LU - Law 27 June 2018 on export control

“Effective controls on trade in dual-use items — goods, software and technology — are vital for countering risks associated with the proliferation of Weapons of Mass Destruction (WMD) and the destabilising accumulations of conventional weapons. Companies dealing with dual-use items are obliged to comply with strategic trade control requirements imposed under the laws and regulations of the European Union and its Member States. They need to refrain from participating in transactions where there are concerns that items may be used for proliferation purposes.

Taking into consideration rapid scientific and technological advancements, the complexity of today's supply chains and the ever growing significance of non-State actors, effective trade controls depend to a great extent on the awareness of companies and their active efforts to comply with trade restrictions. To this end, companies usually put in place a set of internal policies and procedures, also known as an Internal Compliance Programme (ICP), to ensure compliance with EU and national dual-use trade control laws and regulations. The scope and the extent of these policies and procedures are usually determined by the size and the commercial activities of the specific company.”

Export control is a shared responsibility between industry and authorities. The introduction chapter of the 2019 European Commission Recommendation, as partly reproduced here before, also places the focus on private companies’ efforts to be aware and to comply with trade restrictions. The Internal Compliance Program (ICP) is here presented as a tool to ensure compliance with European and national trade control laws and regulations.

ICPs are not new to the field of trade or export control. (EC) Regulation 428/2009 of 5 May 2009, the main legal (and directly applicable) reference for dual use items, already obliges EU Member States, when assessing an application for a global export authorization, to take into consideration “the application by the exporter of proportionate and adequate means and procedures to ensure compliance with the provisions and objectives of this Regulation and with the terms and conditions of the authorization” (Article 12.2.).

The European Commission, in its proposal COM(2016) 0616 final of 28 September 2016 to amend Regulation 428/2009, suggested to replace the wording “application … of proportionate and adequate means and procedures to ensure compliance” by “implementation … of an effective internal compliance program” (Article 10.4.).

On the view of these European rules, Luxembourg lawmakers, in the new law of 27 June 2018 on export control, oblige operators submitting an application for a global authorization concerning dual-use items to have an internal compliance program, as well as any supporting documents justifying the implementation and execution of such a program which ensures the implementation of Regulation (EC) No 428/2009 (Article 5).

In the course of the execution of the Luxembourg legislation on export control, composed of the amended law of 27 June 2018 and the amended Grand Duke regulation of 14 December 2018, questions have been raised by Luxembourg based companies with regard to the content of the Internal Compliance Program.

The Ministers responsible respectively for Foreign Trade and for Foreign Affairs, as the members of Government competent for issuing authorizations on the basis of the law of 27 June 2018, and their supporting Office du contrôle des exportations, importations et du transit (OCEIT), have meanwhile, in the course of outreach activities with exporting companies, been able to process questions and points arising in relation with ICPs.

This document is intended to communicate the approach of the Luxembourg licensing authorities when assessing Internal Compliance Programs introduced by exporters as a supporting document to applications for a global authorization. Their approach is very closely based on two European Commission Recommendations, to which they completely adhere, reason why the reader will find, at the beginning of each of the following chapters, a detailed reference to the EU guidelines as published in the Official Journal of the European Union. These European guidelines are providing a standard for all ICPs relating to foreign trade legislation.

For dual-use items, the recommendation (EU) 2019/1318 of the European Commission dated 30 July 2019 (hereinafter named “2019 EU Guidance on Dual-Use Items”) asks EU Member States to consider the non-binding guidance provided in Annex to this recommendation in order to fulfill their obligations under Regulation (EC) 428/2009. It provides a framework to help exporters identify, manage and mitigate risks associated with dual-use trade controls, but also to support authorities in their assessment of risks, in the exercise of their responsibility for deciding on individual, global or national general authorizations.

In order to be as practical and transparent as possible, such reference is completed by a short explanation and/or reference to Luxembourg’s situation or context, if needed, on the one side, and a checklist and practical aspects on the other side.

The check-list serves two purposes. It does not only display the different steps followed by licensing authorities in assessing an Internal Compliance Program, and is as such transparent for applicants. It presents, at the same time, a valuable tool to guide companies in their ICP drafting efforts and may, as such, be followed by companies desiring to ensure that their ICP is meeting the authorities’ approach and guidelines.

This document is of a non-binding character and should not to be considered as legal advice. This guidance is without prejudice to the decisions on authorisations, that are the responsibility of the Ministers responsible for Foreign Trade and Foreign Affairs, who are the competent authorities under the Law of 27 June 2018 and Regulation (EC) No 428/2009. It does not provide (at this stage) specific advice for the different sectors and actors involved.

For the purpose of this document, the term “company” or “companies” should be understood in a broad sense. It includes research, academic and other persons and entities qualifying as “exporters” under the law of 27 June 2018.

Purpose to have an ICP

As outlined by the European Commission in their Guidance, the Internal Compliance Program allows companies to employ a risk-based approach to export control compliance. It ensures compliance with multilateral and unilateral sanctions, in particular vetting of clients and suppliers for reputation and security risks and enhances due diligence to secure supply chains or raw and semi-processed materials to ensure compliance with international regulations.

Through voluntary guidelines and other due diligence systems, it assists in designing to curb sanctions violations, human rights abuses and other breaches of international humanitarian law. It deals with training and educating of corporate staff in the provisions of multilateral and unilateral sanctions and all aspects of sanctions implementation, compliance and due diligence practice.

The ICP creates a valuable knowledge basis for internal compliance and export staff and should be used as a working basis for audits and risk assessments.

Eventually, the ICP demonstrates, not only to OCEIT and Luxembourg Government, but also to suppliers, customers and business partners, compliance with relevant export control legislation.

From a practical point of view, it allows to apply for and be granted global authorizations valid for 3 years (renewable for 18 months), whereas an individual authorization shall have a 1 year validity (renewable for 6 months). Once validated, it therefore simplifies license management at the level of the exporting company and has additional practical benefits, especially useful for companies involved with a large number of foreign partners and carrying out a large number of exports that are subject to authorization.

Advantages offered by global authorizations are associated with higher requirements on exporters in terms of reliability, compared to individual licenses. These requirements must be incorporated in the ICP.

An ICP is a tailor-made internal document

An ICP must be kept relevant to the company's organisation and activities. It shall integrate internal processes that are easy to understand and follow, and capture the day-to-day operations and procedures.

Any individual requirements and characteristics of an ICP will depend on the size, structure and scope of the company's specific business activity, but also on the strategic nature of its items and possible end-uses or end-users, on the geographic presence of its customers and on the complexity of internal export processes.

Preliminary notes

Each company has different risks and different risk tolerances.
There is no simple and clear formula for creating a successful compliance program.
No “copy-paste” from other companies’ ICPs.
Proper risk assessment provides the basis for an adequate and proportionate program.
ICP is an integrated program. Each element should build upon, and interconnect, with all other parts of the program.
Each organization should determine which procedures to apply for each element to ensure the most effective and efficient ICP to suit its purposes.

A particular focus is that the document should be readable and usable for company employees, but also contain all of the elements that licensing authorities consider essential to a successful program.

The ICP should be flexible and adaptable to changing rules, personnel, business and technology. Trade control rules often change suddenly in responsible to international or local concerns. Companies must monitor these regulatory developments and be ready to respond quickly. Successful programs should at the same time not be dependent on specific personnel to operate.

