Export control

New EU dual-use regulation 2021/821

Date: 11 June 2021

Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfers of dual-use items (recast)

Forthcoming entry into force of the new dual-use regulation


Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 was published in the OJEU L 206 of 11 June 2021.


This Regulation recasts and repeals Regulation (EC) 428/2009 on dual-use items (DU), i.e. items designed for civilian purposes but which may have both civilian and military use. It is applicable as of September 9, 2021.


While the amendments to Regulation (EC) 428/2009 do not change the fundamental principles of the control of trade in dual-use items or the general scheme of the Regulation, they will nevertheless result in some changes to the current “rules of the game”.


After four years of negotiations between the Commission, the European Parliament and the Council of the European Union on a Commission proposal of September 2016, a preliminary political agreement on the text of the Regulation was reached on November 9, 2020. The Parliament gave its first reading agreement on 25 March 2021, followed by the Council on 10 May 2021.


The text of the Regulation will enter into force after a transitional period of 90 days following its publication in the OJEU on 11 June 2021, i.e. on 10 September 2021.


This means that the relevant provisions of Regulation (EC) No. 428/2009 remain applicable for export authorization applications submitted before September 9, 2021.


These changes in the “rules of the game” are briefly outlined here and concern primarily new or revised definitions.


“The Exporter”


The definition of exporter has been revised in point 3) of Article 2 of Chapter I “Purpose and Definitions” of the Regulation.


Firstly, the time at which this definition is to be analysed has been clarified, namely “the time at which the export or re-export declaration or the exit summary declaration is accepted”. In the previous version, the reference was to “the moment when the declaration is accepted”.


As a reminder, the rule for defining an exporter under the Regulation is as follows: the exporter is the person (natural or legal) who has the power to determine the sending of the items out of the customs territory of the Union (see point a) of 3)).



In line with this rule, the exporter can only be resident or established in the EU. Indeed, if the person entitled to decide on the export of the product is not in the EU, then depending on the contract on which the export is based, the exporter is deemed to be the contracting party who is resident or established in the EU.


What if the person entitled to decide on the export is not only resident or established outside the EU but also a third party to the export contract?


This person is not an exporter within the meaning of the Regulation, but does this mean that the transaction involving controlled goods within the meaning of the Regulation is not subject to control?


Transfers by electronic means are also covered and specified by the Regulation in point b) of 3):


“any natural or legal person or any partnership that decides to transmit software or technology by electronic means, including by fax, telephone, electronic mail or by any other electronic means to a destination outside the customs territory of the Union, or to make available in an electronic form such software and technology to natural or legal persons or to partnerships outside the customs territory of the Union [new]”.



“Technical assistance”


Technical assistance is now defined in point 9) of Article 2 of Chapter I “Purpose and Definitions” of the Regulation as: “any technical support related to repairs, development, manufacture, assembly, testing, maintenance, or any other technical service, and may take forms such as instruction, advice, training, transmission of working knowledge or skills or consulting services, including by electronic means as well as by telephone or any other verbal forms of assistance”.


The provider of technical assistance is also defined, in point 10), and it is interesting to note that the concept covers not only any person providing assistance from the EU to a third territory but also any person “resident or established in a Member State that provides technical assistance to a resident of a third country temporarily present in the customs territory of the Union”. This definition resembles the US “deemed export” rule, which controls the exchange of controlled technical information as soon as it takes place on US soil. However, in the European case, the technical assistance provider must be established or resident in the EU.


This means that the provision of technical assistance in relation to dual-use items listed in the Annex to the Regulation will be subject to authorization if there are indications of a sensitive end-use or if the competent authority has been informed of such an end-use.





Cyber-surveillance goods


Cyber-surveillance goods are defined in Article 2(20) of Chapter I “Purpose and Definitions” of the Regulation as: “dual-use goods specifically designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analyzing data from information and telecommunications systems”.


Contrary to what had been envisioned, there will not be a specific category for cyber surveillance goods (category 11).


However, the regulation does provide for the introduction of stricter controls on the export of digital surveillance technology. There is now a catch-all clause for the export of unlisted digital surveillance and interception technologies.



