Brussels, 19 June 2018
WK 7507/2018 INIT
LIMITE
CONOP COMER CFSP/PESC ECO UD ATO COARM

WORKING PAPER

This is a paper intended for a specific community of recipients. Handling and further distribution are under the sole responsibility of community members.

CONTRIBUTION
From: BE, DE, DK, HR, HU, RO, SK, SL Delegations
To: Working Party on Dual-Use Goods
Subject: Recast of Regulation 428/2009 - For an effective, focused and balanced control of cyber-surveillance items

With a view to the Dual Use meeting of 20 + 21 June, delegations will find attached a paper by Belgium, Croatia, Denmark, Germany, Hungary, Romania, Slovakia and Slovenia regarding proposals on how an EU list regarding the control of cyber-surveillance items could work. It also presents compromise considerations regarding the overall cyber-surveillance cluster. This paper should be presented under AOB.

Recast of Regulation 428/2009 - For an effective, focused and balanced control of cyber-surveillance items

Part A

1. The recast of the EU Dual-use Regulation 428/2009 was initiated in late 2016. Council has since devoted much time and effort to the proposal put forward by the European Commission as well as to the amendments made by the European Parliament in early 2018. The recast is now at a crucial moment in time as the current legislative term is approaching its end in mid-2019. Council needs to keep this timeline in mind and should come to a position allowing for the recast to be finalized in this legislative term.

2. One of the most discussed issues is the regulation of cyber-surveillance items. While it has become clear that all Member States agree on the goal of strengthening human rights and acknowledge both the legitimate uses as well as the potential of cyber-surveillance items being misused for human rights violations, there is still no common approach on how to best address the issue. However, various options have been put forward in WK 1019/2018, among them on the dual-use definition, list-based controls, additional end-use controls as well as art. 8 related clarifications.

3. Further considerations regarding list-based controls have been developed in WK 5755/2018. While the concerns expressed therein are valid, no common regulatory solution by the EU export control system is offered. Furthermore, the concerns expressed in WK 5755/2018 refer to a list model in the form proposed by the European Commission which is – given the discussions in Council – already antiquated. The Commission’s list-model is one in the broadest and most unconditioned form possible. Instead, discussions have shown that any list-approach must be put under strict criteria and procedures in order to be focused and well-balanced. With this, concerns such as an ever-growing EU-autonomous list, deviation from the regimes or list quality could be addressed while at the same time providing for an effective regulation.

4. To facilitate the further discussion and as a contribution in finding a compromise, the following considerations elaborating in more detail a list-based approach, as set out in WK 1019/2018 as an option, are put forward. Any list-based model should incorporate the following:

• A limitation in scope to cyber-surveillance items. Cyber has been identified as an area of concern for human rights violations by the Commission’s Impact Assessment. Any list-model should therefore be focused on this area. Such limitation would bring the recast in line with the Impact Assessment (as already acknowledged and done by EP).

• An explanation of why the EU should act at all. Even though this should be apparent, given past incidents of unregulated exports of cyber-surveillance items from the EU to third countries and their misuses for the violation of human rights in third countries, the distinct motivation and reasoning to regulate the export of cyber-surveillance items could be described in a recital. This means that even if there is no immediate military application of cyber-surveillance items, the EU shall be able to act because of their potential to be misused by police/security forces or other governmental forces for repression purposes or violation of certain human rights.

• A set of listing criteria (similar to the ones in Wassenaar, stated in document “Criteria for the selection of dual-use items” in WA) should be introduced. Criteria include: foreign availability of the item, ability to effectively control the export of the item (i.e. that no standard, mass-market products are controlled), ability to make a clear and objective specification of the item, controls by another regime (i.e. no double listing).

• Any proposals for amendments should be subject to review by the “Surveillance Technology Technical Expert Group” (STEG), a sub-group of the “Dual-use Coordination Group”. The STEG could assess whether measures are technically sound, ensure list quality and that the listing criteria are met. In this regard, there is a significant difference to other areas of control, as the EU has built up a genuine expertise in the field of cyber-surveillance controls through the STEG.

• Controls must be interconnected with international and national controls in a breathing and learning system. First, this would include a call for all MS to support the listing of EU-controlled items in the international regimes, stating the bridge-function of EU controls to international controls. Second, a sunset clause would be required stipulating that whenever an item is later listed in the international export control regimes, it shall be transferred to the respective Annex. Third, it could include a trigger mechanism: if a MS decides to apply art. 8 for cyber-surveillance controls, this could provide an impulse for EU level.

