Trade Update Webversion
279 logo v%c3%a4nsterst%c3%a4lld neg
1146 Trade update
New EU dual-use regulation: cyber-surveillance, human rights and compliance programmes
On 11 June the EU’s new dual-use regulation was published in the Official Journal (Regulation 2021/821) (the "Regulation"). It will start to apply 90 days after publication (9 September) and will replace the current Council Regulation (EC) No 428/2009.
Although the new Regulation is less ambitious than what was initially proposed by the European Commission in 2016, there are some important new requirements and features. The following Trade Update highlights three of these, control of cyber-surveillance items that could be used for human rights violations, new Union general export authorisations and a recurring theme of implementation of Internal Compliance Programmes (“ICPs”).

The new Regulation also introduces several other requirements and conditions, and we recommend that companies dealing or trading in dual-use goods, software or technology consider whether the new rules will affect their business operations.

Catch-all on cyber-surveillance used for human rights violations

The new Regulation introduces a catch-all rule in Article 5, covering any “cyber-surveillance items" which are not explicitly listed in the Regulation. A "cyber-surveillance item" is defined as any item that is specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems.

If an exporter is made aware that such items may be used in connection with internal repression or serious human rights violations, the competent authorities can choose to make the export subject to an authorisation. Also, exporters that suspect that their items may be used for these purposes should also contact the competent authorities for guidance on whether an authorisation is needed.

Recommendation: It is advisable for companies dealing in products or software that have the capability of monitoring, extracting, collecting or analysing data from telecommunication to conduct extra due diligence in relation to countries in which there is a risk of human rights violations or internal repression.

New Union general export authorisations for intra-group export and for export of encryption technologies

To ease the administrative burden for companies and competent authorities, two additional Union general export authorisations are introduced, to complement the existing authorisations EU001 to EU006.

The new general export authorisation EU007 enables the export of dual-use software and technology within the same group of companies, but only to certain destinations. The authorisation will apply to exports from a parent company in the EU to a wholly-owned and controlled subsidiary outside the EU, and between two “sister” companies owned and controlled by the same parent company. The use of this authorisation will require an ICP and several other conditions have to be fulfilled.
The new general export authorisation EU008 will facilitate the export of many, but not all, products or transfers of software that use dual-use controlled encryption. Using encryption functionality is becoming more and more common, in particular as many companies move into digitalisation and develop and connect products and services to the internet (e.g. Internet of Things). The new EU008 will thus make it easier to manage such rolling out and exporting products and services which contain encryption functionality. The EU008 will apply as a general authorisation for all destinations, except those specifically listed. It will not cover, for example, exports to China and Israel, where an exporter will instead have to apply for an individual or global authorisation.

Recommendation: The new general authorisations each come with a number of specific conditions. Companies considering whether to use either of the general authorisations are advised to examine the detailed conditions, and in particular, administrative requirements and applicable destinations.


Companies will be required to implement ICPs in order to use the EU007 authorisation (or to use a global authorisation in the case of companies exporting to a non-listed destination), unless deemed unnecessary by a competent authority.

The new dual-use Regulation introduces a definition of an ICP, which emphasises the need for ongoing compliance procedures, as well as due diligence and risk assessment in relation to end-users and end-use:

“ICP means ongoing effective, appropriate and proportionate policies and procedures adopted by exporters to facilitate compliance with the provisions and objectives of this Regulation and with the terms and conditions of the authorisations implemented under this Regulation, including, inter alia, due diligence measures assessing risks related to the export of the items to end-users and end-uses”

Recommendation: Companies trading in dual-use items and that need to implement an ICP should consider the European Commission’s recommendation on ICPs for dual-use trade controls (Commission Recommendation (EU) 2019/1318 of 30 July 2019).
If you have questions or want to discuss any of these issues, you can always reach out to your existing contacts at the firm. You are also welcome to contact the members of our Trade team, some of whom are listed below.

Carolina Dackö,
Lucas Leger Jonsson,
Anders Lückander,
Stefan Perván Lindeborg,
Fredrik Svensson,
Click to visit us on LinkedIn Click to visit us our homepage