EU Dual-Use Regulation and Export Control in Germany

By Dr. Julius Hagen, Attorney-at-Law

What the EU Dual-Use Regulation governs in practice

For many companies, the EU Dual-Use Regulation is the central export-control framework. It applies to goods, software, and technology that have civilian uses but may also be relevant for military, defence-related, or otherwise security-sensitive purposes.

Licensing requirements do not arise only from Annex I listings. Depending on the facts, they may also follow from end-use concerns, catch-all controls, technology transfers, cyber-surveillance rules, or certain intra-EU transfers. In Germany, BAFA is generally the competent licensing authority.

Dual-use does not mean marginal. It means export-control relevance

The EU Dual-Use Regulation covers items with both civilian and military potential, including goods, software, and technology. The legal question is not how a company markets its product, but whether the technical parameters or the actual end-use context bring the item within export control. That is why businesses in engineering, electronics, sensors, telecommunications, IT, aerospace, and industrial software frequently face difficult classification questions.

In practice, a matter may therefore become export-control relevant even though no classic defence product is involved. The real difficulty often lies in the correct classification of the item, the scope of a technology transfer, and whether a licence was required at all.

The starting point is often the control list, but not the end of the analysis

The standard case is the export of listed items under Annex I of the Regulation. Where an item falls under Annex I, export from the Union generally requires authorisation. For particularly sensitive Annex IV items, a licence may also be required for certain transfers within the EU. The framework also uses different licensing forms, including general export authorisations, individual authorisations, and global authorisations.

But the legal analysis does not stop with the list. Non-listed items may also become subject to control, especially where a critical end use is involved or where the rules on digital-surveillance items apply. Non-listed does not automatically mean licence-free.

Catch-all rules, end use, and digital surveillance

The Regulation includes catch-all controls for non-listed items. These do not depend on a fixed control-list entry, but on the critical end use or on notification by the competent authority. The focus of the analysis therefore shifts from product description alone to end user, end use, destination, and the real project context.

Article 5 on non-listed cyber-surveillance items deserves particular attention. This was one of the major changes introduced by the 2021 recast. It is important in practice because the definitions are technical, but not always straightforward, and BAFA has issued dedicated guidance on its application. For businesses dealing with monitoring tools, data-extraction functions, cyber capabilities, or related software, this is not a peripheral issue.

Technology transfers, software, and cloud structures matter

Export control is not limited to physical shipments. The Regulation also covers software and technology. An export may therefore take place through electronic transmission, server structures outside the Union, or other digital access and transfer arrangements. In legal and administrative practice, the idea of “transfer” is interpreted broadly; in some settings, making access possible may already be relevant.

That is why a purely shipment-based compliance view is often too narrow. In international companies with shared development environments, remote access, cloud-based collaboration, or intra-group data exchange, the real export-control issue may lie in the movement of technology rather than the movement of hardware.

BAFA, customs, and corporate organisation

In Germany, BAFA is the central licensing authority for export control. In practice, much depends on how product classification, licence applications, documentation, end-use review, and internal approvals are organised. Robust export-control structures matter not only for licensing, but also for reliability assessments and for the authority’s overall view of the company.

That is why the Dual-Use Regulation is not merely a technical compliance issue. Organisational weaknesses may later become the basis for an allegation that licensing duties were missed, warning signs were overlooked, or responsibilities were not properly allocated. What begins as an export-control classification issue can then develop into a regulatory-offence or criminal-law matter.

Why the legal boundary matters under German law

Not every export-control breach leads to the same legal consequences. In practice, the distinction between military goods and dual-use items, between criminal and administrative exposure, and between a licensing failure and a legally sustainable allegation is often decisive. In dual-use matters, sections 17, 18, and 19 AWG may each become relevant depending on the facts.

That is why the legal assessment is often technically demanding. The key questions are which EU rule actually applied, whether a licence requirement truly existed, how the technical classification should be assessed, and how responsibility for the transaction can legally be allocated within the company.

Experience in dual-use and export-control matters

We represent companies, directors, and individuals in matters involving the EU Dual-Use Regulation, licensing questions, goods classification, technology transfers, and BAFA-related proceedings.

Our work includes assessing the relevant rules, analysing the transaction in question, and advising in export-control matters under German law.