Export of cyber technology can undermine human rights in countries of destination. In the aftermath of the Arab Spring, political controversies have arisen around EU-exported cyber surveillance technology, which allegedly helped autocratic states monitor and arrest dissidents. While cyber technology is indispensable to our lives, it can be used to suppress the right to privacy, the freedom of expression and the freedom of association, not only in the EU, but also in the countries it trades with. The EU has taken a proactive role in reforming the export of human rights-sensitive cyber technology. In September 2016 the European Commission proposed the integration of human rights due diligence in the process of export control. The Commission’s proposal, however, invited strong contestations both from industry and Member States. Essentially, dual-use export control has developed in order to mitigate military risks. Attempts to integrate human rights risks in export control have thus invited discomfort among stakeholders. This paper unpacks normative tensions arising from the EU’s attempts to integrate human rights risks in its export control regimes. By so doing, the paper highlights fundamental tensions embedded in the EU’s value-based Common Commercial Policy, of which dual-use export control forms an integral part.