Export Administration Regulations: How to Stay Compliant with U.S. Export Controls

The EAR control three main categories: commodities, software, and technology. A commodity is a physical product. Software includes code in any form. Technology covers technical data needed to develop, produce, or use an item. Each item is classified under an Export Control Classification Number, or ECCN.

The Commerce Control List in Supplement No. 1 to Part 774 lists every ECCN. Items not specifically listed are designated EAR99. EAR99 items still require review against destination, end-user, and end-use rules. A U.S. .xport controls analysis must examine all four factors. Recent rule changes in October 2023 and December 2024 tightened controls on advanced computing chips. Companies handling export controlled goods should reclassify their portfolios annually.

Three regimes regulate U.S. .xports. The EAR cover dual-use items. The International Traffic in Arms Regulations cover defense articles and services. Office of Foreign Assets Control rules enforce sanctions against specific countries and persons. Each has its own licensing system and penalties.

A single transaction can trigger all three regimes. For example, exporting encryption software to a sanctioned country may involve EAR, OFAC, and ITAR review. Jurisdictional analysis is the first step in any compliance program. The Commodity Jurisdiction request to the State Department resolves close cases between EAR and ITAR. Coordinated ITAR and EAR advisory work prevents costly classification errors.

Start with the ECCN. Each ECCN is paired with reasons for control, such as national security or anti-terrorism. Then check the Country Chart in Supplement No. 1 to Part 738. The chart shows whether a license is required to ship a given ECCN to a given country. If both columns trigger, a license is required.

License exceptions may still apply. Common exceptions include LVS, TMP, and ENC. Each exception has strict conditions. Misuse of an exception is treated as an unlicensed export. Exporters must keep documentation for five years under 15 C.F.R. § 762. Working with experienced counsel on export compliance law reduces this risk.

Even an EAR99 item can require a license if the buyer is a restricted party. BIS maintains the Entity List, the Denied Persons List, and the Unverified List. The State Department and Treasury maintain their own lists. The Consolidated Screening List combines them in one searchable tool. Screening must check the buyer, freight forwarder, end-user, and any intermediaries.

Recent additions to the Entity List have targeted firms in China, Russia, and Iran. Many are tied to military or surveillance programs. Hits require enhanced due diligence or refusal of the order. Companies must also screen for "Red Flags" listed in Supplement No. 3 to Part 732. Ignoring a Red Flag may establish "knowledge" under EAR licensing requirements and trigger criminal liability.

The nine elements form the spine of any defensible program. They include management commitment, risk assessment, written policies, training, screening, recordkeeping, audits, internal handling of issues, and program testing. Each element should be tailored to the company's products and markets. A semiconductor manufacturer faces different risks than a software vendor.

Senior management must own the program in writing. Training should reach engineers, sales staff, and shipping personnel. Records must include classification decisions, screening results, and license documents. Annual audits identify gaps before BIS does. Companies engaged in technology transfer should include foreign-national access controls in their procedures.

A deemed export is the release of controlled technology or source code to a foreign national inside the United States. It is treated as an export to the person's home country under 15 C.F.R. § 734.13(b). Deemed exports often arise in research labs, engineering teams, and visiting-scholar programs. The license requirement is the same as for a physical export to that country.

A foreign engineer reviewing controlled drawings may need a license. Hiring decisions, lab access, and visa categories all interact with deemed export rules. Universities and tech firms face heightened risk. Recent BIS enforcement has focused on academic and biotech research. A robust export compliance program addresses these risks through visual markings, IT segregation, and access logs.

The BIS Office of Export Enforcement runs investigations alongside FBI, CBP, and DOJ partners. Common triggers include suspicious shipping records, customer complaints, or whistleblower tips. BIS uses subpoenas, "Is Informed" letters, and on-site inspections. Companies usually learn of an investigation through a subpoena or a request for records.

Cooperation matters greatly. Voluntary self-disclosure under 15 C.F.R. § 764.5 can cut penalties by up to 50%. The April 2023 BIS memorandum made clear that nondisclosure is now an aggravating factor. Settlements frequently include detailed remedial measures and external compliance monitors. Strong corporate compliance infrastructure can be the difference between a warning letter and a multimillion-dollar settlement.

Stop the activity immediately and preserve all related records. Do not destroy emails, shipping documents, or technical files. Engage outside counsel before notifying BIS. Counsel will lead an internal investigation under privilege. The investigation should establish what was shipped, to whom, and why.

Decide on voluntary self-disclosure based on the facts. A complete narrative, root cause analysis, and remediation plan are required. BIS expects concrete corrective action, not just acknowledgment. Recent enforcement cases have reached nine-figure penalties for willful violations involving sanctioned countries. Companies facing related sanctions exposure should also coordinate with OFAC sanctions compliance counsel.