EU dual-use export controls regulation comes into force | Fieldfisher
Skip to main content

EU dual-use export controls regulation comes into force


Belgium, Germany, Ireland, Italy, United Kingdom

On 9 September 2021, the EU’s recast of its Dual Use Regulation (2021/821) came into force. This results from a revision process begun back in 2011 intended to respond to evolving threats to security and human rights. 
This article summarises what’s new. 

Post-Brexit, these changes will not apply in Great Britain, where the provisions in the previous EU Dual Use Regulation 428/2009, as retained in UK law, continue in force. UK officials have indicated informally that there is likely to be a substantive update of the UK’s Export Control Order 2008 in due course, but no timetable has been set. However, these changes do apply in Northern Ireland -  how this will work in practice remains to be seen.


The EU Member State governments constrained the initial ambitions of the Parliament and the Commission, particularly with respect to more radical controls relating to cyber surveillance and human rights. As a result, the changes are relatively modest, but they nonetheless still place some additional burdens on exporters. It remains unclear how far the EU has an appetite for introducing new controls on emerging technologies of the sort under consideration by the US, or to address the continuing concerns of business to ensure a level playing field among Member States in their implementation of these controls.

Human Rights, Public Security and Terrorism 

  • In addition to the previous option for Member States to impose an end-use (catch-all) licensing requirement for the export of any items on the grounds of public security and human rights, the recast includes the prevention of acts of terrorism.
  • If a Member State adds an item to its own national control list pursuant to public security, human rights or terrorism concerns, any other Member State may also require a licence for such an item. But it must inform the exporter that the item in question may be intended for such end-uses, thereby relieving the exporter of a new due diligence requirement in this respect.  

Cyber surveillance

  • This is defined as “the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems”. The recast introduces a new end-use control on any such items if the exporter has been informed that the items may be intended for internal repression or serious violations of human rights or international humanitarian law. If an exporter is aware of such a use, it must notify its national authorities, which shall decide whether to impose a licensing requirement; if they do so, they must inform the other Member States, which may adopt the same requirement. 
  • Member States may decide on a national basis also to require such notification by an exporter if it has grounds for suspecting such an end-use. But unless they take this extra step, the new due diligence burden on exporters from this new control is effectively minimal.

Internal compliance programmes  

  • In order to obtain a global export authorisation, it is now an EU-wide requirement that (with limited exceptions) businesses must implement an ‘Internal Compliance Programme’. These are defined as “ongoing effective, appropriate and proportionate policies and procedures adopted by exporters to facilitate compliance with the Regulation and implemented authorisations, including due diligence measures assessing risks related to the export of the items, to end-users and end-uses.” The Commission is developing guidelines on this.

New Licences 

There are two new Union General Export Authorisations:
  • Intra-Group transfers of dual use software and technology for product development purposes to a limited list of 16 destinations;
  • Encryption, covering some (but not all) encryption items controlled under Category 5, Part 2 in the dual-use list, to most (but not all) destinations.
There is a new Large Project Authorisation, which can be either a global or an individual licence. Member States may grant these to an exporter in respect of a type or category of dual use items, for exports to one or more specified end users in one or more specified third countries. They may be valid for up to four years, to be determined by each Member State.

Member States may introduce national general export authorisations for low-risk exports.

Technical Assistance 

  • Previously, export controls only applied to technical assistance when controlled technology was exported. Technical assistance is now defined separately and there is also a definition of a ‘provider of technical assistance’ which covers any person that provides technical assistance from the EU customs territory into the territory of a third country, and any person resident or established in a Member State that provides technical assistance within the territory of a third country or to a resident of a third country temporarily present in the EU. 
  • The licence requirement applies if a provider is informed that technical assistance related to listed dual-use items is intended for prohibited WMD or military end-uses. But Member States may extend these restrictions to unlisted items as well as to if a provider is aware or has grounds for suspicion of such end-uses (similar to the catch-all control on cyber surveillance). 
  • There is a new control on technical assistance to a resident of a third country temporarily present in the customs territory of the EU. While this is a form of ‘deemed export’ control, it is far narrower than such US controls.  


  • The definition now includes persons and partnerships not resident or established in a Member State if they provide brokering services from the customs territory of the EU.

Licensing for exporters outside the EU

  • Persons and partnerships not resident or established within the EU may obtain an individual licence from a Member State authority for the export of dual use items located on its territory or for the provision of brokering services or technical assistance from its territory.

Licence validity and Recordkeeping

  • Global and individual authorisations will now only be valid for a maximum of two years unless the competent authority decides otherwise. 
  • The three-year period for keeping records relating to intra-EU transfers is unchanged, but a five-year period now applies in respect of exports from the EU.