Published the EU Guidance for Internal Compliance Programmes for controls of Research involving dual-use items
GLOSSARY
This glossary explains or defines recurring terms used in this guidance. The items marked with * refer to definitions from the EU dual-use Regulation. The descriptions of items without * should not be understood as legally binding definitions.
| Term | Description or definition |
| --- | --- |
| Annex I, Annex II or Annex IV to the EU dual-use Regulation | Annex I, Annex II or Annex IV to Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items. The annexes are updated annually by means of a Commission Delegated Act. For the latest update, see https://eur-lex.europa.eu. |
| Arms embargo* | An arms embargo imposed by a decision or a common position adopted by the Council or a decision of the Organisation for Security and Cooperation in Europe (OSCE) or an arms embargo imposed by a binding resolution of the Security Council of the United Nations. |
| Australia Group (AG) | Export control regime for controlling chemical and biological production equipment, materials and technology. See also: https://www.dfat.gov.au/publications/minisite/theaustraliagroupnet/site/en/index.html |
| Authorisation | Licence |
| Basic scientific research* | Experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts, not primarily directed towards a specific practical aim or objective. |
| Biological Weapons Convention (BWC) | Convention on the prohibition of the development, production and stockpiling of bacteriological (biological) and toxin weapons and on their destruction. |
| Catch-all controls | Export controls for non-listed dual-use items according to the conditions, especially referred to in Article 4, 5, 9 and 10 of the EU dual-use Regulation. |
| Chemical Weapons Convention (CWC) | Convention on the prohibition of the development, production, stockpiling and use of chemical weapons and on their destruction. |
| Consignee | First recipient abroad of the item(s) to be exported. This may be where the item remains in which case the consignee will be the end-user. |
| Customs territory of the Union | Customs territory of the Union within the meaning of Article 4 of the Regulation (EU) No 952/2013 of the European Parliament and of the Council of 9 October 2013 laying down the Union Customs Code (5) (‘the Union Customs Code’). |
| Cyber-surveillance items* | Dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems. |
| Dual-use items* | Items, including software and technology, which can be used for both civil and military purposes and includes items which can be used for the design, development, production or use of nuclear, chemical or biological weapons or their means of delivery, including all items which can be used for both non-explosive uses and assisting in any way in the manufacture of nuclear weapons or other nuclear explosive devices. |
| End-user | Final recipient abroad of the item(s) to be exported. |
| EU Common Military List | Common Military List of the European Union with equipment covered by Council Common Position 2008/944/CFSP defining common rules governing the control of exports of military technology and equipment. The list is updated annually. For the latest update, see https://eur-lex.europa.eu/. |
| Export control regimes | Multilateral arrangements seeking to prevent the proliferation of nuclear, biological and chemical weapons and their means of delivery as well as to prevent the destabilizing accumulation of conventional arms and dual-use items, e.g. by establishing lists of items which should be under control. The export control regimes refer to Nuclear Suppliers Group (NSG), Zangger Committee (ZC), Missile Technology Control Regime (MTCR), Australia Group (AG) and Wassenaar Arrangement (WA). |
| Export* | |
| Exporter* | Any natural or legal person or any partnership that: Any natural person carrying the dual-use items to be exported where these dual-use items are contained in the person’s personal baggage within the meaning of point (a) of Article 1(19) of Commission Delegated Regulation (EU) 2015/2446 (6). |
| Internal Compliance Programme (ICP)* | Ongoing effective, appropriate and proportionate policies and procedures adopted by exporters to facilitate compliance with the provisions and objectives of this Regulation and with the terms and conditions of the authorisations implemented under this Regulation, including, inter alia, due diligence measures assessing risks related to the export of the items to end-users and end-uses. |
| Intra-EU transfer or transfer | Movement or transmission of a dual-use item listed in Annex IV to the EU dual-use Regulation from a supplier in one EU Member State to a recipient in another EU Member State. |
| In the public domain* | Technology or software which has been made available without restrictions upon its further dissemination (Copyright restrictions do not remove technology or software from being ‘in the public domain’). |
| Listed dual-use items | Dual-use items that are listed in Annex I to the EU dual-use Regulation. |
| Missile Technology Control Regime (MTCR) | Export control regime for controlling delivery systems (unmanned aerial vehicles and missiles) for nuclear, chemical or biological weapons of mass destruction. See also: https://mtcr.info/ |
| Non-listed dual-use items | Dual-use items that are not listed in Annex I to the EU dual-use Regulation and that can become subject to export controls (catch-all controls). It includes items that are (just) below the technical thresholds in Annex I to the EU dual-use Regulation. |
| Nuclear Non-Proliferation Treaty (NPT) | Treaty on the non-proliferation of nuclear weapons |
| Nuclear Suppliers Group (NSG) | Export control regime for nuclear-related goods and technology. See also: https://www.nuclearsuppliersgroup.org/en/ |
| Proliferation | Flow of items (including software and technology) from countries that possess these items to countries that do not and that are seeking to gain access to these items for use in Weapons of Mass Destruction programmes. |
| Research organisations | Research-performing entities that are active in the academic or research sector, irrespective of their legal status (organised under public or private law) or way of financing, and whose primary goal is to independently conduct fundamental research, industrial research or experimental development or to widely disseminate the results of such activities by way of teaching, publication or knowledge transfer. It includes universities, university colleges, academies of science, applied research centres, and laboratories. |
| Sanctions | Restrictive measures that target states, or entities and individuals. Some are mandated by the United Nations Security Council, whereas others are adopted autonomously by the European Union or nationally by an EU Member State. |
| Technology Readiness Levels (TRL) | Technology Readiness Levels is a non-discipline specific measurement system with indicators of the maturity level of particular technologies. |
| Technology* | Specific information necessary for the development, production or use of goods. This information takes the form of technical data or technical assistance. |
| United Nations Security Council Resolution (UNSCR) 1540 | United Nations Resolution that aims at preventing non-state actors from acquiring nuclear, biological, and chemical weapons, their means of delivery, and related materials. |
| Wassenaar Arrangement (WA) | Multilateral export control regime for controlling conventional arms and dual use goods and technologies. See also: https://www.wassenaar.org/ |
| Weapons of Mass Destruction (WMD) | Chemical, biological, radiological or nuclear (CBRN) materials and their means of delivery with the capacity to kill large numbers of human beings. |
| Zangger Committee (ZC) | The Zangger Committee maintains a Trigger List triggering International Atomic Energy Agency safeguards as a condition of the supply of nuclear-related goods. See also: http://zanggercommittee.org/ |
SECTION 1
Introduction for management
Research organisations have strong incentives to innovate for the benefit of all and to collaborate internationally as a basis for advancing research. A thriving European research and innovation sector attracts public and private investments from across the world. Amidst many genuine and transparent collaborations to develop meaningful scientific and technological advancement, there can be foreign offers of collaboration, invitations and informal exchanges with ulterior motives, i.e. seeking access to research involving dual-use items for other purposes than those stated. Researchers and research organisations may then inadvertently breach export regulations. Documented cases illustrating the importance of technology controls in proliferation relevant technology domains and enforcement actions in connection to researchers or research organisations are available on the internet.
Dual-use export controls exist to govern activities involving items (materials, equipment, software and technologies) which can be used for both civil and military purposes and possibly associated with the creation of conventional military items or the proliferation of nuclear, radiological, chemical or biological weapons, also known as Weapons of Mass Destruction, and their delivery systems such as missiles and drones. In addition, these controls may be complemented with national measures for non-listed dual-use items for public security or human rights concerns.
Cooperation between research organisations and governments is essential to contribute to the European Union (EU) and Member States security goals, international security obligations and non-proliferation commitments such as the European Security Strategy, the export control regimes, the Biological Weapons Convention, the Chemical Weapons Convention, the Nuclear Non-proliferation Treaty and the United Nations Security Council Resolution 1540. Research organisations have an important role to play in achieving these objectives through building up awareness of the risks and acting accordingly. Dual-use export controls are not the only policy instrument to contribute; visa vetting and sanctions are examples of other policy instruments that have specific objectives and methods that are not discussed in this guidance.
Dual-use export controls pose specific challenges for research organisations connected to the importance of sharing research results, together with the ‘publish or perish’ imperative in the research ecosystem. Raising awareness about these controls is an important aspect of preventing and mitigating risks related to non-compliance. In the EU, the level of experience in implementing and managing such compliance measures within research organisations varies significantly. Competent authorities in the EU are committed to providing guidance for research organisations on how to strengthen internal compliance measures.
While it is recognised that it takes time for research organisations to set up and maintain such measures, a systematic and proportionate approach to internal compliance measures for dual-use export controls is vital to comply with the applicable EU dual-use Regulation and national complementary measures.
