Security in international research and innovation collaboration (URIS guidelines)

Denmark is a world leader in research, innovation and technology in a number of fields. This is a major driver of the the Danish economy and contributes to solving global challenges, for example in relation to the green transition and health.

But it also means that Danish research institutions and companies are an attractive target for espionage, and it’s been confirmed that intelligence services in a number of countries have identified Danish research as a priority target.

The complexity of situation is compounded by the fact that universities and researchers in these countries are among the most attractive potential collaborators for Danish research, and that – naturally – international collaboration research remains indispensable to research.

The committee on guidelines for international research and innovation collaboration (URIS) has set out guidelines for Danish research institutions, including AU, that are intended to protect our research and research findings. When AU and the other Danish universities implement URIS in practice, it’s important that to strike the right balance, so that researchers and the university can work as openly as possible – as as securely as necessary.


From 1 November 2024, new guidelines apply for:

Designated ‘high-threat countries’

When working with the URIS guidelines, it’s necessary to know which countries require a heightened focus on risk management in before initiating any research collaboration. There is a list ‘high-risk countries’ that makes it relatively easy to assess whether there is a need for particular vigilance.

The high-risk countries on the list are identified by the Danish Security and Intelligence Service (PET). An up-to-date list is always available in the most recent edition of the PET publication ‘Assessment of the Espionage Threat to Denmark, the Faroe Islands and Greenland’ in the section on research.  As of 1 November 2024, PET has identified Iran, China and Russia as high-threat countries; however, this list is obviously subject to change. As a general rule, the other Danish universities use the same approach.

These particular states have been singled out for inclusion on the background of PET’s intelligence about which countries are particularly aggressive in their attempts to gain illicit access to research results from Danish research institutions and groups.

Collaboration with researchers who are citizens of these countries is not prohibited, but background screenings will be carried out in connection with recruitment, enrolment of PhD students and hosting guests. Background screenings will later be expanded to include project collaborations. The reason for the inclusion of these countries on the high-threat list is that unfortunately, Iranian, Russian and Chinese citizens are more vulnerable to attempts at manipulation on the part of their home countries’ intelligence services than the citizens of non-authoritarian states.

Read more in PET’s assessment of the espionage threat to Denmark (link to PDF).

Classifying ‘controlled’ and ‘critical’ research at AU

The URIS guidelines address all aspects of Danish universities’ international collaboration. One of the most important aims is to ensure that controlled and critical research is protected.

  • ‘Controlled research’ covers research subject to dual-use export controls, as described in the EU regulation. The focus is on non-proliferation of technologies and equipment that can be misused. In this connection, research subject to export controls refers to knowledge that could contribute to equipment or technologies falling within the threshold for equipment or technologies subject to export controls. Basic research is not subject to export controls, which means research at AU will only rarely be classified as controlled.
  • 'Critical research' refers to groundbreaking research in strategically important areas defined by the EU. The EU has identified 10 critical technology areas in regard to which there may be restrictions on choice of collaborators and how knowledge is shared and spread. While Denmark and AU might also identify critical research areas, there are currently no plans to do so.

Guidelines that protect controlled and critical research involve more extensive use of background screenings of guests, PhD students and foreign researchers prior to their arrival at AU, in addition to regulating access, both physically and digitally.

Controlled research is currently being assessed and classified at the departments/schools. When the EU issues clear definitions of critical research areas, such research will be assessed and classified as well. The departments/schools are working with AU Research, the Research Data Office to assess and classify controlled research.

On the background of information from the EU, this process will identify the research that meets the criteria for controlled and critical research. The relevant researchers will be involved in this process and will be advised on what security measures they need to take going forward. Researchers whose research meets the criteria for controlled and/or critical research as defined in the context of the URIS guidelines will be contacted directly. The Research Data Office has developed a decision tree that can give researchers a quick indication of whether their research qualifies as ‘critical’ or ‘controlled’ research.

Guidelines for sideline employment

AU's guidelines for sideline employmentcontain the following requirements that are related to the URIS guidelines:

  • Sideline employment related to high-threat countries must always be reported at least four days before the sideline employment is scheduled to begin.
  • Sideline employment within ‘critical or controlled research’ areas at Aarhus University must always be reported at least fourteen days before the sideline employment is scheduled to begin.

In both cases, such sideline employment must be reported directly to the head of department/school. If the sideline employment is assessed as compatible with the reseacher’s position at AU, it should be reported in Pure as usual.

