The European Commission has recently released updated guidelines under Article 5 of Regulation (EU) 2021/821, addressing the export of cyber-surveillance items. With these recommendations, the emphasis is clear: businesses must enhance their accountability in exporting technologies capable of monitoring, extracting, and analyzing personal data. These tools carry significant risks if misused, potentially enabling covert surveillance or facilitating human rights violations. As cyber-surveillance technologies grow more sophisticated, the stakes for businesses rise, making it mandatory to check these guidelines to safeguard ethical use, mitigate reputational, legal and financial risks and identify licence obligations.
This article is written by Sefa Gecikli and Marius Ungureanu. Marius and Sefa are both part of RSM Netherlands International Consulting Services with a specific focus on Trade Compliance and Emerging Technology.
Understanding the Guidelines
The EU Dual-Use Regulation governs the export of dual-use items from the European Union. According to Article 3(1) of the Regulation, an authorisation shall be required for the export of dual-use items listed in Annex I. Moreover, under Article 3(2) of the Regulation, an authorisation may also be required for the export to all or certain destinations of certain dual-use items under Articles 4, 5, 9 or 10, also known as “catch-all clauses”, even if they are not listed in Annex I.
Most importantly, according to Article 5 of the Regulation, an authorisation is still required for the export of cyber-surveillance items, even if they are not included in the list. Article 2(20) of the Regulation defines ‘cyber-surveillance items’ as “dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems”. The risks are particularly significant in cases involving cyber-surveillance items specifically designed to intrude into or deeply inspect information and telecommunications systems. These items can be used for covert surveillance of individuals by monitoring, extracting, collecting, or analyzing data, such as biometric information, stored or transmitted within those systems.
The primary focus of these guidelines is to support exporters in assessing and mitigating risks associated with non-listed cyber-surveillance items—tools designed for covert monitoring of individuals. Examples include facial recognition systems, location tracking devices, video-surveillance tools and certain types of forensic tools. For example: facial recognition systems designed for analyzing stored video images to identify individuals in a crowd without their knowledge may meet the criteria under Article 2, point (20), of the Regulation. Satellite or cell tower-based location tracking devices capable of covertly monitoring individuals’ real-time movements without their consent and/or awareness could be classified as cyber-surveillance items.
The guidance clarifies certain terms used in the EU Dual-Use Regulation related to cyber-surveillance items. It highlights that the main purpose of these items must be to enable covert surveillance, though they may have other uses as well. The guidance further clarifies what constitutes "covert surveillance," explaining that such surveillance occurs when individuals are unaware of being monitored and therefore cannot alter their behavior or escape the surveillance. The guidelines also stress that even if an item only possesses one of several capabilities (monitoring, extracting, collecting, or analyzing data), it may still be classified as a cyber-surveillance item.
Key Actions for Businesses
The Regulation expands controls to include non-listed items where exporters are "aware" that their products may be used for unethical purposes. The guidance highlights the importance of assessing the end-use of cyber-surveillance items to ensure they are not intended for internal repression or violations of human rights and international humanitarian law. Exporters must assess their awareness of the intended misuse of these items and take steps to prevent them from being used for purposes such as torture, arbitrary executions, or other serious violations. Exporters are advised to consider the recipient's record of respecting human rights and international law when assessing whether to export such items to that end-user.
Awareness entails taking proactive steps to assess risks and implement due diligence measures. This requirement emphasizes a shared responsibility between businesses and competent authorities to prevent misuse. The guidelines outline several essential steps for exporters:
- Classify your items: Determine if the product qualifies as a cyber-surveillance item based on its technical features and intended use.
- Assess risks: Evaluate potential misuse of the product for human rights violations or internal repression by examining end-users and their contexts.
- Monitor red flags: Be vigilant for indicators of misuse, such as: marketing of the item for covert surveillance, past misuse of similar items or known associations of end-users with unethical practices.
- Conduct stakeholder reviews: Examine the roles of distributors, resellers, and end-users in the transaction to identify potential risks.
- Implement an Internal Compliance Program: Adopt policies and procedures for due diligence and ongoing risk management.
- Prepare corrective action plans: Use findings to refine policies, enhance risk management, and update compliance frameworks.
Failing to recognize and properly notify the relevant authorities about items covered under the guidelines can lead to severe legal and financial repercussions for exporters. Neglecting to identify and report cyber-surveillance items accurately might result in their unauthorized export to regions where they could be misused for human rights violations or internal repression. Such violations can attract heavy fines, revocation of export licenses, and even criminal charges for the responsible parties. Additionally, businesses may face restrictions on future trade activities, significantly disrupting operations and profitability.
Beyond regulatory penalties, failure to comply with notification requirements can tarnish a company’s reputation. Associations with unethical use of technology, particularly in cases of documented human rights abuses, can erode trust among clients, investors, and the public. Negative publicity and potential boycotts can have lasting effects by damaging long-term growth prospects. As such, thorough due diligence and timely notification are not merely compliance issues but fundamental aspects of responsible and sustainable business operations.
Forward Thinking
The updated guidelines under Regulation (EU) 2021/821 send a clear message: businesses must take accountability seriously when exporting cyber-surveillance technologies. These tools, while innovative, come with risks if used improperly, and the consequences (legal, financial, and reputational) can be severe. Businesses should prepare for expanded regulatory inquiries, as the updates provide more guidance to businesses. This increased scrutiny by governments and international organizations underscores the growing importance of addressing the risks posed by these technologies.
Moreover, the evolving regulatory landscape reflects a rising demand for ethical innovation. Consumers and business partners are increasingly prioritizing companies that align with global human rights standards and demonstrate a commitment to their privacy and ethical practices. By anticipating these shifts, businesses can not only ensure compliance but also leverage these changes as opportunities to lead in responsible innovation.