It is up to each research organisation to determine how internal compliance measures are best implemented and what internal operational procedures for individual researchers are to be followed. This could be accomplished by building new export control structures or incorporating these measures in (existing) structures, such as advisory bodies. An Internal Compliance Programme (ICP) for dual-use export controls is often only one part of the research organisation’s overall compliance system.
Many research activities performed by research organisations are not subject to dual-use export control scrutiny. Firstly, because such research does not relate to any of the items on the EU dual-use list. Secondly, because the research does not specifically deal with technology for the development, production or use that is responsible for achieving or extending the controlled performance levels or functions in the EU dual-use list. Lastly, because it can be labelled as ‘basic scientific research’ or ‘in the public domain’ as defined in the EU dual-use Regulation or it represents the minimum necessary information for patent applications.
However, no reputable research organisation wishes to be involved in the misuse of proliferation relevant research (output). This is not just a matter of being obliged to comply with export controls, but also in its own self-interest. Hence, it is important that research organisations take proportionate and effective internal measures to minimise the risk of non-compliance. The absence of such measures may lead to legal liability being attached to the institution should non-compliance be detected. Top-level management commitment is needed to emphasise the importance and value placed on effective compliance and to provide adequate resources to ensure the compliance commitments.
SECTION 2
Awareness for researchers
2.1 Introduction
EU dual-use export controls exist to prevent the undesired accumulation of conventional military items and the proliferation of nuclear, radiological, chemical and biological weapons, also known as Weapons of Mass Destruction (WMD), and their delivery systems such as missiles and drones. In addition, these controls may be complemented with national measures for dual-use items that are not listed in Annex I of the EU dual-use Regulation because of public security or human rights concerns. Since dual-use items are predominantly used for civilian purposes, their potential for abuse is often not apparent at first glance. In the wrong hands, however, they pose a threat to international peace and the security interests of the European Union and its Member States.
Research organisations are often concerned about the public perception of research with military potential. ‘Dual-use’ in the context of research is often considered in a broad sense: what are the (un)desired civil and military applications of research, or what is potential misuse of research for unethical purposes.
With regard to the EU dual-use export control system, however, ‘dual-use’ is to be understood in a restricted meaning. It refers to items, including software and technology, which can be used for both civil and military purposes. For more information on the scope of listed and non-listed dual-use items, see subsection 2.3.2 and Appendix 1.
Everyone, natural or legal person, has the legal obligation, when dealing with dual-use items, to comply with the relevant laws and regulations. These legal obligations are not identical to (but may overlap with) ethical motivations or self-restriction that exist to prevent or mitigate the risks and potential damage which may be caused by malicious use of research involving dual-use items.
This guidance speaks of ‘research involving dual-use items’: dual-use items that are used during research or research that results in research output in any possible form (7) meeting the technical specification of a dual-use item in the EU dual-use control list or in a complementary national dual-use list (if any). In a limited number of cases, it includes situations with military or WMD end-use(r) concerns for non-listed dual-use items. It is important to note that not every research activity involving dual-use items will require an authorisation. Subsection 2.3.6 details in what cases an authorisation is needed.
2.2 Research areas and scenarios that could trigger dual-use export controls
The aim of export controls is not to censor scientific research (output), but to prevent security-related abuse when sensitive goods or knowledge are transferred abroad. Scientists and research institutions are bound by the same laws as manufacturing industry and everyone else. Before goods are exported or information is transferred, exporters and information brokers have a duty to check whether their actions require prior regulatory approval. It is recognised that in the research context this requires balancing the concerns of (inter)national security and academic freedom, but also the push for Open Access related to research output and data:
— Academic freedom is a fundamental right guaranteed by the Charter of fundamental rights of the European Union (8). However, that does not exempt the researchers and research organisations from complying with regulations that are established to safeguard the security interests of the EU and of its Member States (9).
— The push for Open Access, as required by some funding programs, aims to improve the access to and re-use of research output and data. However, these Open Access objectives also do not exempt the researchers and research organisations from first screening proposed publications and data sets under the (technology) control provisions of the EU dual-use Regulation and acting accordingly.
Research disciplines within Science, Technology and Engineering are more likely to be subject to dual-use export controls than academic activities in Humanities, Social Sciences and Economics.
The following topics are examples of research that could trigger dual-use export controls:
Appendix 1 illustrates research areas that, among others, may be subject to dual-use export controls as the EU dual-use control list contains items in these technology domains. For instance, research related to nuclear physics and engineering may deal with nuclear reactors, with specially designed or prepared equipment and components of nuclear reactors, or with nuclear material that is listed in Annex I to the EU dual-use Regulation. This does not mean that all related research is by default research involving listed dual-use items (10), nor that the research activity requires an authorisation.
Appendix 2 highlights some recurring research scenarios that may trigger export controls:
— Teaching (11), consulting, collaborating or working on research involving dual-use items with visiting foreign researchers inside the customs territory of the Union (12);
— Teaching, consulting, collaborating or working on research involving dual-use items outside the customs territory of the Union;
— Organising a (virtual) conference/meeting/seminar or presenting at a (virtual) conference/meeting/seminar inside or outside the customs territory of the Union about research involving dual-use items;
— Publishing about listed dual-use technology;
— Submitting information for patent application and patented information; and
— Exporting tangible dual-use items (goods), including prototype design and second-hand lab equipment.
In each of these scenarios, it is also important to determine if any EU or national restrictive measures or sanctions apply for the items, the type of activity, the end-use or the entities and countries involved.
In these scenarios, personal motivation, the source of research funding, the nature of research partners and the purpose of research are irrelevant for determining whether the research involving dual-use items meets the technical control thresholds.
Dual-use export controls may arise at different levels during the research life cycle: at the stage of research funding, project application, contract development, disseminating research output, etcetera. Section 3 provides more information on how to set up a systematic export screening procedure at the different levels during the research life cycle.
2.3 Basics of the EU dual-use export control system
2.3.1 The EU dual-use Regulation
The EU dual-use export control system is governed by the EU dual-use Regulation.
Annex I to the EU dual-use Regulation contains the EU list of dual-use items. All items in Annex I to the EU dual-use Regulation require a licence for export outside the customs territory of the Union. Annex IV to the EU dual-use Regulation is a small subset of Annex I and contains more sensitive items that also require a licence for intra-EU transfers.
Annex I (and thus also Annex IV) is dynamic to account for technological advances over time and the EU export controls reflect commitments agreed upon in export control regimes. Therefore the list is updated every year. It is important to always consult the latest version of Annex I to the EU dual-use Regulation (13).
Every dual-use item has a classification number. This is a combination of numbers and a letter (comprising the Category, the Subcategory and the individual control entry) and is crucial for the item classification and authorisation documents. The classification number is not random; it refers to the nature of the item and the origin of control by the corresponding export control regime (see Figure 1).
Figure 1 illustrates the meaning of the dual-use classification number. The dual-use classification number 9A012.a. refers to controlled unmanned aerial vehicles (or drones) with technical specifications and certain related equipment and components.
The classification of dual-use items is based on objective technical criteria, and the end-use and end-user do not play a role in the technical classification. Accordingly, it is irrelevant for the classification and for the existence of the licensing requirement whether the item is to be used exclusively for civilian purposes or whether a military use is intended. However, the end-use and involved parties play an essential role in the question of eligibility for licence approval. Consult subsection 2.3.9 and Appendix 3 for more support on end-use and end-user checks.
Dual-use items are generally distinct from military items. Military items are commodities (such as systems, equipment, components, materials, software or technology) that are in most parts specially designed or modified for military use. Military items are listed in the Common Military List of the European Union or in national lists in EU Member States. (14) Unlike the common EU dual-use export control system, the control system for military items is governed by each EU Member State. The (stated) military end-use of research output or activity does not automatically render this item specially designed or modified for military use. However, it may be an indicator, and obviously is useful information in the classification of military items and licence application assessment.
Concerning the list of dual-use items in Annex I to the EU dual-use Regulation, it is important to keep the following in mind:
2.3.2 How to read the text of the dual-use codes?
Annex I to the EU dual-use Regulation is long and there is no single best way to quickly find each and every listed dual-use item. During a novel classification exercise, in order to classify dual-use goods or dual-use technology correctly, it is important to go through the latest version of Annex I thoroughly to find the most relevant and thus most specific control entry for the item at hand. In case of doubt or in case of multiple possible classification numbers, consult the compliance officer at your research organisation or, where appropriate, the competent authority in your Member State.
