The Recast Dual-Use Regulation entered into force on 9 September 2021, replacing the regulation from 2009, governing controls of items with both civil and military purposes. What key changes does the new regulation introduce?
Extended definition of exporter and broker
Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast) entered into force on 9 September 2021, replacing Council Regulation (EC) 428/2009, which had already been updated several times to take account of new technological challenges, including cybersecurity and human rights. (For applications for authorisation submitted before 9 September 2021, the relevant provisions of Regulation 428/2009 will continue to apply.)
Now, the concept of an exporter will cover any natural or legal person or partnership that decides to transmit dual-use software or technology by electronic media to a destination outside the customs territory of the EU. An exporter also includes any natural person carrying dual-use items in their personal baggage.
The scope of export controls with regard to the provision of brokering services has also been extended. Now brokers include non-residents, if they provide services from within the EU customs territory.
Broader control of technical assistance
The recast regulation introduces new controls covering situations where a company provides technical assistance related to dual-use items. Previously, export control applied to the provision of technical assistance when the controlled technology (controlled products or software) was exported under that assistance.
Supervision over cybersecurity
A new catch-all clause has been introduced concerning the end use of cyber-surveillance products not listed in Annex I to the regulation. It applies if the exporter is aware or has been informed that the exported products are or may be intended for use in relation to internal repression or serious violations of human rights and international humanitarian law.
In particular, this applies to products specifically designed to allow covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems. Products used exclusively for commercial purposes, such as billing, marketing, quality services, user satisfaction surveys or network security, are not considered to pose such a risk.
If an exporter has determined through due diligence that the cyber-surveillance items it plans to export, although not listed, are intended for use in repression or human rights violations, it must notify the competent authority. Then, the competent authority must decide whether the export should be authorised. Member states may extend the notification obligation to situations where the exporter has a reason to suspect that the given products may have such use.
New EU general export authorisations
The recast regulation introduces a Union general export authorisation for:
- Intra-group transfer of software and technology (EU007) (selected countries only, and subject to a robust internal compliance programme within the company)
- Certain encryption elements (EU008).
The regulation retains the concept of a “large project authorisation” (LPA). The member states’ authorities will be able to grant an LPA to one specific exporter for a type or category of dual-use items. An LPA may be valid for export to one or more specified end-users in one or more specified third countries. The regulation sets only an upper limit of validity (four years), but does not contain a definition of a “large project.”
New requirements for internal compliance and due diligence policies
Some member states had previously required exporters to implement an internal compliance programme (ICP) for export controls in order to obtain global export authorisations. Now this will be an EU-wide requirement. In Poland, until now the obligation to maintain an internal control system has been imposed only on applicants for arms trading permits.
While the requirements for ICPs are set by member states, it is stressed that the design and implementation of the internal compliance programmes should take into account, in particular, the size and organisational structure of exporters.
Period of validity of authorisation
Now global and individual authorisations will be valid for a maximum of two years, unless the competent authority decides otherwise.
Extension of the period for keeping export transaction registers and records
While the regulation maintains a three-year retention period for documents and records relating to intra-EU transfers, for EU exports this period is extended to five years from the end of the calendar year when the transfer took place.
Cooperation and information exchange
In the interests of efficiency and consistency in the application of export controls throughout the customs territory of the Union, the regulation has introduced mechanisms for increased exchange of information between member states and for direct cooperation between the enforcement authorities of the member states. It also requires the European Commission to submit an annual report to the European Parliament and the Council of the EU containing data on the exercise of controls, in particular the number of authorisations, denials, infringements, and penalties imposed.
Worth checking out
Companies exporting dual-use items should pay attention to the changes introduced by Regulation 2021/821 and assess, among other things, whether:
- Their products qualify as unlisted cyber-surveillance items
- The revised definitions cover their activities
- The services they provide qualify as technical assistance within the meaning of the regulation
- They can benefit from the newly introduced EU general authorisations
- Their internal compliance procedures allow them to verify whether a planned transaction will lead to a breach of applicable export provisions relating to sanctions and controls.
Anna Olejniczak-Michalska, attorney-at-law, Private Client practice, Wardyński & Partners