The EU Dual-use Regulation, cyber-surveillance and human rights: the competing norms and organised hypocrisy of EU export controls

ABSTRACT This article analyses the process and outcome of the review and recast of the EU Dual-use Regulation which concluded in 2020. The recast was dominated by conflicts both among EU member states and between the European Council, European Commission and European Parliament about the interlinked issues of expanding the range of human rights states should consider when implementing the Regulation and controlling exports of “cyber-surveillance items”. The processes through which states individually and collectively determine their content of their export controls are often portrayed as a zero-sum contest between “norms” and “interests”. This article argues that the recast can be better understood if it is viewed as a competition between different constitutive and regulative norms grounded in humanitarian, economic and national security concerns. The article also argues that the outcome of the recast can be better understood if we apply Brunsson’s concept of “organized hypocrisy” and view it as a set of compromises which sought to address several competing norms. The article concludes by reflecting on the potential wider application of the “competing norms” and “organized hypocrisy” frameworks for other studies of states’ export controls and export control regimes.


Introduction
Dual-use export controls -i.e. the systems that states use to regulate the trade in goods and technologies that can be used in both civilian and military products -are an undertheorised but increasingly prominent aspect of state policy.Initially established primarlly to track and prevent the proliferation of weapons of mass destruction (WMD) their coverage and significance have expanded in recent years due to rising geo-political tensions and the growing use of civilian technology in the production of weapons systems.These trends are evident in the content and impact of the restrictions on exports of dual-use items to Russia that the United States, the European Union (EU) and other like-minded states have imposed since its invasion of Ukraine in February 2022.The range of items covered by these restrictions has expanded the notion of what constitutes "dual-use items" by including goods without clear military applications and which are being controlled due to their relevance for Russia's wider economy (European Council 2022).Conversely, analyses of military systems used by Russia in Ukraine indicate that Moscow is both reliant upon, and able to utilise, civilian technology manufactured abroad that have not previously been subject to dual-use export controls (Conflict Armament Research 2022).
This article analyses the process and outcomes of the review and recast of the EU Dual-use Regulation, the EU's main regulatory tool for dual-use export controls, which began in 2011 and concluded in 2020.The recast saw many complex and overlapping debates about how to modernise the Dual-use Regulation.However, the most important disagreements concerned differences among EU member states and between the European Council, the European Commission and the European Parliament about expanding the range of human rights concerns states should consider when exporting dual-use items and regulating exports of "cyber-surveillance items."In this respect, the recast fits a broader pattern in recent debates about the EU's exports of military and security equipment, which have been dominated by disagreements about how to apply international humanitarian law (IHL), international human rights law (IHRL) and the broader "human security" concept (see Maletta 2019;Sprenger 2019).
This article argues that the process of the recast can be best understood if it is viewed as a competition between a variety of different norms.Applying this framework enables us to see the Dual-use Regulation and the EU's wider set of export controls as a "regime" that has established and applied key constitutive norms -particularly ones concerning states' rights and states' responsibilities -and a variety of regulative norms focused on humanitarian concerns, national security concerns and market concerns.It also allows us to see the recast as a process in which the Commission and Parliament sought to advance proposals that reflected a variety of norms and that their ability to gain Council support and create changes in the Dual-use Regulation reflected whether they were embedded within a broader normative framework and if their content aligned or competed with the regime's existing constitutive and regulative norms.
The article also argues that the outcome of the recast can be better understood if we view it less as one in which a single norm achieved dominance at the expense of all others and more as a set of compromises which sought to simultaneously reflect and integrate proposals grounded in contrasting norms.Here, the article applies organisation theory and particularly Brunsson's concept of "organized hypocrisy" which highlights how political entities act when faced by competing normative expectations (Brunsson 1989(Brunsson , 2007)).Applying this concept helps to show how the outcome of the recast saw the EU incorporate proposals grounded in different competing norms by maintaining a level of disconnect between the "talk," "decisions" and "actions" of the Dual-use Regulation.
The first part of the article describes the history and content of the Dual-use Regulation and the wider set of export control instruments that the EU has established.It then outlines a framework for viewing these instruments as a "regime" that has established a set of standards and practices grounded in two constitutive norms of export controls and a range of regulative norms grounded in security, market, and humanitarian concerns.The following part describes the broader post-2011 debate about the export and use of cyber-surveillance items that proved central to the recast.The next section develops and applies the "competing norms" framework to the process of the recast by examining the proposals put forward and determining the key factors that accounted for their level of impact.The article then outlines the concept of "organized hypocrisy" and applies it to an analysis of the outcomes of the recast, arguing that a successful outcome required a level of disconnect between the "talk", "decisions" and "actions" of the Dualuse Regulation.
This analysis is based on a close reading of available primary and secondary literature and more than twenty Key Informant Interviews (KIIs) conducted during 2016-2021 with EU officials, EU member state officials and company and NGO representatives which informed the use and interpretation of available open-source material.The article seeks to apply an approach grounded in process tracing to uncover the underlying causal mechanisms that played out in one individual case, i.e. the review and recast of the Dualuse Regulation.In doing so, the article aims to develop what George and Bennett described as "middle-range typological theories" that seek to account for the pathways through which results are generated, i.e. the "competing norms" and "organized hypocrisy" theoretical frameworks (George and Bennett 2005).