It goes without saying that the ICP should be routinely updated, not only on the view of a change in the company’s products, customers or destination countries, but also because export control rules are changing constantly, not to speak about sanctions and embargoes against States and exposed entities which are potentially changing every day and require specific measures to ensure permanent compliance.

Core elements of an ICP

On the basis of the 2019 EU Guidance on Dual-Use Items and the 7 core elements therein included, we have, in the following pages, defined 10 chapters which could serve as a structure for the Internal Compliance Program.

All may be seen as cornerstones for a company's tailor-made ICP and aim at assisting companies in their reflections on the most appropriate means and procedures for compliance with EU and Luxembourg trade control laws and regulations. They offer a basic and generic skeleton for company compliance and should be understood as “building blocks” for the preparation of ICPs by companies involved in trade with dual-use and/or other sensitive products. Each company should describe within its own tailor-made ICP how it implements the relevant elements in consideration of its specific circumstances. Companies may deviate from these guidelines if they justify that there are company-specific reasons for doing so.

Scope of this document

This document only relates to global authorizations in the field of export, import, transfer, transit and brokering operations concerning dual-use items.

It does not apply to defence-related products and other goods covered by the law of 27 June 2018, nor to technical assistance and intangible transfer of technology, as long as they are covered by the 2018 export control law.

Be reminded however that the wording “internal compliance program” appears a second time in the Export Control Law of 27 June 2018 in the context of defence-related products. The reliability of the recipient of such products shall be assessed according, in particular, to a description of the internal compliance program or the transfer and export management system implemented in the undertaking. This description shall provide details of the human, organizational and technical resources allocated to the management of transfers and exports, the chain of responsibility in the undertaking, internal audit procedures, awareness-rising and staff training, physical and technical security measures, traceability of transfers and exports, as well as the modalities of the control exercised by the administrator over the staff of the units responsible for exports and transfers … (Article 25.3., point 6).

For defence-related products, the European Commission has published Recommendation 2011/24/EU of 11 January 2011 on the certification of defence undertakings under Article 9 of Directive 2009/43/EC (hereinafter named “2011 EU Guidelines on Defence-Related Products”). Annex I provides questions and guidelines on the description of internal compliance programmes and for subsequent assessment. EU Member States are empowered to add further questions, which should be directly relevant to the certification assessment process.

In the particular field of intangible technology transfer, the Luxembourg legislation requires that license applications must be accompanied by: … a description of the measures implemented or to be implemented to ensure information security, both at the level of the provider of the know-how and of the relationship between provider and recipient of the know-how; … identification of risks associated with the transfer operation; and … a detailed presentation of the organizational, human and technical resources implemented to address these risks (Grand Duke Regulation of 14 December 2018, Article 11, points 2, 4 and 5).

These specific fields shall be subject of separate communications. Companies dealing with such products or providing such services may however, already, inspire themselves by this document when drafting an ICP covering such products and services.

When to present an ICP to the licensing authorities

An Internal Compliance Program (ICP) may be submitted at any time to OCEIT. Companies do not have to wait for a particular global license application, but may take the initiative beforehand to provide OCEIT with their program as soon as validated by the company’s board of directors or top-level management.

Companies should take into account that, if an ICP is presented together with a global license application, the deadline of 60 business days (which may be renewed one time for another 30 business days) that applies to OCEIT and the two ministers for dealing with the license application, may not be sufficient for assessing the ICP at the same time. In order to avoid the risk of not being granted the global license because the ICP assessment process is still ongoing, it is recommended to provide OCEIT with the ICP well in advance of license applications.

It should not be forgotten that OCEIT and the ministers may, in the course of the ICP assessment, reach out to the applicant company in order to ask for additional documents, for specific information in relation with particular points of the ICP or for personal meetings with company’s representatives. This may impact the duration of the assessment process.

It is advisable to transmit the ICP (including all attachments) in two original paper versions, and send at the same time an electronic copy by email to oceit@eco.etat.lu.

Chapter 1- Top-level management commitment to compliance

2019 EU Guidance on Dual-Use Items

Effective ICPs reflect a top-down process whereby the company's top-level management gives significance, legitimacy, and organisational, human and technical resources for the corporate compliance commitments and compliance culture.

What is expected?

Top-level management commitment aims to build compliance leadership (lead by example) and corporate compliance culture for dual-use trade control.
A written statement of support to internal compliance procedures by the top-level management promotes the company's awareness of the objectives of dual-use trade controls and compliance with the relevant EU and Member State laws and regulations.
The commitment indicates clear, strong and continuous engagement and support by top-level management. It results in sufficient organisational, human and technical resources for the company's commitment to compliance. The management communicates clearly and regularly to employees about the corporate commitment in order to promote a culture of compliance.

What are the steps involved?

Develop a corporate commitment statement stating that the company complies with all EU and Member State dual-use trade control laws and regulations.
Define the management's specific compliance expectations and convey the importance and value placed on effective compliance procedures.
Clearly and regularly communicate the corporate commitment statement to all employees (also employees with no role in dual-use trade control) in order to promote a culture of compliance.

The top-level management commitment referred to in the EU Guidelines is one the most important factors in determining its success. This support is essential in ensuring the Internal Compliance Program receives adequate resources and is fully integrated into the company’s daily operations.

An ICP that is not legitimized by Management, is not empowering the company staff and is not fostering a compliance culture throughout the company is not worth the paper it is written on. On the contrary, internal staff and Government authorities must read from this document that there is a clear commitment to respect and comply with trade controls and to ensure that any compliance measures are effective and supported permanently.

The Management must really buy into and commit to the success of the program and, through the statement, set the tone for the entire staff and foster a culture of integrity, transparency and compliance. At the same time, it must promote an openness to a self-reporting of possible trade control violations.

There is no general template to be recommended to exporters while drafting the text of the Management commitment. This is a case sensitive exercise, taking into account the risk associated to company’s operations, its products, services and customers, and corporate structures.

Government authorities shall assess the Management commitment through a number of points which they want to see in the commitment (see check-list below).

Check-List

Top-level management commitment clearly stating the company's commitment to trade controls applicable to sensitive products and services.
Explanation of the basic purpose of export controls, i.e. that export compliance is vital to protection the national security and foreign policy interests of the Grand Duchy of Luxembourg, and that unauthorized transfers of even low-level technology can potentially jeopardize national security of further the development of weapons of mass destruction.
Clear management commitment that under no circumstances will sales be made contrary to relevant export control rules, such a commitment including the statement that export compliance is good for business and compliance with export laws and regulations, and that the company’s export policy will not be compromised for commercial gain.
Statement that it is the responsibility of the company and its employees to be familiar and compliant with export controls.
Listing of specific risks as they relate to the company’s products, technology, destinations and activities, as a preventive measure to help employees understand possible non-compliance scenarios.
Description of penalties for non-compliance, to include business fines and penalties, including imprisonment, against the company and individual employees, possible loss of export control privileges and licences, and/or employee contract termination.
Affirmation of the Management’s commitment of appropriate resources to export control compliance.
Designation of an individual (with name, title, phone, email) to be responsible for updating the Management statement and for the dissemination of the statement within the company.
Designation of the appropriate responsible (with name, title, phone, email) to whom any question concerning the legitimacy of a transaction or potential violation should be referred to.
Indication of the means Management will use to build a pervasive compliance-oriented corporate culture and an environment wherein employees feel that they are helping the company by voicing concerns regarding possible problems with export transactions.
Indication of the means how employees will have access to Management Commitment and ICP, and acknowledge commitment to the company’s export compliance policy and procedures in support of the company’s compliance efforts.

