On 11 June 2021, the Recast Dual-Use Regulation was published in the Official Journal of the European Union as Regulation 2021/821 (the “Regulation”). The Regulation, which comes into force on 9 September 2021, will replace the current Dual-Use Regulation introduced in 2009.
Key changes include:
- Two new general export authorisations: The Regulation introduces a general export authorisation for intra-group transfers of dual use software and technology to specified countries for product development purposes, that is available where the parent company is resident in an EU Member State or an EU GEA 001 destination country, and is subject to conditions including the parent company providing a guarantee for the subsidiary’s compliance with the authorisation. A further export authorisation is introduced for certain encryption items, and permits exports to countries other than those on a negative list.
- New requirements for internal compliance policies and due diligence: Whilst some Member States already require exporters to implement an Internal Compliance Programme for export controls in order to obtain global export authorisations, this is now an EU-wide requirement (with limited exceptions).
- Technical assistance: The Regulation introduces new controls covering situations where a company provides technical assistance relating to dual-use items. Previously, export controls would not apply to the provision of technical assistance other than where controlled technology (or controlled goods or software) were exported as part of the assistance.
- Cyber-surveillance: The Regulation introduces a new end-use control on cyber-surveillance equipment, where the exporter is aware or has been informed that the exported items are or may be intended for use in connection with internal repression or the commission of serious violations of human rights and international humanitarian law. This applies to items (whether or not listed) that are specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems.
- Relationship with national control lists: To address public security concerns and facilitate cooperation between member states to prevent circumvention of national controls, exporters may be required to seek authorisation where items are placed on national control lists in another Member State.
- License duration and record-keeping: Global and individual authorisations will now only be valid for a maximum of two years. Further, records must be kept for five years (as opposed to the current three year period) following the end of the calendar year in which a transfer took place.
Following Brexit, the Regulation will not automatically apply in Great Britain, where the retained Dual-Use Regulation (Regulation 428/2009) – based on the pre-Brexit controls – will continue to apply as the basis for the export control regime (although the UK separately issued new guidance on export of dual-use technologies earlier this year, see our previous post here). However, there remains some residual uncertainty as to how the UK Government will administer the revised rules in practice under the new Regulation for exports out of Northern Ireland given the terms of the Brexit agreement.
For more detail on the Regulation, please contact Alex Phillips to be added to our mailing list and receive our full client alert and analysis.