EU Expects to Issue Cyber-Surveillance Export Guidelines Next Year

“Teamwork usually [leads] to better and more stable results,” Farcas-Hutchinson said during the EU’s annual export control forum Dec. 8. “But sometimes teamwork might also take a little bit longer.”

Although the commission is hoping it can produce a “rather compact document,” Farcas-Hutchinson said the guidelines will include sufficient information to help member states better comply with EU export controls over cyber-surveillance items, including definitions, “technical parameters,” due diligence and compliance requirements, red flags in export transactions and potentially a set of frequently asked questions. The guidance may also include case studies of approved or prohibited exports of cyber-surveillance goods.

The commission has so far drafted the “biggest parts of the text” and held an initial round of feedback with member states, Farcas-Hutchinson said. The commission plans to finalize the draft by early next year, solicit public comments by February and adopt the guidelines by September.

“We do understand that there is a certain urgency for guidelines,” she said. “We believe we can do that, but we also hope we can do that.” The cyber-surveillance guidelines have been one of the EU’s top export control guidance priorities since it approved a new dual-use export control regime last year (see 2011100021 and 2105100013).

The U.S. last year released its own guidance for surveillance exports, which includes definitions and guidance principles for companies to weigh before exporting surveillance technologies (see 2009300056). The Commerce Department also will soon implement new export controls over certain cybersecurity items and create a new license exception for those exports (see 2110200036 and 2111120041).