In many control entries there are several notes (Note, Technical Note or Nota Bene) to assist in the exact item classification. These notes further clarify the control scope (including illustrations or de-control) or make a cross reference to other parts of Annex I or the EU Common Military List (17). These notes are an integral part of the item classification and thus should not be considered as merely illustrative.
The list has a set of global definitions (18) indicated with “” (double quotation marks) and local definitions indicated with ‘’ (single quotation marks). These definitions may differ from commercial or scientific jargon.
Example 1: 1C351.a.57 1C351 Human and animal pathogens and “toxins”, as follows:
Example 2: 1A004.d
2.3.3 Software controls (subcategory D)
Software in the context of the EU dual-use Regulation is defined as a collection of one or more “programs” (20) or “microprograms” (21) fixed in any tangible medium of expression. In many instances, the software controls relate to software designed or modified for the development, production or use of listed items elsewhere in the EU dual-use list. But there are also dedicated (stand-alone) software controls.
Example: 6D001 includes the control of “software” specially designed for the “development” or “production” of equipment, amongst others, specified in 6A008 (specific radar systems equipment, assemblies, and specially designed components). 7D005 refers to “software” specially designed to decrypt satellite navigation system ranging code designed for government use.
Key take-aways for the definition of software
The definition of software indicates that in order to be listed, the software must exist at some point in a tangible medium or expression. The software itself may be transferred by both tangible and intangible means. The definition of software needs to be read in conjunction with the Nuclear Software Note for Category 0 and the General Software Note for Category 1 to 9. In relation to information security software (specified in category 5 - part 2) it is important to note that the Nuclear Software Note in its entirety and the General Software Note partially do not apply, and thus cannot be used for releasing from control.
2.3.4 Technology controls (subcategory E)
Technology controls exist to ensure that knowledge, know-how and expertise related to sensitive items are not inadvertently supplied for use in programmes with military, WMD, public security or human rights concerns.
Determining whether research involves dual-use items can be (very) challenging. Innovative research does not easily allow itself to be labelled according to the existing control entries. A good understanding of the definition of “technology”, the technology notes and the de-control notes “basic scientific research” and “in the public domain” are essential to navigate through the technology controls.
“Technology” in the context of the EU dual-use Regulation means specific information necessary for the “development”, “production” or “use” of goods. This information takes the form of ‘technical data’ or ‘technical assistance’. The reference to ‘specific information necessary’ is intended to focus the technology control on that part of technology that makes an item meet or exceed the listed performance thresholds. For Category 1 to 9, only this specific information is to be considered as listed dual-use technology. The aim of the definition of “required” is to focus the technology controls on the specific technology that makes an item subject to license. Importantly, listed dual-use technology remains under control even when applicable to any uncontrolled item.
What is covered by ‘specific information necessary’ is not defined. Generally, the following information is not considered to be specific enough to fall under the technology definition:
— Safety data sheet (SDS), material safety data sheet (MSDS), or product safety data sheet (PSDS);
— Brochures, catalogues and excerpts thereof, which, in their respective form, are intended or may be intended for an indefinite number of interested parties and which are made available to them without individual changes to the contents;
— Schematic diagrams, block diagrams, process diagrams (without detailed data);
— Technical performance data, key performance indicators;
— Electrical and mechanical connection and consumption data;
— Parts lists if no reference can be made to drawings;
— Norms and standards that are generally available and not specific to a company product;
— Articles from trade journals and comparable publications;
— General process and procedure descriptions (in the case of production plants);
— Delivery specifications (e.g. for chemicals and other auxiliary materials);
— Photos (without detailed information on geometric sizes, materials used and electrical/electronic components);
— Exploded drawings/elevations without detailed dimensions;
— Sectional views (schematic and without material and detailed data);
Illustration of the “required” threshold
3E001 refers to the controlled technology for the “development” or “production” of listed integrated circuits specified in, amongst others, 3A001.a. 3A001.a.5.a.5 refers to Analogue-to-Digital Converter integrated circuits with a resolution of 16 bit or more with a sample rate greater than 65 Mega Samples Per Second.
A document (22) detailing the design parameters or the design steps necessary to achieve (or exceed) the 65 Mega Samples Per Second threshold alone does not contain the technology that is peculiarly responsible for developing the controlled 3A001.a.5.a.5 item and thus it does not contain the “required” technology under the General Technology Note. The reason is that the document does not detail how to achieve or exceed the ‘resolution of 16 bit’ parameter.
A manual describing the production technique to produce Analogue-to-Digital Converter integrated circuits with a resolution of 16 bit or more but with a sample rate below 65 Mega Samples Per Second does not contain the “required” technology to produce the controlled item.
In the two situations above, the document and the manual are not considered to contain the controlled technology required for the development or production of listed 3A001.a.5.a.5 items, as they do not contain the specific information related to the two technical parameters described in 3A001.a.5.a.5.
Example: 1E001 controls “technology” according to the General Technology Note for the “development” or “production” of equipment or materials specified in 1A002 to 1A005, 1A006.b., 1A007, 1B or 1C. Let’s apply this to 1C216. 1C216 specifies the controls for maraging steel. This item is controlled in Category 1 therefore the General Technology Note is applicable. Hence, the controlled dual-use technology under 1E001 is the one that is “required” for the “development” or “production” of maraging steel with the specifications of 1C216.
What is not controlled under 1E001? Research output detailing
What is controlled under 1E001? Research output detailing
Key take-aways for the definition of technology
Be aware that some research funding programmes require a dual-use screening at the time of application for a research grant. It is good practice, based on internal review mechanisms, to detect early on in the research programme or project which of the involved equipment or materials, or the anticipated results (such as publications), may need further dual-use export control scrutiny. If such (potential) dual-use export control issues are identified, follow-up is needed during and at the end of the research programmes or projects.
The exporter is obliged to adequately assess the technology to determine if it meets the threshold for dual-use control. Due to their expertise and knowledge of their own research, the researcher is most suited to adequately classify their own research, possibly with the support of trained administrative staff that is familiar with the structure of the EU dual-use list. Presentations or publications will rarely meet the controlled technology threshold in their entirety. Some subsections or small excerpts may meet the threshold. Only these parts require a licence. If the researcher or research organisation is in need of guidance, they can contact their national competent authority. This enables the researcher or research organisation to make an informed choice regarding which parts should be submitted for export licence application before transmitting or publishing.
2.3.5 De-controls for dual-use items
The EU dual-use Regulation contains a number of de-controls, stating under which conditions a certain listed item is excluded from control. Hence, while such an item meets the technical requirements, it will not require a licence for export or transfer. Importantly, the de-controls can only be applied to listed dual-use items.
Basically, there are two kinds of de-controls. On the one hand, there are de-controls specifically linked to certain listed dual-use items.
Examples:
Note 2 under 2B001 states that this control entry does not apply to special purpose machine tools limited to the manufacture of dental prostheses.
Note 2 under 5A002.a. does not control items, where the “information security” functionality is limited to wireless “personal area network” functionality, implementing only published or commercial cryptographic standards.
On the other hand, there are systematic de-controls for software and technology. These de-control notes are inserted in the Nuclear Software Note, the Nuclear Technology Note, General Software Note, and the General Technology Note in Annex I to the EU dual-use Regulation.
Only listed dual-use “software” or “technology” can benefit from the de-controls mentioned in the Software and Technology Notes. It is thus paramount to determine whether the research involves dual-use items and, if so, which part(s) meet(s) the software or technology control entry in Subcategory D and E respectively, in conjunction with the Software Notes and Technology Notes.
— The Nuclear Software Note highlights that the minimum necessary object code for the installation, operation, maintenance (checking) or repair of those items listed in category 0 whose export has been authorised is not controlled.
— The General Software Note includes three de-controls for listed software in category 1 to 9:
In relation to Information Security Software (specified in category 5 - part 2), it is important to note that the Nuclear Software Note in its entirety and the General Software Note in part do not apply, and thus cannot be used for release from control.
For listed dual-use technology there are three possible de-controls: “technology” that is the result of “basic scientific research”, “technology” that is already “in the public domain”, and the minimum necessary information for patent applications. The latter does not apply to category 0 technology.
In the following part, the guidance focuses on the de-controls “basic scientific research”, “in the public domain” and minimum necessary information for patent applications.
Key take-aways for the de-control note “basic scientific research” for technology
The EU dual-use Regulation defines “basic scientific research” as experimental or theoretical work undertaken principally to acquire new knowledge of the fundamental principles of phenomena or observable facts, not primarily directed towards a specific practical aim or objective. While not stated explicitly, it refers to fundamental research, thereby excluding non-fundamental or applied research from the de-control. This definition poses implementation challenges, because it has remained unchanged for many years and because of the evolving nature of the research ecosystem.
