Export Control Compliance

Export control compliance governs the transfer of goods, software, technology, and services across international borders — and in some cases between parties within the United States — when those transfers carry national security, foreign policy, or economic implications. The framework is administered by multiple federal agencies, each operating under distinct statutory authority and maintaining separate control lists. Violations can result in civil and criminal penalties reaching into the tens of millions of dollars, making export control one of the highest-stakes areas within the broader landscape of federal compliance requirements.

Definition and scope

Export control compliance refers to the body of obligations imposed on individuals, companies, and institutions that export, re-export, transfer, or otherwise transmit controlled items or information. Control extends to physical shipments, electronic transmissions, oral disclosures, and deemed exports — a concept where sharing controlled technology with a foreign national inside the United States constitutes an export under U.S. law.

Three primary regulatory frameworks govern this space:

1. The Export Administration Regulations (EAR) — administered by the Bureau of Industry and Security (BIS) within the Department of Commerce, governing dual-use goods and technology classified under the Commerce Control List (CCL). Authority derives from the Export Control Reform Act of 2018 (50 U.S.C. §§ 4801–4852).
2. The International Traffic in Arms Regulations (ITAR) — administered by the Directorate of Defense Trade Controls (DDTC) within the Department of State, covering defense articles and services listed on the United States Munitions List (USML). Authority derives from the Arms Export Control Act (22 U.S.C. § 2778).
3. The Office of Foreign Assets Control (OFAC) sanctions programs — administered by the Department of the Treasury, restricting transactions with designated countries, entities, and individuals under programs such as the Specially Designated Nationals (SDN) list.

BIS civil penalties under the EAR can reach $364,992 per violation or twice the transaction value, whichever is greater (BIS, 15 C.F.R. Part 764). ITAR criminal penalties reach $1,000,000 per violation and 20 years imprisonment (22 C.F.R. Part 127).

How it works

Export control compliance follows a structured determination process. Understanding where an item or technology sits within this process determines what licenses, exceptions, or prohibitions apply.

1. Item classification — Determine whether the item, software, or technology is controlled. Under EAR, each item is assessed against the CCL to identify its Export Control Classification Number (ECCN). Items not on the CCL may fall under EAR99, a low-control category. Under ITAR, items are mapped to one of 21 USML categories.
2. Jurisdiction determination — Establish whether EAR or ITAR applies. Jurisdiction depends on the item's primary function and design intent. Defense articles designed specifically for military application generally fall under ITAR; dual-use commercial items with potential military applications generally fall under EAR.
3. Destination, end-user, and end-use screening — Screen against OFAC's SDN list, BIS's Entity List, Denied Persons List, and Unverified List, plus the State Department's Debarred List. No license exception or exemption overrides a prohibited party screen.
4. License determination — Determine whether a license is required based on ECCN, destination country, end-user, and end-use. If a license is required, submit an application to the relevant agency or assess applicable license exceptions (EAR) or exemptions (ITAR).
5. Recordkeeping and documentation — Maintain transaction records for a minimum of 5 years under EAR (15 C.F.R. § 762.6) and ITAR. Documentation includes shipping records, end-user certificates, license copies, and screening records.

This process integrates directly with compliance documentation requirements across the organization.

Common scenarios

Export control obligations arise across a wide range of business contexts, not only in traditional defense manufacturing:

• Technology transfers at universities — Sharing controlled research with foreign national students or researchers triggers deemed export rules. Universities operating under fundamental research exclusions must verify the exclusion's conditions are met before each disclosure.
• Cloud and software licensing — Providing access to controlled software via cloud platforms to users in embargoed countries (Cuba, Iran, North Korea, Syria, and the Crimea region) implicates both EAR and OFAC programs, even without a physical shipment.
• Mergers and acquisitions — Acquiring a company holding ITAR-registered status or BIS licenses requires transfer of those authorizations; unlicensed transfers of ITAR-controlled technical data during due diligence can themselves constitute violations.
• Encryption technology — Encryption products classified under ECCN 5E002 or 5D002 require specific EAR license review before export to certain destinations, even when the encryption is commercially available.
• Repair and return shipments — Returning a foreign-origin item after repair in the United States may require a re-export license depending on the item's classification and the destination.

Decision boundaries

The clearest classification boundary in export control compliance runs between EAR and ITAR jurisdiction. A product designed and developed for commercial purposes that incidentally has a military use is presumptively EAR-controlled. A product specifically designed, modified, configured, or adapted for a military application is presumptively ITAR-controlled. Dual-use designation under EAR does not reduce obligation severity — ECCN 5A001 (telecommunications equipment) carries strict regional controls that require licensing for exports to many non-allied destinations.

A second critical boundary separates license exceptions from license exemptions. EAR license exceptions (defined at 15 C.F.R. Part 740) are self-asserted; ITAR exemptions (defined at 22 C.F.R. Part 123–126) carry their own documentation conditions and cannot be used if any element of the transaction involves a denied or debarred party.

Voluntary Self-Disclosure (VSD) programs exist at both BIS and DDTC. BIS treats VSD as a mitigating factor in penalty calculation (15 C.F.R. Part 764, Supplement 1); DDTC's VSD program operates under 22 C.F.R. § 127.12. Neither program guarantees penalty avoidance, but both are recognized mitigating factors in enforcement proceedings. Organizations with established compliance risk assessment protocols are better positioned to identify potential violations before they require disclosure.

References

• Bureau of Industry and Security (BIS) — U.S. Department of Commerce
• Export Administration Regulations (EAR) — 15 C.F.R. Parts 730–774 (eCFR)
• Directorate of Defense Trade Controls (DDTC) — U.S. Department of State
• International Traffic in Arms Regulations (ITAR) — 22 C.F.R. Parts 120–130 (eCFR)
• Office of Foreign Assets Control (OFAC) — U.S. Department of the Treasury
• Export Control Reform Act of 2018 — 50 U.S.C. §§ 4801–4852 (GovInfo)
• Arms Export Control Act — 22 U.S.C. § 2778 (House.gov)
• BIS Recordkeeping Requirements — 15 C.F.R. Part 762 (eCFR)