Are you an innovative company specializing in software publishing, artificial intelligence, or cybersecurity, and expanding internationally?
Some of your products may fall into the category of cyber-surveillance items under Regulation (EU) 2021/821.
These might include network security equipment, facial or emotion recognition technologies, or geolocation devices designed to analyze movement patterns in commercial areas.
This article explains what this means in practical terms, the applicable export rules, and the steps you need to take to secure your operations.
Dual-Use Items: Export Control and Foreign Investment Monitoring
Dual-use items, which include cyber-surveillance items, are not ordinary products. These are technologies, software, or equipment that, while initially designed for civilian purposes, can also be used in military contexts or for human rights violations.
For example, encryption software may protect sensitive data in commercial settings but could also be used to secure military communications.
For this reason, the exportation of these items is subject to a strict legal framework, notably under Regulation (EU) 2021/821. Export authorizations must be obtained from the relevant authorities following an in-depth assessment of the items’ nature, declared use, and final destination.
In France, the Service des Biens à Double Usage (SBDU) is responsible for issuing the required export authorizations. Exporting such items without proper authorization may lead to severe penalties, including imprisonment, fines, or confiscation of the goods concerned.
The majority of dual-use items are listed in Annex I of Regulation (EU) 2021/821. Additionally, the French regime for foreign investment control applies to companies engaged in research and development involving dual-use items. Acquisitions, takeovers, or significant increases in foreign shareholding in these companies require prior authorization from the Ministry of the Economy.
A lack of awareness of these rules could jeopardize your investment projects and exports, and lead to heavy penalties.
What Does "Export" Mean?
Contrary to common belief, the notion of "export" does not solely refer to the permanent shipment of physical goods abroad. Regulation (EU) 2021/821 applies to several situations, some of which may be unexpected:
- Temporary Exports: For instance, one of your engineers travels abroad to demonstrate a product. If the item presented is classified as dual-use, this could be considered a temporary export requiring authorization.
- Re-exports: This applies to goods transiting through the European Union before being shipped to a destination outside the EU.
- Outward Processing: This allows goods to be temporarily exported for processing operations abroad.
- Electronic Transmission: Perhaps the least intuitive aspect, the transmission of software or technologies electronically—including via fax, phone, email, or other electronic means—may qualify as an export subject to controls.
Cyber-Surveillance Items: A Key Category for Innovative Companies
Within dual-use items, particular attention is paid to cyber-surveillance items.
Some of these items are explicitly listed in Annex I, which establishes the list of dual-use items subject to export controls. However, other technologies may also fall within the scope of the regulation.
Indeed, Article 5 of the regulation introduces a "catch-all clause," which extends controls to technologies not listed in Annex I but that are capable of being used for internal repression or to commit violations of human rights and international humanitarian law. These cases involve either situations where the exporter has been informed of such use by the competent authorities, or where the exporter becomes aware of it through their own due diligence procedures.
Examples? Network protection equipment or a surveillance camera associated with a facial recognition system may, in certain circumstances, be classified as cyber-surveillance items.
Independently of the information provided by the authorities, exporters are therefore required, through their own due diligence procedures, to verify whether the goods they intend to export fall under this category.
Article 5 thus poses a significant challenge for exporters, as they must not only assess the technical characteristics of their products but also anticipate their possible uses.
To support them in implementing this article, the European Commission published guidelines on October 11, 2024 (Recommendation (EU) 2024/2659). These guidelines aim to clarify the definition of "cyber-surveillance items" and the specific obligations of exporters.
Cyber-Surveillance Items Listed in Annex I
Some items clearly listed in Annex I of Regulation (EU) 2021/821 are the easiest for exporters to identify. These include:
- Telecommunications Interception Systems: Such as IMSI catchers, certain equipment simulating fake Wi-Fi access points to extract IMSI numbers from phones, and certain deep packet inspection (DPI) tools.
- Internet Surveillance Systems: Designed to operate on carrier-grade IP networks (e.g., national IP transport networks). These analyze, extract, and index the content of transmitted metadata (voice, video, messages, attachments), often based on "strict selectors." These systems can also map relationships between users.
- Intrusion Software: Tools that allow discreet remote access to devices (smartphones, computers, IoT devices, servers). Once installed, they can extract data, activate cameras or microphones, or use the device to attack other systems.
- Cryptanalytic Tools: Designed to bypass cryptographic mechanisms to obtain confidential variables or sensitive data (passwords, cryptographic keys, or plaintext).
