On 30 July 2019 the European Commission adopted its Recommendation 2019/1318 on internal compliance programmes for dual-use trade controls under Council Regulation (EC) No 428/2009. "Dual-use items" are goods, including software and technology, that can be used for both civilian and military purposes. For example, telecommunications is included in this definition. While at first glance the focus of this recommendation seems quite narrow, its content is actually much broader, and may be of interest to any entity implementing an Internal Compliance Programme (ICP).

The recommendation is based on seven core elements. For each of them, the Commission sets out the expectations that professionals in the sector must be able to meet in an effective and proactive manner, and the steps necessary to achieve them. Attached to the recommendation are standard questions to quickly identify points for attention, as well as a series of warning signs that should attract the attention of the prudent and diligent exporter. In the event of suspicion, the exporter will, as the case may be, be requested or required to communicate all relevant information to the competent authorities.

Top-level management commitment to compliance

The implementation of an effective ICP requires a rigorous and disciplined corporate culture. People in high positions of authority must lead by example by adopting an irreproachable attitude that respects applicable European and national regulations. They must also foster effective communication with their employees regarding their company's ICP objectives and ensure an adequate allocation of organisational, human and technical resources to conduct their compliance policy.

Organisation structure, responsibilities and resources

This adequate allocation of resources requires an organisational structure that is set down in writing, allowing the identification of one or more responsible persons in a comprehensive manner. Sufficient staff must be available to meet client needs, and a specific member must be responsible for monitoring ICP follow-up. If necessary, staff must be able to stop any suspicious transactions. Conflicts of interest must be avoided and access to the most recent relevant legislative texts must be ensured

Training and awareness raising

Whether through internal or external seminars or specialised training, staff training and awareness is essential for an ICP on an ongoing basis and at all relevant levels.

Transaction screening process and procedures

This requires putting in place a series of procedures to verify the compliance of transactions. The Commission proposes concrete measures, such as:

  • item classification for goods, software and technology;
  • transaction risk assessment; and
  • post-licensing controls.

Performance review, audits, reporting and corrective actions

A well-functioning ICP has clear reporting procedures concerning the notification and escalation actions of members of staff when a suspected or known incident of non-compliance has occurred. As part of a compliance culture, the staff must feel confident and reassured when they raise questions or report concerns about compliance in good faith.

Recordkeeping and documentation

The recommendation contains criteria for recording and documenting transactions. These processes must be proportionate, accurate and capable of ensuring the traceability of dual-use trade control related activities. Such a comprehensive recordkeeping system is intended to help the company with conducting performance reviews and audits, complying with EU and/or national documentation retention requirements and to facilitate cooperation with competent authorities in case of a dual-use trade control enquiry.

Physical and information security

Trade controls for dual-use items, including software and technology, pursue security and foreign policy objectives. Appropriate security measures contribute to containing the risks of unauthorised removal of, or access to, controlled items. Physical security measures are important. In addition, by their very nature, controlled software or technology in electronic form may require additional information security measures.

All these measures, which are an integral part of a compliance programme, also serve as a source of inspiration for good practice in ensuring compliance with other legal obligations to which any exporting company is subject, such as compliance with economic sanctions and embargoes.