• It must be regulated that any EU autonomous list shall be amended by regular procedure only. However, the Commission could be empowered to (re)move items by delegated act.

5. Under these conditions, a list-based model could become an effective and workable instrument that at the same time is strict and flexible enough. Many concerns, such as a soaring expansion of controlled items over time, would be unfounded.

6. On the other hand, and in return for limiting the list-based model significantly, concessions on other aspects of the cyber-surveillance cluster should be made in order to find an overall acceptable approach. This includes renouncing the distinction between dual-use items and cyber-surveillance items.
Along the lines of proposals already made in Council, it would be acceptable to leave the dual-use definition as it is and not have a separate cyber-surveillance definition. This would qualify cyber-surveillance items as dual-use items in the dual-use domain, but not internationally controlled. Furthermore, it would be acceptable to keep the reference to the assessment criteria from 2008/944/CFSP in art. 14 (ex art. 12) in its current form as in force today, and highlight human rights as one of the relevant existing criteria. Then there would be no confusion about different assessment criteria for listed items, while at the same time making sure that there is a possibility for Member States to assess the human rights aspect as well as the other relevant criteria. Finally, art. 4.1.d) should be removed as discussions have shown that there is almost no support for this provision.

Part B

In the following, specific text proposals for recitals, articles and the Annex are made implementing the considerations under Part A.

Proposal for recitals

(A) In a joint statement issued on 16 April 2014, the European Parliament, the Council and the Commission acknowledged the issues regarding the export of certain information and communication technologies that can be used in connection with human rights violations as well as to undermine the EU’s security, particularly for technologies used for mass-surveillance, monitoring, tracking, tracing and censoring, as well as for software vulnerabilities. The three institutions asked for options to be explored to address these issues in the context of the review of the EU dual-use export control policy. The Council, in its conclusions of 21 November 2014, confirmed this acknowledgment and called upon Member States to assess whether further controls are necessary to prevent internal repression by certain information and communication technologies. Based on this political mandate, the EU shall act to address the issues of exports of cyber-surveillance items as part of the EU dual-use export control policy.

(B) While cyber-surveillance items have legitimate and regulated law enforcement applications, they can also be misused for internal repression and other human rights violations by authoritarian or repressive regimes. In recent years there have been numerous reports of cyber-surveillance items being exported from the Union to repressive regimes and/or into conflict areas and being misused in violation of human rights. As demonstrated by those reports, the export of cyber-surveillance items under such conditions poses a risk to the security of those persons and to the protection of fundamental human rights, such as the right to privacy and the protection of personal data, freedom of expression, freedom of association, as well as, indirectly, freedom from arbitrary arrest and detention, or the right to life. It is therefore appropriate to control the export of those items in order to protect public security as well as public morals.

(C) At the same time, it is important to underline that the four international export control regimes are and must remain the essential fora for the identification and regulation of dual-use items. It shall, however, also be noted that the EU through the Anti-Torture-Regulation as well as the Member States through national lists have already introduced additional export controls beyond the item lists of the international export control regimes, as have many other countries which are members of the international export control regimes. Regarding the control of cyber-surveillance items, in particular the Wassenaar regime is a forum addressing such controls. Some cyber-surveillance items are already regulated in the Wassenaar regime because of their military relevance. Other cyber-surveillance items are not regulated at an international level.
While that might change in the future, given the potential use of cyber-surveillance items in unconventional, hybrid conflict scenarios, it remains the political mandate of the Union to act when cyber-surveillance items shall be controlled even if there is no immediate military application, but because they can be misused by police/security forces or other governmental forces for internal repression purposes or violation of certain human rights. Within the scope of this mandate, and given the importance of the international export control regimes, any EU controls should be limited in scope to cyber-surveillance items and not contain any duplications with items already listed in the international export control regimes.

(D) Any controls should be based on clearly defined criteria. These measures should not go beyond what is necessary and proportionate. They should, in particular, not prevent the export of information and communication technology used for legitimate purposes, including law enforcement and network and internet security.

