This chapter presents the Wassenaar experience with regard to cyber tools and introduces the human rights context in which the regulation of cyber tools came about and explains the resulting focus on surveillance and intrusion tools. Despite the specific context and limitations of the additions to Wassenaar, the export control experience can provide valuable insights for broader efforts to regulate cyber tools internationally. Export controls fall under ‘exclusive’ European Union (EU) competence, meaning that regulations are legally binding and directly applicable in member states although they are drafted and adopted by EU organs rather than national parliaments. In addition to the implementation of the 2013 additions to the Wassenaar Arrangement, regulation of cyber tools has been a part of the official review of the EU dual-use export control regime that began in 2011. Export license requirements would negatively impact the ability of industry to perform red team-blue team exercises, and share information within a company with other stakeholders.