The European Parliament adopted by 642 votes to 37, with 9 abstentions, a legislative resolution on the proposal for a regulation of the European Parliament and of the Council setting up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items (recast).

The European Parliament’s position adopted at first reading amends the Commission proposal as follows:

Regulation’s objective

It is clarified that the Regulation aims to ensure that, in the field of dual-use items, the Union and its Member States take into account all relevant factors, including international obligations and commitments, obligations arising from relevant sanctions, foreign policy and national security considerations, including those relating to human rights, and considerations relating to the intended end-use and the risk of diversion.

Cyber-surveillance goods

The export of cyber-surveillance items not listed in Annex I would be subject to authorisation if the competent authority has informed the exporter that the items in question are or may be intended for use involving internal repression and/or the commission of serious and systematic violations of human rights and international humanitarian law.

The associated risks include cases where cyber-surveillance goods are specifically designed to enable the intrusion or deep packet inspection of information and telecommunication systems in order to conduct covert surveillance of individuals through the monitoring, extraction, collection and analysis of data from such systems, including biometric data.

Due diligence, information exchange

In order to enhance the effectiveness of export controls on unlisted cyber-surveillance items, Member States should support these controls by exchanging information with each other and with the Commission, in particular on technological developments related to cyber-surveillance items, and by exercising vigilance in the application of these controls in order to promote an exchange at EU level.

In order to enable the EU to react quickly to serious misuse of existing technologies or to new risks associated with emerging technologies, the mechanism put in place by the Regulation should enable Member States to coordinate their responses when a new risk is identified. Equivalent controls at multilateral level could thus be established to broaden the response to the identified risk.

A Member State could also prohibit or require authorisation for the export of dual-use items not listed in Annex I for reasons of public security, including the prevention of terrorist acts, or the safeguarding of human rights.

Export authorisations, brokering and technical assistance services

The Regulation should allow the following types of export authorisations to be issued: (a) individual export authorisations; (b) global export authorisations; (c) national general export authorisations.

Individual and global export authorisations should be granted by the competent authority of the Member State where the exporter is resident or established. They would have a maximum validity of two years, unless the competent authority decides otherwise.

Individual export authorisations should, in principle, be subject to an end-use statement. Global export authorisations could be made subject, where appropriate, to the provision of an end-use statement.

Exporters using global export authorisations should implement an internal compliance programme (ICP), unless the competent authority deems it unnecessary due to other circumstances which it has taken into account when processing the exporter's application for a global export authorisation.

Technical assistance authorisations should clearly indicate the end-user and its exact location.

Administrative cooperation, enforcement and control

Through this Regulation, the EU demonstrates its commitment to maintaining robust legal requirements with regard to dual-use items, as well as to strengthening the exchange of relevant information and greater transparency.

The Dual-Use Coordination Group should set up an enforcement coordination mechanism to support exchange of information and direct cooperation between competent authorities and enforcement agencies of the Member States.

Within the framework of the enforcement coordination mechanism, Member States and the Commission should exchange relevant information, including on the application, nature and effect of measures taken, on the application of best practice and unauthorised exports of dual-use items and/or on breaches of the Regulation and/or relevant national legislation.

The exchange of information should also cover best practice of national law enforcement authorities with regard to risk-based audits and the detection and prosecution of unauthorised exports of dual-use items.

The exchange of information under the enforcement coordination mechanism would be confidential.

Guidance for exporters

This Regulation also aims to strengthen the guidance to be given to exporters, in particular to small and medium-sized enterprises (SMEs), regarding responsible practices, yet without impairing the global competitiveness of exporters of dual-use items.

The provision of guidelines and/or recommendations for best practices to exporters, brokers and providers of technical assistance shall be the responsibility of the Member States where they are resident or established.

Parliament also approved a declaration by the Commission recognising the importance of a common capacity building and training programme in the field of licensing and enforcement for an effective EU export control system.

The Commission presented a report on the implementation of Regulation (EC) No 428/2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items.

The report, prepared by the Commission with input from Member States' in the Dual-Use Coordination Group (DUCG), provides information on the implementation of the Regulation in 2017, and includes aggregated export control data for 2016.

