EU Dual-Use Export Controls: A Practical Guide for Semiconductor Teams

The Framework: Regulation (EU) 2021/821

Regulation (EU) 2021/821 entered into force on 9 September 2021, replacing the framework that had governed EU dual-use exports since 2009. It was the most significant overhaul of European export control architecture in over a decade.

The term dual-use refers to goods, software, and technology with legitimate civilian applications that can also serve military purposes or enable weapons development. In the semiconductor context, this covers a lot of ground. High-performance chips, advanced manufacturing equipment, chip design software. The same silicon powering a data centre can, with the right integration, enable hypersonic guidance systems or advanced surveillance infrastructure. That is why the controls exist.

The 2021 regulation brought several changes worth understanding. The most significant was the introduction of "human security" controls: a new catch-all category targeting technology that can be used for internal repression or human rights violations. This did not exist in the 2009 framework. It reflects a post-Snowden, post-NSO Group shift in European political thinking about what export controls are for.

The EU Dual-Use List: What Semiconductors Fall Under

The EU Dual-Use List is contained in Annex I to Regulation 2021/821. It mirrors, in structure, the US Commerce Control List — though the two are not identical and alignment gaps between them create compliance complexity for companies selling into both markets. The list is organised into ten categories (0–9), of which three are directly relevant to most semiconductor companies:

• Category 3 — Electronics: Covers electronic components, assemblies, and related equipment. This is the most directly relevant category for semiconductor manufacturers and traders. It includes specific entries for microprocessors and microcomputers above certain performance thresholds, as well as application-specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs), and analogue-to-digital converters beyond threshold specifications.
• Category 4 — Computers: Covers high-performance computing systems, including those built from controlled Category 3 components. The performance thresholds here — measured in Adjusted Peak Performance (APP) — have been updated multiple times as computing power has advanced. Understanding whether a specific configuration crosses the threshold requires technical assessment, not just a product lookup.
• Category 5 — Telecommunications and Information Security: Relevant for semiconductors designed for encrypted communications, signal processing, or radio frequency applications. Parts 1 (Telecommunications) and Part 2 (Information Security) each carry different control structures.

Each entry in Annex I carries control codes specifying the reasons for control and the destinations to which those controls apply. This mirrors the US ECCN structure but uses different codes and does not map directly onto US classifications. A product that is EAR99 in the US can be listed in Category 3 of the EU Dual-Use List. The inverse is also true.

Catch-All Controls: The Most Misunderstood Provision

The catch-all is the provision most semiconductor teams overlook, and it is where enforcement risk is highest. Under Article 4 of Regulation 2021/821, a licence may be required for items not listed in Annex I at all if the exporter knows, has grounds to suspect, or has been informed by their national authority that the items may be intended for:

• Development, production, handling, operation, or stockpiling of chemical, biological, radiological, or nuclear (CBRN) weapons
• Military end-uses in embargoed countries
• Use as parts or components of military items exported without the required authorisation
• Internal repression or serious human rights violations (the new 2021/821 addition)

The catch-all means that unlisted, low-specification, ostensibly commercial items can fall under EU export controls if the transaction context raises red flags. For semiconductor teams, this creates an obligation to conduct meaningful end-use due diligence — not just a checklist of whether a product is listed in Annex I.

The burden of this due diligence falls on the exporter. If you proceed with a transaction despite having reasonable grounds to suspect a problematic end-use, the catch-all does not provide a safe harbour. National enforcement authorities have taken enforcement action under catch-all provisions in Germany, France, and the Netherlands in recent years.

EU General Export Authorisations vs. Individual Licences

Regulation 2021/821 introduced a significantly expanded set of Union General Export Authorisations (UGEAs) — pre-approved licence exemptions that allow exports to specified destinations without requiring a case-by-case licence application. For semiconductor companies with significant European operations, understanding which UGEAs apply to your product portfolio and destinations can meaningfully reduce compliance overhead.

The key UGEAs for semiconductor companies are EU001 (exports to Australia, Canada, Japan, New Zealand, Norway, Switzerland, UK, and US), EU002 (exports after repair or replacement), and EU003 (temporary exports for exhibitions). Each carries specific registration and record-keeping requirements. The UK's departure from the EU means it is now a UGEA destination rather than an exempt intra-EU movement — a change that created significant administrative burden for supply chains that span the Channel.

Where no UGEA applies, an individual licence from the national competent authority of the member state from which the export departs is required. Processing times, fee structures, and information requirements vary significantly by member state. Germany's BAFA, France's SBDU, the Netherlands' CDIU, and Sweden's ISP all operate under the same regulation but with different administrative characteristics.

Russia Sanctions: The Dominant Compliance Challenge Since 2022

Since February 2022, the European Council has enacted fourteen successive packages of economic sanctions against Russia in response to the invasion of Ukraine. For the semiconductor sector, these sanctions represent a qualitatively different compliance challenge from the standard dual-use framework — one that has redrawn entire supply chains.

The sanctions are implemented via Council Regulations published in the Official Journal of the EU (L-series), and they have progressively expanded the list of controlled goods, the list of restricted Russian entities, and the list of third countries subject to anti-circumvention provisions. Crucially, the Russia sanctions introduced controls on a broad range of common commercial components — including microcontrollers, semiconductors, and electronic assemblies far below the technical thresholds of the Annex I dual-use list — on the grounds that these components were being recovered from consumer electronics and integrated into Russian military systems.

The anti-circumvention provisions in later sanction packages are particularly significant. They prohibit exports to third countries — including Turkey, the UAE, Kazakhstan, and others — of goods that the exporter knows or has reasonable grounds to suspect may be re-exported to Russia. This extraterritorial element has forced semiconductor companies to revisit distributor relationships across Central Asia and the Middle East.

The pace of Russia sanctions updates — typically one to three new regulations or amending regulations per month — has overwhelmed the monitoring capacity of teams that were previously tracking EU OJ updates on a quarterly or ad-hoc basis. Every Council Regulation amending the sanctions framework requires re-screening of existing customer relationships, distributor agreements, and pending orders.

How EU OJ Updates Actually Work

The EU Official Journal is the only authentic source of EU law. Regulations, decisions, and directives take legal effect upon publication in the OJ — not when they are reported in the press, not when they appear on national authority websites, not when your trade association circulates a bulletin. The OJ is published daily in digital form at eur-lex.europa.eu and is free to access.

From a compliance monitoring perspective, the OJ is challenging because it is a general legal publication covering the full scope of EU activity — agriculture, fisheries, state aid, financial regulation, and everything else, alongside export controls. Identifying the export-relevant notices within each day's OJ requires filtering by publication series (L-series for binding legislation, C-series for information and notices) and by subject matter.

The typical workflow for an EU-exposed semiconductor company should be:

• Daily monitoring of the OJ L-series for new Council Regulations and Commission Delegated Regulations affecting dual-use or sanctions
• Immediate impact assessment when a new regulation is published — specifically identifying whether new goods, entities, or country restrictions are introduced
• Cross-referencing new entity designations against the customer and distributor database
• Updating internal screening and ERP systems before the regulation's entry-into-force date (which may be the same day as publication)