Guidelines on the Export of Cyber-surveillance Items Under Article 5 of Regulation 2021-821

November 27, 2024


Key Takeaways

  • Enhanced Due Diligence: Exporters of cyber-surveillance items (goods, software and technology) from the EU must perform detailed due diligence on each transaction, reviewing item capabilities for misuse, assessing stakeholders and developing mitigation plans for potential adverse impacts.
  • Red Flags for Misuse: The Guidelines identify warning signs, such as marketing materials emphasizing covert capabilities or indications of prior misuse for repression, to help EU exporters identify potential risks in transactions.
  • Scope of Controlled Items: While certain items like facial recognition and location tracking may fall under cyber surveillance controls, typical commercial-use items (e.g. billing, marketing, network security) are generally excluded.
  • Ongoing Guidance and Future Clarity: Although no exhaustive product list was provided, future updates may include case studies to clarify compliance. Exporters must gather sufficient information on customers and destination countries moving forward, particularly for potential cyber-surveillance items.
  • US Considerations: The new EU catch-all controls are one of the few areas where the EU controls items and activities that the US does not. The US controls are limited to the specific multilaterally controlled cyber surveillance items the EU already controls.

Introduction

In 2021, the European Union (EU) updated the EU Dual-Use Regulation, setting unified standards for EU member states to control exports of dual-use items. A key addition in Regulation (EU) 2021/821 is Article 5’s “catch-all control” for cyber-surveillance items. This measure has not been implemented by the UK.

This provision mandates exporters to seek authorization if they know or suspect that their cyber-surveillance items could be used for human rights abuses, even if these items aren’t explicitly covered by existing export controls. Examples of such technologies include telecommunications interception systems (5A001.f.), internet surveillance systems (5A001.j.), intrusion software (4A005, 4D004) and forensic tools (5A004.b., 5D002.a.3.b., 5D002.c.3.b.).

Despite rising concerns about the misuse of spyware and surveillance tools, the catch-all control has seen limited application, and many exporters from the EU remain unsure about its implementation. To assist, the EU issued new guidelines on 15 October 2024 to clarify these requirements for exporters.

The updated guidelines are notable as they make clear that for each transaction, exporters are required to evaluate the item’s capabilities for potential misuse, examine all parties involved (including end-users and consignees) and establish measures to prevent and mitigate potential adverse impacts.

The guidelines outline several “red flags” that could suggest misuse of cyber-surveillance items. These include promotional materials emphasizing covert surveillance features and evidence that similar technologies have previously been used for repression.

The EU’s message is clear: exporters must stay vigilant and aware of the broader impacts of their products. By emphasizing transparency and accountability in the cyber-surveillance trade, the EU seeks to foster ethical export practices and safeguard human rights. Exporters are now responsible for ensuring they don’t inadvertently contribute to abuses, underscoring the need for a robust compliance framework.

Overview

The Regulation introduces controls on the export of non-listed cyber-surveillance items that could be used for internal repression or serious violations of human rights and international humanitarian law. Key provisions include:

  • Recital 8: Emphasizes controlling cyber-surveillance items, especially those designed for covert surveillance, while excluding items for purely commercial uses.
  • Recital 9: Calls for harmonizing controls across member states, with information-sharing and vigilance on technological developments.
  • Article 2: Defines cyber-surveillance items as tools for covert monitoring or data analysis.
  • Article 5: Requires export authorization if items are intended for harmful uses and mandates exporters to notify authorities if they identify such risks through due diligence.
  • Article 5(2): Stipulates that the Commission and Council will issue guidelines to help exporters comply with these controls.

Cyber-Surveillance Items Controlled by Annex I to Regulation (EU) 2021/821

Some cyber-surveillance items are already controlled by the Wassenaar Arrangement and by the EU. These items include:

