European Union — Export Controls

Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 sets up the EU regime for the control of exports, brokering, technical assistance, transit, and transfer of dual-use items (the "EU Dual-Use Regulation"). The Regulation entered into force on 9 September 2021, repealing and replacing Regulation (EC) No 428/2009, though licensing applications submitted before 9 September 2021 continued to be processed under the prior regulation.

Dual-use items are defined in Article 2(1) as items — including goods, software, and technology — that can be used for both civilian and military purposes. Examples range from advanced semiconductors and encryption software to biological agents and uranium enrichment equipment. The term captures items that have legitimate commercial applications but also pose proliferation or national-security risks if diverted.

Article 1 establishes the scope: the Regulation controls five categories of activities:

• Export (Article 2(2)): the physical sending, electronic transmission, or personal carriage of dual-use items from the EU customs territory to a third country.
• Brokering (Article 2(5)): the negotiation or arrangement of transactions involving dual-use items between third countries (i.e., when neither the origin nor the destination is within the EU).
• Technical assistance (Article 2(6)): technical support related to the design, development, manufacture, assembly, testing, maintenance, or any other technical service for dual-use items, including instruction, advice, training, and consulting, whether delivered in person, electronically, or verbally.
• Transit (Article 2(13)): the movement of non-EU dual-use items through EU territory without being placed under a customs procedure such as release for free circulation.
• Transfer (Article 2(14)): the intra-EU movement of certain particularly sensitive dual-use items listed in Annex IV of the Regulation (for instance, specific materials used in nuclear fuel cycles and certain military-applicable stealth technologies). Most dual-use items may move freely within the EU; only Annex IV items require a transfer authorization.

Any natural or legal person — including researchers, exporters, brokers, and technical-assistance providers — established or resident in the EU customs territory may be subject to the Regulation's requirements when engaged in one of these five activities.

Territorial application extends across the entire EU customs territory, which currently comprises the 27 EU Member States. The Regulation does not apply to exports of military items (which fall under Council Common Position 2008/944/CFSP and national military-export laws), nor does it govern items covered by separate EU sanctions regimes, though both frameworks may apply concurrently.

Article 3(1) sets the core licensing requirement: an authorisation is required for the export of dual-use items listed in Annex I of the Regulation. Annex I implements the control lists agreed by the four multilateral export-control regimes — the Wassenaar Arrangement (conventional arms and dual-use goods), the Missile Technology Control Regime (MTCR), the Nuclear Suppliers Group (NSG), and the Australia Group (chemical and biological weapons precursors) — as well as commitments under the Chemical Weapons Convention. Annex I is updated at least annually by the European Commission through delegated regulations to incorporate changes agreed in those multilateral fora.

Additional "catch-all" controls in Articles 4 and 5 may require an authorisation for items not listed in Annex I if a Member State competent authority informs the exporter that the items are or may be intended for weapons of mass destruction (Article 4), military end-use in an embargoed country (Article 4), or — under Article 5 — internal repression involving cyber-surveillance technology that could enable serious human-rights violations.

The Regulation replaced the previous regime (Regulation 428/2009) with a recast framework that introduced several modernisations: expanded controls on cyber-surveillance items under Article 5, new Union General Export Authorisations (UGEAs) for intra-group transfers of software and technology (EU007, Annex II-G) and for encryption items (EU008, Annex II-H), mandatory internal compliance programmes (ICPs) for holders of global export authorisations, and an enhanced Dual-Use Coordination Group (Article 24) to harmonise national licensing practices and share information on denials.

Member States retain the power under Article 9 to impose national controls on non-listed items for reasons of public security or human rights, and under Article 10 of Regulation (EU) 2015/479 to prohibit or restrict exports on other public-policy grounds, though such measures must be notified to the Commission and published in the Official Journal.

Source: Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast)

Annex I to Regulation (EU) 2021/821 establishes the common EU control list of dual-use items — goods, software, and technology — that require an export authorisation under Article 3(1) when exported from the EU customs territory to third countries. The Annex implements the control lists agreed by four multilateral export-control regimes (the Wassenaar Arrangement, the Missile Technology Control Regime, the Nuclear Suppliers Group, and the Australia Group) and commitments under the Chemical Weapons Convention. The Commission updates Annex I at least annually through delegated regulations to reflect new international agreements on proliferation-sensitive technologies.

Annex I organises controlled items into ten categories, numbered 0 through 9. Each category corresponds to a distinct technology domain or industrial sector. An exporter must determine which category, if any, applies to its item — and then review the specific entries, sub-entries, and technical parameters within that category — to decide whether an authorisation is required. The ten categories are:

• Category 0 — Nuclear Materials, Facilities and Equipment

Covers nuclear reactors, specially designed or prepared nuclear-fuel-cycle equipment (enrichment, reprocessing, heavy-water production), nuclear materials (source material, special fissionable material, and items above specified isotopic thresholds), and deuterium and heavy water. Implements Nuclear Suppliers Group trigger lists and dual-use nuclear controls.

