A.P. Bosch & V.J.A. Goossen: “Dutch Government Presents Perspective on Recast of the EU Dual-Use Regulation”

* Authors: Alexander P. Bosch, Senior Associate, apbosch@fullcirclecompliance.eu; and Vincent J.A. Goossen, Program Manager, vjagoossen@fullcirclecompliance.eu.  Both of Full Circle Compliance; assistant editors of the Daily Bugle.

On 29 August, the Dutch Secretary of Foreign Trade and Development informed the Dutch House of Representatives (“de Tweede Kamer”) about the current state of and the position of the Netherlands concerning the recast of Council Regulation 428/2019 (“the Dual-Use Regulation”) [FN/1].

A proposal for the recast was presented by the European Commission on 28 September 2016. The aim of the proposed recast is to modernize and strengthen the regulations.  The most relevant update concerns the strengthening of controls on cyber surveillance technology in order to enhance human rights protection.  The EU commission’s aim is also to create a more equal playing field and enhance transparency.

Below is a summary and unofficial translation of the letter to the Dutch House of Representatives.

The Dutch Position: Export Controls as a Foreign Policy Tool

The Dutch position is that the EU Dual-Use Regulation has proven itself over the years as a well-functioning export control framework for the European export control authorities. The Netherlands sees “added value” in a revision and modernization of the regulation. In this review, the Netherlands will focus on the following components:

Adding Cybersurveillance Technology

The Netherlands considers the broadening of export control to include cybersurveillance technology as necessary. The Dual-Use Regulation is considered to be the appropriate instrument to achieve this.  Cybersecurity is viewed as a growing threat to the stability of countries and becomes a more relevant theme for a secure world. An increased amount of data is stored digitally, interlinked, and shared via internet connections. This offers opportunities for trade, freedom of expression, political participation and democratization. However, there is also a downside. In a growing number of countries, government restrict or forbid access to the internet. Some governments also follow the digital footprints of human rights activists as to trace and prosecute them. The threats of cyber-crime, cyber espionage, and digital warfare increase as well. Such topics require an EU-wide approach and the Netherlands sees export control as one of the ways to do so.

The European Commission’s proposal still requires further elaboration on the cyber theme as to clearly define the concept of cybersurveillance technology and of the human rights that can be violated by it. It is essential to provide clear and predictable framework for the business community in this effort.

The Netherlands considers an export control system most effective when it is based on three pillars:

  • Working on the basis of a control list,
  • The safety net of the ad hoc license requirement;
  • Corporate social responsibility.

In the revision of the regulation and the implementation of the aforementioned extension to cybersurveillance technology, the Netherlands determines its commitment on the basis of these three pillars.

(1) Implementation Control Lists

The Netherlands is committed to work towards a control list for cybersurveillance technology. Such a list provides clarity to companies and export control authorities and brings legal certainty.

With the introduction of an EU control list for cybersurveillance technology, the EU will deviate from the lists used by multilateral export control regimes. The Netherlands is committed to safeguarding the international level playing field as well as possible by continuing to work on control through the appropriate international regimes and to deviate as little as possible from the existing export control system. However, among the participating states of the multilateral export control regimes, there is currently no consensus for export control on cybersurveillance technology. At the same time, the Netherlands believes that the risks of human rights violations due to c cybersurveillance technology must be overcome and sees a role for the EU as a leader on this issue. Overcoming the risks of human rights violations weighs heavier than maintaining the international level playing field for the Netherlands.

(2) Ad-Hoc License Requirement

Technology is developing at high speed, so a control list will never be entirely able to keep pace. The Netherlands sees the ad-hoc license requirement (or “catch-all” instrument) for goods that are currently not on control list, as essential for an effective export control system. Therefore, the Netherlands also wants to use the ad-hoc licensing obligation for cybersurveillance technology. This tool enables Member States to act quickly and purposefully on information about non-controlled cybersurveillance technology, which shows that this technology may be used in human rights violations.

The catch-all instrument has shown itself useful in the current Dual-Use Regulation and enables the Dutch government to act in special cases in the case of high-risk exports of non-controlled goods. With regard to the catch-all instrument for cybersecurity technology, the Netherlands receives little support from other EU member states. The reason for this is the uncertainty in the industry about how this tool will work out in practice for cybersurveillance technology. The Netherlands tries to increase the support of other member states in bilateral consultations.

