Export Controls in the United States

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight


The US government controls exports of sensitive equipment, software and technology for reasons of national security and foreign policy. Generally, the goals of US export controls are to (1) protect the national security of the United States by limiting access to the most sensitive US technology and weapons, (2) promote regional stability, (3) prevent the proliferation of weapons and technologies, and (4) protect human rights around the world.

US export controls frequently apply extraterritorially, extending US export controls compliance obligations to non-US persons. For example, an item of US origin can remain controlled under US laws even after its initial export, and require a licence or authorisation for re-export – or even transfer within a single country – from one non-US person to another non-US person. Even certain items produced outside the United States may be subject to US export controls if they are the direct product of certain technology, software or machinery of US origin. In other cases, items that are not of US origin can become subject to US jurisdiction if they contain more than 25 per cent (or in some cases even less) controlled US-origin components, technology or software.

This chapter provides an overview of the US export controls regimes, with a focus on the Export Administration Regulations (EAR),[2] administered by the US Department of Commerce’s Bureau of Industry and Security (BIS), which controls dual-use items – meaning items that can be used for civil or military purposes – as well as certain less-sensitive defence articles, and the International Traffic in Arms Regulations[3] (ITAR), administered by the US Department of State’s Directorate of Defense Trade Controls (DDTC), which controls military items, ‘defense articles’ and ‘defense services’.

As discussed in Chapter 6 of this guide, the United States Department of the Treasury’s Office of Foreign Assets Control (OFAC) also restricts the export of items to certain destinations and entities. Sometimes there is overlapping jurisdiction between OFAC sanctions programmes and other US export control regimes, such as BIS. In some cases, a licence may be required from one or even multiple authorities to export items subject to US jurisdiction, particularly to embargoed destinations. It is important to determine which US export controls regimes may apply to a specific transaction and assess licensing requirements accordingly.

Various other US government entities also play a role in administering US export controls, including the US Department of Commerce’s Census Bureau, which is responsible for ensuring the accuracy of the trade control data reporting; the Nuclear Regulatory Commission and the Department of Energy, which regulate exports relating to nuclear items and technology; the Federal Emergency Management Authority, which is more recently responsible for overseeing exports of personal protective equipment from the United States; and the US Patent and Trademark Office, which administers regulations overseeing exports of technology in connection with patent applications and related filings.[4] You can find additional information about other US government agencies and offices with export control responsibilities at BIS’s website.[5]

Export Administration Regulations

The EAR,[6] administered by BIS, control the export, re-export or transfer (in-country) of certain items of US origin and, in some cases, of non-US origin. The EAR’s Commerce Control List (CCL),[7] sets out a technically focused list of goods, software and technology with varying levels of controls based on a variety of national security and foreign policy reasons and the country of destination. Apart from the CCL-based controls, the EAR also control the export of certain items to restricted destinations, end uses and end users. BIS has various offices dedicated to overseeing technical review, licensing, providing support to exporters, and investigating and enforcing potential regulatory violations.[8]

Scope of the EAR

The EAR apply to items that are in the United States, items of US origin, wherever located, foreign-produced items that contain more than a de minimis amount of controlled US-origin content, and items that are the direct product of certain US technology and software. This means that both US and non-US persons and companies may have compliance obligations under the EAR, and both US-origin and foreign-produced items may be subject to the EAR.

Subject to the EAR

All items physically located in the United States are subject to the EAR and remain subject to the EAR after export[9] from the United States, for re-export and transfer (in-country), with some exceptions. An item subject to the EAR that is sent from one foreign country to another foreign country is a ‘re-export’.[10] Relatedly a ‘transfer (in-country)’[11] under the EAR is a change in end use or end user within the same foreign country. In some cases, items in the United States, such as technology, can be considered exported even though the technology has not left the United States, if it is transferred to a non-US person located in the United States. This is referred to as a ‘deemed export’.[12] The EAR further clarify: ‘Any release in the United States of “technology” or source code to a foreign person is a deemed export to the foreign person’s most recent country of citizenship or permanent residency.’[13]

Some items in the United States are not subject to the EAR; these are discussed further below. Additionally there are foreign products that are subject to the EAR in certain circumstances if the foreign-produced item contains more than a de minimis[14] amount of controlled US content (the De Minimis Rule), and certain foreign produced items that are the direct product[15] of US-origin technology and software that is controlled for national security reasons, or are produced by equipment that is the direct product of that technology or software (the Direct Product Rule). In May 2020, the Foreign Direct Product Rule was modified to specifically target certain companies on the Entity List by expanding the scope of non-US origin items that are subject to US export licensing requirements when being transferred to the relevant Entity List entities.[16]