• Category 1 — Special Materials and Related Equipment

Includes composite and ceramic materials (fibrous/filamentary materials exceeding specified tensile strengths or elastic moduli), metals and alloys (maraging steels, titanium alloys, aluminium alloys meeting aerospace-grade specifications), toxins, pathogens, genetic elements, and other materials with proliferation or biological-weapons concern. Implements Australia Group biological- and chemical-precursor lists and Wassenaar advanced-materials entries.

• Category 2 — Materials Processing

Machine tools (including numerically controlled lathes, milling machines, and coordinate measuring machines meeting precision thresholds), dimensional-inspection or measuring systems exceeding specified accuracy levels, controlled-atmosphere and vacuum furnaces, isostatic presses, and vibration-test equipment. Relevant for precision manufacturing of missile components, centrifuge parts, and aerospace structures.

• Category 3 — Electronics

Integrated circuits (including microprocessors, analog-to-digital converters, and field-programmable gate arrays exceeding specified performance parameters), microwave and millimetre-wave items (travelling-wave tubes, power amplifiers), electronic assemblies and components (capacitors, switches, connectors meeting military or radiation-hardened specifications), and semiconductor manufacturing equipment (epitaxy reactors, ion implanters, photolithography equipment).

• Category 4 — Computers

Electronic computers and related equipment exceeding specified aggregate computational performance thresholds (measured in weighted teraFLOPS, WT), hybrid computers, electronic assemblies specially designed for signal or image enhancement under specific conditions, and "software" specially designed for the "development," "production," or "use" of controlled computer equipment.

• Category 5 — Telecommunications and Information Security

Subdivided into Part 1 (Telecommunications) (optical-fiber communication cables, underwater communication equipment, radio equipment exceeding specified frequency or output-power parameters, fibre-optic items) and Part 2 ("Information Security") (cryptographic systems, cryptanalytic systems, software and hardware using symmetric or asymmetric algorithms exceeding key-length thresholds, systems specially designed for command-and-control or intelligence applications). Part 2 is particularly sensitive and many items are listed in Annex IV, meaning they require authorisation even for intra-EU transfers among Member States.

• Category 6 — Sensors and Lasers

Optical sensors and lasers (including continuous-wave and pulsed lasers exceeding specified wavelengths, output power, or pulse-repetition rates), cameras (focal-plane arrays, streak cameras, framing cameras for high-speed imaging), optics (mirrors, windows, lenses meeting specified surface-finish or wavefront-distortion parameters), and magnetometers, gravimeters, and radiation-detection equipment exceeding sensitivity thresholds. Relevant for precision-guided munitions, missile seekers, and intelligence-surveillance-reconnaissance (ISR) platforms.

• Category 7 — Navigation and Avionics

Accelerometers and gyroscopes meeting specified bias-stability or drift-rate parameters, inertial navigation systems, Global Navigation Satellite System (GNSS) receiving equipment capable of operation above specified altitude and speed coordinate limits (the "COCOM limits"), radar systems, flight-control systems (including "FADEC" — Full Authority Digital Engine Control systems), and airborne-refueling equipment.

• Category 8 — Marine

Submersible and surface vessels (including unmanned underwater vehicles, remotely operated vehicles, and manned submersibles exceeding specified depth ratings), underwater-detection systems (sonar, acoustic arrays, magnetometers, electric-field sensors), marine propulsion systems, and hydrofoil systems, surface-effect vehicles, and air-cushion vehicles.

• Category 9 — Aerospace and Propulsion

Aero gas-turbine engines and components (including those meeting specified thrust-to-weight ratios or specific fuel consumption parameters), ramjet, scramjet, or combined-cycle engines, rocket propulsion systems and components (nozzles, thrust-vector-control systems, turbo-pumps, combustion chambers, solid propellants), unmanned aerial vehicles (UAVs) and remotely piloted aircraft systems exceeding specified range or endurance parameters, launch vehicles, spacecraft buses, and re-entry vehicles.

Each category is further subdivided into lettered sections:

• Section A — End products, systems, and equipment
• Section B — Test, inspection, and production equipment
• Section C — Materials
• Section D — Software
• Section E — Technology

Within each section, items are identified by alphanumeric Entry Control List Numbers (ECLNs) — for example, 3A001 designates a category-3 (Electronics), section-A (end products), entry 001 integrated circuit; 5A002 designates a category-5, section-A, entry 002 "information security" system. Sub-entries are denoted by lower-case letters and further nested numbers (e.g., 3A001.a.1). An exporter must read the entry text, the technical parameters, and all relevant notes to determine coverage.

Technology entries in Section E warrant special attention. Under the general technology note, "technology" for the "development," "production," or "use" of controlled goods in Categories 1–9 is itself controlled according to the provisions of the relevant category, even when the technology is applicable to non-controlled goods. However, controls do not apply to technology that is "in the public domain" (defined in the General Technology Note), to "basic scientific research" (pre-competitive fundamental research in educational institutions), or to the minimum technology necessary for the installation, operation, maintenance, or repair of goods whose export has been authorised.