Practical aspects

The Management commitment should wear original signatures by the company’s top-level management, empowered to legally commit the company.
The commitment should be integrated as an original copy or PDF document into the ICP document, at the beginning of the document.

Chapter 2 - Applicable legislation

Even if the EU Guidelines are not providing specific guidelines for that point, the drafting of a specific chapter dealing with the applicable legislation fulfils an important purpose.

On the one hand, as the ICP is an internal working document to be used in daily operations, it should provide users of the ICP with a complete and detailed overview of the legal framework of export control compliance, with precise legal references where to find the laws and regulations to which the company is subject to, and, above all, with (legally justified) answers to precise questions.

On the other hand, the ICP must show the licensing authorities that the ICP is built on the right foundations and that the company is aware of the rules covering export control and the penalties it may face in case of violations of the laws and regulations. At the same time, it must demonstrate that the company has analysed and integrated into the ICP relevant legislation of countries other than the Grand Duchy of Luxembourg, because they are destination countries of products or services, or geographical location of affiliated companies or corporate sale agencies, or location of customers or business partners and have therefore an impact on overall, worldwide, compliance.

Government authorities shall assess this chapter through the following points:

Check-List

Detailed explanation of the export control laws and regulations of the Grand Duchy of Luxembourg.
Detailed explanation of the relevant export control legislation of the European Union.
Detailed explanation of the export control legislation of other countries where the company has business entities, affiliates, relations or links, and which are likely to apply to the company, its products and/or services.
Description of administrative and criminal penalties for offenses to export control rules.

Practical aspects

The integration into the ICP document of complete legal texts, for example the law of 27 June 2018 and Grand Duke regulation of 14 December 2018, is useful (in that case, preferably in attachment to the main ICP document, due to the volume), but certainly not sufficient. What is required in the main document is an explanation of the legal texts, written in a simple language to be understood by all internal staff, who are mainly not lawyers.
The explanation should always contain references to legal texts which can be found at other places in or in attachment to the ICP document (for example: “Law of 27 June 2018, art. 26 (3), see page 157 of ICP document”, or “European Regulation 428/2009 on dual-use items, art. 9 (2), see Attachment 09 of ICP document”).
Entire legal texts must be provided at all times in their latest, coordinated version. Legal references should always been made in accordance with the currently applicable text.
Any modification of relevant laws, regulations and rules on export control must generate an update of the ICP document.
Integrating FAQ (frequently-asked-questions) for legal points into a specific section in this ICP chapter would constitute an example of good business practice.
An example of how to describe applicable legal rules could be to establish a table with 4 columns: the first one dealing with goods (dual-use, military, civil …), the second one indicating the different operations (export, import, transit, brokerage …), and the third one the possible restriction (prior authorization requirement, prohibition, no restriction) for each product/operation. The fourth column would indicate the legal basis for each of the results. Additional notes, needed to explain furthermore the steps or precise the meaning of legal wording, could be displayed in a note section or in footnotes.

Chapter 3 - Risk assessment

2019 EU Guidance on Dual-Use Items

An ICP needs to be tailored to the size, the structure and scope of the business, and, especially, to the company's specific business activity and related risks. Therefore, if a company wants to develop or review its compliance programme for dual-use trade control, it is recommended to start with a risk assessment to determine its specific dual-use trade risk profile. It will help the company to become aware of what parts of its business need to be covered by the ICP and target the ICP to the company's specific circumstances.

The risk assessment should carefully assess the product range, customer base and business activity that are or could be affected by dual-use trade control. It should identify relevant vulnerabilities and risks so that the company can incorporate ways to mitigate them under the ICP. Even though this risk assessment cannot identify all vulnerabilities and risks your company may face in future, it will give the company a better base to develop or review its ICP.

Companies often already have internal control processes in place and therefore, do not need to start from scratch when designing ICPs. The risk assessment supports a company to assess its existing corporate policies and procedures against export control related risks and come up with a course of action for adapting them, if necessary. In addition, promoting synergies between existing policies and export control requirements is a further step to consider from the beginning. For instance, it is a good practice to insert cross references to export control principles and requirements in the company's code of conduct, if available.

The outcomes of this risk assessment will affect the necessary actions and appropriate solutions for developing or implementing the company's specific compliance procedures.

A company may try to benefit as much as possible from the advantages of global, group-wide ICP solutions, but must always comply with all applicable EU and Member State laws and regulations.

The risk assessment is the basis for drafting an effective ICP. It constitutes the first chapter to work on, and will serve to tailor the ICP to the company-specific corporate structure and risk situation.

While there is no “one-size-fits-all” template, the risk assessment should review the company from top-to-bottom and assess its touchpoints to the outside world. The goal is to identify potential areas of risk.

It should at least:

describe company profile and corporate structure, including locations, activities or business partnerships outside Luxembourg;
indicate the business activity & type of customers, supply chain, intermediaries, consignees and end-users;
detail the geographical location of the customers and the destination of exports or services provided;
describe (all) the goods and services handled or provided by the company, even those not listed in relevant export control lists (catch-all !);
expose the end-use (military/civil/dual) of the company products;
describe how the company has organized its export process (starting with the initial customer request until shipment);
indicate how the company has set-up and ensured compliance with export control regulations in the country of its head office and abroad (destination countries of exports and services, location of business partners).

While implementing this risk assessment, it is advisable to be transparent and better show risks and measures taken or to be implemented to master them, than hiding relevant information. In order to allow Luxembourg licensing authorities to get a true and entire overview of the company, its products and customers, it gains to be complete (regarding companies part of the group, customers, business partners, goods ….).

As the risk assessment will be the first chapter which will be read by authorities, the company should here demonstrate professional approach in order to gain trust, be concrete, and not use general wording which could be part of any company’s ICP.

Government authorities shall assess this chapter through the following points:

Check-List

(A) Company Profile

Description of the company structure.
Recent RCS extract.
Narrative and organization chart indicating shareholders, composition of corporate bodies, location of corporate headquarters, operating divisions, manufacturing facilities, and domestic and foreign subsidiaries and affiliates.
List of human resources dedicated to the company group in the different divisions and locations.
Business permit (“autorisation d’établissement)” issued by the Minister of Economy.
List of all domestic and foreign divisions/offices/facilities that have a role in export transactions.

(B) Business Activity Profile

Description of the industry sector and business type (manufacturer, retailer, distributor, trading company, purchasing agent, OEM, system integrator, servicing agent, freight forwarder, other).
Description of field services the company performs.
Percentage of business (annual turnover) depending on exports and operations relating to licensable items.
Yearly number of exports and operations relating to items subject to an authorization.

(C) Customer Profile

Description of business type of customers and end-users, and their relation to the company.
List of potential locations of customers (by geographic region and countries).