Export control policy review

Further to the adoption on 28 September 2016 of a Commission proposal for a modernisation of EU export controls, the legislative process has started in 2017 as the European Parliament and the Council examined the proposal.

INTA adopted a report on the legislative proposal on 21 November 2017, including 101 amendments demonstrating the Parliament's broad support for more harmonised and effective controls, adapting the EU export control system to new threats associated with cybersurveillance items and taking into consideration human rights.

For its part, the Commission conducted a series of targeted consultations and outreach to key industry and civil society stakeholders in the course of 2017.

Activities of the Dual-Use Coordination Group (DUCG)

During the reporting period, TDAG held six meetings, providing a forum for consultations on a number of emerging issues related to the application of the regulations. In particular, TDAG organised:

- general information exchanges in support of the modernisation of EU export controls, in particular on the implementation of catch-all and transit controls and the validity of licences;

- general exchanges of information on the implementation of national measures;

- a collection of 2016 licensing data;

- an exchange of information on the application of controls over cyber-surveillance technologies.

DUCG also:

- supported the preparation of updates to the EU control list;

- held exchanges of technical information on specific implementation issues;

- decided to establish a Technical Expert Group (TEG) to develop guidelines to ensure industry compliance;

- continued to support the further development of the online Dual-Use Goods System (DUeS), a secure and encrypted electronic system hosted by the Commission, in order to facilitate a better exchange of information between export control authorities and the Commission;

- exchanged information on specific attempts to circumvent controls;

- contributed to the organisation of a forum on export control on 19 December 2017 in Brussels and prepared documentation to facilitate the application of the regulations by exporters.

Export control

In 2017, the Regulation primarily applied to the export of about 1841 dual-use ‘items’ listed in Annex I (the "EU Control List") and classified in 10 categories. These dual-use items relate to circa 1000 customs commodities, including chemicals, metals and non-metallic mineral products, computers, electronic and optical products, electrical equipment, machinery, vehicles and transport equipment.

Statistical estimates of the relative importance of dual-use trade indicate that dual-use exports represent about 2.6% of EU total exports (intra and extra-EU), within a broad ‘dual-use export domain’ of customs commodities. The main dual-use export destinations and indicate that a large part of these exports are directed towards 'EU001 countries' benefiting from Union general export authorisations (EUGEAs).

Authorised dual-use trade amounted to EUR 33.1 billion, representing 1.9% of total extra-EU exports, with a majority of transactions authorised under individual licenses (approx. 25 000 single licenses issued in 2016) and global licenses (by their value). Only a small portion of exports were actually denied: approx. 690 denials were issued in 2016, representing about 1.1% of the value of controlled dual-use exports in that year, and 0.03% of total extra-EU exports.

The European Parliament adopted by 571 votes to 29, with 29 abstentions, amendments to the proposal for a regulation of the European Parliament and of the Council setting up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items (recast).

The matter was referred back to the committee responsible for interinstitutional negotiations.

The main amendments adopted in plenary concern the following issues:

Cyber-surveillance and human rights violations : in addition to traditional dual-use items, the Regulation should cover cyber-surveillance assets used to directly interfere with human rights, including the right to privacy and data protection, freedom of expression, freedom of assembly and association .

Items to be covered by this Regulation should include hardware, software and technology, which are specially designed to enable the covert intrusion into information and telecommunication systems and/or the monitoring, exfiltrating, collecting and analysing of data and/or incapacitating or damaging the targeted system without the specific, informed and unambiguous authorisation of the owner of the data.

Considering the rapid advance of technological developments, it is appropriate that the Union introduces controls on certain types of cyber surveillance technologies on the basis of a unilateral list, in Section B of Annex I. The Council, the Commission and Member States should, in close cooperation with the EEAS, pro-actively engage in the relevant international fora in order to establish the list of cyber-surveillance items set out in Section B of Annex I as an international standard .

Due diligence : if an exporter, becomes aware while exercising due diligence that dual-use items not listed in Annex I which he or she proposes to export, may be intended to violate human rights, he or she must notify the competent authority of the Member State in which he or she is established or resident in, which will decide whether or not it is expedient to make the export concerned subject to authorisation.