The final section presents the main findings of the paper and outlines the potential for future work.Here, the article seeks to position itself in relation to previous literature that has applied Brunsson's notion of organized hyprocrisy to states' arms export controls and aspects of EU security policy and demonstrate the contribution it makes.In particular, the article opens the possibility for a wider application of its "competing norms" and "organized hypocrisy" theoretical frameworks for future studies of individual states' export controls and other export control regimes.

The EU's export control regime and the Dual-use Regulation
Export controls are the policies that states adopt and implement in order to impose restrictions on the international movement of arms and dual-use items.Since the end of World War I states have engaged in various regional, multilateral and international processes aimed at achieving some level of coordination and convergence in key aspects of their export controls, particular the range of goods and activities that are subject to control (their "scope"), and the standards that are applied when determining whether exports are approved or denied (their "criteria").This process gained pace after the end of the Cold War and has been pursued particularly actively by the EU and its member states.Since the early 1990s there have been a wide range of efforts at the EU level to increase the degree of coordination and convergence in the field of export controls.This process was supported by a variety of actors and stakeholders -including civil society organizations, different EU institutions, national governments, and sections of the defence industrythough for sometimes separate and sometimes overlapping reasons.
These efforts have resulted in the creation of a wide-ranging set of export control instruments that encompass controls on both military and dual-use items.
Its key elements are EU arms embargoes, the Dual-use Regulation, the 2008 EU Common Position on Arms Exports (Common Position) and the 2013 EU Intra-Community Transfers Directive (ICT Directive).These instruments have been developed and adopted under both the Common Foreign and Security Policy (CFSP) and European Community (EC) "pillars" of the EU -as conceived by the 1992 Maastricht Treaty -as well as the areas of "exclusive," "shared" and "special" EU competence -as conceived by the 2009 Lisbon Treaty (see Lustgarten 2013).
During the early 1990s the focus for EU action on export controls was the trade in dual-use items, a process that led to the first EU legislation in this area in 1994 (Davis 2002).Later in the 1990s attention shifted to the trade in military items which led to the adoption of the EU Council Decision on Arms Exports 1998 and which was transformed into the Common Position in 2008.A key motivation for both these efforts were revelations about Iraq's WMD programme and extensive pre-war military build-up in the wake of the 1991 Gulf War and the ways that the Iraqi government sourced many of the components and the weaponry from European companies.Several EU member states, including Germany and the UK, had adopted stricter national export controls in the wake of the Gulf War and sought to limit the resulting costs for domestic producers and promote wider adherence to these standards by "uploading" them to the EU level.However, particularly for dual-use items the Commission also played a key role in the early stages, motivated primarily by an interest in expanding the application of single market principles (Hofhansel 1999).
Since May 2009 controls on member states' trade in dual-use items have been governed by EC Regulation 428/2009.The Dual-use Regulation consists of the following elements: • a common set of activities (including exports and aspects of brokering and transit) that are subject to control, • a common set of items that are subject to control (as outlined in the "EU dual-use list"), • a common set of "catch-all controls" for regulating exports of items that do not appear on the EU dual-use list but may contribute to a programme to develop WMD, have a "military end use" in an embargoed state, or be used as parts and components in an illegally exported military item, • a common set of criteria to use when issuing export licences, • a common set of licences (individual, global and general authorisations) for states to issue, • a common set of EU General Export Authorisations (EUGEAs) covering "lesssensitive" items and destinations and which allow companies to carry out multiple shipments under the same licence, and • a set of mechanisms through which EU member states share information about their implementation of the Dual-use Regulation.
The establishment of the EU's set of controls on dual-use exports saw disagreements over whether this area of policy constituted a commercial issue and was therefore part of the EU's Common Commercial Policy (CCP) and subject to exclusive EU competence or constituted a foreign and security policy issue and was therefore part of EU's Common Foreign and Security Policy (CFSP) and subject to EU member states' veto powers (see Micara 2012, 581-582).Following a 1995 ruling by the Court of Justice of the European Union (CJEU) the Dual-use Regulation forms part of the CCP.However, member states insisted that it should be framed in a way that provides for national control over most of the key aspects of policy implementation.As a result, the EU dual-use list is drawn exclusively from the control lists that are adopted, by consensus, within the four multilateral export control regimes -the Australia Group (on chemical and biological weapons), the Missile Technology Control Regime, the Nuclear Suppliers Group, and the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-use Goods and Technologies.EU member states' membership of these regimes gives them a veto over which items are added to their control lists and by extension the EU dual-use list. 1 In addition, the Dual-use Regulation includes exemptions that place decisions about issuing export licenses and imposing penalties for non-compliance by exporters under exclusive national control.
Although key powers are delegated to EU member states, the inclusion of the Dual-use Regulation in the EU's CCP has implications stemming from the EU's broader legal and organisational framework which influenced the recast process.First, the Commission had a lead role in the process as it is charged with preparing and making proposals in relation to instruments adopted under EU's CCP.The Commission also had this role during the negotiation and adoption of the 2009 Regulation.Second, any positions adopted by the Council can be adopted through a qualified majority vote (QMV).This was also the case for the negotiation and adoption of the 2009 Dual-use Regulation, but in that process all positions adopted in the Council were agreed by consensus.Third, according to the 2009 Lisbon Treaty, the European Parliament had full powers of codecision, including the power to veto any changes to the Dual-use Regulation and any updates to the EU dual-use list.This was not the case for the 2009 Regulation, when only the Council and the Commission had powers of co-decision for CCP issues.