It is important to bear in mind that terminology can be an issue here: a scientific classification of a research project as ‘basic research’ does not necessarily or automatically comply with the definition of “basic scientific research” of the EU dual-use Regulation. The compliance staff in your organisation or your competent authority may assist you with the classification in cases of doubt.
Basic scientific research is a de-control for listed dual-use technology only. It cannot be used for tangible items (goods) such as equipment and materials. In essence, it de-controls the actual research output and not the intention to produce research output (at the research funding stage). This is a crucial distinction when considering whether to apply this de-control note.
This guidance provides two criteria to assist in determining whether the de-control note “basic scientific research” is relevant: the Technology Readiness Level and the prevalence of industry funding. Neither criterion determines whether the de-control note should apply. This has to be decided on a case-by-case basis via the internal export screening procedures and, where appropriate, in consultation with the competent authority.
Key take-aways for the de-control note “in the public domain” for software or technology
The EU dual-use Regulation defines “in the public domain” as follows: “technology” or “software” which has been made available without restrictions upon its further dissemination (copyright restrictions do not remove “technology” or “software” from being “in the public domain”). In essence, it de-controls listed dual-use software and technology anyone can obtain.
This EU guidance emphasises that controlled dual-use software or technology that is not yet in the public domain cannot be de-controlled under the “in the public domain” de-control note. The definition clearly refers to software or technology which has been made available without restrictions upon its further dissemination. The intended act of releasing the (object code for) software or technology in the public domain is not sufficient for becoming de-controlled. That means that a to-be research output (open-source software, publication, conference material, …) can only benefit from this de-control if the listed dual-use software or technology that it contains is already in the public domain. Hence, the act of releasing without an authorisation could be a violation of export controls.
The reference to ‘without restrictions’ has to be understood as not limiting the access to only a restricted group of persons. If information is only made accessible after an individual decision has been taken by the information carrier or owner, then not everyone has the possibility to access the information, and thus the information cannot be considered as being in the public domain. Legal restrictions, for example copyright restrictions, without relevance under export control law do not affect eligibility for being de-controlled. Similarly, measures such as requesting a fee for access or prior registration to access are not considered a restriction, as long as everybody is allowed to pay the fee or register.
Open source development is often conducted globally by communities in a collaborative way. Open source technologies or software that are published and made publicly available without restrictions can benefit from the public domain de-control.
Technology for the development of “intrusion software” can be de-controlled where the technology is in the context of “vulnerability disclosure” or “cyber incident response”. Consult the latest version of Annex I for the applicable definitions.
If a researcher refers to or integrates proliferation sensitive information from other sources that is already in the public domain, then it does not make the research output automatically controlled dual-use software or technology. The fact that such listed dual-use software or technology became available in the public domain without a licence is a violation of export control regulations, but this cannot be attributed to this researcher.
Key take-aways for the de-control ‘minimum necessary information for patent applications’ for technology
The General Technology Note contains an exemption for the minimum necessary information for patent applications. This minimum information needed to submit a patent application is thus exempt from export controls. This de-control makes no distinction between national, EU or international patent applications. Once the patent information is published in the public domain, it is no longer subject to export controls.
There is no definition in the EU dual-use Regulation of what ‘minimum necessary information’ entails. It is generally understood as the information needed to meet the filing requirements as determined by the European Patent Office or the patent offices of the EU Member States.
2.3.6 Controlled activities
Not every research activity involving dual-use items will require a licence. The EU dual-use Regulation includes five different types of activities that require an authorisation. Section 2.3.7 details which types of licence exist for each of these activities.
The following two are constant authorisation requirements:
— An export authorisation is needed for the movement or transmission outside the customs territory of the Union of any listed dual-use item in Annex I to the EU dual-use Regulation.
— A transfer authorisation is needed for the movement or transmission of items inside the customs territory of the Union only for listed dual-use items in Annex IV to the EU dual-use Regulation.
The following three are authorisation requirements on a case-by-case basis:
— A transit authorisation is needed for items passing through the Customs territory of the Union.
— A brokering authorisation is needed for the brokering of items between third countries from inside the customs territory of the Union.
— An authorisation is required for provision of technical assistance related to dual-use items.
The transit or brokering of listed dual-use items and the provision of technical assistance for listed dual-use items may be prohibited or may require an authorisation, respectively, if the item is or may be intended, in its entirety or in part, for uses referred to in Article 4(1) of the EU dual-use Regulation. It is the competent authority that decides whether an authorisation is required or a transit is prohibited. Some EU Member States have adopted national measures concerning the transit, brokering or provision of technical assistance controls for non-listed dual-use items. A list of National Measures adopted by Member States in accordance with Regulation (EU) 2021/821 is published and regularly updated by the European Commission. (23)
Some items do not meet the technical specifications of Annex I, but are nonetheless proliferation sensitive due to their technical possibilities or suspected end-use of concern. Transactions with such items and with (suspected) end-use concerns could be subject to an authorisation requirement for exports. Such controls for non-listed dual-use items are called ‘catch-all controls’ (see also subsection 2.3.8).
Appendix 5 provides a flow chart on determining the licence requirements under the EU dual-use Regulation.
2.3.7 Types of authorisations
The EU dual-use Regulation contains the following types of authorisations:
— Individual export authorisations covering one or more dual-use items to one specific exporter for one end-user or consignee in a third country.
— Global export authorisations covering one or more dual-use items which may be valid for exports to one or more specified end-users and/or in one or more specified third countries.
— Large project authorisations covering one or more dual-use items which may be valid for exports to one or more specified end-users in one or more specified third countries for the purpose of a specified large-scale project.
— Union General Export Authorisations (EUGEAs) serve the aim to simplify the export of specific dual-use items to certain countries of destination available to all EU-based exporters who respect its conditions and requirements for use as listed in Annexes IIa to IIf. Annex IIa to IIh correspond to the eight available EUGEAs (EUGEA 001 to EUGEA 008).
— National General Export Authorisations (NGEAs) are additional simplified authorisations for specific dual-use items to certain countries of destination as defined by national legislation. These authorisations only apply to exporters based in the respective EU Member State (24).
— Authorisation for the provision of technical assistance from the customs territory of the Union into the territory of a third country, within the territory of a third country or to a resident of a third country temporarily present in the customs territory of the Union.
— Authorisation for brokering services for a set quantity of specific dual-use items moving between two or more third countries.
— Transit authorisation for non-Union dual-use items that only transit the EU.
— Intra-EU transfer authorisation for Annex IV dual-use items from one EU Member State to another EU Member State.
EU Member States may complement these authorisation requirements with national licence requirements or prohibitions.
An EU authorisation (granted licence) is valid in all 27 EU Member States and can be used to export the items from anywhere in the Customs Union Territory. The validity of licences is determined by each Member State.
Examples:
Publication
Researcher A would like to publish an article in an American journal. The article contains technology covered by Annex I to the EU Dual-Use Regulation (more specifically 3E001 in relation to the development of 3A002.c signal analysers) and will also be available outside the United States of America (US) after its publication. 3E001 in relation to 3A002.c is covered by the items listed in EUGEA 001. The US is one of the countries of destination authorised in the EUGEA 001. Researcher A however cannot use the EUGEA 001 to send the article to the American publisher as the exporter knows that the item will not remain in the EUGEA 001 country to which it will be exported. This is the case here. The article will be made available worldwide, as researcher A is aware. As the EUGEA 001 cannot be used, it is important that the researcher or research organisation reaches out to the competent authority to discuss how to mitigate the licence requirement (e.g. determining and possibly amending or omitting the specific parts that contain the controlled technology, or restricting the access to these specific parts) and if mitigation is not feasible how to fulfil the licence requirement (e.g. individual licence application). Please consult subsection 2.3.4 for more information on the determination of controlled technology.
Export of second-hand dimensional inspection equipment
Research department B wants to sell a second-hand X-ray tomography system for three dimensional defect inspection to a university in Brazil. The equipment is listed under 1B001.f.1. 1B001.f.1. items are not included into EUGEAs (EUGEA 003: export after repair/replacement; EUGEA 004: temporary export for exhibition or fair) covering Brazil as destination. This requires Research department B to apply for an individual licence as this involves one transaction to one end-user.
2.3.8 Controls on export for non-listed dual-use items
Some items do not meet the technical specifications of Annex I, but are nonetheless proliferation-sensitive due to their technical possibilities or suspected end-use of concern.