The Annex I introductory notes and definitions section (approximately 100 pages in recent consolidated versions) defines over 400 terms used throughout the list — including "accuracy," "adapted for use in space," "aircraft," "ASW" (anti-submarine warfare), "CAS latency time," "critical temperature," "development," "FADEC," "fibrous or filamentary materials," "information security," "laser," "production," "required," "software," "spacecraft," "technology," "use," and many industry-specific technical parameters. These definitions are binding: an item meets a control description only if it satisfies the defined terms.

Classification is a fact-intensive, technically demanding exercise. Exporters who cannot reliably determine an item's control status may request a classification opinion from the competent export-control authority of the Member State in which they are established (national procedures vary; in Germany, BAFA; in France, SBDU of the DGE; in the Netherlands, the RVO). Obtaining a written classification opinion is advisable for novel items, items with marginal technical parameters, or where a licensing decision depends on the classification.

Annex I is a living document. Delegated Regulation (EU) 2023/996 (updating the list effective 25 May 2023), Delegated Regulation (EU) 2024/2547 (updating the list effective 8 November 2024), and Delegated Regulation (EU) 2025/2003 (updating the list effective 15 November 2025) each added new items (including quantum-technology controls, advanced semiconductor manufacturing equipment, chemical precursors, and cyber-surveillance tools) and modified existing entries. Exporters must consult the current consolidated version of the Regulation to avoid applying a superseded control text.

Source: Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast), Annex I

Source: Joint Research Centre, The TIM Dual-Use Dashboard — monitoring technologies related to each of the categories of the EU dual-use control list

Union General Export Authorisations (UGEAs) — set out in Annex II to Regulation (EU) 2021/821 — are pre-approved export authorisations that permit EU exporters to export specified dual-use items listed in Annex I to designated low-risk destinations under defined conditions without applying for an individual or global licence from a Member State competent authority. UGEAs are valid throughout the EU customs territory and may be used by any exporter established in a Member State, subject to compliance with the conditions in each UGEA and provided the competent authority of the Member State where the exporter is resident or established has not prohibited the exporter from using UGEAs under Article 9(7) of the Regulation.

UGEAs represent the most common licensing pathway for routine dual-use exports from the EU. An exporter who confirms that (1) the item falls within Annex I, (2) the transaction meets the scope and conditions of a UGEA in Annex II, and (3) none of the prohibitions in Article 4 (WMD / military end-use / components of unauthorised military items), Article 5 (cyber-surveillance for internal repression or human-rights violations), or other catch-all provisions apply, may rely directly on the UGEA and proceed with the export, subject to first-use notification or registration requirements specified in each UGEA section.

Article 9(7) permits the competent authority of the Member State where the exporter is resident or established to prohibit the exporter from using UGEAs if there is reasonable suspicion about the exporter's ability to comply with the authorisation or with export-control legislation. Competent authorities of Member States must exchange information on exporters prohibited from using UGEAs unless the authority determines the exporter will not attempt exports through another Member State.

Annex II divides UGEAs into eight sections (A through H), each corresponding to a distinct UGEA. The current set of UGEAs as of 9 September 2021 (entry into force of Regulation 2021/821) comprises:

**UGEA EU001 — Exports to trusted destinations (Section A)**

Scope: Covers all dual-use items in Annex I except those specifically excluded in Section A, Part 1 of Annex II (which lists items by ECCN and excludes certain software in Section D and technology in Section E of each Annex I category, items listed in Annex IV requiring intra-EU transfer authorisation, and items subject to specific Member State or Commission denial notifications).

Destinations: Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland (including Liechtenstein), the United Kingdom, and the United States of America. Russia was removed from the scope of UGEA EU001 by Delegated Regulation (EU) 2022/699 of 3 May 2022, effective immediately, in response to Russia's invasion of Ukraine and the resulting threats to the Union's essential security interests.

Conditions: The authorisation prohibits exports if the exporter has been informed by a competent authority or is aware that the items are or may be intended for WMD use (Article 4(1)(a)), military end-use in an embargoed destination (Article 4(1)(b)), or as components of unauthorised military items (Article 4(1)(c)). Exporters must also comply with any Member State national measures or sanctions regimes that may further restrict exports even to these destinations.

Registration / notification: Exporters intending to use UGEA EU001 must register with or notify the competent authority of the Member State in which they are established prior to first use or within 30 days of first use, depending on the Member State's implementing rules (the Regulation delegates this procedural detail to Member States). Check the Commission's Information Note published in the C series of the Official Journal for each Member State's procedure.

**UGEA EU002 — Export of certain dual-use items to certain destinations (Section B)**

Scope: Covers a limited subset of Annex I items — specifically, items in categories 1, 2, 3, and parts of category 5 and 6 as enumerated in Section B, Part 1 of Annex II — exported to a broader list of destinations than EU001 (including many countries in Latin America, Asia, and parts of the Middle East listed in Section B, Part 2).