The constitutive and regulative norms of the EU's export control regime
The idea that norms have explanatory power when it comes to understanding state behaviour in foreign and security policy gained a renewed acceptance in international relations literature in the 1990s.Much of this work follows the definition of "norms" provided by Finnemore and Sikkink, which describes them as "collective expectations for the proper behaviour of actors with a given identity" (Finnemore and Sikkink 1998, 891).
Another key point of agreement in more recent literature is the value of breaking down the distinction between constructivist and rationalist approaches and arguing that norms can be both "constitutive" (i.e. they "create new actors, interests, or categories of action") and "regulative" (i.e. they "order and constrain behaviour"). 2 (Finnemore and Sikkink 1998, 891) Finally, although several models have been developed that identify the factors that account for the strength and influence of norms, they tend to agree on the importance of "embeddedness" and "regimes."Hence, a norm's strength depends largely on the extent that it is embedded within a wider normative framework and integrated within a broader "regime," which Krasner defines as "sets of principles, norms, rules and decision-making procedures around which actor expectations converge in a given issuearea" (Krasner 1982, 185).
More contentious is the question of whether norms must be "good" or "progressive" to be counted as norms.Much of the early work in this area tended to focus on a single "good" norm (e.g.IHL, human rights, or opposition to apartheid) and sought to understand how it shapes or constrains state behaviour.More recent work has focused on "bad" or "oppositional" norms and the ways that these compete against or undermine "good" norms.This focus includes both "security norms" (e.g.counter-terrorism policies pursued in the wake of the September 11th attacks) and "market norms" (e.g. the liberalisation and de-regulation agenda that began to dominate much of state policymaking in the 1970s) (see Heller and Kahl 2013;Orbie and Khorana 2015).Some attempts have been made to apply this expanded concept of norms to the field of export controls (see Cooper 2018).However, the issue remains under-theorised and has yet to be applied to analyses of contemporary developments in export controls.Here, work has primarily focused on analysing the integration and application of "good" humanitarian norms and the ways states' security and economic interests limit their effective and consistent implementation (see Hansen 2016;Platte and Leuffen 2016).
Applying a broader conception of norms to the field of export controls can be used to argue that since World War I, and particularly since the end of the Cold War, states have constructed a complex set of international, multilateral, and regional export control regimes that have established rules and decision-making procedures grounded in a range of constitutive and regulative norms.These norms derive their strength both from their embeddedness within wider normative frameworks concerning issues like IHL, sovereignty, and human rights and their integration into these export control regimes.
A key constitutive norms of export controls is that states have a "sovereign right" to determine the scope and restraint of their controls, a right that has been increasingly acknowledged and asserted since at least the 17 th century.This is reflected in Article 51 of the UN Charter which states that "nothing in the present Charter shall impair the inherent right of individual or collective self-defence."As Erickson has noted, the article's articulation of "states' right to provide for their own defense as a fundamental principle of national sovereignty [. ..] has been upheld as justification for states to transfer arms as they choose" (Erickson 2015, 5).Conversely, states have also increasingly acknowledged and asserted a second constitutive norms of export controls of export controls since at least World War I, that states have a "sovereign responsibility" to have controls in place.This is reflected in Article 2.5 of the UN Charter which commits states "to give the United Nations every assistance in any action it takes in accordance with the present Charter."As Anthony has noted, the article "creates an indirect obligation on all governments [. ..] to establish standing mechanisms for the national regulation of their arms exports in order to be in a position to enforce mandatory UN arms embargoes."(Anthony 1991, 1).
The regulative norms of export controls include a mix of national security norms (e.g.preventing WMD proliferation, constraining rivals, and supporting allies), market norms (e.g.supporting domestic industry, and facilitating trade), and humanitarian norms (e.g.preventing armed conflict, preventing violations of human rights, and preventing violations of IHL).These norms have shifted and evolved against the background of broader normative, technological and political developments.For example, integration of human rights concerns into export control restrictions reflects broader shifts in the role and importance of human rights as a motivation and justification for state action.This process began in the 1970s and has been mapped in the work of the historian Moyn.As Moyn argues, "over the course of the 1970s, the moral world of Westerners shifted, opening a space for the sort of utopianism that coalesced in an international human rights movement that had never existed before" (Moyn 2012, i).These norms have both formed and been used to form the rules and decision-making procedures outlined in the various export control regimes and in state's export controls, including their criteria for determining when an export should be approved.
The EU's set of export control instruments represents the most detailed export control regime that states have established.Much of the norm-focused literature that has examined the evolution of the EU's export control regime has focused on the Common Position, the main EU legislative instrument in the field of arms export controls, and the way it has integrated and applied humanitarian norms.The Common Position includes operative provisions on information exchange and eight common criteria for assessing arms export licences.These criteria focus on the risk that exported arms will inter alia be used in violations of human rights or IHL, exacerbate an ongoing armed conflict, used aggressively against a neighbouring state, or affect the "sustainable development" of the buyer state.The Dual-use Regulation requires member states to apply the eight criteria when assessing licences for exports of dual-use items to "the armed forces or internal security forces or similar entities." Less acknowledged is the extent to which the EU's export control regime integrates and applies the constitutive norms of export controls.The constitutive norm of sovereign responsibility is deeply embedded within all aspects of the EU's export control regime, as it is within all international, regional and multilateral export control instruments.The constitutive norm of sovereign right is also present but has been the subject of debate and contestation in the EU context.The Commission has sought to move aspects of export controls to the intra-state or supra-state level to reduce the regulatory barriers to intra-EU transfers and enhance the EU's ability to "speak with one voice."This agenda has achieved some successes, including the creation of the ICT Directive, which reduces the barriers to intra-community transfers of military items.However, although the ICT Directive was a Commission-led initiative, its success and content largely reflect the preferences of EU member states, particularly those of France, which was seeking to simplify its export controls (Béraud-Sudreau 2020, 108-114).The broader pattern is that while EU member states are often willing to support aspects of the Commission's agenda with regards to the "Europeanisation" of export controls, they broadly oppose the creation of fixed constraints on if and how that process occurs.As a result, the constitutive norm of sovereign right has rarely been infringed by the EU's export control regime and is often reaffirmed.
Also less acknowledged is the extent to which the EU's export control regime integrates and applies not only regulative norms grounded in humanitarian concerns but also ones grounded in national security concerns, including constraining rivals, supporting allies, maintaining regional stability and preventing WMD proliferation.References to all these concerns feature in the criteria of the Common Position.Finally, the unique way that the EU's export control regime applies regulative norms grounded in market concerns, particularly ones concerned with facilitating trade and supporting domestic industry, is also often overlooked.This can be seen in the content of the ICT Directive, the range of EUGEAs attached to the Dual-use Regulation, and way the Common Position is applied to exports of components that will be integrated into a weapon system produced by another member states and reexported to a third country.In such cases, member states "shall fully apply the Common Position" but may also consider a range of other factors, including "the importance of their defence and security relationship with that country" (European Council 2019b, 8).This integration of market norms alongside humanitarian does not have a parallel in the other export control regime states have established.As such, it reflects points made about other aspects of EU trade policy, particularly its Free Trade Agreements, and the way that they promote both "'market liberal norms' and 'cosmopolitan norms' (such as human rights)."(Orbie and Khorana 2015, 258)

Controlling cyber-surveillance items
Cyber-surveillance items enable the monitoring and exploitation of data or content that is stored, processed, or transferred via information communication technologies (ICTs), including computers, mobile phones and telecommunications networks (see Table 1 for a description of the main categories of cyber-surveillance items).They are widely used by Law Enforcement Agencies (LEAs) and intelligence agencies (See Insider Surveillance 2017).The use of cyber-surveillance items raises a range of national security concerns, particularly in connection with theft of classified data or attacks on critical infrastructure, and human rights concerns, particularly in states that lack effective laws and regulations governing their use.The human rights concerns range from potential violations of the right to privacy and freedom of expression to more serious breaches, including of the right to freedom from arbitrary arrest and detention and freedom from torture and inhuman or degrading treatment.
All EU member states' LEAs and intelligence agencies use cyber-surveillance items but they differ in terms of the extent they can either draw on "in-house" capabilities provided Table 1.Types of cyber-surveillance items.
Mobile telecommunications interception equipment, also known as "IMSI Catchers", are used to remotely track, identify, intercept and record mobiles phones.
Intrusion software can be inserted into computers and mobile phones without detection and used to remotely monitor and, in certain cases, control them.
Internet Protocol (IP) network surveillance systems are used to intercept, collect and, in some cases, analyse data as it passes through an IP network.
Data retention systems are used by network operators to comply with legal requirement for "meta data" storage of their users for potential later use by LEAs or intelligence agencies.
Lawful Interception (LI) systems are used by network operators to enable them to comply with requests from LEAs and intelligence agencies for the provision of their users' communications data.
Monitoring centres are used by LEAs and intelligence agencies to collect, store and analyse different forms of communications data from various surveillance sources.
Digital forensics systems are used by LEAs or intelligence agencies to retrieve and analyse data stored on networks, computers and mobile devices.
by their national authorities or rely on private companies headquartered outside their national territory (Insider Surveillance 2017).However, there have only been limited attempts to develop EU-wide standards for governing the use of cyber-surveillance items.
The European Telecommunications Standards Institute (ETSI) has established standards concerning the use of LI systems and data retention systems.ETSI standards contain certain safeguards aimed particularly at preventing their use in mass surveillance, but they are mainly technical standards aimed at allowing different systems to communicate (Privacy International 2014).Moreover, nothing has been developed for other cybersurveillance items, such as IMSI Catchers, intrusion software and monitoring centres.In addition, certain processes of EU standard-setting in the field of data retention have become highly contentious, resulting in deep divisions between EU member states and Brussels.This is visible in the dispute between the CJEU and EU member states over the amount of data that communication service providers should be legally required to store and make available to LEAs via their data retention systems (Privacy International 2020).
After the Arab Spring uprisings in 2011 a series of NGO and media reports highlighted the role played by EU-and US-based companies in supplying cyber-surveillance items and related services to the states involved (FIDH 2014).In some cases, the systems supplied were used in connection with violations of human rights by the recipient state's security forces, including cases of torture, arbitrary arrest and detention.In response, NGOs, EU member states and members of the European Parliament sought to restrict the use of cyber-surveillance items by oppressive regimes.These demands led to several steps being taken at the EU level to regulate the trade in cyber-surveillance items.However, the first steps were taken within the Wassenaar Arrangement, where states were motivated by a mix of national security and humanitarian concerns.This paper briefly summarises those measures before discussing the steps taken at the EU level.

Cyber-surveillance items and Wassenaar arrangement controls
In 2012 the Wassenaar Arrangement began expanding the scope of its dual-use export controls to capture a wider range of cyber-surveillance items.Controls on "mobile telecommunications interception equipment" were added to the Wassenaar Arrangement's dual-use control list in 2012 and controls on "intrusion software" and "internet protocol (IP) network surveillance systems" were added in 2013.In 2019, controls on "monitoring centres" and "digital forensics systems" were also added.As with many developments in multilateral export controls, this process was driven by individual states creating national-level controls and then seeking to "upload" them to the multilateral level.For example, the UK adopted national controls on intrusion software and then proposed them for adoption within the Wassenaar Arrangement (Privacy International 2013).France did the same for the controls on IP network surveillance systems, and Germany for controls on monitoring centres.
The initial adoption of national controls on cyber-surveillance items was often driven by NGO-led lobbying motivated by the human rights concerns associated with the use of the items.For example, the UK's adoption of controls on intrusion software came after the NGO Privacy International launched a legal action to determine if exports of intrusion software from the UK by Gamma International were subject to export controls (Knight 2014).However, when proposing and adopting controls on these items at the Wassenaar level, states did not reference human rights but focused on the national security concerns associated with their use.For example, the controls on intrusion software were justified on the grounds that they "may be detrimental to international and regional security and stability."(Wassenaar Arrangement 2013)

Cyber-surveillance items and EU controls
In 2011 and 2012, the EU arms embargoes on Iran and Syria were expanded to include a wide range of cyber-surveillance items. 3As well as capturing all the cyber-surveillance items listed in Table 1, the embargoes also created restrictions on the supply of telecommunications networks and related services to Iran and Syria.Similar restrictions were applied to Venezuela in 2017, Myanmar in 2018, and Belarus in 2021. 4In addition, all the cyber-surveillance items that were added to the Wassenaar Arrangement control list in 2012, 2013, and 2019 were subsequently added to the EU dual-use list along with all the other updates made to the different regime control lists.
However, these steps were viewed as insufficient, particularly by NGOs and voices in the European Parliament, who argued that the controls left too many gaps and were being unevenly applied and pushed for additional action at the EU level (see Goslinga and Tokmetzis 2017).Against this background, the European Parliament pushed for stronger controls on exports of cyber-surveillance items in the Dual-use Regulation.In 2012, the European Parliament used its powers of co-decision in CCP issues to try to add a dedicated "catch-all control" for exports of unlisted cyber-surveillance items during the annual update of EU's dual-use list resulting in a two-year delay in the update of the list (European Parliament 2012).The issue was only resolved in 2014 when the Commission, Council and European Parliament issued a joint statement committing them to exploring how to use the Dual-use Regulation to create stronger controls on exports of cybersurveillance items (see Immenkamp 2021).The length of time needed to adopt a final compromise text was largely due to differences over the creation of stronger controls on exports of cyber-surveillance items.Here, the Commission's proposal and the European Parliament's amendments focused on three areas: expanding the range of human rights concerns states are required to consider when issuing export licences; creating a new catch-all control to capture exports of unlisted cyber-surveillance items; and controlling cyber-surveillance items not covered by the Wassenaar Arrangement through a new "autonomous" EU list.These proposals created divisions among EU member states, which delayed the adoption of the Council's negotiating mandate, and divisions between the Council and European Parliament, which prolonged the trilogue process (Cerulus 2020).

The recast process and "competing norms"
In each case, the ability of the proposals to gain the support of the Council and result in changes to the Dual-use Regulation largely supports the predictions of the "competing norms" theoretical framework.Hence, the proposed expansion in human rights concerns gained limited traction as it was not embedded within a wider normative framework, the proposed new catch-all control saw resistance but gained traction as it aligned with existing national security norms, and the proposed creation of a new autonomous EU list faced resistance as it posed a challenge to the constitutive norm of sovereign right.

Expanding the range of human rights concerns
The Commission's proposal added new language to the Dual-use Regulation stating that in deciding whether to grant a license, member states "shall take into account [. ..] respect for human rights in the country of final destination."This would have been the first explicit mention of human rights in the Dual-use Regulation.The European Parliament's amendments went significantly further by expanding the range of human rights concerns beyond those related to "internal repression" and which are referenced in the Common Position.Under the European Parliament's amendments, EU member states and exporting companies would be obliged to assess the risk of violations of "the right to privacy, the right to free speech and the freedom of assembly and association" when deciding whether to export cyber-surveillance items.Both the Commission and the European Parliament also called for the development of guidance material that would inform member states' export license decision-making.In contrast, the Council's mandate kept the existing link with the Common Position criteria but removed all references to both human rights issues and guidance material in the operative provisions of the Dual-use Regulation.
The European Parliament's attempt to expand the range of human rights concerns referenced in the Dual-use Regulation beyond those related to "internal repression" was based on the argument that privacy, free speech and freedom of assembly issues are the most frequent concerns in cases where cyber-surveillance items are misused (European Parliament 2018, Amendment 2).They also argued that existing EU legal instruments such as the Treaty on European Union create an obligation for member states to uphold their commitment to these rights "in its relations with the wide world" (Amnesty International 2020, 11).By contrast, the Council's strong opposition was based largely on the argument that it would create confusion for companies and legal uncertainties for the regulating authorities.However, the lack of a wider set of EU standards concerning the governance of cyber-surveillance items and the lack of any reference to privacy, free speech and freedom of assembly issues in existing export control regimes at either the EU level or elsewhere seems to have been decisive factors in both the Council's opposition to these proposals and their failure to be included in the revised version of the Dual-use Regulation.Although the inclusion of expanded language on human rights was a key part of the European Parliament's proposed and was supported by NGOs, it appears to have been dropped at an early stage of the trilogue process.The new version of the Dual-use Regulation leaves the language on criteria intact and creates no new obligations connected to human rights concerns.

Creating a new catch-all control
Both the Commission's proposal and the European Parliament's amendments supported the creation of a new "catch-all control" for capturing exports of unlisted cybersurveillance items and a requirement for companies to conduct "due diligence" to ensure that their exports are not used to violate human rights or IHL.However, member states opposed these proposals on the grounds that they created unclear and unnecessary regulatory obligations for governments and exporters and the Council's negotiating mandate made no mention of them (European Council 2018a, 2018b).Nevertheless, the European Parliament continued to push the demand, and the new version of the Dual-use Regulation creates a new catch-all control for unlisted cyber-surveillance items that may be used for "internal repression and/or the commission of serious violations of international human rights and international humanitarian law [IHL]."Exporters are also obliged to inform their national authorities if they are "aware according to [their] due diligence findings" of any such risks.
The inclusion of a new catch-all control for unlisted cyber-surveillance in the Dual-use Regulation items represents a key concession by the Council.However, the new version of the Dual-use Regulation defines "cyber-surveillance items" far more narrowly than the Commission or European Parliament had proposed, thereby greatly limiting its scope.In addition, the new version of the Dual-use Regulation does not create any legal obligation for companies to have due diligence measures in place, a requirement that both the Commission and European Parliament had proposed.However, from the perspective of the competing norms framework, the key point is that EU member states had shown that they were not opposed in principle to the creation of expanded controls on exports of cyber-surveillance items or in the use of catch-all controls to capture exports of items that are not covered by the EU dual-use list.Moreover, they viewed both measures as being broadly aligned with national security norms and the constitutive norm of sovereign responsibility.The addition of new cyber-surveillance items at the Wassenaar Arrangement level and the rationales used indicate that EU member states view the trade in cyber-surveillance items as having important national security implications, that states have a responsibility to have some oversight over their trade, and that export controls are a key tool for achieving that goal.Although the proposals put forward by the European Parliament were grounded in humanitarian norms, the fact that they gained the conditional support of the Council and the way they were integrated in the new version of the Dual-use Regulation reflect the fact that their content also aligned with both regulative norms grounded in security concerns and the constitutive norm of sovereign responsibility.

Creating an autonomous EU list
Under the Commission's proposal, the EU would have established an "autonomous list" for controlling items at the EU level that were not already captured by the Wassenaar Arrangement's control list.Initially, the list would have only included controls on Monitoring Centres and Data Retention Systems, items that Germany added to its control list in 2015.However, the Commission would have the option of adding items in the future through new delegated powers.The European Parliament's amendments endorsed the Commission's proposal and expanded the range of situations where the new delegated powers could be used.This aspect of the Commission's proposal proved to be the most divisive during EU member states' discussions in the Council.In early 2018, two groups of EU member states published working papers outlining their respective positions on the Commission proposal (European Council 2018a, 2018b).Although broadly agreeing on many issues, the two papers differed on the creation of an autonomous list with one group, which included France and Germany, endorsing the proposal, and another group, which included Finland and Sweden, strongly opposing.
Opposition to the autonomous list on the part of member states has often been presented as being motivated by a concern that it would lead to unfair regulatory obligations for EU-based companies and diminish the global appeal of the Dual-use Regulation as a regulatory model (European Council 2018b).However, an underdiscussed implication of the Commission's and European Parliament's proposal is that, due to the fact that modifications to the Dual-use Regulation can be made through QMV procedures, it would have created a situation where an EU member state could potentially be forced to make items subject to control at the national level.This would have represented a direct challenge to the constitutive norm of sovereign right.These arguments appear to have been crucial in convincing member states to oppose the proposal, and the Council's negotiating mandate makes no reference to an autonomous EU list.The new version of the Dual-use Regulation states that if an EU member state uses the new catch-all control to regulate an unlisted cyber-surveillance item and if all other EU member states approve, the EU will publish details "in the C series of the Official Journal of the European Union."EU member states are also required to "consider" supporting the addition of these items to the "appropriate" control regime.The Commission presented this element of the new Regulation as a mechanism for adopting autonomous EU controls on cyber-surveillance items (Dombrovskis 2020).However, the way the mechanism is framed ensures that any member state can veto the addition of a new items on the list.As such, it applies and reaffirms the constitutive norm of sovereign right.

