The EU will soon bring in to force new regulations that tighten up the control over the export of encrypted products. The Updated Regulation targets “cyber-surveillance items,” defined as dual-use items “specially designed to enable the covert surveillance of natural persons by monitoring, extracting, collecting or analysing data from information and telecommunication systems.” The new regulations come into force on 9th September 2021.
The new May 2021 Regulations can be found here – https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021R0821&from=EN
It is concerned with non-listed cyber surveillance items and states: –
In order to address the risk that certain non-listed cyber-surveillance items exported from the customs territory of the Union might be misused by persons complicit in or responsible for directing or committing serious violations of human rights or international humanitarian law, it is appropriate to place the export of such items under control. Associated risks relate, in particular, to cases where cyber-surveillance items are specially designed to enable intrusion or deep packet inspection into information and telecommunications systems in order to conduct covert surveillance of natural persons by monitoring, extracting, collecting or analysing data, including biometrics data, from those systems. Items used for purely commercial applications such as billing, marketing, quality services, user satisfaction or network security are generally considered not to entail such risks.
And further states: –
An authorisation shall be required for the export of cyber-surveillance items not listed in Annex I if the exporter has been informed by the competent authority that the items in question are or may be intended, in their entirety or in part, for use in connection with internal repression and/or the commission of serious violations of human rights and international humanitarian law.
Whilst it shouldn’t affect many commercial operations it is another point of compliance go be aware of.