Onboarding of new hires

It’s important that new employees are made aware that a focus on research security and complying with the URIS guidelines are part of their responsibility as university employees. AU’s guidance on onboarding has been updated to reflect the URIS guidelines. The following points are particularly important:  

  • The importance of taking the course on responsible research practice.
  • Researchers should inform their manager if they are subjected to unwanted attention or pressure from foreign intelligence services. Researchers who wish to report such incidents anonymously can do so through AU’s whistleblower scheme.
  • Please be aware that some Danish funders may require background screenings in connection with grants.

Read more about onboarding at AU.

Background screening

In connection with the implementation of the URIS guidelines at AU, the senior management team has decided to introduce background screenings based on publicly available sources in connection with the assessment of all potential new hires and PhD students, guests and in connection with changes of research setting. Background screenings must be performed if at least one of the following two criteria apply to persons in the categories above:

  1. The candidate/applicant is a citizen of a high-threat country.
  2. When the process of assessing and classifying controlled and critical at AU has been completed, more extensive background screenings will be carried out in connection with research in these areas. Assessment and classification of controlled research is expected to be completed in late 2024/early 2025. Affected research groups will be informed accordingly.

For more information, see AU HR's information about background screening.

  • Recruitment and changes of research setting - A background screening must be performed before inviting a candidate to an interview and before offering employment or an invitation to visit. In the event that a background screening on a candidate is required, employees will automatically be notified. When background screenings are performed, the hiring manager must provide information about the research area in question and other by filling out a form, and the administrative unit Background Screening Office (BSO) carries out a background screening based on publicly-available sources. The head of department/school, in consultation with the dean (or a representative authorised to act on the dean’s behalf) is responsible for carrying out a security risk assessment of the candidate and either approving or rejecting the candidate. Read more about background screening at AU HR's webpage.
  • Ph.d.
    Prospective PhD students The graduate school adheres to the AU guidelines for international research and innovation. Please find more information here.
  • Visiting scholars, guest Ph.D. students
    When inviting visiting scholars and guest Ph.D. students from high-risk countries, a background screening must be conducted before the person can be invited to a guest stay at AU. The departments are responsible for identifying any visiting scholars from high-risk countries. It is also the department's responsibility to initiate the background screening. Read about which groups are included, the process etc. at the AU International Staff Offices website.

The procedure for background screenings has been designed based on input from AAU, background screening pilot projects at NAT and TECH and guidance from PET. Background screenings are exclusively based on publicly-available sources.


Brian Vinter, chair of the URIS implementation group, answers questions about URIS guidelines at AU:

Who decides when a country is a high-threat country from a research perspective?

PET identifies risk countries. As at 1 July, the high-threat countries to research are: Iran, Russia and China.

What does Aarhus University risk by collaborating with researchers from a high-threat country?

In the vast majority of cases, there is no risk in collaborating with researchers from countries identified by PET as high-threat countries. There are only a few areas where we need to pay special attention. These include in particular dual use areas - research with both military and civilian applications.

Why should the university do PET's work and safeguard research from being misused/stolen?

We’re not. At Aarhus University, we’re responsible for implementing the URIS guidelines to protect researchers and research from abuse and unwanted attention. That’s our responsibility. We can’t outsource background checks to PET because assessing a potential employee's field of research and their application requires the university's expertise, but PET has provided input on how background checks can be performed.

Why is AU responsible for implementing the Government's foreign policy?

Our focus is on the potentially risky use of research and the people who are at risk of coming under pressure.

According to the University Act, research must be free and without restriction - how does this harmonise with URIS guidelines?

Freedom of research means that researchers are free to choose what they want to research within their field, what methodology they use, and where they publish. Sharing raw data with is regulated under other parts of the University Act than the definition of freedom of research.

Who will be conducting the background checks?

The background checks will involve several people, but primarily the hiring manager in collaboration with the new HR unit. Briefly, the HR unit will conduct an open source search, and the hiring manager will answer a questionnaire, which includes questions about the type of research the potential employee will be involved in. Based on this, in consultation with the dean, the head of department will then assess the overall security risk and either approve or reject the applicant.

Who will train the people conducting the background checks?

HR at the NAT/TECH administrative centre will set up a new unit trained by PET and others, to conduct screenings.

What sources does AU use to perform a background check - and are they reliable?

The background checks will use open sources that are accessible via the internet. Training includes distinguishing between credible and non-credible sources.

Is there any evidence that background checks work?

We don't know exactly how effective the tool is. During the pilot period at Tech and Nat, some applicants have been turned down. The reason was that we weren’t 100 per cent certain that we could protect the person from being pressured into disclosing confidential information.