- Forensic or Investigation Tools: Used to bypass authentication or authorization mechanisms on a device to extract raw data.
While these explicitly listed items fall under the control framework, the regulation does not stop there. It also regulates non-listed cyber-surveillance items.
Non-Listed Cyber-Surveillance Items
The dual-use regulation extends to any items that meet the definition of cyber-surveillance items as provided in the regulation (Article 2, point 20). These are defined as “specifically designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting, or analyzing data from information and telecommunications systems.”
This broad definition encompasses a potentially wide range of technologies and raises interpretive questions.
In certain cases, the competent authority directly informs the exporter that the goods they intend to export could be used for internal repression or to commit violations of human rights and international humanitarian law. In such instances, the exporter is explicitly alerted and must obtain authorization before proceeding with the export.
However, as previously mentioned, Article 5 of the regulation also requires exporters to implement due diligence procedures, enabling them to independently identify whether the goods they intend to export pose a risk of misuse. If an exporter identifies such a risk, they are obligated to notify the competent authority, which will assess the situation and determine whether the export in question requires prior authorization.
To assist exporters, the guidelines (Recommendation (EU) 2024/2659) provide a methodology and an analysis of the key terms in this definition, such as "specifically designed" and "monitoring, interception, collection, analysis of data."
For example, the guidelines highlight several categories of technologies that may qualify as cyber-surveillance items under certain circumstances:
- Network Security Equipment: Including routers, switches, or relays, as several cases of misuse of these items in human rights violations have been reported.
- Facial and Emotion Recognition Technologies: When used to monitor or analyze stored video images. For example, in a public space, an AI-equipped camera can analyze facial expressions to detect specific behaviors or monitor crowds in real-time for social control purposes. Such tools could be used intrusively to monitor specific ethnic, religious, or political groups.
- Geolocation Devices: Including technologies like satellite geolocation, tracking through telecom tower relays, or Wi-Fi and Bluetooth transceivers. These tools can map movement patterns in commercial areas, monitor employees working off-site, track specific targets remotely, or provide precise data for targeted advertising campaigns. For example, a Bluetooth device integrated into a mobile application could discreetly capture a user’s movement habits.
What to Do Today?
Companies potentially exporting cyber-surveillance items must, if they have not already done so, strengthen their vigilance and internal procedures to comply with the requirements of Regulation (EU) 2021/821.
- Identify Whether Your Goods Are Cyber-Surveillance Items
Conduct a thorough analysis of the technical characteristics and context of use. This includes evaluating not only the specifications of the standalone item but also the entire system in which it is integrated.
- Obtain the Required Export License (If Applicable)
If your analysis indicates that your goods qualify as cyber-surveillance items, determine whether a license is necessary and, if so, which one (individual, global, or general).
- Implement an Internal Compliance Program (ICP)
Establish a structured ICP to secure your export operations. This program should include appropriate policies and procedures, transaction evaluation processes, and rigorous documentation for inspections or investigations.
- React to Red Flags
Exporters must be prepared to respond to warning signs or new information about a transaction. This could include suspending an operation, modifying export conditions, or reporting a suspicious situation to the relevant authorities.
Need Assistance Securing Your Exports?
As a law firm, we offer our expertise to support you with:
- Classifying Your Goods: We analyze your products, systems, and technologies to determine whether they fall under the category of cyber-surveillance items. If applicable, we identify your specific obligations.
- Quickly Obtaining Necessary Export Licenses: We handle your administrative procedures with the relevant authorities, expediting the process to minimize delays and avoid bottlenecks.
- Implementing Your Internal Compliance Program (ICP): We assist you in creating or strengthening your Internal Compliance Program.
- Effectively Responding to Red Flags: We support you in managing red flags, from suspending an operation to reporting to the authorities.
- Defending You in Case of Disputes: In the event of inspections or litigation, we provide guidance to protect your interests.
Contact us today for personalized support tailored to your specific needs.
About the Author
Jocelyn Pitet is an attorney at the Paris Bar (France) and co-founder of Entropy, a law firm dedicated to advanced technologies. His practice focuses on areas such as cybersecurity, data protection, IT contracts, blockchain, artificial intelligence, and other disruptive technologies. For over ten years, Jocelyn has been advising innovative startups, leading tech companies, and major international groups on managing complex legal challenges related to digital technology and innovation.
Alongside his work at the law firm, Jocelyn Pitet also holds teaching positions at the University of Paris Panthéon-Assas and the Leonard de Vinci Institute, where he teaches courses on blockchain law, data protection law, and cybersecurity law.