(3) Corporate Social Responsibility

Companies taking their international corporate social responsibility is considered by the Dutch government as the third pillar of an effective export control system. The Dutch export control authorities regularly consult with companies to point out the risks that exports may entail. It underlines that companies have their own social responsibility, must be aware of the potential safety risks of their exports and act accordingly.

The Netherlands requires companies to issue an Internal Compliance Program (ICP) for global export licenses, which, among other things, address the risk of human rights violations in the export of cyber-surveillance goods. The Netherlands considers it desirable that corporate social responsibility is explicitly mentioned in a revised Dual-Use Regulation. The European Parliament has already introduced the term “due diligence” (an approach taken from the OECD guidelines for multinational companies and the UN Guiding Principles on Business and Human Rights) in its Position on the matter. The Netherlands can support such an addition, provided that it remains sufficiently clear what is expected from exporters.

Two other elements from the Dutch position are the following:

A Level Playing Field Within The EU

Promoting a level playing field within the EU is undiminished a Dutch priority in the negotiations on the revision of the Dual-Use Regulation. The Netherlands, therefore, supports the Commission’s proposal to level license periods within the EU and to introduce a mandatory Internal Compliance Program (ICP) when applying for global export licenses, which is already practice in the Netherlands.


The EU Commission requests more and more extensive reports from the EU Member States on exports that have been licensed and on rejected license applications. The Commission also wants EU Member States to share more information about cases in which the ad-hoc license requirement is invoked. The Netherlands states that it can only support the Commission’s efforts if this is done within the existing frameworks for sharing state secret and company-sensitive information. The Dutch practice is already characterized by a high degree of transparency towards the public and the Dutch Parliament. An example of this is the monthly and annual arms export reports that are published by the Ministry of Foreign Affairs. The Netherlands is still not convinced of the usefulness and necessity of more reports and wants to limit the increase in administrative burdens as much as possible. The new regulation must be effective, clearly written, and executable for industry and governments.

Slow Negotiations in the Council

The negotiations in the Council require a lot of time in view of the technical nature of the subject. The Council is aware of the fact that the European Parliament has already taken a position [FN/2]. The Netherlands is working in various ways to keep the progress in the discussions at a pace. For example, the Netherlands, together with a number of other EU member states, has taken the initiative to conduct informal discussions in parallel with the Council, with the aim of making the discussions in the Council as smooth as possible. The Netherlands writes position papers, and provides, as one of ten Member States, each time written comments and text suggestions on the Commission proposal. The Netherlands sends experts to Brussels to participate in technical consultations. It also scheduled a number of bilateral talks at the end of the summer to emphasize, once again, the importance of cybersecurity technology and human rights in the Dual-Use Regulation and to find a way forward in the Council discussions.

In the Council a dichotomy has become visible in recent months [FN/3]. There is a group of like-minded EU member states that can support the expansion to control cybersurveillance technology within the Dual-Use Regulation. The Netherlands is part of this group. However, other member states believe that this issue must be tackled on a national level through national measures. However, such national measures are a last resort for the Netherlands, measures on a topic such as this are particularly effective if they are designed and implemented in a comprehensive manner. The European Parliament supports an approach at the EU level and is not in favor of solely national measures in the EU Member States on this issue.

The Netherlands works together with a number of other EU Member States to maintain the momentum and to come to a Council position with the current European Parliament. The Netherlands wants to adequately tackle new threats from cyber-surveillance technology. A strong EU export control framework is part of that approach. The modernization of the Dual-Use Regulation is necessary to accomplish this.


[FN/1] Kamerbrief inzake stand van zaken omtrent de onderhandelingen over de dual use-verordening binnen de EU, 29 August 2018, available here.

[FN/2] Reference P8_TA-PROV (2018) 0006, available here.

[FN/3] In January 2018, eleven EU Member States (Germany, Croatia, the Czech Republic, France, Italy, Poland, Portugal, Romania, Slovakia, Slovenia, and Spain) signaled their support for the EU Commission to draft rules that would place export restrictions on companies selling surveillance technologies, according to a leaked negotiating document obtained by EURACTIV.com. See here.