top of page

EU export controls: the 821 clinic - Session 2 The new cyber surveillance controls – what, why, how

Customs Manager Ltd is delighted to present, in conjunction with WorldECR , a six-webinar series giving you the lowdown on the new EU export control regulation. (P)

This series has 6 sessions:

• Session 1: Overview of the key changes in a nutshell

• Session 2: The new cyber surveillance controls – what, why, how?

• Session 3: Could I be caught by catch-all?

• Session 4: Two new General Licences: Are they right for my company, and how do I use them?

• Session 5: The EU Export control regime – for non-EU companies

• Session 6: Putting it all together: What does the regulation mean for my ICP?

Let's explore Session 2

Session 2: The new cyber surveillance controls – what, why, how?

The recast was, in part, driven by a perceived need for better technology that might be used for ‘cyber surveillance’. This session looks at the breadth of new provisions, including catch-all, the new ‘transmissible controls’ concept, and other areas of the Regulation which may, in particular, affect the ICT sector.

Watch the Reconding On Demand


Tom Blass, WorldECR: I don’t sell or export ‘spyware’ – so why is this stuff important for me to know?

Arne Mielken, Customs Manager Ltd: Three aspects to it are important.

1. Understand what is controlled and what is not

2. Understand who determines what is controlled specifically and what the consequences are

3. Understand how the EU wants us to control this and act.

I should tell you that the EU law is currently not specific enough for us to say DO THIS or DO THAT. We need guidance and more instructions, to be provided by the EU and the Member States.

As we have seen with companies like Kingfisher or recently alleged under the PEGASUS project, certain cyber-surveillance technologies exported have been misused by persons complicit in or responsible for directing or committing serious violations of human rights or international humanitarian law in situations of armed conflict or internal repression.

The EU believes that it is appropriate to control the export of those technologies to protect public security as well as public morals.

Tom Blass, WorldECR: You mean, some of the things I export could be considered to be ‘spyware’?

Arne Mielken, Customs Manager Ltd: You are right to be concerned.

Think about all the many products and items that we export which deal with capturing data and transmitting it to us. There are endless commercial applications used, for example, for billing, marketing, quality services, user satisfaction, network security etc. are considered to generally not entail risks.

Rest assured; this is not what the EU targets. No licence is required.

Let me tell you what is controlled. These are cyber-surveillance items that are

  • specially designed

  • to enable intrusion or deep packet inspection into information and telecommunications systems in order

  • to conduct covert surveillance of natural persons by

  • monitoring, extracting, collecting or analysing data, including biometrics data, from these systems”.

So, these are very specific controls aiming to capture specific systems. Most of us won’t be concerned.

Tom Blass, WorldECR: So when I want to export these items, I need a licence?

Arne Mielken: Not necessarily! There is a further limitation.

The law says that the export must have been informed by the authorities that the items in question are or may be intended, in their entirety or part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.

Then - a licence is required.

Tom Blass, WorldECR: What if I become aware of some possible fishy activity going on?

Arne Mielken, Customs Manager Ltd:

Where an exporter is aware, according to its due diligence findings, that cyber-surveillance item which the exporter proposes to export, not listed in Annex I, are intended, in their entirety or part, for any of the uses we discussed, then there is a legal requirement to notify the competent authority. The authority then decides whether to make the export concerned subject to authorisation.

So, what businesses need is

  • guidance to exporters from the authorities

  • a due diligence programme by the exporter to include cyber security and human rights abuse provisions

  • knowledge of these new rules by the exporter

  • processes in the company on how to deal with such events when they incur. I would argue that an ICP may be a good place for this.

Tom Blass, WorldECR: Hm. ‘Transmissible controls.’ and the “Eu Watch List” What do these terms mean

The Recast has added a catch-all in its Article 10, whereby authorisations shall be required for the export of non-listed dual-use items, if another Member State imposes an authorisation requirement based on a national control list of items and if the competent authority considers that the items are or may be intended for uses of concern concerning public security, e.g. acts of terrorism, and human rights considerations.

So, transmissible controls, in a nutshell, allow one Member State to introduce export controls based on another Member State’s legislation.

The mechanism in the legislation follows a “bottom-up” approach when MS decide to control non-listed cyber-surveillance items based on human rights considerations.

So, there are can be national control lists!

This is a recipe for disaster for businesses in the EU, if not managed carefully.

It could mean that an EU member state blocks an export, while another member state decides not to, even though the export concerned the same item and end-user.

