
Making the most of the EU catch-all control on cyber-surveillance exports


In 2021 the European Union (EU) adopted a new iteration of the EU Dual-use Regulation, which sets common standards for EU member states’ controls on exports of dual-use items. Among other new features, Regulation (EU) 2021/821 introduces a new ‘catch-all control’ for cyber-surveillance items. This requires exporters to seek approval for exports of cyber-surveillance items when they become aware that the items are likely to be used in connection with human rights violations, even if those items are not specifically covered by existing export controls. It therefore gives EU member states the power to control such transfers. 

Although the proliferation and misuse of spyware and other cyber-surveillance tools are growing concerns, the use of the new catch-all control has been limited to date. One likely reason is that exporters appear to be unclear about how to apply it. This week, the EU published a new set of guidelines intended to help exporters to comply with the catch-all control. This backgrounder examines the catch-all control and the new guidelines, highlighting their main features and limitations. It also suggests steps that could be taken by the newly elected European Parliament and others to improve the guidelines and support consistent, effective application of both the new catch-all control and restrictions on the trade in cyber-surveillance items more broadly.

Export controls and cyber-surveillance tools

Export controls rely on ‘control lists’ of specific items or categories of items that may only be exported after obtaining a licence from the competent national authorities. However, it is difficult to ensure that these lists cover all relevant items, especially in areas where technologies are developing rapidly. Moreover, there are products that are not controlled because they fall outside the technical thresholds but could nonetheless be used in ways the regulations aim to prevent. States have responded to this challenge by introducing ‘catch-all controls’ that impose a licence requirement on exports of non-listed items that are nevertheless likely to be used in prohibited ways or by prohibited end-users.

The control list of the EU Dual-use Regulation is found in Annex I and is based on the control lists adopted by the Wassenaar Arrangement and other multilateral export control regimes. Five categories of cyber-surveillance tools have been added to Annex I since 2013, to address concerns about the misuse of these cyber-surveillance items by state actors in ways that threaten other states’ national security (for example, to enable the theft of sensitive data or attacks on critical infrastructure), or in connection with violations of human rights (for example, to facilitate the repression of political opponents through torture or unlawful detention).

However, there are additional cyber-surveillance tools that are not captured by the EU dual-use control list. There are also many technologies that have legitimate civilian uses but that can be repurposed as cyber-surveillance tools or their subcomponents. To date, the EU’s control list includes no such ‘truly dual-use’ technologies—only what are better described as ‘single-use’ technologies that are specifically designed for use by law-enforcement and intelligence agencies. States have so far been unwilling to control exports of truly dual-use cyber-surveillance tools and related subcomponents for fear of disrupting the trade in legitimate cybersecurity tools.

The new EU catch-all control on cyber-surveillance items and the accompanying guidelines have the potential to help close these gaps by expanding the set of cyber-surveillance items that are subject to control and selectively targeting exports of truly dual-use cyber-surveillance tools.

The EU cyber-surveillance catch-all control

Prior to 2021 the EU Dual-use Regulation included three catch-all controls on non-listed items that may contribute to a weapons of mass destruction programme, have a ‘military end-use’ in a state subject to an arms embargo, or be used as parts or components in illegally exported military equipment. Article 5 of the 2021 Dual-use Regulation adds a new catch-all control that applies to non-listed cyber-surveillance items that ‘may be intended, in their entirety or in part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law’. 

Article 5 can be triggered in two ways. The national licensing authority can notify an exporter of the requirement for a licence. However, exporters are also obliged to inform their national licensing authority if, on the basis of their own due diligence findings, they become aware that the items are intended for a prohibited end-use, in which case the authority may decide the export cannot go ahead.

One category of non-listed cyber-surveillance items that might be subject to a licence requirement under the catch-all control is mobile phone hacking services, which trick wireless carriers’ servers into revealing the location data of their users. Switzerland has proposed that mobile phone hacking tools be covered by the Wassenaar Arrangement control list but this is unlikely to happen in the near future due to political divisions within the group. Another category is data-retention systems, which store collected surveillance data for later use by law-enforcement and intelligence agencies. These have also been proposed for control at the Wassenaar Arrangement and are included in the national control lists of Germany and Spain.

