Search Close search

HomeNew EU Dual-Use Regulation enters into force

New EU Dual-Use Regulation enters into force

9 September 2021

In force from today, the recast EU Dual-Use Regulation introduces notable changes to the regulatory landscape for export of dual-use items. These include the introduction of several new general export authorisations, new rules on cyber-surveillance items and provision of technical assistance, and further discretion for Member States to introduce national control lists. Companies exporting dual-use products, including cyber-surveillance items, and those providing technical assistance relating to dual-use products should review their compliance programs to ensure they are aligned with the new Dual-Use Regulation.

On 9 September 2021, the new EU Dual-Use Regulation No 2021/821[1] (referred to as the “Recast”) enters into force. It modernizes EU export controls on sensitive dual-use items, i.e. goods, software and technology that can be used for both civilian and military applications. The Recast replaces the previous Dual-Use Regulation No 428/2009.

The Recast is less ambitious in scope than envisaged by the European Commission in its original proposal[2] and central aspects of EU export controls remain unchanged: No new categories of dual-use items are added to Annex I; the definition of ‘dual-use items’ is not substantially amended; and the general catch-all provision in Article 4 (regulating the export of non-listed items) is not expanded.

However, the Recast also introduces certain material changes. Below we have described the most significant developments.

New authorisations

Two new Union General Export Authorisations (“UGEA”) have been introduced. They cover intra-group export of software and technology (UGEA EU007) and encryption (UGEA EU008).

The intra-group export authorisation (found in Annex IIG) covers mostly all technology and software specified in Annex 1 and is valid for exports to group companies in certain third countries. A precondition for using the authorisation is that the direct parent company and ultimate controlling owner of the exporter are resident or established in a Member State or in a country covered by UGEA EU001, i.e. Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland, Liechtenstein, the UK or the US. Further, exporters intending to use this authorization must implement an Internal Compliance Programme.

The encryption authorisation (found in Annex IIH) covers a range of encryption items exported to all destinations except those listed in part 2 of Annex IIH. Use of the authorisation entails notable bookkeeping obligations: The exporter must be able to submit comprehensive technical data of any export planned or conducted under the authorisation upon request from the competent authority of the Member State where the authorisation was issued.

Further, the Recast introduces the large project authorisation. It is defined as an export authorisation granted to one specific exporter, in respect of a type or category of dual-use items valid for exports to specified third country end-users for the purpose of a specified large-scale project. Whereas individual and global export authorisations are generally valid for up to two years, large project authorisations may be granted for up to four years.

National control lists

The Recast provides an optional authorisation regime for export of non-listed dual-use items for reasons of public security or for human rights considerations. Under these rules, Member States are entitled to establish national control lists of items not listed in Annex I.

This will add further complexity to the compliance efforts of companies involved in export of dual-use items. To mitigate the increased regulatory burden, the European Commission is under obligation to publish a compilation of all national controls lists in force.

Cyber-surveillance items

Companies active in the cyber-surveillance industry face increased scrutiny. The Recast introduces a catch-all clause for exports of non-listed cyber-surveillance items.

An authorisation is needed for the export of any cyber-surveillance item when the exporter has been informed by the national competent authority that the item in question may be used in connection with human rights violations and breaches of international humanitarian law. If an exporter by way of its own due diligence findings becomes aware that non-listed cyber-surveillance items are intended for such uses, it has an obligation to notify the national competent authority and await authorisation to carry out any proposed export.

For this purpose, cyber-surveillance items are defined as “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems.”

Technical assistance

Technical assistance related to listed dual-use items is now subject to authorisation if the items in question are intended for any of the uses referred to in the catch-all clause in Article 4. This includes uses related to (a) proliferation of weapons of mass destruction, (b) military end-uses by countries subject to an arms embargo, and (c) for use as parts or components of military items that have been exported unlawfully.

As with exports of cyber-surveillance items, the authorisation requirement is triggered when the provider of technical assistance is notified by the national competent authority or on its own account becomes aware that the items in question are intended for restricted uses.

Exceptions to the authorisation requirement are provided under Article 8(3). For instance, technical assistance provided towards a resident or within the territory of Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland, Liechtenstein, the UK or the US is not subject to prior authorisation.

Member States may extend the authorisation requirement to non-listed dual-use items.


Exporters of dual-use items are required to keep detailed records of their exports in accordance with the national law or practice in force in the Member State concerned. Whereas EU export control rules previously required exporters to keep said records for at least three years, this period has now been increased to five years.

Next steps

With the changes introduced by the Recast, companies which have not previously been subject to export control rules may find that this has changed. This may especially be the case for exporters of cyber-surveillance items and providers of technical assistance.

It is Gorrissen Federspiel’s recommendation that all exporters of dual-use items review their compliance programs to ensure they are aligned with the new Dual-Use Regulation. For exporters of cyber-surveillance items and providers of technical assistance, it is recommended to carry out a review of whether any of their activities are now subject to export control rules. Companies may also consider whether they can benefit from any of the new authorisations.

Gorrissen Federspiel can assist in reviewing companies’ compliance programs and advise on relevant changes introduced by the Recast.


[1] The Regulation is available on link.

[2] For more information, please see our previous newsletter on the topic.

Sign up for our newsletter

Sign up for Gorrissen Federspiel’s news updates and receive the latest legal news and event invitations directly in your inbox.

Thank you for signing up

You have already signed up