Exclusions: Does not cover software (Section D) or technology (Section E) in any category, nor items listed in Annex IV, nor cyber-surveillance items.

Conditions: Prohibits exports if the items are intended for WMD use, military end-use in embargoed destinations, or as components of unauthorised military items. Exporters must declare use of UGEA EU002 in customs documentation and notify the competent authority of first use within 30 days (or prior to first use if the Member State requires advance notification).

**UGEA EU003 — Export after repair/replacement (Section C)**

Scope: Covers all dual-use items in Annex I except those listed in Section C, Part 1 exclusions, when the items were reimported into the EU customs territory for maintenance, repair, or replacement and are being exported or re-exported to the country of consignment (the original exporting country outside the EU) without changes to their original characteristics within 5 years of the date the original export authorisation was granted, or when items are exported to the country of consignment in exchange for items of the same quality and number that were reimported for maintenance, repair, or replacement within the same 5-year window.

Conditions: The original export must have been authorised under a Union general export authorisation or the competent authority of the Member State must have permitted use of UGEA EU003 for the specific transaction. The authorisation is valid only for exports to the original end-user. Standard WMD / military-end-use / component prohibitions apply.

**UGEA EU004 — Temporary export for exhibitions or trade fairs (Section D)**

Scope: Covers all dual-use items in Annex I except those excluded in Section D, Part 1 (including software in Section D and technology in Section E of each Annex I category, items in Annex IV, and certain sensitive items), when the items are temporarily exported for an exhibition or trade fair and are reimported within 120 days after the initial export, complete and without modification, into the EU customs territory.

Destinations: Listed in Section D, Part 2 of Annex II (a subset of low-risk and moderate-risk countries).

Conditions: The competent authority may, at the exporter's request, waive the 120-day reimport requirement if circumstances justify an extension. Exporters must notify the competent authority prior to first use of UGEA EU004 or within 30 days of first use, depending on Member State rules.

**UGEA EU005 — Telecommunications items (Section E)**

Scope: Covers specified telecommunications and information-security items from Category 5 (Telecommunications and Information Security) in Annex I, as enumerated in Section E, Part 1, when exported to destinations listed in Section E, Part 2.

Conditions: Narrower scope than EU001; intended to facilitate exports of telecommunications equipment to a defined set of countries where WMD and military-diversion risk is assessed as low for these specific items. Standard prohibitions apply.

**UGEA EU006 — Chemicals (Section F)**

Scope: Covers specified chemical precursors and related equipment from Category 1 (Special Materials and Related Equipment) in Annex I, as enumerated in Section F, Part 1, when exported to destinations listed in Section F, Part 2.

Conditions: Designed to streamline exports of dual-use chemicals to jurisdictions that are parties to the Chemical Weapons Convention and have robust national export-control regimes. Exporters must ensure items are not diverted to WMD or military end-use.

**UGEA EU007 — Intra-group export of software and technology (Section G)**

Scope: Covers most dual-use items listed in Annex I (goods, software, and technology) except those excluded in Section G, Part 1 (items listed in Section I of Annex II, cyber-surveillance items under 10A005 and 10D005, and a limited list of particularly sensitive items), when exported to subsidiaries or sister companies of the exporter for the purpose of product development in designated countries listed in Section G, Part 2.

Eligible exporters: The exporter must be a legal person established in an EU Member State whose direct parent company and ultimate controlling entity are established in a Member State, Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland, Liechtenstein, the United Kingdom, or the United States.

Eligible recipients: The end-user must be a subsidiary (a company wholly owned and controlled by the exporter) or a sister company (a company directly and wholly owned and controlled by the same parent company as the exporter).

Conditions: The parent company must provide a binding guarantee for the actions of the subsidiary or sister company. Software and technology exported under UGEA EU007 must be returned to the exporter and deleted by the recipient upon completion of the development activity or if the recipient is acquired by another entity. Exporters must implement an Internal Compliance Programme (ICP) that meets the requirements of Article 14 of the Regulation. Standard WMD / military-end-use / component prohibitions apply.

First use: Exporters must notify the competent authority of their intention to use UGEA EU007 prior to first use or within 30 days of first use, depending on Member State procedures, and must demonstrate that an ICP is in place.

UGEA EU007 was introduced in Regulation 2021/821 to replace the prior National General Export Authorisation regimes for intra-group transfers and to harmonise facilitation of technology and software transfers within multinational corporate groups for R&D and product-development purposes.

**UGEA EU008 — Encryption items (Section H)**

Scope: Covers a defined range of encryption items from Category 5, Part 2 (Information Security) in Annex I, as enumerated in Section H, Part 1 (including cryptographic activation tokens under 5A002.b., encryption software under 5D002.a.1. and 5D002.c.1., and encryption technology under 5E002.b.), when exported to all destinations except those listed in Section H, Part 2 (embargoed or high-risk countries excluded from UGEA EU008 coverage).