A Member State may prohibit or impose an authorisation requirement on the export of dual-use items not listed in Annex I for reasons of public security, for human rights considerations or for the prevention of acts of terrorism . The manufacture's note of licensing requirements should also be compulsory for exports to third countries.

Export authorisations : individual export authorisations and global export authorisations shall be valid for two years , and may be renewed by the competent authority. They may be suspended or revoked at any time. The identity or nature of the entity that will be the end-user shall be identified.

Applications for authorisation shall be processed within 30 days of the filing of the application and the competent authority shall decide on applications for individual or global export authorisations, at the latest, within 60 days of valid submission of the application.

The exporter shall have the possibility, on a voluntary basis, to have its internal compliance programme (ICP) certified free of charge by the competent authorities on the basis of a reference ICP established by the Commission, in order to obtain incentives in the authorisation process.

Criteria to be taken into account : in deciding whether or not to grant an individual or global export authorisation, the competent authorities of the Member States shall take into account all relevant considerations including:

the obligations of the Union and the Member States under sanctions imposed by a decision or a common position adopted by the Council or by a decision of the OSCE or by a binding resolution of the Security Council of the United Nations; the occurrence of violations of human rights law , fundamental freedoms and international humanitarian law in the country of final destination as has been established by the competent bodies of the UN, the Council of Europe or the Union; the behaviour of the country of destination with regard to the international community, as regards in particular its attitude to terrorism, the nature of its alliances and respect for international law.

With regard to cyber surveillance items , the competent authorities of the Member States shall in particular consider the risk of violation of the right to privacy, the right to data protection, freedom of speech and freedom of assembly and association, as well as risks relating to the rule of law. If the existence of such risks is likely to lead to serious violations of human rights, Member States shall not grant export authorisations .

Guidelines : Members proposed that the Commission and the Council make guidelines available (in the form of a handbook) as soon as the Regulation enters into force, so as to ensure common risk assessments as well as uniformity of the criteria for licensing decisions.

That handbook shall be developed in close cooperation with the European External Action Service (EEAS) and the Dual Use Coordination Group and shall involve external expertise from academics, exporters, brokers and civil society organisations.

Modification of lists : new risks and new technologies may be added urgently to the Regulation. The Commission may also remove items from the list if, as a result of the fast-changing technological environment, these items have become lower tier or mass market products that are easily available.

Penalties : the Dual-Use Coordination Group shall set up an Enforcement Coordination Mechanism to provide for uniform criteria for licensing decisions. Upon assessment by the Commission of the rules on penalties laid down by Member States, the mechanism shall provide for ways to make penalties for infringements of this Regulation similar in nature and effect .

Transparency : Member States shall disclose publicly, at least quarterly and in an easily accessible manner, meaningful information on each license with regard to the type of license, the value, the volume, nature of equipment, a description of the product, the end user and end use, the country of destination, as well as information regarding approval or denial of the license request.

Lastly, Members asked that the Commission's evaluation report on the Regulation include a proposal on the deletion of encryption technologies from the list of controlled items.

PURPOSE: to set up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items (recast).

PROPOSED ACT: Regulation of the European Parliament and of the Council.

ROLE OF THE EUROPEAN PARLIAMENT: Parliament decides in accordance with the ordinary legislative procedure on an equal footing with Council.

BACKGROUND: Regulation (EC) No 428/2009 set up a Community regime for the control of exports, transfer, brokering and transit of dual-use items. The Commission presented in October 2013 a report to the European Parliament and to the Council on the implementation of the Regulation. The report concluded that the EU export control system provides solid legal and institutional foundations but the system must be upgraded in order to face new challenges.

In April 2014, the Commission adopted a communication setting out concrete policy options for the review of the EU export control regime and its adaptation to rapidly changing technological, economic and political circumstances.

In 2015, the Commission conducted an impact assessment of the review options outlined in that communication. As part of the impact assessment, the Commission conducted a public consultation, from which it emerged that’s stakeholders generally agreed that a review of current rules would improve the export control system , in particular with regards to its capacity to address evolving security risks such as the proliferation of weapons of mass destruction and terrorism and to respond to rapid scientific and technological developments.

The export control policy review has been identified as an initiative under the regulatory fitness and performance programme (REFIT). Council Regulation (EC) No 428/2009 has been amended on several occasions. Since further amendments are to be made, it should be recast in the interests of clarity and readability.

