ANNEX

EU GUIDANCE ON INTERNAL COMPLIANCE PROGRAMME (ICP) FOR DUAL-USE TRADE CONTROLS

INTRODUCTION

Effective controls on trade in dual-use items — goods, software and technology — are vital for countering risks associated with the proliferation of Weapons of Mass Destruction (WMD) and the destabilising accumulations of conventional weapons. Companies dealing with dual-use items are obliged to comply with strategic trade control requirements imposed under the laws and regulations of the European Union (1) and its Member States. They need to refrain from participating in transactions where there are concerns that items may be used for proliferation purposes.

Taking into consideration rapid scientific and technological advancements, the complexity of today's supply chains and the ever growing significance of non-State actors, effective trade controls depend to a great extent on the awareness of ‘companies’ (2) and their active efforts to comply with trade restrictions. To this end, companies usually put in place a set of internal policies and procedures, also known as an Internal Compliance Programme (ICP), to ensure compliance with EU and national dual-use trade control laws and regulations. The scope and the extent of these policies and procedures are usually determined by the size and the commercial activities of the specific company.

In order to support companies to maintain strict compliance with the relevant EU and national laws and regulations, this guidance provides a framework to identify and manage dual-use trade controls' impact and mitigate associated risks. The guidance focuses on the 7 core elements for an effective ICP. Each core element is further detailed by a section ‘What is expected’ that describes the objective(s) of each core element, and a section ‘What are the steps involved?’ that further specifies the actions and outlines possible solutions for developing or implementing compliance procedures. This document concludes with a set of helpful questions pertaining to a company's ICP and a list of diversion risk indicators and ‘red flag’ signs about suspicious enquiries or orders.

The development of EU ICP guidance for dual-use trade controls takes into consideration and builds on existing approaches to export control compliance, and in particular:

—	the 2011 Wassenaar Arrangement Best Practice Guidelines on Internal Compliance Programmes for Dual-Use Goods and Technologies (3),

—	the ‘Best Practice Guide for Industry’ from the Nuclear Suppliers Group (NSG) (4)

—	the ICP elements in the Commission Recommendation 2011/24/EU (5),

—	the results from the fourth Wiesbaden Conference (2015) on ‘Private Sector Engagement in Strategic Trade Controls: Recommendations for Effective Approaches on United Nations Security Council Resolution 1540 (2004) Implementation’

—	the 2017 United States Export Control and Related Border Security Program ICP Guide website (6).

The guidance contains 7 core elements that should not be considered as an exhaustive list, nor should their order be perceived as ranking from very important to less important. They are identified as cornerstones for a company's tailor-made ICP and aim at assisting companies in their reflections on the most appropriate means and procedures for compliance with EU and national dual-use trade control laws and regulations. Affected companies are expected to have a range of existing policies and processes in place in relation to export control. For these companies, the core elements' structure could facilitate benchmarking their compliance approach. A company's approach to compliance that includes policies and internal procedures for, at least, all the core elements could be expected to be in line with the EU ICP guidance for dual-use trade controls. For companies that are in the process of developing a compliance approach for dual-use trade, the core elements' structure offers a basic and generic skeleton for company compliance.

At a general level, the most important aspect of developing an ICP, is to keep it relevant to the company's organisation and activities, and to make sure that internal processes are easy to understand and follow, and capture the day-to-day operations and procedures. The individual requirements and characteristics of an ICP will depend on the size, structure and scope of the company's specific business activity, but also on the strategic nature of its items and possible end-uses or end-users, on the geographic presence of its customers and on the complexity of internal export processes. Therefore, it is important to stress that, during the development of this guidance, potential implementation challenges for Small and Medium Sized Enterprises (SMEs) were systematically considered.

Disclaimer

This guidance is of a non-binding character and should not to be considered as legal advice. This guidance is without prejudice to the decisions on authorisations, that are the responsibility of the competent authorities under Regulation (EC) No 428/2009.

In case you wish to share feedback on the content of this document, please contact your competent authority (see Annex 3).

EU ICP GUIDANCE FOR DUAL-USE TRADE CONTROLS

The following core elements are essential for an effective dual-use trade control Internal Compliance Programme:

1.	Top-level management commitment to compliance

2.	Organisation structure, responsibilities and resources

3.	Training and awareness raising

4.	Transaction screening process and procedures

5.	Performance review, audits, reporting and corrective actions

6.	Recordkeeping and documentation

7.	Physical and information security

For each core element, the section ‘What is expected?’ describes the ICP related objective(s). The section ‘What are the steps involved?’ further specifies the actions and outlines possible solutions for developing or implementing compliance procedures.

