EU Dual-Use Export Controls in 2026: What Businesses Need to Understand Before they Act
Export controls are among the most technically demanding areas of international trade law, and among the most frequently underestimated by businesses operating across borders. The consequences of non-compliance include criminal liability, licence revocations, reputational exposure, and loss of market access. The regulatory framework is genuinely complex, and the gap between what companies believe they understand about it and what it actually requires is often significant.
This article provides a structured overview of the EU dual-use export control regime as it stands in 2026, with reference to key national implementation considerations in the EU Member States.
What are dual-use export controls?
Dual-use goods, software, and technology are items with legitimate civilian applications that can also be used for military purposes. The category is deliberately broad: it encompasses advanced semiconductors, encryption software, certain biological agents, precision manufacturing equipment, drone components, and an expanding range of emerging technologies including quantum computing hardware and artificial intelligence tools with specific capabilities.
The EU's dual-use export control regime seeks to ensure that these items do not reach end-users or end-uses that pose proliferation, military, or human rights risks, while preserving the conditions for legitimate international trade and research collaboration.
The governing legal framework: Regulation (EU) 2021/821
The principal instrument governing dual-use export controls across the European Union is Regulation (EU) 2021/821, which entered into force on 9 September 2021 and replaced Council Regulation (EC) No 428/2009. The 2021 Regulation represented a structural recast of the EU regime, introducing several changes of substance.
Most significantly, it extended the scope of controls beyond the export of physical goods to encompass the supply of technical assistance, brokering services, and the transmission of controlled technology by electronic means, including cloud-based transfers and deemed exports arising within research or employment contexts. It also introduced, for the first time in EU law, a framework for controlling cyber-surveillance technology that does not appear on the control lists but can be demonstrated to pose a risk to human rights.
Annex I to Regulation (EU) 2021/821 contains the dual-use control list, structured across ten categories: Category 0 (nuclear), Category 1 (advanced materials), Category 2 (materials processing), Category 3 (electronics), Category 4 (computers), Category 5 (telecommunications and information security), Category 6 (sensors and lasers), Category 7 (navigation and avionics), Category 8 (marine), and Category 9 (aerospace and propulsion). Each category is subdivided into systems, equipment, components, software, and technology.
What the November 2025 update changed
On 8 September 2025, the European Commission adopted Delegated Regulation (EU) 2025/2003, which amended and replaced Annex I to Regulation (EU) 2021/821. The delegated regulation was published in the Official Journal on 14 November 2025 and entered into force on 15 November 2025. It is now directly applicable across all Member States.
The principal areas of tightening.
Quantum technologies: Controls on quantum computers, cryogenic cooling systems specific to quantum applications, quantum key distribution components, parametric signal amplifiers, and cryogenic electronics and wafer probers were strengthened, with revised and in some cases extended parameter thresholds. Companies active in quantum research, particularly those with non-EU academic or commercial partners, should treat this as a high-priority classification review area.
Semiconductors and advanced manufacturing equipment: Parameter thresholds for a range of semiconductor fabrication and testing equipment were revised downward, broadening the scope of licensing requirements materially. Affected equipment categories include atomic layer deposition systems, epitaxial deposition equipment, lithography tools, EUV pellicles, masks and reticles, etching equipment, and scanning electron microscopes. The practical effect falls the most on European equipment manufacturers supplying into Asian markets and on distributors handling second-hand fabrication assets, where prior classification assessments based on pre-2025 parameters will need to be revisited.
Additive manufacturing: Controls on metal powder bed fusion systems were extended to encompass related software, inoculants for metal powders, and high-performance alloy powders with proliferation-relevant specifications, responding to continued concern about the manufacture of precision components for missile and munitions applications.
Biotechnology: Controls on gene synthesis and peptide synthesis equipment and certain biological agent handling infrastructure were amended, reflecting the dual-use risks associated with synthetic biology and the accelerated development of relevant technologies during and after the pandemic period.
Additional areas addressed in Delegated Regulation (EU) 2025/2003, not captured in prior classification frameworks, include high-temperature coatings, advanced computing integrated circuits and electronic assemblies, and certain life sciences tools. Businesses in affected sectors should conduct a fresh classification review against the full text of the new Annex I rather than relying on assessments prepared under the pre-November 2025 list. Prior classifications that were accurate under the 2021 Regulation's original Annex I may no longer be correct.