Under Article 4 of the EU dual-use Regulation, national authorities can impose an authorisation requirement for dual-use items not listed in Annex I if there is a (suspected) connection with use in a WMD programme, (suspected) military end-use in a country subject to an arms embargo (25) or (suspected) use of the item as a component in military equipment that has been exported without or in violation of an authorisation. This provision is known as the “catch-all control”. Where you suspect a potential use of your items in one of the above-mentioned cases, it is recommended that you contact your national authority for further information.
Under Article 5 of the EU dual-use Regulation, the export of non-listed cyber surveillance items may be subject to an authorisation requirement if you have been informed by your competent authority, or if you are aware according to your due diligence findings, that there is an end-use of concern in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.
Under Article 9 of the EU dual-use Regulation, an EU Member State may prohibit or impose an authorisation requirement on the export of dual-use items not listed in Annex I for reasons of public security, including the prevention of acts of terrorism, or human rights considerations. A list of such national measures is compiled by the European Commission and published in the Official Journal. It is also available on the website of the European Commission. (26)
Appendix 7 summarizes the licence requirements for exports and intra-EU transfers of dual-use items.
2.3.9 Red flags
Being vigilant for signs of suspicious enquiries or collaborations is vital for countering the risks of WMD proliferation, their means of delivery, and the destabilising accumulations of conventional weapons. Sharing suspicious information with your internal compliance point of contact is highly recommended. In some cases information sharing with the competent export control authority may be mandatory under EU and national laws and regulations.
Appendix 3 contains a list of ‘red flags’ to assist researchers or compliance staff in making an initial assessment of whether dual-use export controls may apply. This list groups the red flags according to the research, end-use and end-user, shipment, and funding, finance and contract conditions. This list is particularly useful for non-listed dual-use items (to determine whether catch-all controls may apply). It is also good practice to use this list when gathering necessary information during the licence application process for listed dual-use items.
2.3.10 Control of technical assistance
There are two types of controls of technical assistance, one which is regulated in the dual-use Regulation and one which is regulated according to national law in the EU Member States.
Technology, according to the EU dual-use Regulation, may take the form of technical assistance such as verbal instruction, training, passing-on of technical knowledge and skills or advisory services, including by telephone or electronic means. Hence, the instruction given to a colleague working at a third country research institute can constitute technical assistance. The technical assistance must be specific enough to meet the technology thresholds in Annex I to the dual-use Regulation.
Other than dual-use listed technology in the form of technical assistance listed in Annex I of the EU dual-use Regulation, it covers all other technical support related to the repair, development, manufacture, assembly, testing, maintenance or any other technical service intended for use in connection with the development, production, handling, operation, maintenance, storage, detection, identification or dissemination of chemical, biological or nuclear weapons or other nuclear explosive devices or the development, production, maintenance or storage of missiles capable of delivering such weapons or related to military end-uses in destinations subject to an arms embargo.
2.3.11 Export controls and restrictive measures (sanctions)
Export controls and sanctions both impose prohibitions or restrictions. While export controls are focussed on (non-) listed items and case-by-case export screening, sanctions are primarily focused on travel bans, asset freezes and prohibitions to make economic resources available to designated persons and entities and/or sectorial measures (such as restricting certain items and services to specific countries, in some cases to all end-users in a specific country). This guidance does not provide specific information on EU sanctions.
See the EU Sanctions Map for an overview of all applicable EU sanctions at the moment and the list of designated persons and entities: https://www.sanctionsmap.eu/.
For general information on EU sanctions see https://ec.europa.eu/info/business-economy-euro/banking-and-finance/international-relations/restrictive-measures-sanctions_en.
Additional guidance can be made available at the national level.
2.3.12 Frequently Asked Questions
Who is the exporter under the EU dual-use Regulation?
Both natural persons and legal persons are covered by the definition of exporter. This means that a researcher on his or her own behalf or the research organisation on behalf of the researcher can be the exporter. The exporter definition applies not only to export operations, but to all controlled activities of the EU dual-use Regulation, including the intra-EU transfers for items listed in Annex IV. It is up to the research organisation to make internal arrangements concerning who will apply for a licence.
It should be noted that the identification of the exporter is different from the identification of an export. When a visiting third country researcher gets access to, for instance, controlled technology at a university campus inside the customs territory of the Union, then no export takes place. When this researcher returns home to his/her third country and brings with him/her the controlled technology, then an export takes place which requires an approved and valid licence. Hence, prior to this export, a licence application needs to be filed. The last person inside the customs territory of the Union deciding on the transmission of the controlled technology outside the EU needs to apply for a licence. Who may apply for this licence is up to each EU Member State to decide. It may be the visiting third country researcher, but in many cases, this researcher will need to have a representative that is established inside the customs territory of the Union. Regardless of who is the exporter, an export control violation takes place when this controlled technology leaves the customs territory of the Union without an approved and valid licence.
If a publication contains controlled technology, does the author, the university or the scientific publisher have to apply for a licence?
The key point here is that a natural or legal person needs to apply for a licence and thus acts as the exporter. Who that is depends on the internal policy or the contractual arrangement between the author of the publication and the scientific publisher. If the publisher is established outside the EU, then the last person inside the EU deciding on the transmission of the controlled technology outside the EU needs to apply for a licence.
Can an employee of a research organisation, when travelling abroad on a professional visit, remotely access controlled technology or software located on the server of an EU-based research organisation?
Employees accessing controlled technology or software abroad on a professional visit generally have to apply for a licence before travelling. Some EU Member States (27) consider the key determinant here to be whether the controlled technology or software is accessed abroad by other persons (besides the employee(s)).
Who needs to apply for a licence in case of a research consortium with partners in multiple EU Member States and third country partners?
The exporter, and thus the one who must apply for a licence, is the one that is the contractual partner of the consignee in the third country and has the power for determining the sending or transmission of the items from the customs territory of the EU (for Annex I items). In other words, the consortium partner itself or the consortium leader itself may have to request a licence before sending off the dual-use items. This depends on the contractual arrangements between the consortium partners and the consortium leader.
SECTION 3
Setting up or reviewing an internal compliance programme for research involving dual-use items
The role of every Internal Compliance Programme (ICP) is to systematically address and mitigate one or more types of risk in order to ensure compliance with obligations set in the law or undertaken voluntarily by an organisation.
In a research environment, setting up compliance measures to conform to export control laws and regulations is a process that takes time and effort.
The section below lays out all the main elements that a research organisation should consider when it designs or reviews its internal dual-use export compliance system.
3.1 Risk assessment
While considering whether and to what extent it is concerned by dual-use export controls, a research organisation needs to conduct an initial risk assessment by examining the following parameters: (28)
1. The subjects of its activities (e.g. disciplines and research areas where it is active). For an overview of research areas that are more likely to be affected by export controls see Appendix 1.
2. The type and scope of these activities (e.g. field research, online and distance learning and amount of international collaborations and foreign participation involved in its activities).
3. The current status of institutional policies and standardised procedures (e.g. type of organisation structure, existing mitigating measures for security risks and predominant attitudes of the staff).
These parameters must be assessed against legal obligations set out in the EU and national export control laws. (29) At the end of this initial risk assessment, a research organisation will be able to determine its specific dual-use risk profile. This will help the organisation to become aware of the parts of its research activities that need to be covered by the ICP (scope of its internal export compliance system) and target the ICP to the organisation’s specific circumstances (e.g. structure, institutional procedures and available resources).
The initial risk assessment is instrumental in designing and implementing ICP measures which are effective, proportionate and tailored to the specific profile of the organisation. It is often preferable to start by addressing activities/research areas that require immediate action and such areas which are easily identified as involving dual-use items. Following that, the ICP can be expanded to cover further risks and more robust mitigating procedures. Integrating dual-use internal compliance measures to existing institutional policies and procedures is often a key to creating efficiencies and synergies.
Research organisations operate in a dynamic legal and research environment in which risks should be determined or re-evaluated regularly; internal compliance measures therefore depend on the evolving control lists and on the activities a research organisation undertakes at any given time. A more thorough evaluation and rating of the materials, equipment, software and technology involved in or produced by research takes place under the “export screening process and procedures”, as explained in core element 4.
3.2 The core elements of an ICP
This section builds on Commission Recommendation (EU) 2019/1318 of 30 July 2019 on internal compliance programmes for dual-use trade controls under Council Regulation (EC) No 428/2009.
It presents an adaptation of the ICP core elements to make them more suitable for use in a research context. This adaptation is based on feedback received from the research community and it is articulated along the following subsections:
(1) Top-level management commitment to compliance
(2) Organisation structure, responsibilities and resources
(3) Training and awareness raising
(4) Export screening process and procedures
(5) Performance review, audits, reporting and corrective actions
(6) Recordkeeping and documentation
(7) Physical and information security
In Appendix 4, a checklist for each core element is provided to support developing an ICP, or at a later stage reviewing an existing ICP.