Conditions: The authorisation is subject to restrictions relating to the use of the encryption items and cannot be used if the encryption items are formally approved by a Member State to transmit, process, or store certain classified information or bear a certain national security classification marking. Exporters must ensure the encryption items are not diverted to WMD use, military end-use in embargoed destinations, or internal-repression / human-rights-violation uses under Article 5.

Notification: Exporters must notify the competent authority of first use of UGEA EU008 within 30 days or prior to first use, depending on Member State rules.

UGEA EU008 was introduced in Regulation 2021/821 to streamline exports of mass-market and widely available encryption products and certain encryption items not subject to the Cryptography Note (Note 3 in Category 5, Part 2 of Annex I), while maintaining controls on classified-information encryption systems and exports to high-risk destinations.

Annex II is a living document. The European Commission is empowered under Article 17(2) to adopt delegated acts amending Annex II by removing items and by adding or removing destinations from the scope of UGEAs, in consultation with the Dual-Use Coordination Group established under Article 24. Delegated Regulation (EU) 2022/699 removed Russia from UGEA EU001; further amendments may be adopted in response to evolving geopolitical and proliferation risks.

Record-keeping and customs declarations: Exporters using UGEAs must maintain detailed records of their exports for 5 years, including commercial documents (invoices, contracts, transport documentation) sufficient to identify the descriptions and quantities of items, the names and addresses of end-users and consignees, the dates and values of exports, and the UGEA relied upon. When completing export formalities at the customs office, the exporter must furnish proof that the necessary export authorisation has been obtained (in the case of UGEAs, a declaration referencing the applicable UGEA number and Annex II section) and, if requested by customs, a translation into an official language of the Member State.

Source: Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast), Articles 9, 14, 17, 22, and Annex II

Source: Delegated Regulation (EU) 2022/699 of 3 May 2022 amending Regulation (EU) 2021/821 by removing Russia as a destination from the scope of Union general export authorisations

Individual export authorisations are export licences granted by the competent authority of an EU Member State to one specific exporter for the export of one or more dual-use items listed in Annex I (or subject to catch-all controls under Articles 4, 5, 9, or 10) to one end-user or consignee in a third country (a country outside the EU customs territory). Individual authorisations are the core licensing pathway when an exporter cannot use a Union General Export Authorisation (UGEA) in Annex II, a National General Export Authorisation (NGEA) issued by a Member State, or a global export authorisation.

Under Article 11(2) of Regulation (EU) 2021/821, individual and global export authorisations shall be granted by the competent authority of the Member State where the exporter is resident or established. For example, an exporter with its registered office in Germany applies to BAFA (Bundesamt für Wirtschaft und Ausfuhrkontrolle); an exporter in France applies to SBDU (Service des Biens à Double Usage) within the DGE; an exporter in the Netherlands applies to RVO (Rijksdienst voor Ondernemend Nederland). If the exporter is not resident or established on the customs territory of the Union, individual export authorisations are granted by the competent authority of the Member State where the dual-use items are located at the time of the application.

Validity. Individual export authorisations are valid for up to two years, unless the competent authority decides otherwise (Article 11(3)). The authorisation specifies the dual-use items covered (by Annex I Entry Control List Number (ECLN) and technical description), the quantity or value, the end-user name and address in the destination country, the country of destination, and the period of validity. An individual authorisation is valid throughout the EU customs territory (Article 11(1)): once granted, the exporter may complete customs export formalities at any customs office empowered to handle dual-use exports in any Member State, not solely in the Member State that issued the authorisation.

End-use statement requirement. Individual export authorisations shall be subject to an end-use statement (Article 11(4)). The end-use statement — typically an End-User Certificate (EUC) or End-User Undertaking (EUU) signed by the consignee or end-user in the destination country — certifies the identity of the end-user, the specific end-use of the items, and an undertaking that the items will not be re-exported or diverted without prior authorisation from the destination country's government. The competent authority may exempt certain applications from the obligation of providing an end-use statement if the nature of the items, the destination, or the end-user presents a low proliferation risk. Many Member States require end-use statements for exports to destinations outside the trusted-destination lists in UGEA EU001 (Australia, Canada, Iceland, Japan, New Zealand, Norway, Switzerland (including Liechtenstein), the United Kingdom, and the United States) and for items in sensitive Annex I categories (nuclear, missiles, WMD-applicable technology).

Application procedure. Exporters must supply the competent authority with all relevant information required for their application under Article 11(10), including:

• A clear and complete technical description of the dual-use items, including the Annex I ECLN (e.g., 3A001.a.1) if the exporter has classified the item, or a detailed technical specification if the exporter is requesting classification assistance;
• The quantity or value of the items to be exported under the authorisation;
• The name, address, and contact details of the end-user in the destination country, with supporting documentation (e.g., a purchase order, supply contract, or letter of intent);
• The country of destination;
• The end-use of the items (a description of the application, project, or system in which the items will be incorporated or used);
• An end-use statement or End-User Certificate, if required;
• Details of any known involvement of intermediaries, freight forwarders, or consignees if different from the end-user; and
• Any other information requested by the competent authority to assess the application against the criteria in Article 12 (proliferation risk, human-rights impact, regional stability, embargoes, and the EU Common Position 2008/944/CFSP on arms exports, which Member States may apply by analogy to dual-use items).