(D) Commodity Profile

Description and export classification numbers of goods and/or services to be exported (commodity, software with or without encryption, technical data with or without encryption, services i.e. repair, technical assistance, brokerage).
Description of military and/or dual-use risks and/or export restrictions related to the company’s goods and/or services.
Indication of the technical specifications of the company products, if they are mentioned the legislation as dual-use items or military goods (if yes, under which category on the control lists the products are falling), if they are mentioned in sanctions regulations against specific countries.

(E) End-Use Profile

Description of how customers are using the company’s products and/or services.
Analysis if the company’s products may be used for proliferation activities (chemical, biological or nuclear weapons, technology to develop destructive systems).

(F) Order Processing Profile

Description of the steps of the company’s export order process.
Indication of the ways orders are received and will follow processing routes.
Functions and responsibilities within the company (e.g. purchasing, engineering, project management, shipping).

(G) Shipping Profile

Indication how products are delivered and their receipt is tracked.

Practical aspects

It constitutes good practice to conclude this chapter by an overall assessment of export control risks, which could be visualized via a matrix indicating the low, medium or risk area in which the different elements assessed are.

Chapter 4 - Organisation structure, responsibilities and resources

2019 EU Guidance on Dual-Use Items

Sufficient organisational, human and technical resources are essential for effectively developing and implementing compliance procedures. Without a clear organisation structure and well-defined responsibilities, an ICP risks suffering from lack of oversight and undefined roles. Having a strong structure helps organisations work out problems when they arise and prevent unauthorised transactions from occurring.

What is expected?

The company has an internal organisational structure that is set down in writing (for instance in an organisational chart) and that allows for conducting internal compliance controls. It identifies and appoints the person(s) with the overall responsibility to ensure the corporate compliance commitments. Please be aware that in some Member States this must be a member of the top-level management.
All compliance related functions, duties and responsibilities are defined, assigned and connected to each other in an order that ensures the management that the company conducts overall compliance. Where appropriate or even necessary, functions and/or duties relating to export controls (but not the overall responsibility) may be delegated within the entity or shared between two or more corporate entities within the EU.
The company adequately staffs all areas of the business that are related to dual-use trade with employees who demonstrably have the required skills. At least one person in the company is (not necessarily exclusively) entrusted with a dual-use trade control function. This function can be shared between corporate entities within the EU as long as an appropriate level of controls is maintained. Please note however that in some EU Member States this may not be possible, as national export control legislation requires a dedicated person to be appointed locally.
Dual-use trade control staff should be protected as much as possible from conflicts of interest. This staff is entitled to directly report to the person(s) with the overall responsibility for dual-use trade controls and should additionally have the power to stop transactions.
Dual-use trade control staff must have access to the relevant legislative texts, including the latest lists of controlled goods and lists concerning embargoed or sanctioned destinations and entities. Appropriate operational and organisational processes and procedures, relevant for dual-use trade controls, are documented, gathered and distributed to all relevant personnel.
The company should have a compilation of the documented processes and procedures (e.g. in a compliance manual) that is up-to-date. Depending on its size and its business volume, the company should consider the need for IT support for internal compliance procedures.

What are the steps involved?

Determine the number of dual-use trade control staff, taking into account legal and technical aspects which need to be covered. Entrust at least one person in the company with the company's dual-use trade compliance and ensure that an equally qualified substitute can assume the task in case of absence (such as sickness, holiday and so on). Depending on the average volume of orders, this person may only have to handle tasks relating to dual-use export control on a part-time basis.
Clearly identify, define and assign all compliance related functions, duties and responsibilities, possibly in an organisational chart. Clearly identify back-up functions whenever possible.
Make sure that the internal organisational structure for dual-use trade control is known throughout the organisation and that the internal records of these assignments are routinely updated and distributed to employees. Make the contact details of the responsible person for dual-use trade control questions known within the company. If trade control duties are being outsourced, the interface to and the communication with the company needs to be organised.
Define the knowledge and skills needed by legal and technical dual-use trade control staff. Job descriptions are recommended.
Make sure that dual-use trade control staff is protected as much as possible from conflicts of interest. Depending on the size of the company, the responsibility for compliance may be laid down at a suitable department or division. For example: person(s) making the final decision whether goods can be shipped, are not part of the sales department, but part of the legal department. Allow this staff to function as expert advisors to guide company decisions resulting in compliant transactions. Document and distribute the set of policies and procedures addressing dual-use trade controls to all relevant personnel.
Compile the documented policies and procedures and consider the format of a compliance manual.

The internal organization for export control compliance follows the risk assessment outlined in chapter 3 of the ICP.

The level of sophistication of a company’s internal compliance controls will depend on the nature and scale of the business. What is essential is that policies, procedures and controls be carefully thought out, clearly set down in writing, and effectively communicated to all employees, agents and business partners.

The company must exercise particular care in selecting in appointing the employees responsible for export control. All business areas related to foreign trade should be adequately staffed with employees having the required specialist skills (legal and technical) and are also personally reliable. Individual compliance responsibilities should be expressly included in job descriptions and performance evaluations of personnel, as appropriate.

The ICP should demonstrate that the Export Control Compliance Officer (or a person with a similar function) has a direct line of communication to the Board of Directors and Senior Management, is knowledgeable concerning the applicable international and national regulations and has a good working understanding of the company’s products, services, technologies, suppliers and customer base. He or she should have full authority to look into all compliance-related matters and put together a project team to address and resolve problems when they arise. Responsibility should extend to the daily monitoring of official announcements and press releases from regulators, to developments or enforcement actions that could impact the company’s line of business or its suppliers, and to the communication of changes in regulations, policies, or procedures to company personnel by means of in-house e-mails, newsletters, announcements or notices posted on the company intranet.

Licensing authorities would appreciate if the responsible person has sole responsibility for managing communications with regulatory agencies for all compliance-related issues and, for the need of effective communication, will be located in Luxembourg.

Government authorities shall assess this chapter through the following points:

Check-List

Organisational chart allowing for conducting internal compliance controls.
Appointment of the person(s) with the overall responsibility to ensure the corporate compliance commitments (including title – for example Export Control Compliance Officer (ECCO) -, qualifications, job description, contact details)
Designation of an equally qualified substitute who can assume the task in case of absence (including knowledge and skills in trade controls, and job description).
Appointment (including contact details) of the person(s) in charge of answering employees' questions on the company's compliance procedures, on a suspicious enquiry or on possible violations.
Description of knowledge and skills of staff in trade controls.
Job description of trade control staff.
Indication of how conflict of interests situations shall be avoided and independence of export control staff (including authorization granted to export control staff to halt a transaction or inform the responsible compliance officer directly when they require permission to stop a transaction) ensured.
Description of the interaction with other departments within the company.
In case of outsourcing of trade control compliance management, organisation of the interaction of external providers with internal staff.
Description of the means of access to the relevant legislative texts, including the latest lists of controlled goods and lists concerning embargoed or sanctioned destinations and entities.
Indication of IT support for internal compliance procedures.

Practical aspects

To demonstrate adequate knowledge and skills required from export control staff, it is advised to include portrait pictures, detailed job descriptions (in the main document) and curriculum vitae (in attachment), with a focus on studies, qualifications and trainings in the field of trade control management.

Chapter 5 - Training and awareness raising

2019 EU Guidance on Dual-Use Items

Training and awareness raising on dual-use trade control is essential for staff to duly perform their tasks and take compliance duties seriously.

What is expected?