Truly dual-use cyber-surveillance tools that might be covered by the catch-all control include, for example, tools for capturing and analysing biometric data, such as facial recognition tools. Another type is dual-intent tools, such as vulnerability scanners, that are designed to help organizations test their own vulnerability to cyberattacks but can also be used to perpetrate malicious cyberattacks. 

One important type of subcomponent that might be captured by the catch-all control is deep packet inspection (DPI) technologies. DPI has a wide range of legitimate cybersecurity applications but is also used to enable the functioning of some cyber-surveillance tools. 

The new guidelines and what they say

Article 5 of the Dual-use Regulation states that the Commission and Council ‘shall make available guidelines for exporters’ on how to implement their obligations under the catch-all control. The new Commission Recommendation (EU) 2024/2659, which was released on 16 October 2024 (but dated 11 October), fulfils that requirement.

The guidelines are mainly concerned with clarifying for exporters when they should alert the licensing authority about a potential export. To do this they elaborate on the content of Article 5 and the definition of cyber-surveillance items provided by the Dual-use Regulation. This section looks at key aspects of those explanations and their implications. 

‘Specially designed to enable . . . covert surveillance’

The Dual-use Regulation defines cyber-surveillance items as ‘dual-use items specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems’. According to the new guidelines, ‘specially designed’ means that covert surveillance must have been the ‘main purpose’ of the item’s development and design, although the item may have other possible uses. ‘Covert surveillance’ is explained as occurring when a person ‘cannot objectively expect to be under surveillance’. 

This definition potentially brings mobile phone hacking tools, data-retention systems and certain types of dual-intent product within the scope of Article 5. Less clear is whether, and how, facial recognition and other biometric tools would be captured.

Both the European Parliament and non-governmental organizations (NGOs) have advocated for biometric tools to be subject to controls, and in July 2024 it was proposed that facial recognition tools be included in the national control list of the United States. However, many of the most concerning applications of biometric tools involve the use of footage collected from CCTV cameras that are publicly visible. The guidelines say that ‘[f]acial and emotion recognition technologies that can be used to monitor or analyse stored video images, could fall within the scope of the definition of cyber-surveillance item’. However, if the system is drawing its data from publicly visible CCTV, then it is hard to see how it would meet the criterion ‘specially designed to enable . . . covert surveillance’, creating ambiguity.

‘Awareness’ that the items are ‘intended . . . for’ 

Regulation 2021/821 and the new guidelines reflect a wider trend in which NGOs and states are pushing for exporters to take on more responsibility for identifying potentially sensitive exports. Article 5 obliges an exporter to notify the authorities if it is ‘aware, according to its due diligence findings’ that cyber-surveillance items it proposes to export are intended for the proscribed uses. The guidelines state that ‘“aware” . . . implies that the exporter has positive knowledge of the intended misuse’ and that ‘the exporter should assess the end-use on a case-by-case basis, in light of the specific circumstances of that case’ in order to identify whether an item may be ‘intended for’ a sensitive end-use.

Significantly, the guidelines indicate that the due-diligence obligations apply not only to exporters of finished cyber-surveillance tools but also to exporters of products that ‘could be used as part or component’ of such a system. If the product was ‘specially designed to enable . . . covert surveillance’, this implies that the catch-all control could potentially apply to exports of components such as DPI technologies that might be sold as civilian products but later integrated into a cyber-surveillance system. 

‘Internal repression’, ‘serious violation of human rights’ and ‘serious violation of international humanitarian law’

To clarify what may constitute prohibited uses, the guidelines refer to language used in both the EU Common Position on arms exports (2008/944/CFSP) and its accompanying user’s guide. According to the Common Position, ‘internal repression includes . . . torture and other cruel, inhuman and degrading treatment or punishment, summary or arbitrary executions, disappearances, arbitrary detentions and other major violations of human rights and fundamental freedoms as set out in relevant international human rights instruments’. The user’s guide states that ‘the current and past record’ of the end-user and recipient country with regard to human rights should be considered to assess the risk of an exported item being used for internal repression. 

