Asset Management – Compliance & ESG | Beyond defense – Norway’s export controls target civilian investment sectors

Relevance for Norwegian asset managers

Export control rules may be applicable to Norwegian asset managers across multiple asset classes, including venture capital, buyout and growth equity, as well as family offices and unregulated investment companies. Furthermore, such rules are relevant to managers pursuing various investment strategies, including sectors where security implications may be less apparent or more nuanced. This encompasses, for example, asset managers with mandates focusing on technology-oriented companies across artificial intelligence, computing systems, semiconductors, biotechnology, cybersecurity, fintech, and digital infrastructure, but also other industries such as energy, maritime, pharmaceutical and research. Export controls extend beyond defense-related goods to encompass products, technology (including tangible and non-tangible items such as knowledge) and services with legitimate commercial applications that possess potential dual-use capabilities. Controlled items may include software-defined radio systems for telecommunications, medical imaging equipment (MRI, CT scanners), research on the use of chemical products, and production of equipment used in vaccine development such as containment facilities etc.

Consequently, export control rules apply broadly and may be relevant to more asset managers, and in more transactions than initially apparent. Given increasingly stringent export control regulations, it is essential to ensure that export control regulations are integrated into M&A processes where this is relevant. Portfolio companies should properly classify their products, technology and services to determine whether export control requirements apply, and to secure appropriate licenses where required.

Export control regulations in brief

The Norwegian export control framework is governed by the Export Control Act and the Export Control Regulation. The Export Control Regulation List I covers defense-related goods whereas List II captures dual-use goods including key categories such as special materials and equipment, materials processing, electronics, computers, telecommunications and information security, sensors and lasers, and marine equipment. The Norwegian government applies the same lists as the EU. Norway has also recently introduced a national control list, List III, capturing certain critical goods and technologies to produce advanced computer chips and quantum computers. It can be expected that the items on List III may be expanded in the future.

How is “technology” defined?

The term “technology” was recently clarified in a guidance published by the Ministry of Foreign Affairs on 22 August 20205 (the Guidance). Technology is widely defined and includes tangible items such as equipment and components, but also non-tangible items such as practical knowledge, insights and methods necessary to develop, produce, maintain or use a product. For example, research on the production or use of a chemical fulfilling the technical specifications on List II may warrant an export license, e.g. if information is shared with a foreign national (c.f. the definition of “export” below which provides further clarifications). There have been no amendments to the existing legal framework around export controls, but the Guidance serves to clarify and specify the existing control provisions.

There are some exemptions from licensing requirements, including publicly available information, basic scientific research, and minimum information necessary for patent applications.

What constitutes “export”?

Notably, also “export” is widely defined. It includes any transfer of controlled goods, services and technology from Norway. Export may also be electronic transfer, and even oral through training and seminars. For example, research projects in Norway involving foreign employees, or giving foreigners access to controlled research e.g. through international cloud platforms (such as Microsoft 365 and Google Workspace) legally counts as exporting that information to their home countries, even though nothing physically crosses any border (so-called “deemed exports”).

Export control requirements in practice

Export control is security politics in practice. Export of controlled goods, technology and services require license by the Directorate for Export Control and Sanctions (DEKSA). It is the duty of the exporter to obtain a license prior to exporting. Any application must be based on the formal criteria enlisted in the export control regulation and as otherwise stated by DEKSA. Companies are also expected to perform thorough end-user due diligence in support of license applications and to avoid exporting controlled items to sanctioned individuals or entities. Export controls and sanctions overlap and reinforce each other. Sanctions regimes frequently incorporate export control restrictions by prohibiting the transfer of specific dual-use items to sanctioned countries, entities, or individuals, whilst export control regulations may reference sanctions lists to determine licensing requirements and prohibited destinations.

Non-compliance with export control requirements may be subject to corporate fines and imprisonment.

The Norwegian export control framework includes “catch-all” provisions that under specific circumstances can impose licensing requirements on any goods, technology and services. Export control regulations change frequently as governments update controlled item lists and expand existing provisions. Asset managers and their portfolio companies should monitor these developments, as items not currently controlled may become regulated through list expansions or broader provisions.

BAHR comments – what can asset managers do

Against this backdrop, asset managers ought to develop adequate compliance frameworks that address both investment-level and portfolio-wide export control requirements. The following practical guidance draws directly from the new regulatory framework and enforcement expectations as outlined in the Guideline.

Prior to investment:

• Asset managers should ensure to assess export control risks prior to entering new investments tailored to their strategy. Failure to identify potential regulatory exposure could result in costly compliance violations and operational restrictions that impact investment returns.

During the ownership period, asset managers with portfolio companies that are subject to, or likely to become subject to, export control regulations should ensure their portfolio companies do the following:

• Perform risk assessment to assess if and how the company’s products, technology or services can fall withing the export control regulations and hence are subject to licensing. This includes a classification applying the technical categories as provided for in List II and III and in relevant guidance material.
• Identify who is the end user and what is the end use by risk-based due diligence procedures. For any items requiring a license, end-user documentation is normally required by DEKSA. Dual use capability assessments combined with thorough end user analysis may also be important in situations where for example items intended for civilian use are exported to business partners with ties to countries subject to arms embargoes. Such analysis includes beneficial ownership mapping and more thorough technical capability analysis, hereunder evaluation of stated end-use purposes against business needs.

• Include adequate compliance clauses in relevant agreements, such as no re-export clauses where required, relevant wording in employment contracts with foreign nationals, research collaboration agreements, technology licensing arrangements, and cloud service agreements etc.
• Establish systematic monitoring of regulatory updates. Control lists evolve frequently in response to technological developments and geopolitical changes. The lists are normally updated annually, and it is the lists attached to the regulation published on Lovdata that are valid at any time.