to better suit the exporters' characteristics, conditions, and sectors of activity. Companies will therefore have to create an internal procedure that controls and demonstrates dual use both with respect to the product/service and to the recipient, for which KYC procedures, i.e., control of the final beneficiary of the sale, become important.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.