The competent authorities shall process requests for individual or global authorisations within a period of time to be determined by national law or practice (Article 11(5)). Processing times vary by Member State and by the complexity and sensitivity of the application. Routine applications for low-sensitivity items to trusted destinations may be processed in two to four weeks; applications for WMD-applicable items, items subject to multilateral denial notifications, or exports to embargoed or high-risk destinations may take two to six months or longer, particularly if the competent authority must consult with other Member States under Article 15 (the consultation mechanism for denials and essentially identical transactions).

Form of authorisation. Individual export authorisations shall be issued, whenever possible, by electronic means on forms containing at least all the elements of and in the order provided for in the models set out in Section A of Annex III to the Regulation (Article 11(2), second subparagraph). Annex III, Section A prescribes a standardised form with fields for the authorisation number, the exporter's name and address, the items covered (by ECLN and description), the quantity or value, the end-user, the country of destination, the period of validity, any conditions or restrictions (e.g., inspection rights, reporting obligations, prohibitions on re-export without end-user government authorisation), and the signature and seal of the competent authority. Member States may implement electronic licensing systems (e.g., ELAN in Germany, EGIDE in France, eXplicit in the Netherlands) that allow exporters to submit applications, upload supporting documents, and receive authorisations online. The authorisation document — whether electronic or paper — must accompany the customs export declaration or be referenced in the export declaration by authorisation number.

Conditions and restrictions. The competent authority may impose conditions on the individual export authorisation, including:

• A requirement that the exporter notify the competent authority before each shipment under the authorisation (a "notification condition");
• A requirement that the exporter submit periodic reports (quarterly or annually) on the use of the authorisation, including quantities exported, dates, and end-users;
• A prohibition on re-export by the end-user without prior authorisation from the end-user's government;
• A requirement that the exporter obtain confirmation of delivery or installation before making additional shipments; or
• Technical-assistance or after-sales-service restrictions (e.g., permitting maintenance but not technology transfer for design modification).

The competent authority may suspend, revoke, or modify an individual export authorisation at any time under Article 16 if circumstances change — for example, if the end-user is added to an EU sanctions list, if the destination country becomes subject to an arms embargo, if the competent authority receives information that the items may be diverted to WMD use or military end-use in violation of Article 4, or if the exporter has violated the conditions of the authorisation or other export-control obligations.

Prohibition on use when WMD / military-end-use risk is known. Even when an individual export authorisation has been granted, the exporter may not use the authorisation if the exporter has been informed by the competent authority or is aware that the items are or may be intended for WMD use (Article 4(1)(a)), military end-use in an embargoed destination (Article 4(1)(b)), use as components of unauthorised military items (Article 4(1)(c)), or cyber-surveillance for internal repression or human-rights violations (Article 5). If the exporter becomes aware of such a risk after the authorisation has been granted but before shipment, the exporter must notify the competent authority and may not proceed with the export unless the competent authority confirms in writing that the export may proceed.

Record-keeping. Exporters using individual export authorisations must maintain detailed records of their exports for five years following the end of the calendar year in which the export took place (Article 22(1)). Records must include commercial documents (invoices, contracts, transport documentation) sufficient to identify the descriptions and quantities of items, the names and addresses of end-users and consignees, the dates and values of exports, and the authorisation number under which each shipment was made. Competent authorities and customs authorities may inspect these records during the five-year retention period.

Customs formalities. When completing customs export formalities, the exporter must furnish proof that the necessary export authorisation has been obtained. For individual authorisations, this means presenting the authorisation document (or its electronic equivalent) to the customs office at the point of export and entering the authorisation number in the customs export declaration. Member States may designate specific customs offices empowered to handle dual-use exports (Article 21(1)); the European Commission publishes the list of empowered customs offices in the C series of the Official Journal of the European Union.

Large project authorisations. A variant of the individual export authorisation is the large project authorisation (Article 11(3), third subparagraph), which is an individual or global export authorisation granted to one specific exporter for a type or category of dual-use items valid for exports to one or more specified end-users in one or more specified third countries for the purpose of a specified large-scale project (e.g., construction of a nuclear power plant, a petrochemical complex, a telecommunications network, or a satellite constellation). Large project authorisations are valid for a duration to be determined by the competent authority, but no longer than four years, except in duly justified circumstances based on the duration of the project. Large project authorisations reduce the administrative burden of obtaining separate individual authorisations for each shipment of components, materials, software, and technology throughout the life of the project.