The company ensures via training that the dual-use trade control staff is aware of all relevant export control regulations as well as the company's ICP and all amendments to them. Examples of training material are external seminars, subscription to information sessions offered by competent authorities, in-house training events, and so on.
Furthermore, the company carries out awareness raising for the employees at all relevant levels.

What are the steps involved?

Provide compulsory, periodic training for all dual-use trade control staff to ensure they possess the knowledge to be compliant with the regulations and the company's ICP.
Ensure via training that all concerned employees are aware of all relevant dual-use trade control laws, regulations, policies, control lists and all amendments to them as soon as they are made public by the competent authorities. If possible, consider customised trainings.
Develop general awareness raising for all employees and dedicated training activities for e.g. purchasing, engineering, project management, shipping, customer care and invoicing.
Consider, whenever appropriate, to make use of national or EU training initiatives for dual-use trade control.
Incorporate lessons learnt from performance reviews, audits, reporting and corrective actions, whenever possible, in your training or export awareness programs.

For export control compliance, regular employee training is critical, due to the dynamic nature of international and local trade control regulations, and sanctions and embargoes.

All the compliance policies, procedures, and “best practices” in the world are worthless unless they are known, correctly understood, and followed by employees. Even worse, they may create a sense of false security.

While automated screening can only help to detect sanctions violations, alert trained employees will spot red flags and inconsistencies that software cannot.

Corporate training programs must ensure that staff training is conducted regularly and frequently enough, that deadlines for completing or renewing training are enforced, that training content is being updated, and that training is deployed with a test or questionnaire to verify knowledge retention.

Authorities will refer to the following check-list for assessing the company’s efforts and measures in training and awareness rising.

Check-List

Appointment of the responsible person(s) for overseeing export compliance training.
Appointment of the responsible person(s) for conducting the export compliance training.
Indication of staff to be trained (include a timetable for new employees and existing employees).
Indication of the types of tailored training to be provided.
Definition of the topics of the training to be provided to senior management, to all new employees (introductory training), to employees with export-related jobs (intermediate training) and export compliance personnel (advanced training).
Measures to implement awareness raising activities.
Description of how often will training be provided and/or required.
Description of the means to document training and maintain training records.
Description of the means to keep training materials relevant and up to date.
Measures to integrate performance reviews, audits, reporting and corrective actions in training or trade control compliance awareness programs

Practical aspects

In case the ICP has been validated by licensing authorities for the granting of global authorizations, the follow-up to be demonstrated to authorities on the implementation of the ICP shall include supporting documents on trainings (agenda, topics, materials, list of participants). It is therefore recommended to keep detailed and structured records on training and awareness raising activities implemented on the level of the company.

Chapter 6 - Transaction screening process and procedures

2019 EU Guidance on Dual-Use Items

In terms of operational implementation, transaction screening is the most critical element of an ICP. This element contains the company's internal measures to ensure that no transaction is made without the required license or in breach of any relevant trade restriction or prohibition. The transaction screening procedures collect and analyse relevant information concerning item classification, transaction risk assessment, license determination and application, and post-licensing controls. Transaction screening measures also allow the company to develop and maintain a certain standard of care for handling suspicious enquiries or orders.

What is expected?

The company establishes a process to evaluate whether or not a transaction involving dual-use items is subject to national or EU dual-use trade controls and determine the applicable processes and procedures. In case of recurring transactions, transaction screening needs to be performed periodically. This core element is divided into:

Item classification, for goods, software and technology
Transaction risk assessment, including:
- Checks on trade-related embargoed, sanctioned or “sensitive destinations and entities” ,
- Stated end-use and involved parties screening,
- Diversion risk screening,
- “Catch-all controls for non-listed dual-use items

Determination of license requirements and licence application as appropriate, including for brokering, transfer and transit activities; and
Post-licencing controls, including shipment control and compliance with the conditions of the authorisation

In case of doubt or suspicion during the transactions screening process, in particular about the results of the stated end-use and involved parties or diversion risk screening, please consult with the competent authority in the EU Member State where your company is established.
Transaction screening can be done manually or with the support of automated tools, depending on your company's needs and available resources.

6.1. Item classification

2019 EU Guidance on Dual-Use Items

What are the steps involved?

Item classification is about determining whether the items are listed. This is done by comparing the technical characteristics of an item against the EU and national dual-use control lists. If applicable, identify whether the item is subject to restrictive measures (including sanctions) imposed by the EU or the EU Member State in which your company is established.
Understand that dual-use items, whether a physical product, software or technology, could require a license for various reasons.
Pay particular attention to the classification of dual-use components and spare parts, and to the classification of dual-use software and technology that can be transferred by email or made available via, for instance, a “Cloud” service abroad.
Gather information about the possible misuse of your dual-use items in the context of e.g. conventional military or WMD proliferation. Share this information within the company.
It is recommended to request information from your supplier(s) about the dual-use classification of materials, components, subsystems that are processed or integrated by your company, including machinery used in the production. It is still your company's responsibility to check the classification received from the supplier(s).
As required by Article 22(10) of the EC dual-use Regulation (EC) No 428/2009, mention — with a reference to the relevant legislation — in the commercial documents relating to intra-EU-transfers that the transaction involves listed dual-use items and are subject to controls if exported from the EU.

A proper product classification constitutes often the starting point of the compliance program. The assessment if a particular item is a “controlled” good, that means listed on the EU and/or national dual-use list, requires a perfect knowledge of the product’s technical features, the ability to compare these features with the (not always easy to read) relevant codes descriptions in the control lists and a good understanding of export control principles and rules.

The correlation table published by the European Commission indicates the potential dual-use codes associated with the TARIC customs nomenclature. However, this table is for information purposes only and is only an aid. Companies must therefore, after having determined the TARIC code, check one after the other the "dual-use" codes in column C of the correlation table, which is regularly updated, and document in the classification sheet the elements on which there is (or is not) a correlation between the technical characteristics of their products and the criteria contained in the technical description of the "dual-use" code. However, they should not forget to ensure that their product is not listed under another "dual-use" code(s).

The classification is the responsibility of the company. Licensing authorities are checking the classification when dealing with license applications, but shall not substitute to the company in such classification process.

The question regains still more importance when knowing that even non-listed products should be considered when determining an authorization requirement, given the impact of catch-all provisions now fully implemented in Luxembourg export control legislation.

The following check-list points will be assessed by licensing authorities:

Check-List

Indication of the (technical, legal, export control) person(s) responsible for item classification.
Reproduction of the product classification sheet used internally for classification purposes.
Results of the product classification process: number of products manufactured and/or exported by the company, their classification with regard to export control lists.
Indication if company’s products are subject to restrictive measures (including sanctions) imposed by the EU or Luxembourg.
Description of controlled and/or non-listed software and technology that can be transferred by email or made available via a “Cloud” service.
Description of methods used to establish goods classification (self-classification, manufacturer-classification, external).
Electronic data processing system in place to record the classification of products received or manufactured by the company.
Description of the means translating changes in the national and EU control lists translated into the company's classification procedures.

Practical aspects

A template product classification sheet is reproduced in Attachment 1 to this document. It indicates the different steps which should be fulfilled during the classification process. It is well understood that such document is provided for reference only and could be tailored to each company’s situation, needs and internal IT processes.

