cyber-security 09 January 2020

Netherlands issues ICP guidelines

The Netherlands has issued guidelines for companies looking to set up internal compliance programmes (‘ICPs’).

The document, ‘Internal Compliance Programme: Guidelines for Compiling an Internal Compliance Programme for Strategic Goods, Torture Goods, Technology and Sanctions’, comes from the Dutch Ministry of Foreign Affairs in close collaboration with the Central Office for Import and Export (‘CDIU’).

According to the guidelines, an ICP must cover seven core elements, listed as:

  • commitment to compliance with legal requirements;
  • structure and responsibility;
  • export screening procedure;
  • shipment control;
  • training;
  • audits, reporting and improvement measures; and
  • archiving.

The list closely resembles the EU’s ICP guidelines, issued in summer 2019, but is not identical. Where the Netherlands’ seven core elements include shipment control, the EU’s include physical and information security.

Detailed guidance is offered for each core element. In addition, the document offers supplementary sections on controlled technology, cyber surveillance and potential torture goods.

For controlled technology, both traditional export and intangible transfer of technology (‘ITT’) are covered. The section on cyber surveillance focuses on dual-use technologies that could be used for purposes that violate human rights.