IMPACT ASSESSMENT: besides the baseline scenario (no policy change), the impacts of four other scenarios were assessed. A combination of the options "EU system upgrade" (adjustments to the regulatory framework), and "EU system modernisation" (focusing on cyber-surveillance Technologies and human rights) was retained as the preferred solution.

CONTENT: the proposal to recast Regulation (EC) No 428/2009 aims to set up a Union regime for the control of exports, transfer, brokering, technical assistance and transit of dual-use items. The main points are as follows;

Control provisions : the proposal:

contains amendments to key export control notions : the definition of dual-use items is thus revised to reflect the emergence of new types of dual-use items, such as cyber-surveillance technologies. The proposal also clarifies that controls apply to natural persons, who may be "exporters", especially when it comes to technology transfers; clarifies controls on and facilitates intangible technology transfers , as they only become subject to control when the dual-use technology is made available to a person in a third country; clarifies controls applicable to technical assistance involving a cross-border movement; strengthens brokering controls , (i) by extending the definition of the broker to subsidiaries of EU companies outside of the EU, as well as to brokering services supplied by third country nationals from within the EU territory; (ii) by harmonising their application to non-listed items and military end-uses and extending their application to terrorism and human rights violations ; harmonises the application of transit controls to non-listed items and military end-uses, and extends controls to the risk of misuse for terrorist acts and human rights violations; puts in place certain controls an anti-circumvention clause to combat trafficking in items of dual usage.

EU licensing : the proposal:

provides for a definition of authorisations and for common licensing parameters (e.g. validity period) and conditions for use of the EU general authorisations and for global licences; establishes a new authorisation for 'large-projects' for certain large multiannual projects e.g. construction of a nuclear power plant; introduces new general authorisations regarding encryption and low value shipments to facilitate trade while ensuring a sufficient level of security through robust control modalities (e.g. registration, notification and reporting, and auditing); introduces a general authorisation on intra-company transfers of dual-use technology in non-sensitive countries, in particular for research and development purposes, as long as the technology remains under the ownership or control of the parent company.

Convergence of catch-all controls : the proposal provides for a clarification and harmonisation of the definition and scope of catch-all controls to ensure their uniform application across the EU.

Re-evaluation of intra-EU transfers : the proposal revises the list of items subject to control within the EU in order to focus controls on an updated list of most sensitive items, taking account of technological and commercial developments;

Control of exports of cyber-surveillance technologies : the proposal sets out new provisions for an effective control focusing on specific and relevant cyber-surveillance technologies. It introduces an EU autonomous list of specific cyber-surveillance technologies of concern to be subject to controls (monitoring centres and data retention systems), with detailed technical parameters.

Enhanced cooperation : the proposal provides for enhanced information exchange between competent authorities and the Commission with a view to support effective and consistent application of controls. It introduces a legal basis regarding the introduction of electronic licensing systems and their interconnection with the Dual-Use Electronic System, and for the setting up of 'technical expert groups' bringing together key industry and government experts into a dialogue on the technical parameters for controls.

Transparency and outreach : the proposal sets out transparency measures and expands outreach and information-sharing with operators in order to develop a "partnership with the private sector".

Dialogue with third countries : the proposal provides a basis for the development of regular dialogues between the EU and key trade partners, and for the negotiation of mutually beneficial measures such as end-user verification programmes (whereby selected third-country companies could be granted special status of "Verified end-user" and obtain EU-wide recognition and facilitation of controls).

BUDGETARY IMPLICATIONS : some specific provisions in the proposal are expected to have implications on the resources of relevant services at EU or national levels , in particular ;

extended competence for the Commission to amend lists of dual-use items and general export authorisations by delegated acts ; cyber-surveillance controls expected to require some additional administrative costs (staff) for administrations, both at national and EU level; the realisation of certain actions – such as the development of electronic licensing systems – while the financing and budgetary implications remain to be assessed in detail before any decision is taken regarding their implementation.

DELEGATED ACTS: the proposal contains provisions empowering the Commission to adopt delegated acts in accordance with Article 290 of the Treaty on the Functioning of the EU.