3.2.1 Top-level management commitment to compliance
Top-level management commitment and support to an ICP is important for both symbolic and practical reasons. A proclaimed statement of commitment to compliance with export control law by the top management body/function of the organisation can raise the awareness of the staff, increase the importance attached to such compliance measures, and result in enhanced human and technical resources being provided by other departments of the organisation.
What is expected from research organisations?
As in every organisation, top-level management commitment aims to increase legitimacy of compliance measures and create or enhance an organisational culture that is conducive to dual-use export control imperatives. In a research environment, top management commitment is essential in order to encourage and actively support the deployment of an ICP.
Given that research organisations and particularly universities often feature decentralised models of organisation structure, it might be useful to consider the expression of commitment at a department, faculty or school level (e.g. the different deans of faculties/schools). Such an approach can be particularly relevant to organisations having just a few departments potentially concerned by export controls.
This element is materialised by a written statement and support from top-level management which results in adequate organisational, human and technical resources for the organisation’s ICP. Such a commitment statement calls on all concerned staff to comply with the relevant EU and Member State laws and regulations and to take the necessary precautions when using controlled inputs or producing research outputs that are sensitive and might be controlled.
What are the steps involved?
Develop a commitment statement stating that staff members (scientific and administrative) shall comply with all EU and national dual-use export control laws and regulations by applying the mitigating measures foreseen in the organisation’s policies and procedures. Refer to the possible consequences of non-compliance incidents for the organisation and the individuals involved.
Clearly and regularly communicate the commitment statement to all potentially concerned staff (also staff with no role in dual-use export control) in order to raise awareness and promote a culture of compliance with the dual-use export control laws and regulations.
Consider using all available means (either electronic or print-outs) to publicise the statement and sources of information about the internal compliance procedures of the organisation. (30)
3.2.2 Organisation structure, responsibilities and resources
Each research organisation is unique and therefore, there is not only one way to organise compliance procedures and allocate respective responsibilities. However, having a well-defined set of procedures and responsibilities for export compliance can help the organisation to achieve its compliance objectives and improve its management model as a whole.
What is expected from research organisations?
In a research context, there are different types of responsibility to be considered. Typically, such responsibilities will be shared by both administrative and scientific staff.
The first type of responsibility concerns the overall responsibility for implementing the organisation’s compliance policies which lies with the management of the organisation. This responsibility might entail approval of license applications, oversight that adequate resources are allocated to compliance as well as ensuring that there are regular reviews and updates of the compliance measures in place. In some Member States, this function must be a member of the top-level management.
The second type of responsibility requires the establishment of an export compliance function responsible for developing and/or implementing the compliance measures of the organisation. The tasks of this function may include: responding to export control enquiries, deciding whether a licence application is relevant and what mitigating measures are necessary for a given activity. The export control function may also help staff to understand license conditions, apply due diligence checks and maintain appropriate records.
This responsibility is typically assumed by a department having experience in complying with legal obligations and interacting with the organisation’s staff and external collaborators. (31) There should be at least one person in the organisation who is entrusted with export compliance. If possible, the export control function should be free from conflicts of interest. Also, it should have direct access and a reporting obligation to the top management.
In addition to this, it might be necessary to appoint points of contact in different departments of the organisation, who can raise awareness, guide the administrative and scientific staff whenever a relevant issue arises and, if necessary, refer enquiries and requests to the export control function.
The third type of responsibility concerns the implementation of practical steps to be taken by scientific staff in order to ensure conformity with the organisation’s compliance requirements. This function entails tasks such as identifying projects that might require a license, applying end-use/end-user checks and undertaking the prescribed mitigating measures and approvals while performing research activities. While all concerned staff must adhere to the organisation’s compliance procedures when performing their work, typically the responsibility to identify sensitive projects and apply the required checks lies with the project leader. Frequently, this is the person who secures the funding and coordinates the project within an organisation, also known in some research contexts as the Principal Investigator.
Administrative staff (e.g. from the procurement and legal department) can oversee certain compliance tasks as foreseen by the compliance policies. Such staff can be part of the export compliance function or merely collaborate closely with it.
Administrative staff might be able to identify issues that have escaped the attention of the research staff. This way, trained administrative staff could act also as the “gate keepers” when other safeguards fail. (32)
Appendix 6 offers two examples of possible compliance organisation structure in research settings.
What are the steps involved?
— Determine which parts of your organisation are relevant for export control compliance. Identify and appoint the person(s) with the overall responsibility and assign at least one person to the export compliance function. Depending on the organisation’s needs this person may only have to handle tasks relating to dual-use export control on a part-time basis.
— Consider all different types of responsibility and compliance related functions. Define clear processes and responsibilities for both administrative and scientific staff. Start with the departments conducting research in a critical area and expand to address other less sensitive departments as your compliance system evolves.
— Do not neglect to define the delegation of powers (e.g. in case of sickness or holidays) and back-up functions whenever possible.
— Ensure that appropriate resources are allocated to the ICP and consider the knowledge and skillset needed in terms of both legal and technical expertise. Written job descriptions are recommended.
— Be ready to fully exploit expertise and experience already available in different parts of the organisation. Consult with colleagues of different departments (e.g. procurement, security and legal department) on the ways that available policies and procedures could accommodate export compliance requirements.
— Consider setting up, along with your IT support, online tools and procedures to facilitate the implementation of internal compliance measures.
— Codify the organisation’s export compliance policies and procedures, including the main chain of responsibility, in manuals/handbooks and make them available to the organisation online or in hard copy. Try to use language that is as precise and clear as possible. Consider including examples and practical cases such as the ones offered in this guidance or in national sources.
— Make sure that the scientific and administrative staff know what procedure to follow and who is the contact point whenever an export control question arises.
3.2.3 Training and awareness raising
Training and awareness raising is an important element of every ICP and it should be tailored to the specific situation of a research organisation. Awareness raising is considered the first step in enabling both scientific and administrative staff to understand security risks and fulfil their responsibilities under the export control law and the organisation’s ICP. Training includes specialised courses tailored to the functions and staff in the organisation that are affected by export controls.
What is expected from research organisations?
Research organisations need to consider awareness raising and training initiatives at different levels, through different means and with varying goals.
First, general introduction to export control issues for all potentially concerned research staff and students is important for raising awareness and promoting a culture of responsibility throughout the organisation. This can be accomplished through inclusion of references to export control objectives and related internal measures in codes of conduct, webpages on ethics and research integrity as well as general safety and security courses provided regularly. (33)
Second, general training and awareness raising activities should be developed for those scientific staff coming from the organisation’s departments identified as of relevance to export controls in the initial risk assessment and subsequent re-assessments. The aim of these trainings is to make staff familiar with export control requirements and ensure that they can take the necessary action when an issue or concern arises in the design, planning, and execution of their research.
Third, targeted training should be conducted towards administrative staff dealing with the implementation of the different internal control procedures such as those relating to security, procurement, technology transfer, contracts and research collaborations. Likewise, specialised training should be organised for research staff being regularly affected by the implementation of export controls due to their involvement in sensitive projects requiring particular attention and control measures.
A research organisation may perform very different types of research and dual-use export control lists relate to a wide spectrum of items and technologies. This implies a need to consider developing training material and approaches tailored to audiences coming from different departments, expertise and backgrounds.
Considering the dynamic character of the export control laws and developments in this area, training should be carried out on an annual basis while the staff having the main responsibility for the operation of the ICP should update available tools and information material regularly.
Please check with your national authority whether additional resources such as subscription to information sessions and newsletters, national guidance and trainings are available.
What are the steps involved?
— Provide compulsory, periodic training for all staff members potentially involved in export controlled dual-use activities in order to raise awareness of export control issues and infuse a culture of responsibility throughout the organisation.
— When possible, use existing training initiatives such as introductory courses for newly recruited staff to incorporate references to export compliance measures and requirements. Follow the same approach with staff regulations and didactic material already in use.
— Ensure via awareness raising tools (e.g. decision trees, intranet webpages, information and acknowledgement notes in export control relevant procedures) that all concerned staff are aware of all internal policies and measures on export controls.
— Make use of material containing information on relevant EU dual-use export control laws and control lists and restrictive measures, as well as national measures and embargoes. Consider making user-friendly tools (developed in-house or provided by external resources) available to all concerned staff to facilitate easy navigation through these legal documents and their updates.
— If possible, consider customised trainings for both administrative and scientific staff.
— Consider, whenever appropriate, making use of opportunities to receive national or EU training for dual-use export controls.
— Incorporate lessons learnt from performance reviews, audits, reporting and corrective actions, whenever possible, in your training or export awareness programmes. Conversely, take note of any findings alluding to an insufficient functioning of the compliance measures in place.