The recast outcomes and "organised hypocrisy"
Although the content of the key changes that were made to the Dual-use Regulation via the recast process can be understood and explained through the application of the "competing norms" theoretical framework, it does not capture all the alterations produced.The most important of these alterations concern the amount of information states make public about their exports of dual-use items and the inclusion of language on human rights concerns in the preamble to the Dual-use Regulation.The new version of the Dual-use Regulation creates a set of new and ambitious targets for the release of public data on dual-use exports.The commitments are most far-reaching for cybersurveillance items.Here, the EU commits itself to publishing annual data on "the number of applications received by items, the issuing Member State and the destinations concerned by these applications, and on the decisions taken on these applications."In addition, new language on "internal repression," "serious violations of human rights," and IHL have been added to the preamble of the Dual-use Regulation, noting that these are issues that EU member states should consider when exporting dual-use items, particularly cyber-surveillance items.
The inclusion of both these elements in the new version of the Dual-use Regulation aligns with demands made by the European Parliament and goes against the position outlined in the Council's negotiating mandate.Moreover, their inclusion was crucial to Parliament agreeing to the adoption of the new Regulation (Gregorová 2020).As such, the decision to include them and the way that it was done does not appear to conform with the "competing norms" framework outlined above.One way to better understand their inclusion is to apply Brunsson's concept of "organised hypocrisy."This helps explain why commitments on reporting and references to human rights in the preamble became an effective mechanism for balancing the competing positions of the Commission, European Parliament, and Council and provides insights into the potential long-term implications of this decision.
Brunsson developed his concept of "organised hypocrisy" during studies of the work of Swedish local authorities in the 1980s and later applied the concept with reference to other political organisations.He argued that the vast range of competing norms to which these organisations are subject makes a consistent interpretation and assimilation of external inputs impossible.In response, political organisations often seek to manage these pressures and maintain their legitimacy by creating a disconnect between their "talk," their "decisions," and their "actions."Hence, they "talk in a way that satisfies one demand . . .decide in a way that satisfies another, and [. ..] supply products in a way that satisfies a third" (Brunsson 1989).Krasner refers to Brunsson's work in his 1999 book "Sovereignty: Organized Hypocrisy" but Krasner's version of the concept differs from Brunsson's in ways that make it less suitable for understanding the outcomes of the recast process and this article.While Brunson is concerned with understanding how political institutions manage conflicting normative pressures, Krasner is more focused on understanding the logics of appropriateness that flow from notions of "Westphalian sovereignty" and mapping how and when logics of consequence lead states to pursue actions that ignore their precepts (Krasner 1999;Lipson 2007).
Brunsson's notion of "organised hypocrisy" has been applied to several studies on the implementation of states' arms export controls (see Hansen and Marsh 2015;Perkins and Neumayer 2010).However, in these studies the term has generally been used in a negative sense to argue that states voice support for progressive norms while systematically ignoring them when deciding what to export.However, the creation of conscious mechanisms for masking true intentions was not what Brunsson was seeking to describe or what this paper is seeking to highlight.Rather, what Brunsson was describing is how political organisations sometimes act when subject to the pressures and expectations created by contradictory norms.Brunsson's notion of "organised hypocrisy" has also been applied to studies of particular aspects of EU policy, particularly migration policy and its associated maritime operations in the Mediterranean, and environmental policy (Cusumano 2019;Knill, Steinebach, and Fernández-I-Marín 2018;Lavenex 2018).However, no studies have applied it to the EU's policies in dual-use export controls.Moreover, previous studies of EU policies tended to view organised hypocrisy as a coping strategy that generates sub-optimal outcomes and, particularly in the case of migration policy, produces credibility gaps and legitimacy issues.As such, they don't represent examples of cases, highlighted by Brunsson, in which "hypocrisy is not necessarily a problem" and either "creates opportunities" or "facilitates action in conflict situations" (Brunsson 2007, 120).As Brunsson noted, organised hypocrisy allows an organisation to speak and decide in ways that align with a "good" norm while acting in a way that aligns with a "bad" norm but this is often preferable to aligning all three with the "bad" norm.More importantly, the resulting disconnect facilitates agreement when the alternative might be inaction, creates accountable commitments for the organisation, and generates access to information that can be used to achieve that goal.
When applying the "organised hypocrisy" framework to the Dual-use Regulation its "talk" can be viewed as consisting of its criteria and its scope but also the broader goals and that it sets for itself and which are outlined in its preamble.Meanwhile, its "decisions" can be understood as the amount of information that is made public about exports and the level of parliamentary oversight that is permitted.Finally, its "actions" can be viewed as the actual processes of deciding which exports require a licence and which export licences are approved.Moreover, the recast of the Dual-use Regulation can be seen as a case in which a political organisation was forced to accommodate the demands of competing and, at a certain level, incommensurate norms.Hence, the Commission and Parliament's proposals on cyber-surveillance which were grounded in regulative norm of respecting human rights clashed directly with the positions of the Council which were grounded in the constitutive norm of sovereign right.
