European Commission takes action to control exports of cybersecurity tools

Publication | November 2014


On 22 October 2014, the European Commission (the Commission) adopted a delegated Regulation¹ updating the European Union (the EU) list of dual-use items subject to EU export controls. It came into force on 31 December 2014. The delegated Regulation introduces numerous changes, including controls on new categories of items such as IT intrusion software, or spyware, and telecommunication and internet surveillance equipment. The updated list reflects growing security concerns regarding the use of surveillance technology and cyber-tools that could be misused in violation of human rights or against the EU's security.

The delegated Regulation represents the Commission’s first use of a new procedure based on Article 290(2) of the Treaty on the Functioning of the European Union (the TFEU). It is intended to accelerate the EU implementation of international agreements on products subject to export controls, thereby increasing the relevance and importance of EU law in this area.


The EU adopted Regulation (EC) No 428/2009² to provide a common system of export controls on dual-use goods – goods, software and technology normally used for civilian purposes that might have military applications or contribute to the proliferation of weapons of mass destruction – and to ensure compliance with the EU’s and Member States’ commitments under international export control regimes. These regimes include the Australia Group, the Missile Technology Control Regime, the Nuclear Suppliers Group, the Chemical Weapons Convention and, importantly in the context of the delegated Regulation, the Wassenaar Arrangement (the WA), which includes 41 States.

Regulation 428/2009 requires authorization from national authorities for the export, transit and brokering of dual-use goods listed in Annex I. However, the 'Union General Export Authorisation No EU001' in Annex IIa facilitates the export of most such goods and technologies to seven 'friendly' countries: the United States, Australia, Canada, Japan, New Zealand, Norway, and Switzerland, including Liechtenstein. Regulation 428/2009 is not exclusive, in that Member States are allowed to introduce controls on exports of additional/non-listed dual-use items to non-EU destinations.

Until recently, changes to Annex I of Regulation 428/2009 had to be made through the EU’s ordinary legislative process, and as a result the list of items subject to export controls was severely out of date. The last update took place in 2012 and reflected changes decided under international export control regimes up to 2010. To address this situation, in April 2014 the European Parliament (the EP) and the Council of the European Union (the Council) delegated to the Commission the power to update Annex I by means of delegated Regulations, subject to the EP’s and Council’s right to object within a period of two months (subject to extension).

The delegated Regulation represents the Commission’s first use of the new procedure. Among other things, the delegated Regulation implements decisions taken by the WA at its plenary meeting in December 2013 to restrict the spread of technologies that can be used for mass surveillance, monitoring, tracking and interception.

The Delegated Regulation

The Commission noted that the delegated Regulation introduces some 400 changes to the list of dual-use items subject to controls in the EU, including:

  • changes to technical parameters for nuclear reactor parts and components, such as frequency changers;
  • new controls on certain chemicals, such as plant pathogens; and
  • new controls on special materials, electronics and computers, telecommunications and information security equipment, sensors and lasers, aerospace and propulsion, for example underwater survey equipment, carbon monoxide lasers and hydro-acoustic sensors.

In particular, controls are being introduced on cybersecurity tools, such as IT intrusion software ('spyware'), and telecommunication and internet surveillance equipment.

Intrusion software is defined as software specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures,' of a computer or network-capable device, and performing any of the following:

  • the extraction of data or information from a computer or network-capable device, or the modification of system or user data; or
  • the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

Internet Protocol (IP) network communications surveillance systems or equipment are included if they perform all of the following on a carrier class IP network:

  • analysis at the application layer;
  • extraction of selected metadata and application content (e.g., voice, video, messages, attachments); and
  • indexing of extracted data.

In addition, such surveillance systems or equipment are only included in the dual-use list if they are specially designed to carry out the execution of searches on the basis of 'hard selectors' and the mapping of the relational network of an individual or of a group of people.


Political momentum has been gathering to introduce more security-based controls over the fast-growing market for cybersecurity tools. The update of the EU dual-use list implements decisions that the WA adopted at its plenary meeting in December 2013, which represented an effort by the 41 WA states to restrict the spread of technologies that can be used for mass surveillance, monitoring, tracking and interception. In a Communication published in April 2014, the Commission acknowledged the importance of cybersecurity as a crucial issue in the area of export controls.³

Overall, the new procedure for implementing export controls at EU level will increase the effectiveness of EU export controls and reduce the need or incentive for Member States to act unilaterally. Previously, to respect their international commitments, Member States would sometimes implement controls at the national level before the EU could act, leading to a fragmented regime across the EU. For example, the French government, after the changes to the WA control lists in December 2013, published official advice to exporters in relation to surveillance equipment well before any EU-level action.⁴ The new EU procedure will increase the importance of the EU in implementing international export controls, and the increased coherence across the EU will be welcomed by EU exporters.

  • 1 Commission delegated regulation (EU) No 1382/2014, OJ L 371/1, 30.12.2014.
  • 2 Council Regulation (EC) No 428/2009 of 5 May 2009 setting up a Community regime for the control of exports, transfer, brokering and transit of dual-use items, OJ L 134, 29.5.2009, p. 1–269.
  • 3 COM(2014) 244 final, 24.4.2014.
  • 4 JORF n°0283 du 6 décembre 2013 page 19924.


Jay Modrall
