NSO Group human rights

New EU dual use export control rules finally adopted, but leave a lot of room for improvement

Today, March 25, a decade after the EU first began soliciting views on export controls around dual use technologies — or tools that can have some peaceful aims but that can also be used to violate human rights — the EU Parliament has adopted the final text of the new rules.

Access Now, Amnesty International, Committee to Protect Journalists, FIDH (International Federation for Human Rights), Human Rights Watch, Privacy International, and Reporters Without Borders note positive elements within the text, but emphasize an overall lack of ambitious safeguards for human rights and security across the EU. The coalition has outlined a set of recommendations that must be adhered to, to bolster the written rules for the export of dual use items and better protect human rights. 

“While we welcome the positive elements in the regulation adopted by the EU legislators, we see the resulting agreement in many ways falling short of what was necessary to ensure stronger human rights protections,” said Natalia Krapiva, Tech-Legal Counsel at Access Now. “As the negotiations process dragged on for years, and the stronger provisions in earlier drafts were watered down, the sale and abuse of EU-based technologies have proliferated.”   

As negotiations stalled, and the stronger provisions in the original Commission’s proposal were weakened, EU-based companies have continued to undermine people’s human rights by selling and exporting surveillance technology around the world, including into the hands of known rights abusers, making the text’s finalization incredibly timely. Despite the final agreement’s shortcomings, it is now vital that all Member States robustly implement the positive elements of the new regulation. EU Member States and the Commission must go further than the new compromise in order to meet their international human rights obligations, and ensure that the continued export of sophisticated surveillance tools by EU companies does not facilitate human rights violations of people around the world.


The new EU dual use regulation should be considered a minimum baseline. To fulfill their international obligations to protect human rights, and under close monitoring and clear guidance by the Commission, Member States must:

  • Interpret “cyber-surveillance” to include mobile telecommunications interception or jamming equipment; intrusion software, IP network communications surveillance systems or equipment, and other invasive technology;
  • Ensure that systems specially designed to perform biometric identification are subject to control within the EU control list and within the Wassenaar Arrangement in a transparent and consultative process and interpret these items to constitute “cyber-surveillance;”
  • Ensure detailed reports describing export license applications — including details such as a description of the end user and destination, the value of the license, and the number of license applications per item — made to authorities concerning all dual use items are made publicly available on a regular basis; 
  • Ensure national legislation governing the assessment of export licenses takes into account relevant European human rights protections, such as the EU Charter of Fundamental Rights as well as those developed by the Court of Justice of the European Union and the European Court of Human Rights, and  evidence from civil society and human rights experts; and
  • Ensure European legislation requiring corporate actors to respect human rights and implement human rights due diligence measures as prescribed by the United Nations Guiding Principles on Business and Human Rights (UNGPs). 

Read the full statement, including all recommendations.