The export of such goods will be subject to authorization if the exporter has been informed by the competent authority that the goods concerned are or may be intended, in whole or in part, for use in internal repression or in connection with the commission of serious violations of human rights or humanitarian law.


If, on the other hand, an exporter becomes aware, as a result of “due diligence information”, that unlisted cyber-surveillance goods are intended for one of the above-mentioned critical uses, it will now have a duty to inform the competent authority.



The “Internal Compliance Program” (“ICP”)


The principle of due diligence involves assessing the risks associated with the transactions covered by the Regulation by means of an analytical review of those transactions as part of an internal compliance program (“ICP”).


In this regard, the size and organizational structure of exporters in particular must be taken into account when developing and implementing ICPs.


The ICP defined in point 21) of Article 2 of Chapter I “Purpose and Definitions” of the Regulation is necessary but does not take a single form: there is no “one size fits all” in this respect.



Licensing obligation for reasons related to public security or to human rights


If an EU Member State places additional dual-use items on a national control list and this list is published in the Official Journal of the EU, this may also trigger a licensing requirement in other EU Member States if the competent authority (in the exporter’s Member State) has informed the exporter that the export of the items in question is of concern for reasons of public security (including the prevention of terrorist acts) or human rights.



The creation of two new general authorizations


Two new general authorizations are created:


  • EU007: For intra-group exports of software and technology
    • Goods covered are all those in Annex I except 4A005, 4D004, 4E001.c, 5A001.f and 5A001.j
    • Destinations covered are: Argentina, Brazil, Chile, India, Indonesia, Israel, Jordan, Malaysia, Mexico, Morocco, Philippines, Singapore, South Africa, South Korea, Thailand, Tunisia.


  • EU008: For certain items containing cryptography
    • The goods covered are: 5A002.a.2, 5A002.a.3, certain goods covered by 5A002.b, certain software covered by 5D002.a.1, certain software covered by 5D002.b, certain software covered by 5D002.c.1, and certain technology covered by 5E002.b.
    • They must meet certain cumulative conditions:
      • Use only published or commercial cryptographic standards approved or adopted by internationally recognized standards bodies;
      • Not use standards designed for government use;
      • Not be easily modified by the user.
    • All destinations except:
      • Afghanistan, Armenia, Azerbaijan, Belarus, Cambodia, Central African Republic, China (including Hong Kong and Macau), Democratic Republic of the Congo, Congo, Egypt, Eritrea, North Korea, Saudi Arabia, Georgia, United Arab Emirates, Iran, Iraq, Israel, Kazakhstan, Kyrgyzstan, Lebanon, Libya, Malaysia, Mali, Mauritius, Mongolia, Myanmar/Burma, Oman, Pakistan, Qatar, Russia, Somalia, South Sudan, Sudan, Syria, Tajikistan, Turkmenistan, Uzbekistan, Venezuela, Yemen, Zimbabwe;
      • Countries subject to an arms embargo or subject to EU restrictive measures applicable to dual-use items.


In France, certain goods containing cryptography are controlled by the ANSSI (Agence Nationale de la Sécurité des Systèmes d’Information) and require a declaration to, or an application for authorization from, that agency in order to be imported, transferred or exported.


In Germany, for example, the use of the German National General Authorization 16 (telecommunications and information security) will remain possible.






The creation of a large project license


A license (which can be individual or global) for large projects is introduced with a maximum validity period of four years in principle (the validity period can even be longer than four years in duly justified cases resulting from the duration of the project). It is granted to a particular exporter for a type or category of dual-use item, and may be valid for exports to one or more specific end-users in one or more specific third countries for the purpose of a specific large-scale project.



The exchange of information between the national authorities and the Commission, but also between the licensing authorities and the customs authorities of the EU Member States, is reinforced.


In France, the implementation of GUN has, for several years now, given the SBDU and the DGDDI shared and transparent knowledge of dual-use files; the submission of a simple application, without a license, to the SBDU is thus visible to customs.


All customs codes likely to correspond to a dual-use item are subject to special attention both at the declarative level by the operator (see RITA & CANA database to be indicated in box 44 of the export declaration) and at the level of surveillance of the flows monitored by the DGDDI.



Paris, June 11, 2021