Source: Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast), Articles 11, 12, 15, 16, 21, 22, and Annex III

Articles 4 and 5 of Regulation (EU) 2021/821 impose catch-all export-authorisation requirements for dual-use items not listed in Annex I when the exporter has been informed by a competent authority — or is aware, based on due diligence — that the items are or may be intended for weapons of mass destruction (WMD) use, military end-use in an embargoed country, use as components of unauthorised military items, or cyber-surveillance for internal repression or serious human-rights violations. These provisions extend the EU dual-use export-control regime beyond the list-based controls in Annex I to cover proliferation, military-diversion, and human-rights risks associated with otherwise uncontrolled goods, software, and technology.

**Article 4 — WMD and military end-use catch-all**

Article 4(1) requires an authorisation for the export of dual-use items not listed in Annex I if the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part, for:

• (a) WMD use: use in connection with the development, production, handling, operation, maintenance, storage, detection, identification, or dissemination of chemical, biological, or nuclear weapons or other nuclear explosive devices, or the development, production, maintenance, or storage of missiles capable of delivering such weapons;

• (b) Military end-use in an embargoed country: military end-use (incorporation into military items listed on the EU Common Military List, or use of production equipment, components, or technology for military items) in a country subject to an arms embargo imposed by a decision or common position adopted by the Council of the European Union, a decision of the Organisation for Security and Co-operation in Europe (OSCE), or a binding resolution of the United Nations Security Council; or

• (c) Components of unauthorised military items: use as components for military items that were exported from the territory of a Member State without authorisation or in violation of an authorisation required by the national law of that Member State or by Council Common Position 2008/944/CFSP.

When the competent authority informs the exporter in writing that one or more of these end-uses applies or may apply to a proposed export, the exporter must apply for an individual export authorisation under Article 11 before proceeding, even if the items are not in Annex I.

Article 4(2) imposes a self-notification duty on exporters: where an exporter is aware that dual-use items which it proposes to export, not listed in Annex I, are intended, in their entirety or in part, for any of the uses in Article 4(1), the exporter shall notify the competent authority. The competent authority shall then decide whether to make the export subject to an authorisation requirement. "Aware" means the exporter has actual knowledge or reasonable grounds to suspect — based on customer inquiries, technical specifications, end-use declarations, published sanctions lists, open-source intelligence, or prior dealings — that a proliferation, military-diversion, or unauthorised-component risk exists.

Article 4(3) permits Member States to adopt or maintain national legislation imposing an authorisation requirement on the export of dual-use items not listed in Annex I if the exporter has grounds for suspecting that those items are or may be intended for any of the Article 4(1) uses. National measures adopted under Article 4(3) or Article 9 (public security and human-rights grounds) must be notified to the Commission and published in the C series of the Official Journal of the European Union. The list of national measures is compiled and updated by the Commission and available on the Commission's trade-policy website.

The Article 4 catch-all applies to all items capable of WMD or military end-use, not only those with obvious proliferation sensitivity. Examples include: general-purpose machine tools used to manufacture centrifuge components for uranium enrichment; commercially available software used in ballistic-missile trajectory modelling; metal alloys, composite materials, or electronic components incorporated into military drones or precision-guided munitions; and chemical precursors for nerve agents or blister agents that are below the concentration thresholds in Annex I Category 1 but can be concentrated or reacted by the end-user.

Article 4(4) through (8) establish information-sharing, consultation, and denial-notification procedures among Member States and between Member States and the Commission. When a Member State denies an authorisation under Article 4 for a transaction involving non-listed items, it must notify all other Member States and the Commission (through the secure electronic system under Article 23(6)), and Member States must inform their customs authorities and other relevant national authorities. The consultation mechanism in Article 15 applies to essentially identical transactions (same exporter, same end-user, same items, and same intended use): if Member State A denies an application under Article 4 and an exporter in Member State B submits an essentially identical application, Member State B must consult Member State A before granting the authorisation and must take utmost account of the circumstances of the denial.

**Article 5 — Cyber-surveillance catch-all**

Article 5(1) requires an authorisation for the export of cyber-surveillance items not listed in Annex I if the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.

"Cyber-surveillance items" are defined in Article 2(23) as items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting, or analysing data from information and telecommunication systems. Examples include:

• Intrusion software (malware, spyware, remote-access trojans) designed to compromise computers, mobile phones, or network infrastructure to extract communications, files, or location data without the knowledge of the user;
• Deep packet inspection (DPI) systems and telecommunications interception equipment designed to intercept and analyse internet traffic, voice-over-IP calls, messaging-app communications, or mobile-network signalling data at scale;
• IMSI catchers (cell-site simulators) and other mobile-network interception devices that masquerade as legitimate base stations to intercept mobile communications or track the location of mobile devices;
• Forensic tools for extracting data from locked or encrypted devices;
• Monitoring centres and lawful-intercept management systems designed to aggregate, store, and analyse intercepted communications and metadata; and
• Technology (technical assistance, know-how, training, or software updates) for the development, production, or use of any of the above.