  1. Telecommunication Interception Systems (5A001.f.)
    • Equipment for covertly extracting communication content and metadata that is transmitted over the air via wireless communication, and radio-frequency monitoring equipment. Includes items such as international mobile subscriber identity (IMSI)-catchers that intercept mobile traffic, as well as certain items designed to enable “deep packet inspection”.
    • Excludes mobile jamming equipment, which disrupts communications rather than collects data.
  2. Internet Surveillance Systems (5A001.j.)
    • Internet control systems that operate on a “carrier class IP network” to perform analysis, extraction and indexing of transmitted metadata content (voice, video, messages, attachments) on the basis of “hard selectors”, and map the relational network of people.
    • Excludes user or subscriber-interactive systems like social networks and commercial search engines.
  3. Intrusion Software (4A005, 4D004, 4E001.a, 4E001.c)
    • Includes software as well as systems, equipment, components and related technology, specially designed or modified for the generation, command and control, or delivery of “intrusion software”, but does not apply to “intrusion software” itself, as defined in Annex I to the Regulation.
    • Focuses on preventing misuse while enabling cybersecurity research.
  4. Communication Monitoring Software (5D001.e.)
    • Software for law enforcement to monitor and analyze data from targeted interception measures requested from a communications service provider. Covers software that allows for searches based on “hard selectors” of communication content or metadata, using an interface for lawful interception and mapping the relational network or tracking the movement of targeted individuals based on the results of searches.
    • Excludes systems meant for commercial purposes like billing.
  5. Items for Cryptanalysis (5A004.a.)
    • Equipment designed to defeat cryptographic protections to extract sensitive data, facilitating covert surveillance.
  6. Forensic/Investigative Tools (5A004.b., 5D002.a.3.b., 5D002.c.3.b.)
    • Tools for extracting raw data from devices for judicial use, with the potential for misuse in sensitive cases.
    • Excludes tools not specifically designed for covert surveillance and those used for commercial purposes.

Additional Notes

  • Certain items, such as mobile jamming equipment, intrusion software that modifies systems and laser microphones, are not classified as cyber-surveillance items.
  • Each item’s classification is subject to a case-by-case assessment based on its intended use and design.

Key Definitions

The Regulation provides key definitions essential for controlling exports of non-listed cyber-surveillance items. These terms are crucial for exporters to conduct due diligence effectively:

“Cyber-surveillance items”: Defined in Article 2(20) as dual-use items designed to enable covert surveillance of individuals by monitoring, extracting or analyzing data from information systems.

“Specially designed”: Refers to items where covert surveillance of individuals was the primary purpose of their development, though they may have other uses. Items for commercial purposes (e.g. billing, marketing) are not included in this definition.

“Covert surveillance”: Involves surveillance that is not obvious to the person being monitored, where individuals are unaware and cannot adjust their behavior. Even public space monitoring can count if data is processed for undisclosed purposes.

“Natural persons”: Refers to living human beings, distinguishing them from legal entities, objects, or machines, which are not covered by the Regulation’s surveillance provisions.

The terms “monitoring, extracting, collecting, and analyzing data” in the Regulation refer to specific technical capabilities needed for surveillance:

  • “Monitoring”: Overseeing or surveillance of data.
  • “Extracting”: Drawing data out of systems.
  • “Collecting”: Gathering data.
  • “Analyzing”: Examining data methodically to understand or explain it.

Examples include technologies like intrusion software or facial recognition systems, which can process and analyze data from telecommunications systems. However, items like basic video surveillance cameras do not qualify unless combined with other advanced technologies (e.g. artificial intelligence (AI) or big data). The definition is flexible, and a cyber-surveillance item only needs one of these capabilities to fall under the Regulation’s scope.

The terms “from information and telecommunication systems” refer to systems that process or transmit information electronically, such as computer hardware, software, web technology, and telecommunication systems using wired, wireless, or optical channels. This definition covers a broad range of information systems, focusing on systems rather than individual equipment.

Regarding “awareness” and “intended for” use in harmful activities, exporters must notify authorities if they have positive knowledge that exported items will be used for internal repression or human rights violations. “Awareness” requires active efforts to assess risks, not passive ignorance. Additionally, the term “intended for” refers to specific end-use assessments based on actual circumstances, not theoretical risks.

Technical Scope of Cyber-Surveillance Items

  1. Listed Items: Annex I of the Regulation contains cyber-surveillance items. Exporters can use this list to identify potential non-listed items.
  2. Potential Non-Listed Items: While no exhaustive list exists for non-listed items, some may have surveillance potential and require vigilance under Article 5 of the Regulation. Commercial items like billing, marketing or network security tools generally don’t pose misuse risks but should be monitored due to occasional reports of misuse.
    • Facial and Emotion Recognition Technology: These technologies, typically used for identification, could fall under the Regulation if used for covert surveillance or video analysis. Whether they qualify depends on whether they are specially designed for covert surveillance.
    • Location-Tracking Devices: Advanced tracking technologies, such as satellite or cell tower-based tracking, could enable mass surveillance. Although commonly used by law enforcement and commercially, their potential for abuse requires vigilance.
    • Video-Surveillance Systems: Basic video-surveillance cameras, even high-resolution ones, used in public spaces are not considered cyber-surveillance items as they don’t gather data from information or telecommunications systems.