Will researchers have additional work as a result of the URIS guidelines?

Yes, if they want to hire an employee, enrol a PhD student or bring in a guest from a high-threat country, they will need to help ascertain the background of the prospective employee or guest.

Are our current colleagues from the high-threat countries potential spies?

No, we have no reason to believe that our employees from Iran, Russia or China are potential spies. This initiative is also about safeguarding our employees from being put under pressure by those regimes. If they receive unwanted attention or an unpleasant enquiry from their home country's intelligence services, employees should always be able to go to their manager. In theory, any researcher with access to sensitive data can be put under pressure, including Danish researchers. We screen researchers from URIS countries because PET believes they are at a higher risk of being contacted.

Should we be suspicious of foreign researchers when they ask (relevant) questions about dual-use research?

No. We shouldn't be wary of any researcher who asks relevant questions. We do checks at the front door.

How do we avoid side-eyeing colleagues who are citizens of a high-threat country?

Having a healthy and positive work culture is a shared responsibility. We shouldn't start being concerned about colleagues with citizenship from certain countries.

What about employees from high-threat countries who leave AU - will they be off-boarded?

Yes, an off-boarding procedure is on the way, and it will be included in the second roll-out of URIS procedures, expected in late 2024.

What about students who perform research-related tasks, do they also need a background check if they come from high-threat countries?

In general, no. If they are hired then they should be treated as any other employee. It will be up to the individual laboratory to determine what information the student should have access to.

Does that mean no more inviting upper secondary school students to visit laboratories - just in case there is a student from a high-threat country in the group?

Visitors to AU don’t have access to sensitive information, and thanks to GDPR guidelines, we’ve become much more aware of protecting information. Upper secondary school students are still very welcome.

We risk rejecting talented early career researchers just because they come from a high-threat country - isn't that too big a loss for AU and Danish research?

Yes of course, which is why we need to be very careful about not over-implementing the guidelines.  I can't guarantee that we won't say no once too often, but we won't automatically say no because a person is a citizen of a high-threat country. 

Should computers and mobile phones brought on trips be destroyed afterwards to avoid spyware?

No. There will be a procedure for devices when travelling, which means that when you travel to a high-threat country, you’ll be given a computer and mobile phone that will be reset by the IT department when you return.

Are the URIS guidelines relevant to everyone - including an archaeologist?

Not necessarily. But an archaeological researcher may have knowledge about the location of underground cables, for example, which may be sensitive information that should not be shared with hostile states.

Should all researchers at AU be on the alert for espionage?

No. But we can’t know exactly who has knowledge that could be of interest to hostile states. I usually compare it to the rules for handling radioactive material: I expect all researchers at AU to know that there are rules for working with radiation. I don't expect many people to know the rules in detail because the rules are only relevant to those who work with radiation. It’s the same with the URIS guidelines; everyone should know that it's a regulated field. But no many need to know the rules in depth.

The URIS guidelines rollout schedule

The rollout and development of the URIs guidelines and initiatives will be phased and gradual. At present, three phases are being planned, to be approved by the senior management team, at different times in 2024-25. The phases will be rolled out in order of importance as well as on the basis of the implementation group’s assessment of their impact on risk mitigation. However, another factor involved in the planning is whether the basic prerequisites for drafting URIS guidelines are in place at AU.

Tentative schedule:

  • On 23 May, the senior management team approved the first set of guidelines, which have been implemented on 1 November 2024.
  • On 24 October, the URIS implementation group has considered recommendations for phase 2 of URIS guidelines, which consist of:
    • Project collaborations
    • Travel policy 
    • Physical security of 'critical' research
    • Offboarding
  • On 18 November, AU's research committee will consider phase 2 of the URIS guidelines.
    • Phase 2 is expected to be approved by the senior management team in late 2024 and implemented in early 2025. .
  • In late 2024 and early 2025, phase 3 of guidelines will be developed. They are expected to contain, e.g.:
    • URIS and commercialising research (patents, licenses, spin out etc.)

The URIS implementation group at AU

The URIS implementation group was created by the senior management team in order to develop proposals for URIS guidelines at AU. The proposals must be approved by the senior management team before they are implemented.

In 2020, the Ministry of Higher Education and Science set up the Committee on Guidelines for International Research and Innovation Collaboration (URIS), which in May 2022 published "Guidelines for International Research and Innovation Collaboration" (URIS Guidelines). The task of the implementation group is to adapt these these guidelines to an AU context to enable researchers at AU can engage in research collaborations as openly as possible - and as safely as necessary.  

Members of the URIS implementation group: