Jocelyn Pitet
December 4, 2024

Are you exporting cyber-surveillance items without knowing it?

The export of dual-use items — products, software, or technologies that can be used for both civilian and military purposes — is a complex operation. It is strictly regulated by Regulation (EU) 2021/821, which imposes rigorous obligations on businesses. Yet, many exporters may be unaware that they are affected.
Are you a manufacturer, a software developer, or active in the fields of artificial intelligence (AI) or cybersecurity?
You may be subject to these obligations, even without realizing it.
It is, therefore, essential to understand the specifics of this regulatory framework and the implications it may have on your export activities.

Cyber-surveillance: Sensitive and Controlled Exports

In accordance with Regulation (EU) 2021/821, the export of dual-use items requires prior authorization granted by the competent authorities (the SBDU in France). This authorization is obtained after a thorough evaluation of the nature of the items, their declared use, and their final destination.
In France, the Foreign Investment Control Regime may also apply to companies conducting research and development activities involving dual-use items. The takeover, acquisition, or significant increase in foreign investment in such a company may be subject to prior authorization from the Ministry of the Economy.
Among dual-use items, particular attention is given to "cyber-surveillance" items. 
Some of these cyber-surveillance items are explicitly listed in Annex I of the regulation. For example, telecommunications interception tools, cryptographic analysis systems, and intrusion software are explicitly included, making them relatively easy for exporters to identify.
However, other technologies, seemingly more innocuous, may also fall within the scope of the regulation, often unbeknownst to the exporters.
Indeed, Article 5 of the regulation introduces a "catch-all" clause, extending controls to technologies not listed in Annex I, but where the exporter knows or should reasonably know that they could be used for internal repression or for committing human rights violations or violations of international humanitarian law.
Examples? Network security equipment designed to protect networks or a surveillance camera combined with a facial recognition system may, in certain situations, be considered cyber-surveillance items if their export presents risks of misuse. In such cases, these items may require specific authorization before export, under the threat of severe sanctions.
It is the responsibility of exporters to verify if the items they wish to export fall under the category of cyber-surveillance items. Article 5 therefore represents a challenge for exporters, who must carefully assess the characteristics of their products and their possible uses.
To assist exporters and national authorities in implementing this article, the European Commission published, on October 11, 2024, guidelines (Recommendation (EU) 2024/2659). These guidelines aim to clarify the definition of "cyber-surveillance items" and the specific obligations of exporters.

Cyber-surveillance Items Listed in Annex I

Some items, clearly listed in Annex I of Regulation (EU) 2021/821, are the easiest for exporters to identify.
Among them, we find:
  • Telecommunications interception systems, such as IMSI interceptors, certain equipment simulating fake Wi-Fi access points to extract IMSI numbers from phones, as well as certain deep packet inspection (DPI) tools;
  • Internet surveillance systems, designed to operate on IP networks at the operator level (e.g., national IP transport networks). They analyze, extract, and index the content of transmitted metadata (voice, video, messages, attachments), often based on strict selectors. These systems also allow mapping the relationships between users;
  • Intrusion software, allowing discreet remote access to devices (smartphones, computers, connected objects, servers). Once installed, they can extract data, activate cameras or microphones, or even use the device to attack other systems;
  • Cryptographic analysis tools, designed to break cryptographic mechanisms to obtain confidential variables or sensitive data (passwords, cryptographic keys, or plain text);
  • Certain forensic or investigative tools, used to bypass the authentication or authorization mechanisms of a device to extract raw data.
While these explicitly listed items are subject to control, the regulation does not stop there. It also provides for the control of cyber-surveillance items not listed in Annex I.

"Non-listed" Cyber-surveillance Items

The regulation on dual-use items extends to all items that meet the definition of cyber-surveillance items given in the regulation (Article 2, point 20). These items are defined as "specifically designed to allow the discreet surveillance of individuals through the surveillance, extraction, collection, or analysis of data from information and telecommunications systems."
This general definition includes a potentially very wide range of technologies and raises questions of interpretation.
To assist exporters, the guidelines provide an analysis of key terms in this definition, such as "specifically designed", "discreet surveillance", or "surveillance, extraction, collection, analysis of data". They also provide concrete examples of potentially relevant technologies and criteria to assess the risk of misuse.
Moreover, the European Commission stresses that the evaluation of the qualification of an item must not be limited to its technical characteristics taken in isolation. It is the entire system in which it is integrated that must be examined.
By way of examples, and without being exhaustive, the guidelines highlight several categories of technologies that may be concerned in certain circumstances:
  • Network security equipment: this includes, in particular, routers, switches, or relays, as several cases of the abusive use of these items in human rights violations have been reported;
  • Facial recognition and emotion recognition technologies: when they may be used to monitor or analyze stored video footage. For example, in a public space, an AI-equipped camera may analyze facial expressions to detect specific behaviors or monitor crowds in real-time for social control purposes. These tools may be used intrusively to monitor specific ethnic, religious, or political groups;
  • Location devices: This includes technologies such as satellite geolocation, tracking via telecommunications antennas, or Wi-Fi and Bluetooth transmitters/receivers. These tools can be used to map movement patterns in commercial areas, but also to monitor off-site employees, track specific targets remotely, or provide precise data for personalized advertising campaigns. For instance, a Bluetooth device integrated into a mobile app may capture a user's movement patterns without their explicit consent.

What to Do Now?

If not already done, companies likely to export cyber-surveillance items must immediately strengthen their vigilance mechanisms and internal procedures to comply with the requirements of Regulation (EU) 2021/821.
The first imperative for exporters is to ensure that their items are properly classified. This includes a thorough analysis of technical characteristics and a review of the context of use. This means evaluating not only the specifications of the individual item but also the entire system in which it is integrated. For example, a surveillance device could fall within the scope of the regulation if combined with advanced technologies such as facial recognition.
It is also important to carry out a thorough evaluation of risks related to the end-user, the destination, and the technical capabilities of the items being exported.
Next, it is essential to implement a well-structured internal compliance program (ICP) to secure your export operations. This program should include appropriate policies and procedures, transaction evaluation processes, and thorough documentation in case of inspection or investigation.
Finally, exporters may need to react to red flags or new information related to a transaction. This could include suspending an operation, modifying the export conditions, or reporting a suspicious situation to the relevant authorities.

Expert Support to Secure Your Exports

Exporting cyber-surveillance items, whether listed or not, requires heightened vigilance and strict control measures. As a law firm, we advise our clients to go beyond a mere literal reading of the regulation and adopt a proactive and comprehensive approach.
Additionally, a thorough analysis of your items' characteristics, coupled with the implementation of enhanced vigilance mechanisms, is essential to identify non-compliance risks, prevent sanctions, and secure your export operations.
If you have questions regarding the classification of your products or your obligations concerning diligence and vigilance, we are at your disposal to assist you in your compliance process with this complex regulatory framework.
Feel free to contact us for personalized support tailored to your needs.

About the Author

Jocelyn Pitet is an attorney at the Paris Bar (France) and co-founder of Entropy, a law firm dedicated to advanced technologies. His practice focuses on areas such as cybersecurity, data protection, IT contracts, blockchain, artificial intelligence, and other disruptive technologies. For over ten years, Jocelyn has been advising innovative startups, leading tech companies, as well as major international groups in managing complex legal challenges related to digital and innovation.
Alongside his work at the law firm, Jocelyn Pitet also holds teaching positions at the University of Paris Panthéon-Assas and the Leonard de Vinci Institute, where he teaches courses on blockchain law, data protection law, and cybersecurity law.