On 30 December 2019, the updated Annex I (the “Dual-Use List”) to Regulation 428/2009 (the “Dual-Use Regulation”) was published in the Official Journal of the European Union (see here). The updated Regulation came into effect on 31 December 2019.

The changes to the Dual-Use List reflect updates to the international non-proliferation agreements during the previous year. The majority of the changes result from amendments agreed to the Wassenaar Arrangement including:

  • a new decontrol note for ‘open-cell foam’ electromagnetic wave absorbing materials (1C001);
  • an amendment to control entry for Digital-to-Analogue Converter to avoid overlapping of the controls (3A001a5b);
  • a new decontrol note for ‘information security’ items that are specially designed for a “connected civil industry application”, covering certain network-capable endpoint devices limited to network connected consumer or civil industry applications other than “information security”, digital communication, general purpose networking or computing, and also covering certain networking equipment specially designed to communicate with such devices. Additional parameters also apply governing the cryptographic functionality and the standards implemented, which items must satisfy in order to quality for this decontrol (5A002); and
  • the defined term “described security algorithm” replacing the references to key length strength thresholds in the main control text. The existing strength thresholds for symmetric and asymmetric algorithms are kept in the new definition, along with alternative new criteria for certain quantum-resistant asymmetric algorithms (5A002).

A more detailed summary of the changes can be found in our previous update here. Author: Sunny Mann