Licensing: the structure of authorisations
The EU dual-use regime operates through a hierarchy of authorisations. Understanding which applies, and when, is foundational to compliance. Union General Export Authorisations permit exports of specified goods to specified destinations without individual licence applications, subject to registration and record-keeping requirements. EU001 covers exports of most dual-use items to a defined list of low-risk allied destinations, including the United States, United Kingdom, Canada, Japan, Australia, New Zealand, Norway, Switzerland, Iceland, and Liechtenstein, without individual licence applications. The inclusion of the United Kingdom reflects post-Brexit arrangements. However, EU001 does not cover all controlled goods to those destinations: exporters must verify whether specific items are excluded under Annex II of the authorisation, and all UGEAs remain subject to conditions including the prohibition on use for end-uses that would trigger individual licence requirements. UGEA eligibility must be confirmed for each product category and transaction rather than assumed on the basis of destination alone. EU002 through EU008 cover specific categories including encryption, satellites, and certain chemicals. National General Export Authorisations are issued by Member States within their own jurisdictional frameworks and supplement the UGEA regime; their scope and conditions vary materially between Member States, which is a source of genuine compliance complexity for businesses operating across multiple EU jurisdictions. Individual Export Licences are required where no UGEA or NGEA applies. Global Export Licences permit multiple exports of specified items to a specified end-user or range of end-users over a defined period, reducing the administrative burden for established trading relationships.
The catch-all clause: underestimated and increasingly enforced
Article 4 of Regulation (EU) 2021/821 contains the catch-all provision, arguably the most significant area of regulatory exposure for businesses that do not deal in obviously listed goods.
The catch-all requires an authorisation for the export of goods not appearing on the control list where the exporter knows, has been informed by a competent authority, or has reason to believe, that the items are or may be intended for use in connection with weapons of mass destruction programmes, certain military end-uses in arms-embargoed destinations, or, under the human rights provision introduced in the 2021 Regulation, for internal repression or serious human rights violations.
The practical implication is that compliance cannot be limited to a list-checking exercise. Businesses must maintain a credible end-user screening programme, document their due diligence, and establish internal escalation procedures for transactions that raise concerns regardless of whether the goods involved are formally controlled.
Enforcement activity under the catch-all has increased materially across EU Member States since 2022, driven in large part by the Russia sanctions regime and the identification of controlled goods reaching sanctioned destinations through third-country diversion routes. As of 2026, this remains a priority enforcement area, with competent authority audit activity focused particularly on technology transfers, including intangible and electronic transfers, rather than solely on physical goods movements. Businesses with supply chains passing through Central Asian, Middle Eastern, or other identified transit jurisdictions should treat this as an elevated and actively monitored risk area.
National Implementation: Key Member State Considerations
Regulation (EU) 2021/821 is directly applicable across all Member States, but its implementation involves significant national discretion in licensing administration, enforcement priorities, and the availability of NGEAs.
Germany. The Federal Office of Economics and Export Control (BAFA) is the competent licensing authority. Germany operates one of the most active enforcement regimes in the EU, with criminal prosecution of export control violations sitting with the public prosecutor under the Außenwirtschaftsgesetz rather than the administrative authority. BAFA has enhanced its audit activity on technology transfers, including deemed exports and cloud-based technical assistance, since 2023, and this focus has continued into 2026.
Netherlands. The Netherlands Enterprise Agency (RVO) administers licensing. The Netherlands is a significant transit jurisdiction for dual-use goods, and Dutch enforcement has sharpened considerably since semiconductor equipment became a strategic trade control priority, a development reflecting both Regulation (EU) 2021/821 implementation and separate Dutch national controls on specific photolithography equipment not fully captured by the EU list.
Poland. The Ministry of Development and Technology administers dual-use licensing in Poland, with enforcement coordination through the customs service. Poland's strategic position as a transit route and its growing role in defence-related manufacturing have increased the practical relevance of its export control framework. The national NGEA regime is less developed than those in Germany or the Netherlands, meaning individual licence applications are more frequently required for transactions that would qualify for general authorisations elsewhere.
France. The Directorate General of Customs and Excise and the Ministry of Economy jointly administer the French regime. France operates a robust NGEA framework and maintains particular sensitivity around nuclear-related Category 0 items, reflecting its strategic nuclear infrastructure.
Compliance programme essentials
A credible EU dual-use compliance programme has five components that regulators and enforcement authorities consistently assess.
Classification. A systematic process for determining whether products, software, and technology meet any entry in Annex I to Regulation (EU) 2021/821, now as amended by Delegated Regulation (EU) 2025/2003, maintained and updated as both product specifications and the control list evolve. The November 2025 update makes a fresh classification review necessary for any business active in quantum, semiconductors, additive manufacturing, or biotechnology.
End-user screening. A documented process for assessing the declared end-user and end-use against restricted party lists, embargoed destinations, and catch-all indicators, applied consistently across the sales and procurement cycle, not only at the point of physical export.
Licence determination. A clear internal procedure for determining the applicable authorisation for each transaction, with documented rationale for reliance on UGEAs or NGEAs, including confirmation that specific goods and end-uses are not excluded from the applicable authorisation's scope, and a defined escalation path for transactions requiring individual licences.
Record-keeping. Regulation (EU) 2021/821 requires records to be maintained for a minimum of five years from the date of export. Member State enforcement practice frequently focuses on record quality as a proxy for overall compliance maturity.