Proposal for an article […]

1. An authorisation shall be required for the export of the dual-use items listed in Annex […].

2. The list of dual-use items in Annex […] shall be limited in scope to cyber-surveillance items, i.e. hardware, software and technology specially designed to enable the monitoring, exfiltrating, collecting and analysing of data and the covert intrusion into information and telecommunication systems or the incapacitating or damaging the targeted system without the specific, informed and unambiguous authorisation of the owner of the data.

3. The list of dual-use items in Annex […] shall be amended in accordance with art. 294 TFEU if this is necessary due to risks that the export of such items may pose as regards the commission of serious violations of human rights or international humanitarian law, in particular due to their potential to be misused by police/security forces or other governmental forces for internal repression purposes or violation of certain human rights such as the right to privacy, the right to data protection, freedom of speech and freedom of assembly and association.

4. (1) Any amendments of Annex […] shall be based on the following criteria:
a. foreign availability of the items outside of the Union,
b. the ability to control effectively the export of the items,
c. the ability to make a clear and objective specification of the item,
d. controls by the international export control regimes (no double listing).

(2) Proposals for amendments shall be subject to review by the Surveillance Technology Technical Expert Group (STEG), a sub-group of the Dual-use Coordination Group. The STEG shall review whether the proposal is technically sound, ensure list quality and that the listing criteria under a)-d) above are met. It shall provide a technical assessment of the proposal and a recommendation regarding its adoption to Council, Commission and European Parliament.

5. In case a Member State has applied national controls for cyber-surveillance items, it shall notify the Commission, the STEG and the other Member States of such controls. The STEG shall carry out a review in accordance with paragraph 4.2 to assess whether such national controls are also suitable for amendment of Annex […].

6. Amendments may also concern decisions to delist items from Annex […]. In particular if an item becomes listed in one of the international export control regimes, it shall be delisted from Annex […]. The Commission shall be empowered to adopt delegated acts in order to delist items of Annex […].

7. The Member States and, where appropriate, the Commission shall engage in relevant international organizations, in particular the international export control regimes in which they participate, to promote international adherence to the list of items subject to export controls in the Union under Annex […]. The Commission and the Member States shall, where appropriate, maintain regular and reciprocal exchange of information with third countries and engage in capacity-building with the aim of promoting upward convergence of the items in Annex […] becoming listed in the international export control regimes.

Proposal for Annex […]

Explanatory note: The following annex includes the items as foreseen in the Commission’s proposal. However, since the beginning of the proposal technical discussions have taken place among Member States. As a result, the annex will have to be revised from a merely technical point of view. It shall be updated to the then current stage of play at the time of adoption.

GENERAL TECHNOLOGY NOTE (GTN)

"Technology" "required" for the "development", "production" or "use" of goods under control remains under control even when applicable to non-controlled goods.

Controls do not apply to that "technology" which is the minimum necessary for the installation, operation, maintenance (checking) or repair of those goods which are not controlled or whose export has been authorised.

Controls on "technology" transfers do not apply to information "in the public domain", to "basic scientific research" or to the minimum necessary information for patent applications.

CATEGORY 10

10A001 Surveillance systems, equipment and components for ICT (Information and Communication Technology) for public networks where the destination lies outside the customs territory of the European Union and outside of Part 2 of Section A of Annex II to this Regulation, as follows:
a. Monitoring Centres (Law Enforcement Monitoring Facilities) for Lawful Interception Systems (LI, for example according to ETSI ES 201 158, ETSI ES 201 671 or equivalent specifications or standards) and specially designed components therefor,
b. Retention systems or devices for event data (Intercept Related Information IRI, for example, according to ETSI TS 102 656 or equivalent specifications or standards) and specially designed components therefor.

Technical note: Event data includes signalling information, origin and destination (e.g. phone numbers, IP or MAC addresses, etc.), date and time and geographical origin of Communication.

Note: 10A001 does not control systems, or devices that are specially designed for any of the following purposes:
a) billing
b) data collection functions within network elements (e.g., Exchange or HLR)
c) quality of service of the network (Quality of Service - QoS) or
d) User satisfaction (Quality of Experience - QoE)
e) operation at telecommunications companies (service providers).

10D001 "Software" as follows:
a. "Software" specially designed or modified for the "development", "production" or "use" of equipment, functions or features, specified by 10A001;
b. "Software" specially designed or modified to provide characteristics, functions or features of equipment, specified by 10A001.

10E001 "Technology" according to the General Technology Note for the "development", "production" or "use" of equipment, functions or features specified by 10A001 or "software" specified by 10D001.
