25 February 2025

Understanding the Requirements

The AUKUS exemptions are a critical element of the trilateral security partnership between Australia, the United States, and the United Kingdom. They allow for the streamlined transfer of certain defence technology, and services between the partner nations to enhance collaboration. However, Australian entities must register with Defence Export Controls (DEC) to become AUKUS Authorised Users or Australian Authorised Users to leverage this exemption. For Australian Authorised Users, registration alone is not sufficient—organisations must meet additional compliance obligations, including the development and maintenance of security policies and Technology Control Plans (TCPs). These plans must be readily available for inspection if and when requested.

What is a Technology Control Plan (TCP)?

A TCP is a customised document that formalises the procedures an organisation will use to control access to and release of export-controlled items in compliance with federal export regulations. It ensures personnel are aware of their responsibilities and protects sensitive technologies from breaches.

When is an TCP required?

Through the dissemination of terms and conditions, DEC has advised that Australian Authorised users require a TCP. In fact, all companies dealing with Defence and dual use controlled technology should have an TCP to support their compliance.

Key Elements of a TCP

A tailored TCP includes:

• Institutional commitment to compliance.
• Commodity jurisdiction and classification details.
• Physical and information security measures.
• Personnel screening requirements.
• Administrative elements like training, inspections, and record keeping.

Broader Importance of TCPs

Beyond meeting DEC requirements, having robust TCPs is increasingly important for engagement with domestic and international supply chain partners. Tier 1 and Tier 2 suppliers, in particular, are beginning to request evidence of TCPs and other internal export control compliance documentation from Australian entities. This trend underscores the growing emphasis on secure and compliant handling of sensitive technologies across the defence industry.

Custom Approach

Unlike template documents, an effective TCP must be uniquely designed for the organisation’s specific operations, supply chain, facilities, personnel, and technology systems. This tailored approach ensures comprehensive security aligned with operational realities. The best way to identify what needs to be in your TCP and what doesn’t, is by doing an initial baseline assessment and gap analysis of your organisation as it relates to export controls.

This requires looking across all organisational functions to identify where there is an export control touch point, what jurisdictions apply, what specific rules apply and then finally, how your company will set up internal processes to comply.

Organisations must implement these controls before handling export-controlled items, with regular updates to address emerging threats and regulatory changes. By fulfilling these obligations, Australian Authorised Users enhance compliance, build trust, and contribute to a secure defence ecosystem.