Dual-Use Regulation: what companies need to know and how they can benefit

The Dual-Use Regulation comes into force today, 9 September 2021. Almost three months after its publication, there is still some uncertainty as to how exactly the regulations are now going to be applied. What do I, as an entrepreneur, have to consider and how can I possibly profit from the new regulations. Our expert Stefan Müller provides answers.

Following many years of negotiations at European level on a new regulation for dual-use goods, the new Dual-Use Regulation (EU) 2021/821 was published in the Official Journal of the EU on 11 June 2021. This enters into force on 9 September 2021 and replaces Dual-Use Regulation (EC) 2009/428. All entrepreneurs have to observe and implement it as of this date, without any further transitional periods.

The Guidelines of the Commission envisaged in the Regulation are not expected until the beginning of 2022 at the earliest, but the German Federal Office of Economics and Export Control [Bundesamt für Wirtschaft und Ausfuhrkontrolle - BAFA] has already published its own pamphlets on its homepage. We have already summarised the most important points for you.

New General Export Authorisations

With the recast of the Dual-Use Regulation, two new General Export Authorisations were added to Annex II of the Regulation.

Intra-group exchange of software and technology

In business practice, it is virtually a matter of course for software and technology to be exchanged in cases where, for example, new developments are promoted at different company sites or production is distributed across several sites. The need for export authorisations for this type of intra-group cooperation was always considered inappropriate.

The new Union General Export Authorisation UGEA 007 serves to facilitate intra-group exchanges within the scope of industrial product development.

The privileged group of goods is fundamentally very broadly defined. With some exceptions, all items of Annex I of the Dual-Use Regulation are covered. Besides explicitly excluded goods of Annex II Part I of the Regulation, the exemptions also apply to communications surveillance goods, as these have a particular potential for abuse and are regularly the focus of political and media attention.

The territorial scope of application is positively limited by a list of possible destination countries.

A further condition is that the end-user is a subsidiary or sister company of the exporter, provided that the parent company provides a binding guarantee for the actions of such company. This should ensure a certain degree of control. Other requirements also ensure that the exporter retains control over the software or technology, for example, the extension of the control to the products resulting from the development. At the end of the development process or in the event of any other loss of control over the software and technology (for example, upon the sale of the company concerned), the technology/software must be returned to the exporter and completely deleted by the subsidiary/sister company.

Another - novel - ancillary provision is the obligation to register at least 30 days before the first export using this General Export Authorisation.[1] The further reporting obligations on the use that have to be observed correspond to the previously known regulations.

Another new point is the required confirmation of an established Internal Compliance Programme (ICP) by the exporter, as the area of development technology at issue is particularly sensitive. This further increases the importance of ICP for companies.

Encryption technology

The additional new UGEA008 privileges the export of certain dual-use items of encryption technology. Its scope of application is narrower than that of the National General Export Authorisation NGEA 16. The delimitation can be technically very complex in individual cases. For example, depending on their technical configuration, VPN routers may be classified either under subheading 5A002.a.1. of Annex I to the EU Dual-Use Regulation (in which case they are only approved for NGEA 16) or under subheading 5A002.a.2. (in which case they are approved for both UGEA 008 and NGEA 16). The legislators recognised the described assignment problem and strove to facilitate the procedure in as user-friendly a manner as possible. Therefore, in the exceptional case this means that UGEA 008 does not have to be used with priority, rather, that the exporter has a free choice.[2]

If the exporter chooses UGEA 008, the limited range of countries as well as several ancillary provisions have to be observed:

With regard to the geographical scope of application, in principle all countries that are not already covered by UGEA 001 are covered. Countries that are excluded from the privileged group of countries are arms embargo countries or countries against which EU sanctions in the dual-use sector exist. Moreover, there is also an extensive list of countries that are explicitly excluded from its scope of application.

In addition to the known notification obligations and exclusion criteria, the ancillary provisions also include a registration obligation on the part of the exporter. According to this, the exporter has to register - as in the case of UGEA 007 - before making use of UGEA 008 for the first time. The registered exporter also has to notify the BAFA 10 days prior to the date of first export of its intention to use this authorisation for the first time.