It is not a level playing field if you cannot ship the products from, for example, France, whereas your competitor in Germany can ship them.

The mechanism in the regulation provides for the introduction of controls through a mandatory and prescriptive consultation procedure, resulting in the publication of an “EU Watch List” of items and destinations subject to control.

Any authorisation requirements based on national control lists have to be published by the Commission and can then become valid throughout the EU.

The result is that through this mechanism, the EU can make its own decisions regarding cyber-surveillance items (goods and technologies) used, or intended for use, in internal repression and/or the commission of serious violations of human rights and international humanitarian law.

The EU calls it the so-called “human security” dimension according to Art. 2.20, Art. 5). So the creation of the EU watch list is another reason to carefully monitor the EU OJ every day.

Tom Blass, WorldECR: Ok, I’m an ICT company: does that mean I have to re-appraise my whole EU compliance plan?

Arne Mielken, Customs Manager Ltd:

Businesses are asked to contribute to trade control, namely by assessing risks related to transactions concerned by this regulation, through transaction-screening measures. Are you doing this in line with the new requirements?

  • The Recast includes internal repression and human rights and international humanitarian law violations in its article 5 catch-all criteria for non-listed cyber-surveillance items. Does your Eu compliance plan include due diligence checks on this?

  • The EU enshrines human rights considerations and public security in its article 9 catch-all for non-listed dual-use items – adding the prevention of acts of terrorism. How does your compliance plan add to the prevention of terrorism, how would you demonstrate your efforts in case of an audit?

  • the recast introduces a definition of the Internal Compliance Programme (‘’ICP’’) – i.e. ongoing effective, appropriate and proportionate policies and procedures adopted by exporters to facilitate compliance with the Regulation and implemented authorisations, including due diligence measures assessing risks related to the export of the items, to end-users and end-uses.

  • ICPs are even a criterion to grant a global export authorisation: the Recast introduces the ICP implemented by the exporter in the criteria for the Member States to assess applications for global export authorisations. Do you have one and does it need to be updated?

So in short, look at how you can strengthen the focused new dimensions of these controls.

About Customs Manager Ltd.

Working with us means having a Customs Advisor, Global Trade Expert and Export Controls Consultant, on speed-dial. If you are looking for a customs consultant UK and EU, let us help you trade effectively, efficiently and, of course, compliantly, wherever you want to go in the world.

Need to stay up-to-date with changing customs and global trade rules? We monitor legislation so our clients don't have to. Learn about all changes in our fresh expert blog, join exclusive briefings and ask any questions 24/7 through to the VIP hotline. Or sign up to our no-charge, insightful newsletter.

Entrust us with your training needs and help us to upskill you and your teams in English, German, French and Spanish. We offer pubic and private live, in-house and on-demand (study from anywhere and anytime) courses.

To complete our support for globally trading businesses, we are also a UK Customs Broker. We act as a customs clearance agent on behalf of many EU and UK businesses, assisting with customs documentation and all other formalities to ensure the customs clearance of our goods. Whether you’re seeking a long-term partner to look after your customs clearance or require support for a one-off shipment, please don’t hesitate to get in touch to discuss your requirements.

Join us on social media

Important Notice

Customs Manager Ltd. owns the copyright in this information, unless other sources are identified.

You are not allowed to use this information in any way that infringes the intellectual property rights in it. You may have to hold a valid licence to use this information. A licence can be obtained by becoming a Premium subscriber to the Customs Managers’ Trade Intelligence service. As a Premium subscriber, you may download and print this information which you may then use, copy or reproduce for your own internal non-profit-making purposes.

However, under no circumstances are you permitted to use, copy or reproduce this information to profit or gain.

In addition, you must not sell or distribute this information to third parties who are not members of your organization, whether for monetary payment or otherwise.

This information is intended to serve as general guidance only and does not constitute legal advice. We cannot guarantee the quality, content, or accuracy of the information provided on this page as laws and information change regularly. Moreover, the application and impact of laws can vary widely based on the specific facts involved. This information should not be used as a substitute for consultation with professional legal or other competent advisers. Before making any decision or taking any action, you should consult a Customs Manager Ltd. professional.

In no circumstances will Customs Manager Ltd, be liable for any decision made or action was taken in reliance on the information contained within this document or for any consequential, special or similar damages, even if advised of the possibility of such damages.

9 views0 comments


bottom of page