With this in mind, the core elements should be understood as ‘building blocks’ for the preparation of ICPs by companies involved in dual-use trade. Each company should describe within its own tailor-made ICP how it implements the relevant core elements in consideration of its specific circumstances.

In doing so, all companies involved in dual-use trade should consider in particular the actions contained in the section ‘What are the steps involved’, though companies may deviate from these actions if there are company-specific reasons for doing so.

RISK ASSESSMENT

An ICP needs to be tailored to the size, the structure and scope of the business, and, especially, to the company's specific business activity and related risks. Therefore, if a company wants to develop or review its compliance programme for dual-use trade control, it is recommended to start with a risk assessment to determine its specific dual-use trade risk profile. It will help the company to become aware of what parts of its business need to be covered by the ICP and target the ICP to the company's specific circumstances.

The risk assessment should carefully assess the product range, customer base and business activity that are or could be affected by dual-use trade control. It should identify relevant vulnerabilities and risks so that the company can incorporate ways to mitigate them under the ICP. Even though this risk assessment cannot identify all vulnerabilities and risks your company may face in future, it will give the company a better base to develop or review its ICP.

Companies often already have internal control processes in place and therefore, do not need to start from scratch when designing ICPs. The risk assessment supports a company to assess its existing corporate policies and procedures against export control related risks and come up with a course of action for adapting them, if necessary. In addition, promoting synergies between existing policies and export control requirements is a further step to consider from the beginning. For instance, it is a good practice to insert cross references to export control principles and requirements in the company's code of conduct, if available.

The outcomes of this risk assessment will affect the necessary actions and appropriate solutions for developing or implementing the company's specific compliance procedures.

A company may try to benefit as much as possible from the advantages of global, group-wide ICP solutions, but must always comply with all applicable EU and Member State laws and regulations.

AUTHORISED ECONOMIC OPERATOR (7)

If a company holds of a valid Authorised Economic Operator (AEO) authorisation, the assessment of the company's compliance covering relevant customs activities could be taken into account for the purpose of developing or reviewing an ICP.

Taking into consideration that customs authorities have checked the customs routines and procedures of your company, the AEO status could be an asset for establishing or reviewing procedures relating to ICP core elements such as recordkeeping and physical security.

1.   Top-level management commitment to compliance

Effective ICPs reflect a top-down process whereby the company's top-level management gives significance, legitimacy, and organisational, human and technical resources for the corporate compliance commitments and compliance culture.

What is expected?

Top-level management commitment aims to build compliance leadership (lead by example) and corporate compliance culture for dual-use trade control.

A written statement of support to internal compliance procedures by the top-level management promotes the company's awareness of the objectives of dual-use trade controls and compliance with the relevant EU and Member State laws and regulations.

The commitment indicates clear, strong and continuous engagement and support by top-level management. It results in sufficient organisational, human and technical resources for the company's commitment to compliance. The management communicates clearly and regularly to employees about the corporate commitment in order to promote a culture of compliance.

What are the steps involved?

Develop a corporate commitment statement stating that the company complies with all EU and Member State dual-use trade control laws and regulations.

Define the management's specific compliance expectations and convey the importance and value placed on effective compliance procedures (8).

Clearly and regularly communicate the corporate commitment statement to all employees (also employees with no role in dual-use trade control) in order to promote a culture of compliance (9).

2.   Organisation structure, responsibilities and resources

Sufficient organisational, human and technical resources are essential for effectively developing and implementing compliance procedures. Without a clear organisation structure and well-defined responsibilities, an ICP risks suffering from lack of oversight and undefined roles. Having a strong structure helps organisations work out problems when they arise and prevent unauthorised transactions from occurring.

What is expected?

The company has an internal organisational structure that is set down in writing (for instance in an organisational chart) and that allows for conducting internal compliance controls. It identifies and appoints the person(s) with the overall responsibility to ensure the corporate compliance commitments. Please be aware that in some Member States this must be a member of the top-level management.

All compliance related functions, duties and responsibilities are defined, assigned and connected to each other in an order that ensures the management that the company conducts overall compliance. Where appropriate or even necessary, functions and/or duties relating to export controls (but not the overall responsibility) may be delegated within the entity or shared between two or more corporate entities within the EU.