During the classification process, information obtained from a supplier about the dual-use or military classification of materials, components, subsystems that are processed or integrated by the company, including machinery used in the production, should be checked again. Any supporting documents obtained or consulted should be attached to the classification sheet.

The ICP could contain a description of the CN classification and the means to determine if the good is subject to any restriction, based on the CN code. The same applies to dual-use, military and torture good classification.

The internal product classification sheets could be attached to the ICP manual. Beside providing complete and transparent information to authorities assessing the ICP, this would have the advantage to avoid presenting the relevant classification sheets again as a supporting document with each license application.

6.2. Transaction risk assessment

2019 EU Guidance on Dual-Use Items

What are the steps involved?

Checks on embargoed, sanctioned or sensitive destinations and entities
Ensure that none of the involved parties (intermediaries, purchaser, consignee or end-user) are subject to restrictive measures (sanctions) by consulting the up-to-date sanctions lists.

Stated end-use and involved parties screening
Know your customers and their end-use of your products.
Consult the information provided by your competent authority for EU and national rules and requirements concerning end-use statements. Even without a national obligation to submit a correctly filled-out and signed end-use statement, an end-use statement may be a useful means to check the reliability of the end-user/consignee and the information can be used to determine if an authorisation is required for non-listed dual-use items where there are stated end-use concerns under the terms of Article 4 of Regulation (EC) No 428/2009.
Be vigilant for diversion risk indicators and signs about suspicious enquiries or orders e.g. assess if the stated end-use is consistent with the activities and/or markets of the end-user. Annex 2 contains a list of questions to support stated end-use and involved parties screening.

Diversion risk screening

Be vigilant for diversion risk indicators and signs about suspicious enquiries or orders. Annex 2 contains a list of questions to support diversion risk screening.
Pay particular attention to the catch-all controls for non-listed dual-use items, if the stated end-use and involved parties screening or the diversion risk screening provide information of concern under the terms of Article 4 of Regulation (EC) No 428/2009.

‘ Catch-all’ controls for non-listed dual-use items
Ensure that the company has procedures in place to determine if it is ‘aware’ that there is information of concern about the stated end-use (under the terms of Article 4 of Regulation (EC) No 428/2009). If the exporter is “aware”, the company ensures that no export occurs without notifying the competent authority and without having received the competent authority's final decision.
For cases in which the exporter is being ‘informed’ by the competent authorities that there is information of concern about the stated end-use (under the terms of Article 4 of Regulation (EC) No 428/2009), then the company needs to have procedures in place to ensure the swift flow of information and the immediate stop of the export. It must be ensured that the export does not occur without having received an authorisation by the competent authority.

Administrative authorities will assess this chapter through the following points:

Check-List

(A) Screening procedures

Definition of accountability for maintaining screening procedures.
Allocation of responsibility for performing checks.
Scheduling of checks within the entire system flow chart.
Indication of tool(s) used to ensure completion of checks during the approval process of customers and transactions.
Indication of compliance audit tools used.
Reproduction of the customer profiling documentation used by the company.
Appointment of the responsible person(s) for training on screenings.
Instructions regarding the treatment of questionable transactions or activities, including methods of resolution.
Description of precautions taken against the delivery of unlicensed products or the delivery of licensed products to unlicensed recipients.
Procedures for dealing with positive and negative results from the transaction risk assessment.
Description of means of resolution of “false positive” results (i.e. an unnecessary hit of concern) from the transaction risk assessment.
Instructions to staff for dealing with situations of intangible transfer of technology and technical assistance (visits, conferences and seminars) in relation with dual-use items.

(B) Checks on embargoed, sanctioned or sensitive destinations and entities

Description of processes ensuring that none of the involved parties (intermediaries, purchaser, consignee or end-user) are subject to restrictive measures (sanctions)

(C) Stated end-use and involved parties screening;

Description of Know your customers processes and the checks of their end-use of products.
Definition of the periodic screening of existing customers.
Description of means implemented with regard to diversion risk indicators and signs about suspicious enquiries or orders, ensuring that all personnel are considering red flags and are documenting resolution of red flags;
Definition of procedures of end-use, end-user and final destination screening.

(D) Diversion risk screening

Description of means implemented with regard to catch-all controls for non-listed items, if the stated end-use and involved parties screening or the diversion risk screening provide information of concern.

(E) “Catch-all” controls for non-listed dual-use items

Description of procedures in place to determine if the company is “aware” that there is information of concern about the stated end-use.
Description of procedures in place for cases in which the exporter is being “informed” by the competent authorities that there is information of concern about the stated end-use, where there is a need to ensure the swift flow of information and the immediate stop of the export until the required authorization has been obtained.

Practical aspects

The means implemented to ensure that items, customers, end-users and transactions are screened in order to ensure compliance with export-related procedures should be integrated into an internal process flow chart, showing relevant screenings on a timeline basis. This chart should be integrated into the ICP manual.

2019 EU Guidance on Dual-Use Items

“Red flags” relating to suspicious enquiries

Being vigilant for signs of suspicious enquiries or orders is vital for countering the risks of the proliferation of Weapons of Mass Destruction, their means of delivery, and the destabilising accumulations of conventional weapons. Sharing such information with your competent authority is highly recommended and in some cases may be mandatory under EU and national laws and regulations. In case of doubt, consult with the competent authority.

The below non-exhaustive list of ‘red flags’ is based on existing best practice and is derived from:

the Wassenaar Arrangement list of advisory questions for industry (Agreed at the 2003 Plenary and review agreed at the 2018 Plenary)
the 2010 Compliance Code of Practice (Department for Business Innovation & Skills, United Kingdom) and
ICP approaches from competent authorities in other EU Members States

Based on your company's experience, additions or amendments to the list below can be made. You know best what is suspicious within your business area. Your company should be vigilant if one or more of the following ‘red flags’ are detected:

Your product(s):

your product is still being developed or has not yet found many customers in your domestic market;
the characteristics of your product are technically superior to those of established competitors;
your customer requested unusual customization of a standard product, or modification requests raise concerns about potential applications of the customized product;
your product has known dual-use, military, or sensitive application;

End use and End user:

the customer is new to your company and your knowledge about him(her) is incomplete or inconsistent or it is difficult to find information about the customer in open sources;
the stated end user is a trading company, distributor or based in a free trade zone so that your company might be unaware where your product(s) finally ends up;
the end user is tied to the military, the defence industry or a governmental research body and the stated end use is civilian;
the customer seems not to be familiar with the product and its performance characteristics (e.g. an obvious lack of technical knowledge);
the customer requests a product that seems overly capable for the intended application;
the contact information in enquiries (e.g. phone numbers, email and addresses) is located in other countries than the stated company, or changed to that over time;
the company has a foreign company name (e.g. in a language that is unexpected for the country where headquarter is located);
the company website lack content in comparison to what is normally found on a legitimate company website;
the customer is reluctant to offer information about the end use of the items (e.g. via an end-user statement), provide clear answers to commercial or technical questions which are routine in normal negotiations or to provide an end user statement;
an unconvincing explanation is given as to why the items are required, given the customer’s normal business, or the technical sophistication of the items;

Shipment

unusual shipping, packaging or labelling arrangements are requested; usual incoterms for shipment, the sealing of containers/trucks and the confirmation of receipt by the consignee/end-user are refused

Finance and contract conditions

unusually favourable payment terms such as paying an unreasonable high price, full payment in advance or want to do a full cash payment immediately unusual;
the payment is made by other parties than the customer or stated intermediaries and follow another route than the products;
routine installation, training or maintenance services are declined;
the installation site is in an area under strict security control or is in an area to which access is severely restricted;
the installation site is unusual in view of the exporter's line of business or is unusual in view of the type of equipment being installed;
there are unusual requirements for excessive confidentiality about final destinations, or customers, or specifications of items;
there are requests for excessive spare parts or lack of interest in any spare parts.

Sharing information about suspicious enquiries with your competent authority is highly recommended and a good business practice. Additionally, where appropriate, information-sharing within the companies' supply chain and with other exporters may be valuable in light of the risk that proliferators send requests to different companies, hoping that one of the requests may be successful or with the aim of acquiring a critical amount of material from different sources (where each individual request would not yet raise suspicion). In case of doubt, consult with the competent authority.

Source: European Commission Recommendation (EU) 2019/1318 of 30 July 2019

6.3. License determination and application, including for brokering, transfer and transit activities

2019 EU Guidance on Dual-Use Items

What are the steps involved?

Ensure that your company has the contact details of the competent export control authority.
Gather and disseminate information about the range of license types (including individual, global and general licenses) and controlled activities (including export, brokering, transfer and transit), and about the license application procedures relating to the applicable EU and national dual-use trade controls.
Be aware of less obvious controlled types of export (such as export via the ‘Cloud’ or via a person's personal baggage) and of dual-use trade control measures for activities other than export, such as technical assistance or brokering.

To determine whether an authorization is required for a particular operation, several criteria come into play, including the classification of the product, the nature of the transaction, the profile and location of the customer and/or end user, the end use of the product, and the method of delivery. The ICP must show the internal process that the company adopts to ensure that at all times, no exports or transactions of any kind are initiated or executed without government authorization having been requested and granted in cases where such authorization is required.

Competent authorities will assess this chapter through the following points:

Check-List

Description of internal procedures to determine whether a license is required based on applicable laws and regulations.
Description of the legislation applicable to authorizations application and granting process, including authorization types and deadlines to be respected by the authorities for processing applications.
Indication of the competent licensing authorities and administration.

Practical aspects

Within the description of the legislation concerning applications for authorizations, the ICP should explain the difference between individual / global / general authorizations, indicate the information to be provided as a support to license applications, and refer to the different forms for license applications as defined by the Grand Duke regulation of 14 December 2018, as published on www.guichet.lu/oceit.

6.4. Post-licencing controls, including shipment control and compliance with the conditions of the authorisation

2019 EU Guidance on Dual-Use Items

What are the steps involved?

Before the actual shipment, there should be a final check that all steps ensuring compliance were duly taken. This is a good moment to check if items are correctly classified, if ‘red flags’ have been identified, if the screening of entities was effectively performed and if there is a valid licence for the shipment.
A final transaction risk assessment is necessary in case of a change of relevant legislation in the meantime, for example if the commodity is now a listed dual-use item or the end-user is now sanctioned.
Implement a procedure in which items can be stopped or put on hold when any of the requirements are not met, or when any ‘red flags’ are raised. The items should only be released by a person with responsibility for compliance.
Ensure that the terms and conditions of the licence have been complied with (including reporting).
Be aware that any changes to the exporting company's details (such as name, address and legal status), to the details of the end-user and/or intermediaries and to the details of the authorised items may affect the validity of your license.

Competent authorities will assess this chapter through the following points:

Check-List

Description of internal procedures to ensure that a final compliance check is made before the actual shipment
Description of the procedure in which items can be stopped or put on hold when any of the requirements are not met, or when any ”red flags” are raised.
Definition of means ensure that the terms and conditions of the licence have been complied with (including reporting).

Chapter 7 - Recordkeeping and documentation

2019 EU Guidance on Dual-Use Items

Proportionate, accurate and traceable recordkeeping of dual-use trade control related activities is essential for your company's compliance efforts. A comprehensive recordkeeping system will help your company with conducting performance reviews and audits, complying with EU and/or national documentation retention requirements and it will facilitate cooperation with competent authorities in case of a dual-use trade control enquiry.

What is expected?

Recordkeeping is the set of procedures and guidelines for legal document storage, record management and traceability of dual-use trade control related activities. Recordkeeping of some documents is required by law but it may also be in your company's best interest to keep records of some other documents (e.g. an internal document describing the technical decision to classify an item). Where all required records are captured and correctly filed, this allows for more efficient search and retrieval during the day-to-day dual-use trade control activities, and also during the periodic audits.

What are the steps involved?

Verify the legal requirements for recordkeeping (period of safekeeping, scope of documents, etc.) in the relevant EU and national legislation of the EU Member State where the company is established.
In order to make sure that all relevant documentation is at hand, consider determining the record retention requirements in contracts with intermediaries, including freight forwarders and distributors.
Create an adequate filing and retrieval system for dual-use trade control. Both for paper and electronic systems, performant indexing and search functionalities are essential.
Ensure that export control related documents are maintained in a consistent manner and can be made available promptly to the competent authority or other external parties for inspections or audits.
It is recommended to keep a record of past contacts with the competent authority, also in relation with end-use(r) controls for non-listed dual-use items and in case of technical classification advice.

A sound recordkeeping system should define responsibilities and apply standards that encompass all record formats including but not limited to hard copy and electronic media, records from websites, management information systems, e-mail correspondence, and documents in individual and shared workspaces. Ongoing training and awareness programs should ensure and promote the effective capture, retrieval, and management of records.

This system should identify who will keep the records, specifically list the records that are to be maintained and in what format and detail the filing and retrieval systems and procedures. It should clarify the records retention period and determine methods to verify compliance with the recordkeeping requirements.

In this policy field, those designated with recordkeeping responsibility shall be publicly identified.

All required records should be captured and correctly filed to allow for efficient search and retrieval by conducting periodic audits of the recordkeeping system. Documents should be kept in easily retrievable form and location, and the filing system, whether hard copy or electronic, should allow easy matching, for any particular transaction, of invoices, delivery notes, air waybills, bills of lading, packing slips, and records such as technical data logs; and that regular internal reviews of recordkeeping to ensure proper practices and procedures are followed.

The company should as well show how it manages the risk of losing records by describing the physical storage site, the safeguarding and recovery measures of electronic records and systems and processes of data deletion.

The following check-list will guide competent authorities in their assessment:

Check-List

Description of the company-wide policy defining responsibilities and applying standards that encompass all record format, including but not limited to hard copy and electronic media, records from websites, management information systems, e-mail correspondence, and documents in individual and shared workspaces.
Description of filing, record-management, safeguarding and protection systems.
Description of logs to track exports, imports, transits and re-exports.
Description of recordkeeping of foreign-national visitors at the company’s facilities for the purposes of risk management attached to an intangible transfer of technology with regard to dual-use items.
Description of recordkeeping of communications with Governments and public authorities.

Practical aspects

Legal requirements for recordkeeping are contained in the law of 27 June 2018, in particular Articles 4, 7, 8, 13, 24, 39, §40, 41, 48 and 49. The ICP should contain a reference to such provisions, and explain them in an easily understandable way.
Specific penalties do apply for failures in relation with recordkeeping. Type of offenses and references to the law of 27 June 2018 (article 61) should be mentioned in the ICP.

Chapter 8 - Physical and information security

2019 EU Guidance on Dual-Use Items

Trade controls for dual-use items, including software and technology, occur for reasons of (inter)national security and foreign policy objectives. Due to their sensitivity, therefore dual-use items should be “protected”, and having appropriate security measures contributes to containing the risks of unauthorised removal of, or access to, controlled items. Physical security measures are important but, because of the very nature of controlled software or technology in electronic form, ensuring compliance with dual-use trade regulations can be particularly challenging and also requires information security measures.

What is expected?

Physical and information security refers to the set of internal procedures that are designed to ensure the prevention of unauthorised access to or removal of dual-use items by employees, contractors, suppliers or visitors. These procedures cultivate a security culture within the company and ensure that dual-use items, including software and technology, do not get lost, are not easily stolen or exported without a valid license.

What are the steps involved?

Physical security

Ensure, according to the company's risk assessment, that controlled dual use items are secured against unauthorised removal by employees or third parties. Measures that could be considered include, for example, physically safeguarding the items, the establishment of restricted access areas and personnel access or exit controls.

Information security

Establish basic safeguarding measures and procedures for secured storage of and access to controlled dual-use software or technology in electronic form, including antivirus checks, file encryption, audit trails and logs, user access control and firewall. If applicable to your company, consider protective measures for uploading software or technology to the “Cloud”, storing it in the “Cloud” or transmitting it via the “Cloud”.

The following points shall be assessed by Luxembourg competent authorities:

Check-List

Description of internal procedures ensuring the prevention of unauthorised access to or removal of sensitive items (with regard to physical safeguarding of items, the establishment of restricted access areas and personnel access or exit controls).
Description of measures and procedures for secured storage of and access to controlled software or technology in electronic form, including antivirus checks, file encryption, audit trails and logs, user access control through password-protected systems, firewall and surveillance system for electronic equipment and e-mails
Description, if applicable, of protective measures for software or technology to be uploaded to, stores in or transmitted via the “cloud” for the purposes of management of risks attached to an intangible transfer of technology concerning dual-use items.

Chapter 9 - Performance review and audits

2019 EU Guidance on Dual-Use Items

An ICP is not a static set of measures and therefore must be reviewed, tested and revised if proven necessary for safeguarding compliance. Performance reviews and audits verify whether the ICP is implemented to operational satisfaction and is consistent with the applicable national and EU export control requirements. Performance reviews, audits (…) are designed to detect inconsistencies to clarify and revise routines if they (risk to) result in non-compliance.

What is expected?

The company develops performance review procedures to verify the day-to-day compliance work within the company and to check whether the export control operations are implemented appropriately according to the ICP. Performance review is executed internally, enables the early detection of instances of non-compliance and the development of follow-up measures for damage control. Performance review thus reduces risks for the company.
The company has procedures in place for audits, being systematic, targeted and documented inspections to confirm that the ICP is correctly implemented. Audits can be performed internally or by qualified external practitioners.

What are the steps involved?

Provide for random control mechanisms as part of daily operations to monitor the trade control workflow within the company to ensure that any wrongdoings are detected in an early stage. Another approach is to use the ‘four eyes principle’, where trade control decisions are reviewed and double-checked.
Develop and perform audits to check the design, adequacy and efficiency of the ICP.
Make sure to include all aspects of the internal compliance programme into the audit.

Beside a written and documented program, a successful compliance program requires effective internal controls that implement that program. It is up to the company itself to determine, on the basis of its risk profile and organisational structure, the nature, extent and intensity of these controls. These mechanisms include controls of different types: controls as part of daily operations regular audits and random controls. During daily operations, products will be released based on the 4-eyes principle. Random inspections will take place any time this is necessary in order to ensure that operational procedures within all of the company's export-related divisions and locations reflect the company’s ICP and government export regulations.

To maintain and maximise the efficiency of the ICP, it is advised to carry out an internal audit at regular intervals. This is part of a process of continuous improvement of internal business processes.

Depending on the company profile, it can also be opted to contract out the audit to an external specialist.

The company must evaluate the effectiveness of its compliance efforts by formally verifying/evaluating all elements of its compliance program. All verification criteria must be specified in writing in advance and the results of audits must be documented.

Competent authorities will assess this chapter by reference to the following check-list:

Check-List

Description of the random trade control performance reviews implemented in daily business operating procedures.
Description of the internal audit program (agenda, content).
Demonstration of the qualification and experience level, and the training program, of (internal/external) audit personnel.
Description of procedures and practices for audit reporting.
Description of procedures to implement audit recommendations and follow-up on corrective actions taken.

Practical aspects

In case the ICP has been validated by licensing authorities for the granting of global authorizations, the follow-up to be demonstrated to authorities on the implementation of the ICP shall include supporting documents on audits (agenda, composition of audit teams, audit reports). It is therefore recommended to keep detailed and structured records on audits, including on daily random performance reviews.

Chapter 10 - Internal reporting and corrective actions

2019 EU Guidance on Dual-Use Items

A well-functioning ICP has clear reporting procedures about the notification and escalation actions of employees when a suspected or known incident of non-compliance has occurred. As part of a sound compliance culture, employees must feel confident and reassured when they raise questions or report concerns about compliance in good faith. (…) reporting procedures are designed to detect inconsistencies to clarify and revise routines if they (risk to) result in non-compliance.

What is expected?

Reporting is the set of procedures for dual-use trade control staff and other relevant employees regarding the notification and escalation measures to take in the event of suspected or known incidents of dual-use trade non-compliance. It does not refer to external reporting obligations, e.g. in case your company is registered for the use of a union general export authorisation under the terms of Regulation (EC) No 428/2009.
Corrective actions are the set of remedial actions to guarantee the proper implementation of the ICP and the elimination of identified vulnerabilities in the compliance procedures.

What are the steps involved?

Ensure that employees feel confident and reassured when they raise questions or report concerns about compliance in good faith.
Establish whistleblowing and escalation procedures to govern the actions of employees when a suspected or known incident of dual-use trade non-compliance has occurred. Third parties may be given this option as well.
Document any suspected breaches of national and EU dual-use control legislation and the associated corrective measures in writing.
Take effective corrective actions to adapt the export control operations or the ICP according to the findings of the performance review, the ICP system audit or the reporting. It is recommended to share these findings, including the revision to procedures and corrective actions with dual-use trade control staff and management. Once the corrective actions have been implemented, it is recommended to communicate the amended procedures to all employees concerned.
A dialogue with your competent authority can contribute to damage control and possible ways to strengthen the company's export control.

The objective herein is to provide clear guidance to company employees regarding notification, escalation, and corrective action for times when there are problems or suspected problems with export transactions.

The ICP must describe, when a violation of export control regulations or ICP procedures occurs, how a report shall be made to the person responsible for export controls and how any corrective action shall be implemented to ensure similar violations will be avoided.

The following check-list will be used by competent authorities during the ICP validation process:

Check-List

Instructions on where suspected incidents of export-related non-compliance should be reported.
Identification of the office or individual(s) (including name, phone number, e-mail address) assigned the responsibility for taking reports.
Description of internal procedures to be followed when a suspected incident of export-related non-compliance has been reported.