3.2.4 Export screening process and procedures
This element contains internal measures the organisation should implement to ensure that no “export” takes place without the required license or against any relevant export restriction or prohibition.
The export screening process collects and analyses relevant information concerning the following aspects: item classification, risk assessment of the activity, license determination and application, and post-licensing. While following the steps mentioned below, a research organisation needs to design and operate an export screening process taking into account the different types of activities undertaken, existing institutional policies and procedures and the specific challenges linked to the risk profile of the organisation.
What is expected from research organisations?
The export screening process is at the very heart of the organisation’s internal compliance measures. The implementation of this element must be shared by administrative and scientific staff as their compliance roles have a mutually reinforcing impact on the operation of an ICP. The aim is to set up screening procedures that specify the steps involved for complying with the export control law and the organisation’s internal control policies. Depending on the scope and the sensitivity of the research undertaken, the export control screening process can be relevant to several activities:
— Exporting items (through tangible means of transfer);
— Contracting (primarily with international partners) (34);
— Patenting/licensing of research results;
— Publishing (e.g. articles, conference material, software);
— Electronic transmissions (including making items available online);
— Hiring staff and receiving visitors (mostly, sanctions related);
A research organisation can consider adjusting its institutional policies and procedures concerning all the activities mentioned above by inserting export control checks and verifications. Most of the time, non-university research institutes have centralised procedures in place, that can be adapted to accommodate such screening and mitigating procedures. Universities can choose to follow the same approach, tailored to their needs.
In a research organisation and particularly in a university, export controlled activities can take place in the context of both formal collaborations with external partners and informal exchanges. In the latter case, the exchanges can take place mostly at the level of individual researchers. Therefore, the export screening process shall address both possibilities and introduce screening procedures and checks for identifying whether a specific research activity entails the “export” of a controlled item.
Individual researchers must be able to identify and report export control issues while conducting their research. This can be achieved by using generic tools such as decision trees guiding researchers through the steps to be taken in identifying possible export control issues (35). In addition, targeted procedures and checks could be integrated into institutional processes authorising the aforementioned activities. For example, a research organisation could insert in its online system for approving travel abroad an information note and a requirement for researchers to perform export control checks prior to submitting a request. (36)
Furthermore, export screening procedures should be included in the phase of planning a research project and prior to entering into a formal agreement with other partner organisations. In this phase already, the definition of the project’s objectives and the funding source might have implications from an export control point of view.
An export control issue can come into play in different phases of the project life. In some cases, an export control authorisation might become relevant only at the very final phase of a research project when the research organisation/researcher chooses to share an export controlled output with third parties, for instance through a license agreement. This underlines the importance of introducing export control verifications in different institutional procedures.
In other situations, particularly those involving collaborations with international partners, research can entail the disclosure of sensitive technologies and the consignment of export controlled outputs in different phases of the project. Therefore, for projects flagged as sensitive, it is appropriate to add export control checks and mitigating measures throughout the project’s life. It is important that this is specified in the agreement signed with other organisations.
In all instances discussed above, the export screening procedures to be set up shall consider the following aspects:
— Item classification, including software and technology;
— Risk assessment of the activity
If the result of the item classification and the risk assessment of the activity leads to the conclusion that the activity is controlled, further aspects need to be addressed as below:
— Determination of which license (authorisation) is needed (e.g. for export, brokering, transfer and transit) as well as application for such license (38); and
— Post-licencing, including shipment control and compliance with the conditions of the authorisation.
In a limited number of cases, it might be determined that the organisation or the individual researcher must refrain from a certain activity or that a project or engagement with a collaborating organisation cannot take place. For example, this can be the case where an involved party is included on a restricted list under sanctions or where the organisation deems as high the risk that a research output will be used for nefarious purposes in a third country. Likewise, it is possible that the competent authority denies (i.e. rejects) an application for an export authorisation in accordance with applicable export control law, e.g. if its assessment identifies proliferation risk.
In case of doubt or suspicion during the export screening process, particularly regarding the results of the stated end-use and involved parties screening or the diversion risk screening, consult with the competent authority in the EU Member State where your organisation is established.
What are the steps involved?
— Set up export screening procedures allowing your organisation to perform a risk assessment that addresses all different potentially sensitive activities and sources of risk. These procedures shall enable individual researchers, students, project leaders and administrative staff to contribute to the assessment of the export control risks relating to the organisation’s activities.
— Where possible, adjust your institutional policies and procedures to accommodate export control checks for potentially sensitive activities (shipping, contracting, publishing, sharing online etc.) and allow for mitigating measures concerning projects flagged as sensitive.
— Consider using generic risk assessment tools (e.g. flow charts) (39) as well as data mining techniques (40) and other software for screening items, projects and linked activities against export control lists and lists of restricted entities and destinations.
Item classification
This aspect of the screening procedure seeks to understand whether an item used or produced in the framework of research falls within the scope of the control list(s) or whether a research project will be confronted with controlled items. This is done by comparing the technical characteristics of an item against the EU and national dual-use control lists. If applicable, identify whether the item is subject to restrictive measures (sanctions and embargoes) imposed by the EU or the EU Member State in which your organisation is established. (41) Please keep in mind that software and technology that meet the control specifications could be exempted if the “basic scientific research” and “public domain” exemptions apply (see Section 2.3.5).
— Try to determine whether an envisaged project will use controlled items and examine whether its contributions will meet the thresholds specified in the control list. For projects identified as high risk, provide for export screening checks throughout the life cycle of the project.
— Pay particular attention to the classification of dual-use components and spare parts, and to the classification of dual-use software and technology that can be transferred by e-mail or made available via a ‘cloud’ service abroad.
— As a precautionary measure, consider verifying whether dual-use items falling within the scope of the control lists exist in the laboratories and repositories of the organisation. Their presence can be an indicator of export control sensitivities. Examine the possibility of registering in your inventories whether an item (either new, used or spare) is of dual-use relevance and thus requires special handling in case of export.
— Consult with the project leaders and available experts in order to collect information about the possible misuse of your dual-use items in the context of conventional military weapons or WMDs.
— While collaborating with companies or other research organisations, it is good practice to request from them additional information about the technical parameters and the control status and classification of the materials, components and subsystems that are to be used by your organisation.
— As required by Article 11(9) of the EU dual-use Regulation concerning intra-EU transfers, mention in the relevant documents (contract, order confirmation, invoice or dispatch note) that the transaction involves listed dual-use items that are subject to controls if exported from the EU.
Risk assessment of the activity
The export screening process also takes into account the partners involved in a sensitive research project and all different recipients of controlled research outputs, as well as the risk that these recipients will use such outputs for unlawful purposes. The list of red flag questions offered in Appendix 3 of this Guidance is of help in assessing the various risks linked to an activity.
Checks on embargoed, sanctioned or sensitive destinations and entities
Ensure that none of the parties involved in a project or sensitive activity are subject to restrictive measures (sanctions and embargoes) by consulting the EU consolidated list of sanctions (42) or national list, where available.
Stated end-use and involved parties screening
Know your partner(s) and consider how they intend to use your research involving dual-use items. Be aware of the existence of research organisations acting as cover for military research or having strong ties with state-owned entities. Ask for an end-use statement if the activity involves listed dual-use items or when there are end-use(r) concerns in the case of non-listed dual-use items. (43) Consult the information provided by your competent authority for national rules and requirements concerning end-use statements. (44) Please be aware that end-use statements can also be requested for sharing controlled software and technology. Be vigilant for diversion risk indicators and signs about suspicious enquiries or orders.
Diversion risk screening
Be vigilant for diversion risk indicators and signs about suspicious enquiries for cooperation. There might be indications suggesting that a partner will use dual-use items shared or delivered by your organisation in the context of unauthorised military research, in relation to WMDs and their means of delivery, or for other unlawful purposes.
Please consider that non-listed dual-use items might also require an export authorisation if the stated end-use and involved parties screening or the diversion risk screening raise some concern in the sense of the catch-all provisions in Article 4 of the EU dual-use Regulation. Usually, this situation concerns items having technical parameters close to the controlled ones.
Catch-all controls for non-listed dual-use items
The export screening process should assess the possibility for a non-listed dual-use item to be used in connection with sensitive end-uses specified under Article 4 of the EU dual-use Regulation. If the researcher or research organisation is aware or suspects that an activity or project entails such a risk, it must abstain from engaging further in this research and immediately inform the competent authorities, who will conclude whether a license application is necessary. For more information on the application of catch-all controls see Section 2.3.8.