The company adequately staffs all areas of the business that are related to dual-use trade with employees who demonstrably have the required skills. At least one person in the company is (not necessarily exclusively) entrusted with a dual-use trade control function. This function can be shared between corporate entities within the EU as long as an appropriate level of controls is maintained. Please note however that in some EU Member States this may not be possible, as national export control legislation requires a dedicated person to be appointed locally.

Dual-use trade control staff should be protected as much as possible from conflicts of interest. This staff is entitled to directly report to the person(s) with the overall responsibility for dual-use trade controls and should additionally have the power to stop transactions.

Dual-use trade control staff must have access to the relevant legislative texts, including the latest lists of controlled goods and lists concerning embargoed or sanctioned destinations and entities. Appropriate operational and organisational processes and procedures, relevant for dual-use trade controls, are documented, gathered and distributed to all relevant personnel.

The company should have a compilation of the documented processes and procedures (e.g. in a compliance manual) that is up-to-date. Depending on its size and its business volume, the company should consider the need for IT support for internal compliance procedures.

What are the steps involved?

Determine the number of dual-use trade control staff, taking into account legal and technical aspects which need to be covered. Entrust at least one person in the company with the company's dual-use trade compliance and ensure that an equally qualified substitute can assume the task in case of absence (such as sickness, holiday and so on). Depending on the average volume of orders, this person may only have to handle tasks relating to dual-use export control on a part-time basis.

Clearly identify, define and assign all compliance related functions, duties and responsibilities, possibly in an organisational chart. Clearly identify back-up functions whenever possible.

Make sure that the internal organisational structure for dual-use trade control is known throughout the organisation and that the internal records of these assignments are routinely updated and distributed to employees. Make the contact details of the responsible person for dual-use trade control questions known within the company. If trade control duties are being outsourced, the interface to and the communication with the company needs to be organised.

Define the knowledge and skills needed by legal and technical dual-use trade control staff. Job descriptions are recommended.

Make sure that dual-use trade control staff is protected as much as possible from conflicts of interest. Depending on the size of the company, the responsibility for compliance may be laid down at a suitable department or division. For example: person(s) making the final decision whether goods can be shipped, are not part of the sales department, but part of the legal department. Allow this staff to function as expert advisors to guide company decisions resulting in compliant transactions.

Document and distribute the set of policies and procedures addressing dual-use trade controls to all relevant personnel.

Compile the documented policies and procedures and consider the format of a compliance manual.

3.   Training and awareness raising

Training and awareness raising on dual-use trade control is essential for staff to duly perform their tasks and take compliance duties seriously.

What is expected?

The company ensures via training that the dual-use trade control staff is aware of all relevant export control regulations as well as the company's ICP and all amendments to them. Examples of training material are external seminars, subscription to information sessions offered by competent authorities, in-house training events, and so on.

Furthermore, the company carries out awareness raising for the employees at all relevant levels.

What are the steps involved?

Provide compulsory, periodic training for all dual-use trade control staff to ensure they possess the knowledge to be compliant with the regulations and the company's ICP.

Ensure via training that all concerned employees are aware of all relevant dual-use trade control laws, regulations, policies, control lists and all amendments to them as soon as they are made public by the competent authorities. If possible, consider customised trainings.

Develop general awareness raising for all employees and dedicated training activities for e.g. purchasing, engineering, project management, shipping, customer care and invoicing.

Consider, whenever appropriate, to make use of national or EU training initiatives for dual-use trade control.

Incorporate lessons learnt from performance reviews, audits, reporting and corrective actions, whenever possible, in your training or export awareness programs.

4.   Transaction screening process and procedures

In terms of operational implementation, transaction screening is the most critical element of an ICP. This element contains the company's internal measures to ensure that no transaction is made without the required license or in breach of any relevant trade restriction or prohibition.

The transaction screening procedures collect and analyse relevant information concerning item classification, transaction risk assessment, license determination and application, and post-licensing controls.

Transaction screening measures also allow the company to develop and maintain a certain standard of care for handling suspicious enquiries or orders.

What is expected?

The company establishes a process to evaluate whether or not a transaction involving dual-use items is subject to national or EU dual-use trade controls and determine the applicable processes and procedures. In case of recurring transactions, transaction screening needs to be performed periodically.