Due Diligence

The Regulation emphasizes the importance of due diligence measures for exporters, as outlined in Recital 7. Exporters must implement transaction-screening processes, also known as due diligence, as part of an Internal Compliance Programme (ICP). The ICP involves ongoing policies and procedures to ensure compliance with regulations and assess risks related to the export of items.

Key due diligence steps include:

  • Identifying Cyber-Surveillance Items: Exporters must review if non-listed items qualify as “cyber-surveillance items” designed for covert surveillance of natural persons by monitoring or analyzing data from information and telecommunication systems. This involves examining technical characteristics and classifying items appropriately.
    • Exporters are encouraged to consider their products from a broader perspective, beyond the items explicitly listed as restricted. The list of controlled items should serve as a starting point, prompting exporters to assess whether any of their goods, even if not specifically mentioned, could be used in covert cyber-surveillance or potentially violate export controls. In practice, this means reviewing each item they supply and asking, “Is there anything in my product range that, while not explicitly restricted, has features or applications similar to those listed that could lend itself to covert surveillance?” This approach helps ensure compliance by anticipating risks that might otherwise be overlooked in a standard review process.
  • Assessing Misuse Risk: Exporters must evaluate if the product could be misused for internal repression or serious human rights violations, including violations of privacy, freedom of speech, or freedom of association. They should also check if the item could be part of a system that could lead to such misuse.
    • Human Rights Risk Assessment: Exporters are required to assess whether their products could be repurposed to infringe upon fundamental human rights. This includes evaluating the potential for misuse in committing acts of internal repression, violating privacy or infringing upon rights such as freedom of speech, association and religion. Any product that could be used to undermine these rights needs to be carefully scrutinized.
    • Component-Based Risk Assessment: Beyond complete products, exporters must also consider whether their goods could function as parts or components within a larger system that could lead to human rights abuses. For example, if a product could be used to enhance or support a system designed for covert surveillance or repression, it could pose similar risks.
    • Red Flags: Exporters should be alert to red flags that indicate potential misuse, such as items marketed for covert surveillance, known cases of misuse for repression or rights violations, or any information suggesting unlawful surveillance activities or misuse in violation of human rights.
    • Enhanced Scrutiny of Transactions and Destinations: Exporters must apply extra caution if any red flags arise, investigating further to confirm that the end-use, end-user, and destination are legitimate and unlikely to be associated with repressive regimes or unethical activities.

This guidance suggests that the EU takes the view that exporters should potentially be adapting their goods by adding controls or safeguards to prevent improper use, especially if due diligence reveals potential for misuse in illegal surveillance. This could involve measures such as stopping or adjusting activities linked to human rights risks, updating policies, strengthening management systems to detect risks early and notifying authorities of findings.

US Considerations

In March 2022, the United States implemented in the Export Administration Regulations (EAR) controls on “cybersecurity items” that the US, the EU countries and other Wassenaar Arrangement members had agreed to in 2013 and amended in 2017. These controls, with a novel US-only license exception, are, however, limited to controlling the export, reexport and transfer of the listed cybersecurity items. Although the US created in October 2022 novel end-use controls related to the development or production in China of advanced node semiconductors and other items, it has not created any human-rights-specific catch-all controls. In July 2024, however, the US proposed the creation of catch-all controls focused on military end users, intelligence end users and foreign security end users in China and other countries, to address many of the same human-rights issues that motivated the EU’s creation of the new catch-all controls. The US is unlikely to implement the final versions of its new human-rights-specific controls until sometime in 2025.

© 2024 Akin Gump Strauss Hauer & Feld LLP. All rights reserved. Attorney advertising. This document is distributed for informational use only; it does not constitute legal advice and should not be used as such. Prior results do not guarantee a similar outcome. Akin is the practicing name of Akin Gump LLP, a New York limited liability partnership authorized and regulated by the Solicitors Regulation Authority under number 267321. A list of the partners is available for inspection at Eighth Floor, Ten Bishops Square, London E1 6EG. For more information about Akin Gump LLP, Akin Gump Strauss Hauer & Feld LLP and other associated entities under which the Akin Gump network operates worldwide, please see our Legal Notices page.