Large projects

Article 12 (3), second sentence, introduces a possibility of authorisation for large projects in order to account for the specific needs of industry. According to this, applications may be made for individual or global export authorisations that are valid for exports to one or more specified end-users in one or more precisely specified third countries for the purpose of carrying out a precisely specified large project. This authorisation is fundamentally valid for up to four years. However, in duly justified cases based on the duration of the project, the period of validity may also be extended beyond this.

Cloud computing

Cloud computing is now mentioned in the recitals for the first time. For the export of dual-use software or technology, inter alia in the context of cloud computing, member states must provide for provisions on general or global authorisations or a harmonised interpretation of the relevant provisions. This aims to reduce the administrative burden on exporters.

On the other hand, when an export in the context of cloud computing requires authorisation has not been concretely regulated. Consequently, an interpretation of the term "export" pursuant to Article 2 No. 2 of the EU Dual-Use Regulation is still required. However, the various member states interpret this differently.

Germany takes a rather strict approach here: in case of the electronic transfer of software or technology from the EU to a server located in a third country, an export is deemed to have taken place even if the software or technology is transferred and stored exclusively in encrypted form and nobody in the third country is granted access to this data. The background to this is that, although at first glance there appears to be no danger of the software or technology falling into the "wrong hands" in this constellation, government agencies could gain access to this data on the basis of national laws.

In cases where software or technology is hosted on servers within the EU, according to the practice of the BAFA, an export is deemed to have taken place if a person from a third country is given the possibility of unrestricted access. Actual access, on the other hand, is not required.

Consequently, companies continue to face major challenges. They need to be aware of the possible restrictions on the day-to-day use of, for example, cloud services or webmail and obtain any necessary authorisations. A concrete need for entrepreneurs to adapt on grounds of the new Regulation therefore does not exist.

However, there is hope that future general export authorisations or global authorisations at national level will reduce the administrative burden.

Extension of authorisation requirements for brokering transactions

If one reads the new Article 6 (1) EU Dual-Use Regulation on the authorisation requirement for the provision of brokering services, there does not appear to be any significant difference to the old Article 5 (1) EC Dual-Use Regulation at first glance.

However, appearances are deceptive. The Article 4 (1) referred to by both provisions has changed significantly: as a result of the new structure of Article 4, authorisation is now required not only for brokering transactions for exports of dual-use items intended for use in connection with the development, production, handling, operation, maintenance, storage, detection, identification or dissemination of chemical, biological or nuclear weapons or other nuclear explosive devices, or for the development, production, maintenance or storage of missiles capable of delivering such weapons (point (a)). Now also subject to authorisation is brokering involving goods for a military end-use if the purchasing country or the country of destination is subject to an arms embargo (point (b)). In addition, the EU Dual-Use Regulation provides for an authorisation requirement for brokering transactions relating to the use as a component of military items listed in the national military list that have been exported from the territory of a member state without authorisation or in violation of an authorisation prescribed by the national legislation of that member state (point (c)).

Emerging technologies

Emerging technologies are subject to rapid development, which can pose a threat to national security interests or human rights, for example drones, artificial intelligence, quantum computing or satellite technology.

As a result, the Export Control Reform Act (ECRA) was passed in the US back in 2018 to tighten export control regulations. The background to this is the increasing outflow of technological know-how, particularly to China, directly through exports but also indirectly through foreign investment.

China responded to this with the Export Control Law of thePeople's Republic of China (ECL), which came into force in December 2020. This explicitly also includes technologies, services or data that need to be controlled in the interest of Chinese security.

The EU is countering this politically charged area of tension by taking a more cautious with the introduction of Articles 9 and 10 of the EU Dual-Use Regulation. Through the mechanism foreseen therein, a national authorisation requirement for non-listed items can be initially introduced for reasons of public security, including the prevention of terrorist attacks, or for human rights considerations. The other member states then have the option of adopting this national listing, whereby all of the competent national authorities have to be informed accordingly.

This is to implement the desired improved cooperation between the member states themselves as well as the harmonisation of export controls, which can ultimately also lead to more equality of competition in the internal market.

Goods of digital surveillance

The Regulation further introduces a catch-all clause for digital surveillance goods. This will only be relevant for a small group of companies. 

The clause only covers dual-use items specifically designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems or allowing corresponding "deep packet data analysis".

These data also include biometric data, i.e. personal data relating to the physical, physiological or behavioural characteristics of a natural person which enable or confirm the unique identification of that natural person and which are obtained by means of specific technical procedures, such as facial images or dactyloscopic data.