This core element is divided into:

—	Item classification, for goods, software and technology;

—	Transaction risk assessment, including — Checks on trade-related embargoed, sanctioned or ‘sensitive destinations and entities’ (10); — Stated end-use and involved parties screening; — Diversion risk screening; — ‘Catch-all controls’ for non-listed dual-use items;

—	Determination of license requirements and licence application as appropriate, including for brokering, transfer and transit activities; and

—	Post-licencing controls, including shipment control and compliance with the conditions of the authorisation.

In case of doubt or suspicion during the transactions screening process, in particular about the results of the stated end-use and involved parties or diversion risk screening, please consult with the competent authority in the EU Member State where your company is established.

Transaction screening can be done manually or with the support of automated tools, depending on your company's needs and available resources.

What are the steps involved?

Item classification

Item classification is about determining whether the items are listed. This is done by comparing the technical characteristics of an item against the EU and national dual-use control lists. If applicable, identify whether the item is subject to restrictive measures (including sanctions) imposed by the EU or the EU Member State in which your company is established.

Understand that dual-use items, whether a physical product, software or technology, could require a license for various reasons.

Pay particular attention to the classification of dual-use components and spare parts, and to the classification of dual-use software and technology that can be transferred by email or made available via, for instance, a ‘Cloud’ service abroad.

Gather information about the possible misuse of your dual-use items in the context of e.g. conventional military or WMD proliferation. Share this information within the company.

It is recommended to request information from your supplier(s) about the dual-use classification of materials, components, subsystems that are processed or integrated by your company, including machinery used in the production. It is still your company's responsibility to check the classification received from the supplier(s).

As required by Article 22(10) of the EC dual-use Regulation (EC) No 428/2009, mention — with a reference to the relevant legislation — in the commercial documents relating to intra-EU-transfers that the transaction involves listed dual-use items and are subject to controls if exported from the EU.

Transaction risk assessment

Checks on embargoed, sanctioned or sensitive destinations and entities

Ensure that none of the involved parties (intermediaries, purchaser, consignee or end-user) are subject to restrictive measures (sanctions) by consulting the up-to-date sanctions lists (11).

Stated end-use and involved parties screening;

Know your customers and their end-use of your products.

Consult the information provided by your competent authority for EU and national rules and requirements concerning end-use statements. Even without a national obligation to submit a correctly filled-out and signed end-use statement, an end-use statement may be a useful means to check the reliability of the end-user/consignee and the information can be used to determine if an authorisation is required for non-listed dual-use items where there are stated end-use concerns under the terms of Article 4 of Regulation (EC) No 428/2009 (12).

Be vigilant for diversion risk indicators and signs about suspicious enquiries or orders e.g. assess if the stated end-use is consistent with the activities and/or markets of the end-user. Annex 2 contains a list of questions to support stated end-use and involved parties screening.

Diversion risk screening

Be vigilant for diversion risk indicators and signs about suspicious enquiries or orders. Annex 2 contains a list of questions to support diversion risk screening.

Pay particular attention to the catch-all controls for non-listed dual-use items, if the stated end-use and involved parties screening or the diversion risk screening provide information of concern under the terms of Article 4 of Regulation (EC) No 428/2009.

‘Catch-all’ controls for non-listed dual-use items

Ensure that the company has procedures in place to determine if it is ‘aware’ that there is information of concern about the stated end-use (under the terms of Article 4 of Regulation (EC) No 428/2009). If the exporter is ‘aware’, the company ensures that no export occurs without notifying the competent authority and without having received the competent authority's final decision.

For cases in which the exporter is being ‘informed’ by the competent authorities that there is information of concern about the stated end-use (under the terms of Article 4 of Regulation (EC) No 428/2009), then the company needs to have procedures in place to ensure the swift flow of information and the immediate stop of the export. It must be ensured that the export does not occur without having received an authorisation by the competent authority.

License determination and application, including for brokering, transfer and transit activities

Ensure that your company has the contact details of the competent export control authority.

Gather and disseminate information about the range of license types (including individual, global and general licenses) and controlled activities (including export, brokering, transfer and transit), and about the license application procedures relating to the applicable EU and national dual-use trade controls.

Be aware of less obvious controlled types of export (such as export via the ‘Cloud’ or via a person's personal baggage) and of dual-use trade control measures for activities other than export, such as technical assistance or brokering.

Post-licencing controls, including shipment control and compliance with the conditions of the authorisation

Before the actual shipment, there should be a final check that all steps ensuring compliance were duly taken. This is a good moment to check if items are correctly classified, if ‘red flags’ have been identified, if the screening of entities was effectively performed and if there is a valid licence for the shipment.