Internal repression includes the use of cyber-surveillance items to monitor, harass, intimidate, arbitrarily arrest, detain, or torture human-rights defenders, journalists, lawyers, political opponents, or members of ethnic, religious, or other minority groups; to suppress peaceful protests or freedom of expression; or to enforce discriminatory laws or practices. Serious violations of human rights include torture, extrajudicial killings, enforced disappearances, and unlawful surveillance that enables such violations.

Article 5(2) imposes a due-diligence and self-notification duty on exporters: where an exporter is aware, according to its due diligence findings, that cyber-surveillance items which the exporter proposes to export, not listed in Annex I, are intended, in their entirety or in part, for any of the uses in Article 5(1), the exporter shall notify the competent authority. The competent authority shall decide whether to make the export subject to an authorisation requirement. Commission Recommendation (EU) 2024/2659 of 11 October 2024 provides detailed guidelines on the export of cyber-surveillance items under Article 5, including transaction-screening measures, item-classification methodologies, risk-assessment criteria, and due-diligence practices. The Recommendation advises exporters to review whether the non-listed item is a cyber-surveillance item, to assess whether the destination country or end-user presents internal-repression or human-rights-violation risk (based on EU sanctions lists, UNSC resolutions, reports by the UN Human Rights Council, the European External Action Service, UN special rapporteurs, or credible non-governmental organisations), and to document the due-diligence process.

Article 5(3) permits Member States to adopt national legislation extending the Article 5 catch-all to situations where the exporter has grounds for suspecting that cyber-surveillance items may be used for internal repression or human-rights violations, even if the exporter is not yet aware under Article 5(2). National measures must be notified to the Commission and published in the Official Journal.

Article 5(6) and (7) establish a multilateral publication mechanism: where all Member States notify each other and the Commission that an authorisation requirement should be imposed for essentially identical transactions involving cyber-surveillance items, the Commission shall publish in the C series of the Official Journal information regarding the cyber-surveillance items and, where appropriate, destinations subject to authorisation requirements as notified by Member States. Member States must review this published information at least annually. This multilateral process is designed to build consensus on emerging cyber-surveillance risks (e.g., spyware sold to authoritarian regimes, intrusion tools used to target civil-society activists) and to extend controls incrementally before formal addition to Annex I through a delegated regulation.

Article 5(8) and (9) extend the denial-notification and consultation procedures in Article 16 to cyber-surveillance items not listed in Annex I, and require that all exchanges of information under Article 5 take place via secure electronic means (the system under Article 23(6)) with due consideration for the protection of personal information, commercially sensitive information, or protected defence, foreign-policy, or national-security information.

**Exporter obligations and penalties**

Both Article 4 and Article 5 impose affirmative duties on exporters: competent-authority notification is not optional when the exporter is aware (Article 4(2)) or aware according to due diligence (Article 5(2)) of a covered end-use. Failure to notify or to obtain an authorisation when required is a criminal or administrative violation of the Regulation, subject to penalties under Article 21 and national implementing law. Member States must lay down rules on penalties and ensure they are effective, proportionate, and dissuasive, including — where appropriate under national law — criminal penalties for serious breaches (Article 21(1)).

Exporters are also prohibited from using any general export authorisation (UGEA in Annex II or NGEA) if they have been informed by a competent authority or are aware that the items are or may be intended for any of the uses in Article 4(1) or Article 5(1), even if the items are listed in Annex I and the transaction otherwise meets the conditions of the UGEA or NGEA. The same prohibition applies to individual and global export authorisations: an exporter may not use an already-granted authorisation if it becomes aware of a WMD, military-end-use, or internal-repression risk after the authorisation was issued but before shipment (Article 4 and Article 5, read in conjunction with the general due-diligence obligations in Article 14 on Internal Compliance Programmes).

**Guidance and enforcement**

The Commission and the Council are required under Article 26(1) to make available guidelines for exporters on the application of Articles 4 and 5, on due diligence, and on the interpretation of terms such as "aware," "internal repression," and "serious violations of human rights and international humanitarian law." Commission Recommendation (EU) 2024/2659 (published 16 October 2024) is the first such guideline for Article 5; guidelines on Article 4 WMD and military-end-use catch-all were previously issued under the predecessor Regulation (EC) No 428/2009 and remain relevant for interpreting analogous provisions in Regulation 2021/821.

Enforcement is the responsibility of the competent authorities and customs authorities of the Member States. Competent authorities conduct risk-based inspections of exporters, review licensing compliance, and investigate suspected violations. Customs authorities at points of export verify that the exporter has furnished proof of the necessary export authorisation (or, for catch-all controls, that the exporter has properly self-assessed non-applicability or obtained a catch-all authorisation). Member States share information on violations, seizures, and prosecutions through the Dual-Use Coordination Group (Article 24) and the secure electronic information-sharing system (Article 23(6)).

Source: Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast), Articles 4, 5, 14, 16, 21, 23, 24, 26

Source: Commission Recommendation (EU) 2024/2659 of 11 October 2024 on guidelines on the export of cyber-surveillance items under Article 5 of Regulation (EU) 2021/821