Training and governance. Documented training for personnel involved in trade, procurement, technology transfer, and customer-facing functions, with board or senior management accountability for the compliance programme.
FAQ
What is the EU dual-use regulation and who does it apply to?
Regulation (EU) 2021/821 applies to any natural or legal person established in the EU who exports dual-use goods, software, or technology; provides technical assistance in connection with such items; or brokers transactions involving them. It applies regardless of whether the exporter is a manufacturer, distributor, research institution, or service provider. The 2021 Regulation extended its reach to intangible transfers, including electronic transmission of controlled technology, which brings a significantly wider range of businesses within scope than was the case under the previous regime.
What did Delegated Regulation (EU) 2025/2003 change, and when did it take effect?
Delegated Regulation (EU) 2025/2003 was adopted on 8 September 2025, published in the Official Journal on 14 November 2025, and entered into force on 15 November 2025. It amended and replaced Annex I to Regulation (EU) 2021/821, implementing 2024 multilateral export control regime outcomes and adding EU-specific controls in areas where multilateral consensus was not reached. The principal tightenings affected quantum computing hardware and components, semiconductor fabrication and testing equipment, metal additive manufacturing systems and materials, and gene and peptide synthesis equipment. Businesses in these sectors should treat their pre-November 2025 classification assessments as potentially no longer current.
Does the EU dual-use regulation apply to software and technology, or only physical goods?
It applies to all three. Software and technology, including source code, technical specifications, and know-how, are controlled where they meet the parameters set out in the software or technology entries of Annex I. The 2021 Regulation made explicit that electronic transmission, cloud access, and the provision of technical assistance by EU-established persons are all within scope. Academic research institutions, technology companies, and professional services firms providing technical consulting with non-EU counterparts should treat this as a live compliance question.
What is a deemed export and does EU law address it?
A deemed export arises when controlled technology is transferred to a non-EU national, for example through employment, research collaboration, or access to controlled systems, without a physical export taking place. Deemed exports are not codified in Regulation (EU) 2021/821 in the same explicit terms as in the US Export Administration Regulations, and there is no uniform EU-wide rule. However, competent authorities in several Member States, Germany and the Netherlands most notably, have taken enforcement positions that produce equivalent effects in practice. Businesses with international workforces or research programmes involving non-EU nationals should assess their exposure under the applicable Member State framework rather than assuming the concept does not apply.
What are the penalties for non-compliance with EU dual-use export controls?
Penalties are determined at Member State level and vary significantly. In Germany, criminal penalties for intentional violations include custodial sentences of up to five years under the Außenwirtschaftsgesetz. In the Netherlands and France, both criminal and administrative penalties apply, including significant fines and licence suspensions. In all Member States, serious violations carry reputational consequences, including public disclosure of enforcement actions, that frequently exceed the direct financial penalties in their practical impact.
How do EU export controls interact with US Export Administration Regulations?
The regimes are separate but overlapping. Goods with US-origin content or technology may be subject to US EAR re-export controls regardless of whether they are also controlled under Regulation (EU) 2021/821. Businesses that manufacture or distribute products incorporating US-origin components must assess both regimes independently. The US Commerce Department's Entity List and the EU's own restricted party frameworks are not identical, and a counterparty that passes one screen may appear on the other.
Do EU dual-use controls apply to exports to the United States or United Kingdom?
Union General Export Authorisation EU001 covers exports of most dual-use items to a list of allied destinations including the United States and United Kingdom, the latter's inclusion reflecting post-Brexit arrangements, without individual licence applications. However, EU001 does not cover all controlled goods even for these destinations, and exporters must confirm that specific items are not excluded under Annex II of the authorisation and that the transaction does not involve end-uses that would trigger separate requirements. UGEA eligibility should be verified for each product category rather than assumed on the basis of destination alone.
How does the catch-all clause create exposure for businesses not dealing in listed goods?
Article 4 of Regulation (EU) 2021/821 requires an export authorisation for goods not on the control list where the exporter knows or has reason to believe they may be intended for weapons of mass destruction programmes, military end-uses in arms-embargoed destinations, or, under the 2021 Regulation's human rights provision, for internal repression. The catch-all has been actively enforced since 2022, with particular focus on goods diverted to Russia through third-country routes. As of 2026, enforcement authorities are auditing not only physical exports but technology transfers and intangible transmissions. List-based compliance programmes that do not address catch-all risk are structurally incomplete.
Sources: Regulation (EU) 2021/821 of the European Parliament and of the Council on the Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items; Delegated Regulation (EU) 2025/2003 of 8 September 2025 amending Annex I, published OJ 14 November 2025; Wassenaar Arrangement Plenary outcomes 2024; BAFA guidance on technology transfer controls (updated 2024); Außenwirtschaftsgesetz (AWG), Germany.
This article is for general information purposes only and does not constitute legal advice. Export control compliance requirements are jurisdiction-specific and fact-dependent. Businesses should seek qualified legal advice before making any export, transfer, or licensing determination.
