Export controls · United Kingdom & EU

ECJU & OFSI,
built to defend.

Posture assessment, Internal Compliance Programme build, and end-user / end-use due diligence under the Export Control Order, the EU Dual-Use Regulation and the UK sanctions regime.

225 FT 4 IN Westminster Abbey · west front HAWKSMOOR TOWERS · PORTLAND STONE · 1745
SIEL · 2026 Granted
ECJU · SPIRE
Standard Individual Export Licence
ECO 2008 · two-year validity · ICP cross-reference
3 regimes
ECO 2008 · EU 2021/821 · OFSI
3 engagements
Diagnostic · Build · Per-transaction
7 ICP elements
ECJU-recognised structure
6 gates
From intake to handover
§ A — Position

A bounded role,
by design.

The role is advisory and it stays advisory. We do not classify goods, rate against the control list, or opine on whether a licence is needed. That discipline is what keeps the work usable in front of the ECJU.

— 01

Assess the system

Whether the Internal Compliance Programme would stand up to an ECJU compliance visit, a prime contractor audit or a licence renewal, read element by element against ECJU and EU dual-use guidance.

  • Applicability mapped across ECO 2008 and EU 2021/821
  • Maturity graded per ICP element
  • Findings ranked by exposure
— 02

Build the programme

When the diagnostic surfaces material gaps, or there is no programme to assess, we build one: policies, procedures, screening protocols, training, recordkeeping and an audit framework, handed to the designated senior officer with the SPIRE / LITE record in order.

  • Procedure set drafted to operation
  • ECJU senior officer designation supported
  • Handover demonstrated at G6
— 03

Diligence the transaction

For a specific shipment or transfer, the management-system due diligence: red-flag analysis under ECJU end-user guidance, screening against the OFSI consolidated list with EU and UN overlays, a diversion-risk view, and an evidence pack that goes on the file.

  • OFSI / EU / UN consolidated screen
  • Red Flag matrix per ECJU guidance
  • Decision record signed by client
— 04

Stay current

Sanctions designations move faster than annual reviews. A quarterly governance retainer keeps procedures current, the screening cadence live, and the programme ready for the next compliance visit.

  • Quarterly refresh and re-screen
  • Procedure updates under change control
  • Annual programme audit report
§ B — Engagements

Three engagement
types.

All three run through the six-gate quality system from intake to handover; scope, sequencing and fee are fixed in the engagement letter.

§ C — Regimes

The frameworks
we work to.

The UK strategic export-controls surface, the EU dual-use regime, the sanctions overlay, and the supplier-side assurance frameworks that travel alongside.

UK Export Control Order 2008 Export Control Act 2002 · ECJU Notices to Exporters

The UK strategic export controls regime. Military List, dual-use schedule (post-Brexit retained law from EU 2021/821), trade controls and the extraterritorial provisions binding UK persons. Where the ECO 2008 applies, ICP scope expands accordingly.

EU Dual-Use Regulation Regulation (EU) 2021/821

The EU dual-use regime applying to EU-incorporated operations. Annex I control list, catch-all controls under Article 4, cyber-surveillance controls, the brokering definition, and the explicit ICP expectation under Article 2(21). Drafted within for EU-side operations.

OFSI sanctions Sanctions and Anti-Money Laundering Act 2018

UK financial sanctions administered by the Office of Financial Sanctions Implementation. UK Sanctions List, country and thematic programmes, reporting obligations under SAMLA 2018. Travels alongside the export-controls regime in every transaction-level due diligence.

NATO supplier quality AQAP 2110:2016 · AQAP 2210 · NCAGE

NATO supplier quality assurance for design, development, production and software. AQAP-recognised programmes hold a different evidence shape from ISO 9001-only programmes. Drafted within where the contract surface requires it.

UK MoD & cyber JSP 440 · JSP 604 · Def Stan 05-138 · DCPP · Cyber Essentials Plus

The MoD security and cyber-assurance surface that travels with the contract. Defence cyber risk profile tier and the supplier baseline expectations under DCPP, and the Cyber Essentials Plus expectation common to MoD-flow-down PQQs.

§ D — Dual exposure

When UK & EU suppliers
touch US controls.

A UK or EU supplier rarely faces one regime in isolation. The programme is designed with that overlap in view.

— Case 01

UK supplier into a US prime

A UK-incorporated supplier takes a flow-down contract from a US prime. On the UK side the Export Control Order governs the export; on the US side the same goods, services or technical data may fall under ITAR or EAR, with DFARS cyber expectations arriving through the prime's flow-down clauses.

One management system has to satisfy two regulator audiences with a single, consistent set of records.

Route · UK base programme + ITAR / EAR overlay + DFARS cyber rider
— Case 02

EU supplier with a US-origin component

An EU-incorporated supplier incorporates US-origin content into a product destined for an EU end-user. The EU side is subject to the Dual-Use Regulation; the US-origin content carries forward EAR re-export and re-transfer obligations regardless of the supplier's domicile.

The ICP must track US-origin content through the product structure and apply EAR re-export discipline alongside the EU 2021/821 management-system expectations.

Route · EU programme · US-origin component tracking · re-export discipline

Where exposure is genuinely dual, the diagnostic covers both regimes from day one, the programme build produces artefacts that stand in front of either audience, and each transaction is screened against both list sets in one pass. See also ITAR & EAR for the US framings.

§ E — Fit

When this lands
on your desk.

Three situations that put this work on the desk.

A prime is asking

A prime contractor's questionnaire on export controls or cyber has arrived, and the answers are not yet ones you would want on the record.

A licence is due

A SIEL or OGEL is up for renewal, or a fresh licence application is approaching, and the supporting programme needs to look the part.

A transaction is live

A shipment, sale or technology transfer is close to contract, and the end-user and end-use need to be diligenced before anything moves.

§ Next step

Start with
the trigger.

Tell us the regime and what prompted the question. You'll get back a scoped diagnostic, programme build or per-transaction engagement, and the boundary in writing.

Send the situation — 24h response