A final transaction risk assessment is necessary in case of a change of relevant legislation in the meantime, for example if the commodity is now a listed dual-use item or the end-user is now sanctioned.

Implement a procedure in which items can be stopped or put on hold when any of the requirements are not met, or when any ‘red flags’ are raised. The items should only be released by a person with responsibility for compliance.

Ensure that the terms and conditions of the licence have been complied with (including reporting).

Be aware that any changes to the exporting company's details (such as name, address and legal status), to the details of the end-user and/or intermediaries and to the details of the authorised items may affect the validity of your license.

5.   Performance review, audits, reporting and corrective actions

An ICP is not a static set of measures and therefore must be reviewed, tested and revised if proven necessary for safeguarding compliance.

Performance reviews and audits verify whether the ICP is implemented to operational satisfaction and is consistent with the applicable national and EU export control requirements.

A well-functioning ICP has clear reporting procedures about the notification and escalation actions of employees when a suspected or known incident of non-compliance has occurred. As part of a sound compliance culture, employees must feel confident and reassured when they raise questions or report concerns about compliance in good faith.

Performance reviews, audits and reporting procedures are designed to detect inconsistencies to clarify and revise routines if they (risk to) result in non-compliance.

What is expected?

The company develops performance review procedures to verify the day-to-day compliance work within the company and to check whether the export control operations are implemented appropriately according to the ICP. Performance review is executed internally, enables the early detection of instances of non-compliance and the development of follow-up measures for damage control. Performance review thus reduces risks for the company.

The company has procedures in place for audits, being systematic, targeted and documented inspections to confirm that the ICP is correctly implemented. Audits can be performed internally or by qualified external practitioners.

Reporting is the set of procedures for dual-use trade control staff and other relevant employees regarding the notification and escalation measures to take in the event of suspected or known incidents of dual-use trade non-compliance. It does not refer to external reporting obligations, e.g. in case your company is registered for the use of a union general export authorisation under the terms of Regulation (EC) No 428/2009.

Corrective actions are the set of remedial actions to guarantee the proper implementation of the ICP and the elimination of identified vulnerabilities in the compliance procedures.

What are the steps involved?

Provide for random control mechanisms as part of daily operations to monitor the trade control workflow within the company to ensure that any wrongdoings are detected in an early stage. Another approach is to use the ‘four eyes principle’, where trade control decisions are reviewed and double-checked.

Develop and perform audits to check the design, adequacy and efficiency of the ICP.

Make sure to include all aspects of the internal compliance programme into the audit.

Ensure that employees feel confident and reassured when they raise questions or report concerns about compliance in good faith.

Establish whistleblowing and escalation procedures to govern the actions of employees when a suspected or known incident of dual-use trade non-compliance has occurred. Third parties may be given this option as well.

Document any suspected breaches of national and EU dual-use control legislation and the associated corrective measures in writing.

Take effective corrective actions to adapt the export control operations or the ICP according to the findings of the performance review, the ICP system audit or the reporting. It is recommended to share these findings, including the revision to procedures and corrective actions with dual-use trade control staff and management. Once the corrective actions have been implemented, it is recommended to communicate the amended procedures to all employees concerned.

A dialogue with your competent authority can contribute to damage control and possible ways to strengthen the company's export control.

6.   Recordkeeping and documentation

Proportionate, accurate and traceable recordkeeping of dual-use trade control related activities is essential for your company's compliance efforts. A comprehensive recordkeeping system will help your company with conducting performance reviews and audits, complying with EU and/or national documentation retention requirements and it will facilitate cooperation with competent authorities in case of a dual-use trade control enquiry.

What is expected?

Recordkeeping is the set of procedures and guidelines for legal document storage, record management and traceability of dual-use trade control related activities. Recordkeeping of some documents is required by law but it may also be in your company's best interest to keep records of some other documents (e.g. an internal document describing the technical decision to classify an item). Where all required records are captured and correctly filed, this allows for more efficient search and retrieval during the day-to-day dual-use trade control activities, and also during the periodic audits.

What are the steps involved?

Verify the legal requirements for recordkeeping (period of safekeeping, scope of documents, etc.) in the relevant EU and national legislation of the EU Member State where the company is established.

In order to make sure that all relevant documentation is at hand, consider determining the record retention requirements in contracts with intermediaries, including freight forwarders and distributors.

Create an adequate filing and retrieval system for dual-use trade control. Both for paper and electronic systems, performant indexing and search functionalities are essential.