While many of the Commission's and Parliament's demands were successfully resisted by the Council, the Parliament's powers of co-decision meant that their consent had to be provided for the adoption of a new version of the Dual-use Regulation.This meant that the demands they were making and the regulative norms upon on which they were based had to be meaningfully reflected in the outcome of the process.This was achieved by creating a certain level disconnect between the "talk," "decisions" and "actions" of the Dual-use Regulation in ways that align with the "organised hypocrisy" theoretical framework.Hence, the position of the Commission and European Parliament and its underlying norms were reflected in changes to the "talk" and "decisions" of the Dual-use Regulation, via the promise of greater public transparency and the inclusion of new language on human rights in the preamble.However, the position of the Council and its underlying norms were reflected in the lack of change to the "actions" of the Dual-use Regulation, which left decision-making on export licensing at the national level.
In both its application of Brunsson's framework and the findings generated this case study has clear parallels with previous applications of the concept to EU policymaking and particularly Lavenex's analysis of the Common European Asylum System.In that case Lavenex finds that the "the move towards 'core state powers' commends the EU and in particular the Commission to seek conformity with . . .'protective' (rights-enhancing) norms" while "its constituency and institutional set-up privilege compromise on common 'protectionist' (access-reducing) policies" (Lavenex 2018, 2).However, while the findings are similar, the case of the recast indicates a slightly more dynamic process in which processes of compromise have both re-affirmed the status quo while also establishing new avenues for future policy development.As such, it would be wrong to assert that the changes made to the Dual-use Regulation amount to merely window dressing.The commitments and pathways that have been created will mean that the European Parliament will have new ways to identify exports of cyber-surveillance items and to push for greater restrictiveness in the future content and application of states' controls.

Conclusions and suggestions for future research
This paper argues that the process that took place during the recast of the Dual-use Regulation and, particularly, why certain proposals were made and which ones led to substantive changes in the Dual-use Regulation can be better understood if we apply a "competing norms" theoretical framework.Hence, the ability of different proposals to gain traction during the trilogue and result in concrete changes to the Dual-use Regulation reflect the degree to which the underlying norms on which they were based were embedded in wider normative frameworks and the extent to which they were aligned with or in competition with the norms already reflected in the EU's export control regime.However, aspects of the outcome of the Recast can be best understood if we apply an "organised hypocrisy" theoretical framework.Hence, the veto powers held by the Parliament and the differences between its positions and those of the Council meant that the process had to find a way of accommodating what were, in effect, directly competing norms.This was achieved by creating a certain level of disconnect between the "talk," "decisions" and "actions" of the Dual-use Regulation.
The "competing norms" and "organised hypocrisy" theoretical frameworks seem particularly appropriate when analysing the EU's export control regime.Processes of norm contestation are made more likely by the way the EU simultaneously channels and promotes several competing "constitutive" and "regulative" norms in the field of export controls.This can be seen in the way the EU exposes member states to each other's norms, the various contradictions in the content and objectives of the EU's export control regime, and in the channels of influence it creates for "norm entrepreneurs" in civil society and the European Parliament.In addition, the disconnect between "talk," "decisions," and "actions" that are outlined in the "organised hypocrisy" theoretical framework is made more possible by the way the regime transfers aspects of export controls to EU level while leaving others in the hands of EU member states.As is the case for many other areas of trade and security policy, when it comes to export controls, the EU has "acquired features of a state [. ..] but in an incomplete and ultimately incoherent way" (Müller 2021).
Nonetheless, the "competing norms" and "organised hypocrisy" theoretical frameworks potentially have wider applications in analyses of other export control regimes and of individual state's export controls.These frameworks can help explain which norm promotion efforts in the field of export controls fail and which succeed, how states seek to manage competing normative pressures through processes of "disconnect," and how these efforts create paths and pressures that facilitate future efforts to promote norms.For example, applying these frameworks to the Arms Trade Treaty could help explain why states with poor track records of applying humanitarian norms in their export controls, such as China and Israel, have been willing to either sign or -in the case of China -ratify the treaty.Here, the "talk" of the state's export controls has been aligned with the humanitarian norms reflected in the ATT in order to become part of the multilateral process or send signals to domestic or international political actors, while its "decisions" -i.e. the processes through which export licences are issued and the outcomes of these processes -remain more aligned with security and market norms.In addition, applying these frameworks to the UK's export controls could help explain why it has developed and promoted detailed export licensing criteria that reflect IHL norms, which it then appeared to systematically ignore in its exports to Saudi Arabia in the face of strong opposition from NGOs.Here, the alignment of the "talk" and the "decisions" of the UK's export controls with humanitarian norms in the 1990s has led to a growing misalignment with its "actions," generating pressures which domestic political actors have been highlighting to push for changes in policy.

Notes
As mandated by Article 25, the Dual-use Regulation began to undergo a review process in 2011.The Commission published a "recast" proposal in the form of a new draft version of the Dual-use Regulation in September 2016 (European Commission 2016).In response, the European Parliament published a set of proposed amendments in January 2018, and the Council published a negotiating mandate in June 2019 (European Council 2019a; European Parliament 2018).In accordance with EU legislative procedures, the Commission's proposal then underwent a process of "trilogue," involving the Commission, the European Parliament, and the Council which concluded in November 2020 when the Council and European Parliament announced that they had reached a provisional agreement on a revised version of the Dual-use Regulation (European Council 2020).