The EU’s New Dual-Use Regulation: 5 Things to Know

September 2021 - Jonathan Lauria and Cody Taylor

On 9 September 2021, Regulation (EU) No 2021/821 is expected to come into effect in the European Union (EU). It would be the first major overhaul of Regulation (EC) No 428/2009 in over a decade.

This recasting of the long-standing EU dual-use regulation (“Regulation 428”) represents a broadening of the EU’s trade control focus towards cyber-surveillance and human rights. The so-called “recast” dual-use regulation (“Regulation 821”) also serves to provide clarity to the old regulation after many years of amendments.

Here are five things industry needs to know about the new Regulation.

#1: Regulation 821 is replacing Regulation 428 in full

When Regulation 821 comes into effect, it will be the primary regulation for dual-use controls in the European Union.

Regulation 821 will retain the text of Regulation 428 along with the new changes summarized in Figure 1. This means that Regulation 821 will remain largely familiar to those who have worked in EU dual-use controls in the past, despite superseding Regulation 428.

Figure 1. Summary of Key Changes Made in Regulation 821


#2: Human Rights and Cyber-Surveillance are the Focus

The President of the EU Council, João Leão, lauded the changes in Regulation 821 as “giv[ing] human rights the prominence they deserve. Strong controls will allow us to prevent human rights violations and abuses while keeping up with the latest technological developments.”

The reform producing Regulation 821 was passed by a vote of 642 to 37, signaling strong support from the Member States.

#3: Control List Unchanged, but Member States Can Require Authorization for Cyber-Surveillance Items

Regulation 821 does not make any additions or removals of items on the EU Dual-Use Control List (Annex 1).

Instead, per Article 5(1), exported cyber-surveillance items not in Annex 1 that may be intended for “internal repression and/or the commission of serious violations of human rights” will have an authorization requirement. The authorization requirement may be triggered by competent authorities informing exporters or by the exporters themselves through their exercise of due diligence during transactions.

Essentially, companies may be vulnerable to violations if an item not listed in Annex 1 is exported when it meets the conditions detailed in Article 5(1 & 2) and is not properly licensed.

Notably, Regulation 821 does create two new Union General Export Authorizations (UGEAs): EU007 (in Annex IIG) for intra-group export of software and technology, and EU008 (in Annex IIH) for encryption items.

#4: Member States Can Control Other Items Not in Annex 1

Article 9 of Regulation 821 permits the Member States to place an authorization requirement on items (other than for cyber-surveillance) not in Annex 1 for “reasons of public security, including the prevention of acts of terrorism, or for human rights considerations.” Article 8 also accounts for technical assistance.

Member States imposing such authorization requirements must notify the other Member States and the EU Commission, as with the cyber-surveillance items dealt with in Article 5. In accordance with Article 10, Member States are then responsible via their competent national authorities and control lists to authorize the export of items that “may be intended for uses of concern with respect to public security or to human rights considerations.” Updates regarding the implementation of Regulation 821 will be detailed by the EU Commission in its annual report per Article 26(2).

Essentially, Regulation 821 allows for other Member States to impose an authorization requirement on an item not in Annex 1 on the basis that it is regulated by another Member State.

What this means for business is that previously uncontrolled items can now have an authorization requirement if a Member State determines it necessary. To maintain compliance, it is important to stay current with EU Commission reports on additional authorization requirements for items not in Annex 1.

#5: Transmissible Controls Aim to Increase Parity Between Member States

Regulation 821 seeks to harmonize and increase transparency of the EU dual-use regime. At first glance, the changes in Regulation 821 (Articles 5 and 9 in particular) appear to add confusion as each Member State may add new authorization requirements to dual-use items not in Annex 1.

The solution is to make newly implemented controls “transmissible.” Rather than adding items not in Annex 1 on which Member States impose authorization requirements to the EU Dual-Use Control List, Member States imposing new authorization requirements are required to inform other Member States and the EU Commission of their actions. The EU Commission then publishes such authorization requirements for “essentially identical transactions” of cyber-surveillance items (see Figure 2 for definition) in the C Series of the Official Journal of the European Union. The EU will also publish a compilation of updated national control lists in the Official Journal.

Figure 2. Article 2(22) defines “essentially identical transactions”

All Member States should therefore be made aware of new authorization requirements they can impose. To aid parity between Member States, Article 26(1) prompts the EU to create guidelines and recommendations for best practices.


The EU has made control of cyber-surveillance items and prevention of human rights violations key objectives of its recast dual-use export control regime.

Regulation 821 is replacing Regulation 428 to provide Member States and the EU with the flexibility to require authorization (licenses) on previously uncontrolled dual-use items (not in Annex 1) as the need arises.

While nothing has changed in the EU Dual-Use Control List (Annex 1), the changes in Regulation 821 will require industry operating in EU Member States to continue to monitor for new controls and stay in communication with national licensing authorities.

Hopefully, the harmonization efforts provided through new “transmissible” controls will be adopted uniformly, but industry should be prepared to adapt to new control requirements that may emerge.


The information provided in this article does not, and is not intended to, constitute legal advice; instead, all information, content, and materials herein are for general informational purposes only.