License determination and application, including for controlled brokering, transfer and transit activities
The result of the item classification and risk assessment of the activity might be that a licence requirement is relevant.
— Gather and disseminate information about the range of license types (including individual, global and general licenses) and controlled operations (export, brokering, transfer and transit), and about the license application procedures relating to the applicable EU and national dual-use export controls.
— Be aware of national dual-use export control measures for other activities, such as technical assistance. See Section 2 for more information on the possible authorisation requirements.
— Consider making use of simplified licence procedures (general licenses) for destinations mentioned in the EU dual-use Regulation or national measures.
— Ensure that all concerned staff know about the different types of licences and procedures to be followed internally and for submission to the authority (who will be able to apply and what steps to follow).
Post-licencing, including shipment control and compliance with the conditions of the authorisation
Before the actual shipment or transmission of a controlled item, there should be a final check that all steps regarding compliance were taken. This is a good moment to double check if items are correctly classified, if red flags have been checked, if the screening of entities was done and whether there is a valid licence for the shipment.
— Be aware that a change of relevant legislation could have taken place in the meantime. For example: the item is now a listed dual-use item or the end-user is now sanctioned.
— Ensure that the terms and conditions of the licence have been complied with (including reporting). Please be aware that a licence may restrict the transfer of technology and software to only certain recipients and consider how partners involved in sensitive research observe such requirements.
— Be aware that any changes to the organisation’s details (such as name, address and legal status), to the details of the end-user and/or intermediaries and to the details of the authorised items may affect the validity of your license.
3.2.5 Performance review, audits, reporting and corrective actions
Every management system needs to be subject to periodic review to identify omissions and operational failures as well as to adjust its policies and procedures based on new information, legal requirements and newly identified best practices.
A well-functioning ICP has clear reporting procedures about the notification and escalation actions of staff when a suspected or known incident of non-compliance has occurred. As part of a sound compliance culture, scientific and administrative staff must feel confident and reassured when they raise questions or report concerns about compliance in good faith.
Performance reviews, audits and reporting procedures are designed to detect inconsistencies, to clarify and revise routines if they result (or risk resulting) in non-compliance, and to improve the efficiency of the controls in place.
What is expected from research organisations?
The role of this core element is to verify the day-to-day compliance work within the organisation, consider areas of improvement and revise the compliance procedures, if deemed necessary. Information retrieved during training and awareness raising and other reporting measures in place can feed into the performance review.
Another important component of this core element is audits to be performed internally or by an independent auditor to check whether the ICP is correctly implemented. If resources allow, it is a good business practice to periodically deploy an external auditor.
Reporting procedures prescribe the steps (e.g. notification procedure) to be taken internally and externally in case of a suspected or known incident of non-compliance.
Finally, corrective actions are a set of remedial actions to guarantee that a non-compliance will not take place again.
What are the steps involved?
— Provide for control mechanisms as part of the regular operations to monitor the workflow within the organisation to ensure that any wrongdoing is detected at an early stage. For example, one approach is to use the four eyes principle for a technical classification or export screening result. Consider the roles of both administrative staff and researchers in the process of monitoring.
— Develop and perform audits to check the design, adequacy and efficiency of the ICP. Make sure to include all elements of the ICP in the audit.
— Ensure that all staff, including students, feel confident and reassured when they raise questions or report concerns about compliance in good faith.
— Establish whistleblowing and escalation procedures to govern the actions of staff when a suspected or known incident of non-compliance has occurred.
— Document any suspected breaches of national and EU dual-use export control legislation and the associated corrective measures in writing.
— Take corrective actions to adapt the export control operations or the ICP according to the findings of the performance review, the ICP system audit or the reporting. It is recommended to share these findings, including the revision to procedures and corrective actions, with all staff concerned and the top management. Once the corrective actions have been implemented, it is recommended to adapt the policies and procedures of the ICP as necessary and communicate the changes within the organisation.
— A dialogue with your competent authority can contribute to damage control and possible ways to strengthen the research organisation’s export control system.
3.2.6 Recordkeeping and documentation
Proportionate, accurate and traceable recordkeeping of dual-use export control related activities is essential for a research organisation’s compliance efforts. A comprehensive recordkeeping system will help a research organisation to comply with the EU and national documentation retention requirements (45), review and improve its compliance measures and, it will facilitate cooperation with competent authorities in case of a dual-use export control enquiry or a verified non-compliance.
What is expected from research organisations?
A research organisation’s document retention policy must comply with relevant obligations set in the national law or practice (e.g. obligation to keep and track documents relating to an export authorisation for at least a certain amount of time) and it could provide for additional requirements when conducting research featuring controlled items, technologies and software. Decisions made and steps taken during the various export screening procedures (e.g. an internal document describing the technical decision to classify an item or a collaborative project) may be in the organisation’s best interest to maintain. For example, if all required records are captured and correctly filed, this will allow for an efficient search retrieval during risk assessment procedures for future projects but also during periodic audits. Quite importantly, effective recordkeeping and documentation will demonstrate the course of actions followed when a suspicion or case of non-compliance arises.
Research activities are most of the time a joint enterprise and therefore maintaining appropriate records of all sensitive activities can be a genuinely collective effort. In the case where a research organisation undertakes or could undertake controlled research in collaboration with other organisations, special clauses could be inserted in the formal agreements specifying the obligations of all involved parties to abide by the applicable export control law. Such clauses could clarify whose responsibility it is to apply for a license and comply with the ensuing recordkeeping requirements. It is necessary that all involved parties take the required steps to observe recordkeeping requirements and ensure that their actions do not run against the laws of the EU Member State where they are based. (46)
What are the steps involved?
— Verify the legal requirements for recordkeeping (period of safekeeping, scope of documents, etc.) in the national legislation of the EU Member State where the organisation is established.
— In order to make sure that all relevant documentation is at hand, consider determining the record retention requirements in the contracts with collaborators.
— Create an adequate filing and retrieval system for dual-use export control. Electronic systems with performant indexing and search functionalities are essential.
— Ensure that export control related documents are maintained in a consistent manner and can be made available promptly to your government or other external parties for inspections or audits.
— It is recommended to keep a record of past contacts with the competent authority, also in relation to end-use(r) controls for non-listed dual-use items and in case of technical classification advice.
3.2.7 Physical and information security
Physical and information security refer to the set of internal procedures that are designed to ensure the prevention of unauthorised removal of or access to dual-use items by the organisation’s staff, contractors, collaborators and visitors. They are designed to function in synergy with other internal security procedures implemented by a research organisation and they are particularly useful for monitoring and tracking the intangible transfers of technology.
While physical and information security standards are not foreseen by the EU dual-use Regulation, monitoring and safeguarding access to controlled items can ensure that no unauthorised export will take place either wilfully or by negligence.
What is expected from research organisations?
Security risks emanate from both external and internal threats to an organisation. Moreover, when designing internal procedures, it is often more efficient and effective to consider the whole spectrum of threats and develop mechanisms which address both external and internal risks.
Having appropriate security measures preventing the unauthorised access or removal of controlled dual-use items can be used for achieving different objectives. For instance, a system monitoring who has access to what premises/laboratories can help an organisation to comply with both security protocols required for certain types of research and export control and sanction obligations setting restrictions in the access and use of dual-use equipment by third country nationals. In a similar way, access to controlled dual-use technology via the internal servers of the research organisation should be restricted on a need-to-know basis as much as possible and sensitive electronic transfers should be monitored according to export control requirements.
In order to safeguard sensitive projects involving dual-use or other security relevant items, a research organisation can implement a set of internal measures for identifying and mitigating risks in an integrated manner thereby addressing both physical and information security and export control aspects. It is underlined that export authorisations for intangible technology transfers to non-EU destinations may constitute part of such an integrated approach.
What are the steps involved?
Physical security
Ensure, according to the research organisation’s risk assessment, that controlled dual-use items are secured against unauthorised removal, access or use by all staff including students, visiting scientific staff and external collaborators. Measures to be considered include, for example, physically safeguarding the items, the establishment of restricted access areas and personnel access or exit controls.
Information security
Establish internal policies and procedures for secured storage of and access to controlled dual-use software or technology in electronic form, including antivirus checks, file encryption, audit trails and logs, user access control and firewall. In the case of handling export controlled information in the context of an international collaboration make sure that the necessary precautions are applied also by the organisation’s partners. Such a requirement could be specifically included in the agreement/contract setting up the collaboration. Consider using classification schemes (e.g. markings) when transmitting software and technology containing sensitive or export controlled information. If applicable to your organisation, consider protective measures such as end to end encryption for uploading software or technology to the ‘cloud’, storing it in the ‘cloud’ or transmitting it via the ‘cloud’. (47)