Similarly, for the interpretation of ‘serious violation of international humanitarian law’, the guidelines again refer to the Common Position user’s guide, which calls for assessing the recipient’s attitude towards international humanitarian law (IHL) by looking at its record, its formal commitments and its capacity to uphold relevant provisions. 

The Dual-use Regulation uses the Common Position as a point of reference for licensing authorities in making licensing decisions, so it is logical to also use it as a reference point for exporters assessing potential exports of cyber-surveillance tools. However, the Common Position and its user’s guide are focused on transfers of military equipment and do not consider several issues relevant to transfers of dual-use items and cyber-surveillance tools or other items captured by the Dual-use Regulation. In particular, they do not consider factors that would be relevant for assessing the recipient’s record regarding the appropriate use of cyber-surveillance tools or consider the specific IHL risks that might arise in connection with their use. 

Next steps for Article 5 and the guidelines 

Regulation 2021/821 tasks the Commission with conducting an evaluation, ‘after 10 September 2024’, of the new catch-all control for cyber-surveillance items. This gives the newly elected European Parliament and others an opportunity to clarify the intended coverage of the new catch-all control and strengthen the EU’s and EU member states’ controls on cyber-surveillance tools more broadly. These steps should include the following:

Develop case studies

In feedback on the first draft of the guidelines, which was published in March 2023, businesses and other stakeholders asked for ‘concrete practical examples’ of cyber-surveillance items potentially requiring an export licence under Article 5, accompanied by relevant case studies. These have not been included in the published guidelines. 

Although the guidelines rightly note that it is ‘impossible to provide an exhaustive list of those products that may be controlled as “non-listed items” under Article 5’, it should be possible to develop real or fictional case studies. This could be done collaboratively by the Commission, the European Parliament, EU member states and NGOs through the use of tabletop exercises.

Add language on cyber-surveillance risks to the Common Position user’s guide

The new guidelines make frequent reference to Common Position 2008/944/CFSP and its user’s guide. While these documents are useful on issues of human rights and IHL, they do not specifically address issues relating to the use and misuse of cyber-surveillance tools. In order to improve the value and comprehensiveness of the user’s guide, the European Parliament could recommend revising it to cover both military items and items captured by the Dual-use Regulation and include detailed language on assessing risks associated with cyber-surveillance tools. This could be done as part of the current review of the Common Position, which is expected to conclude by the end of 2024.

Build connections with other areas of policymaking

Addressing the proliferation and misuse of cyber-surveillance tools is a complex challenge that cannot be achieved through any single policy instrument. Building on its 2023 inquiry to investigate the use of Pegasus and equivalent surveillance spyware, the European Parliament could push for the development of a common and coordinated EU approach for controlling not only the export but also the procurement and use of cyber-surveillance tools. 

In response to the European Parliament’s recommendations following the inquiry, the Commission is currently working on a draft communication that will reportedly focus on addressing the possible misuse of cyber-surveillance tools at the national level. This communication and the publication of the Article 5 guidelines create the opportunity for a more coordinated set of policy responses at the EU level. As part of this approach, the EU should coordinate with the USA-led initiative to counter the proliferation and misuse of commercial spyware, which seeks to adopt a more comprehensive policy response.


With support from the Open Society Foundations, the SIPRI Dual-Use and Arms Trade Control Programme is conducting a project focused on improving the implementation of export controls related to surveillance technologies.


ABOUT THE AUTHOR(S)

Dr Mark Bromley is the Director of the SIPRI Dual-Use and Arms Trade Control Programme.
Giovanna Maletta is a Senior Researcher in the SIPRI Dual-Use and Arms Trade Control Programme.