However, the clause does not cover goods intended for purely commercial use, such as for billing, marketing, ensuring quality services, user satisfaction or network security.

The BAFA provides further details and examples in its information leaflets "Die neue EU-Dual-Use-Verordnung (Verordnung (EU) 2021/821)” [The new EU Dual-Use Regulation (Regulation (EU) 2021/821)] and "Merkblatt zum Artikel 5 der neuen EU-Dual-Use-Verordnung (Verordnung (EU) 2021/821)” [Information Leaflet on Article 5 of the new EU Dual-Use Regulation (Regulation (EU) 2021/821)] published on 16 August 2021. Although these are not legally binding, they give a good impression of the approach taken by the authorising authority.

If an entrepreneur is aware, on the basis of information obtained in the course of his duty of care, that the digital surveillance goods to be exported are intended, in whole or in part, to be used in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law, he must inform the BAFA accordingly.

It remains to be seen what requirements will be placed on the exporter's duty of care. In the BAFA's view, it would appear to be sufficient if the entrepreneur makes use of the simplest sources, such as Google or the Federal Government's Human Rights Report[3] (available on the homepage of the Federal Foreign Office) to obtain knowledge about his business partner’s use of the goods; in other words, sources that are accessible to everyone. Whether a corresponding code of conduct on end-use also needs to be agreed with the contractual partners is under discussion. In initial oral statements, representatives of the BAFA did not deem this necessary. 

The catch-all clause is also relevant if the BAFA notifies the exporter of one of the above end-uses. 

This regulatory pattern is well known from Article 4 of the EC Dual-Use Regulation.

As a result, in both of the above-mentioned cases, the BAFA decides on the authorisation requirement for the export of the goods concerned.

In German law, a listing of surveillance systems as well as equipment and its components for information and communication technology was already added to 5A902 Part I Section B of the Export List in 2015. For the goods listed therein, the authorisation requirement applies to the export and transfer pursuant to Sections 8, 11 AWV of the said goods themselves and for related trading and brokering transactions pursuant to Section 46  German Foreign Trade Ordinance [Außenwirtschaftsverordnung – AWV], as well as the authorisation requirement of Section 52 b AWV, which was also inserted in 2015. With this, an authorisation requirement was also created for technical assistance in connection with certain communication interception equipment listed in Part I Section B of the Export List.

In accordance with Recital 9 of the EU Dual-Use Regulation, the purpose of the provision of Article 5 of the EU Dual-Use Regulation is to harmonise the export control of non-listed digital surveillance goods.

In the relationship between EU law and national law, Article 5 (3) EU Dual-Use Regulation provides for an opening clause, enabling a national legal provision such as that of Sections 8, 11 AWV in conjunction with 5A902 or Section 52 b AWV to continue to exist, subject to the various requirements of Article 5 EU Dual-Use Regulation.

Conclusion:

Entrepreneurs definitely need to give the Dual-Use Regulation their attention. They need to clarify to what extent they can benefit from the newly created General Export Authorisations or the regulation on large projects. In particular, it is advisable to review an existing ICP as to its effectiveness and efficiency in the context of the new General Export Authorisations.

The new Article 5 of the Regulation concerning digital surveillance goods will only affect a small group of companies that have followed this development closely and, in some cases, actively accompanied it. 

Companies should be aware that, through various new formats of cooperation and transparency at EU level, an overall higher and more uniform level of control will be achieved. Authorisation decisions, for example, could be published - at least anonymously.  For example, an application for authorisation could be checked to see whether a member state has already rejected an essentially identical transaction.  However, companies based in Germany should certainly see this as an opportunity for improvement in the sense of uniform competitive conditions throughout Europe (keyword: “level playing field").

[1] With the existing General Export Authorisations, registration up to 30 days after initial use is usually sufficient.

[2]Kochendörfer/Paul: Neue Allgemeingenehmigungen EU 007 and EU 008 [New General Export Authorisations UGEA 007 and UGEA 008], AW-Prax 2021, 218, 222.

[3] BAFA information leaflet on Article 5 of the new EU Dual-Use Regulation, p. 11, available [in German] at www.bafa.de/SharedDocs/Downloads/DE/Aussenwirtschaft/afk_merkblatt_eu-dual-use-vo_artikel-5.html.

Back to list