Ensure that export control related documents are maintained in a consistent manner and can be made available promptly to the competent authority or other external parties for inspections or audits.

It is recommended to keep a record of past contacts with the competent authority, also in relation with end-use(r) controls for non-listed dual-use items and in case of technical classification advice.

7.   Physical and information security

Trade controls for dual-use items, including software and technology, occur for reasons of (inter)national security and foreign policy objectives. Due to their sensitivity, therefore dual-use items should be ‘protected’, and having appropriate security measures contributes to containing the risks of unauthorised removal of, or access to, controlled items. Physical security measures are important but, because of the very nature of controlled software or technology in electronic form, ensuring compliance with dual-use trade regulations can be particularly challenging and also requires information security measures.

What is expected?

Physical and information security refers to the set of internal procedures that are designed to ensure the prevention of unauthorised access to or removal of dual-use items by employees, contractors, suppliers or visitors. These procedures cultivate a security culture within the company and ensure that dual-use items, including software and technology, do not get lost, are not easily stolen or exported without a valid license.

What are the steps involved?

Physical security

Ensure, according to the company's risk assessment, that controlled dual use items are secured against unauthorised removal by employees or third parties. Measures that could be considered include, for example, physically safeguarding the items, the establishment of restricted access areas and personnel access or exit controls.

Information security

Establish basic safeguarding measures and procedures for secured storage of and access to controlled dual-use software or technology in electronic form, including antivirus checks, file encryption, audit trails and logs, user access control and firewall. If applicable to your company, consider protective measures for uploading software or technology to the ‘Cloud’, storing it in the ‘Cloud’ or transmitting it via the ‘Cloud’.

---

(1)  Regulation (EC) No 428/2009.

(2)  For the purpose of this document, the term ‘companies’ should be understood in a broad sense. It includes research, academic and other entities qualifying as ‘exporters’ under Regulation (EC) No 428/2009. This guidance does not provide (at this stage) specific advice for the different sectors and actors involved.

(3)  See also https://www.wassenaar.org/app/uploads/2015/06/2-Internal-Compliance-Programmes.pdf

(4)  See also http://www.nuclearsuppliersgroup.org/images/Files/National_Practices/NSG_Measures_for_industry_update_revised_v3.0.pdf

(5)  Commission Recommendation 2011/24/EU of 11 January 2011 on the certification of defence undertakings under Article 9 of Directive 2009/43/EC of the European Parliament and of the Council simplifying terms and conditions of transfers of defence-related products within the Community (OJ L 11, 15.1.2011, p. 62).

(6)  See also http://icpguidelines.com

(7)  See also https://ec.europa.eu/taxation_customs/general-information-customs/customs-security/authorised-economic-operator-aeo_en

(8)  The corporate commitment statement could, for example, state that under no circumstances exports, brokering, transit or transfer can be made contrary to EU and Member State dual-use trade control laws and regulations by any individual operating on behalf of the company. In order to strengthen the understanding of the necessity of export controls, the statement may briefly explain their objectives. It could also stress the importance of employees being compliant with export controls, so that the employees understand possible non-compliance scenarios by communicating the risks of unauthorised transactions and possible consequences (criminal, reputational, financial, disciplinary etc.) for the company and the involved employees. It is recommended to keep the management commitment to compliance as simple as possible.

(9)  Companies could also consider disseminating the statement publicly through corporate websites and other commercial channels to inform third parties of the company's commitment to export control compliance.

(10)  So-called ‘sensitive destinations and entities’ are not only embargoed or sanctioned destinations, but also other destinations to which the shipment of (certain) dual-use items can be critical in specific cases, for example because of WMD proliferation or human rights concerns, as determined by the competent authority. Concerning human rights concerns, please note that other Regulations may apply, e.g. Regulation (EU) 2019/125 of the European Parliament and of the Council (OJ L 30, 31.1.2019, p. 1) that introduces controls on the export of goods that could be used for capital punishment or for torture.

(11)  The consolidated EU sanctions list (https://eeas.europa.eu/topics/sanctions-policy/8442/consolidated-list-sanctions_en) as well as the EU Sanctions Map (https://www.sanctionsmap.eu) may provide assistance in carrying out the sanctions screening.

(12)  In case your customer is unfamiliar with the request for an end-use statement, consider drafting a (one-page) accompanying letter explaining the very basics of dual-use trade controls and indicating that the requested document speeds up applying for a licence or might even be necessary for receiving a license.