Items not subject to the EAR

Items not subject to the EAR include, among other things, those that are under the exclusive jurisdiction of another US government agency; certain publications, including books, newspapers and periodicals; and information and software that are published, arise during, or result from, fundamental research, are released in an academic institution course (in certain circumstances) or appear in published patent applications.[17]

EAR basics

The EAR can be a complex area of US export controls. We provide the basics of the EAR below; further background details regarding the EAR can be found in Part 732 of the EAR, ‘Steps for Using the EAR’.[18]

To determine your obligations under the EAR, first, you must determine basic information regarding the transaction:

  • What is it? Knowing an item’s classification on the CCL is an important first step to determining your obligations under the EAR.
  • Where is it going? The country of ultimate destination often determines the licence requirements under the EAR.
  • Who will receive it? It is important to screen the end users to confirm that they are not restricted, and to determine whether certain licence exceptions may apply.
  • What will they do with it? Certain end uses can independently trigger licensing requirements under the EAR.
  • What else does the end user do? Some activities, such as proliferation activities, undertaken by the end user may prevent dealings with them.[19]

A key aspect of the EAR is the General Prohibitions at Part 736 of the EAR. General Prohibitions one to 10 cover a broad set of prohibited activities touching on almost all aspects of the EAR, including exports or re-exports to prohibited end uses or end users (General Prohibition Five); exports or re-exports to embargoed destinations (General Prohibition Six); and proceeding with a transaction with knowledge that a violation has occurred or is about to occur (General Prohibition Ten). General Prohibition Ten can particularly affect non-US companies, especially if they have items in their possession that may have been involved in violations of the EAR. In some cases, authorisation from BIS may be needed prior to return, disposal or any other dealings in items subject to the EAR if there is knowledge that a violation has or is about to occur in relation to those items.[20]


Jurisdiction is a threshold question in determining whether an item is subject to the EAR. For the purposes of the EAR, an item may be subject to the EAR unless it is under the exclusive control of another US regime, such as military items that are controlled under the ITAR. In that sense, the EAR are something of a catch-all regime. Items subject to the EAR also include:

  • all items located in the United States;
  • items moving in transit through the United States;
  • all US-origin items wherever located;
  • foreign-made items that incorporate more than a de minimis amount of controlled US-origin content; and
  • foreign-made items that are the direct product of certain US-origin technology or software.[21]


If an item is subject to the jurisdiction of the EAR, you will need to conduct a review of the CCL to determine whether the item is listed. The CCL contains a (mostly) positive list of items used by BIS to identify more sensitive dual-use or civil items, as well as some less sensitive defence articles not falling within ITAR control that BIS controls for export, re-export or re-transfer. The CCL entries contain technical parameters that often require the review of technical experts to make a determination. The CCL entries are identified by Export Control Classification Numbers (ECCNs), which are denoted by a five-digit alphanumeric reference. They begin with a number between zero and nine, indicating the general category of the item that is controlled (e.g., electronics, computers and information security); a letter identifying the product group of the item (e.g., software and technology); followed by a final three digits that indicate the type or reason for control (e.g., missile technology, nuclear non-proliferation and Wassenaar Arrangement Munitions List).[22]

If you determine that your item is subject to the jurisdiction of the EAR but is not listed on the CCL, then it is classified as EAR99, which is a catch-all classification. In general, EAR99 items may be exported to most destinations without a licence. However, key exceptions are detailed in the EAR, including where a General Prohibition applies. For example, an EAR99 item may not be exported without a licence to certain restricted destinations, for certain prohibited end uses, or to certain prohibited end users.[23] Currently the destinations that are subject to heightened restrictions under the EAR include Iran, North Korea, Syria, Cuba, Iraq, Russia and the Crimea region of Ukraine.[24]

Licence determination and licence exceptions

Determining whether a licence is required is a key step under the EAR, as the regime only requires a licence for certain exports. For items listed in an ECCN, one must look to see whether the item is controlled for the end destination as specified in the ECCN entry on the CCL and detailed in the Commerce Country Chart.[25] The Commerce Country Chart identifies the ‘reasons for control’ of the items and cross-references the reasons for control with each potential destination country. If the end destination is not subject to the ECCN’s reason for control then a licence is not required for reasons based on the product’s classification and the end destination.

A licence may also be required if one of the 10 General Prohibitions is triggered. As noted above, General Prohibitions can trigger licence requirements, even for EAR99 items not otherwise subject to a licence requirement under the EAR, if they involve a restricted end use or end user, among other things. For example, General Prohibition Nine specifically prohibits violations of any order, term or condition of a licence or licence exception.[26] General Prohibition Five prohibits knowingly exporting or re-exporting any items subject to the EAR to or for a prohibited end user or end use as described in Part 744 of the EAR. For example, certain exports to military end users and for military end uses are prohibited under Section 744.21 of the EAR.[27]

As a final step, if a licence appears to be required under the EAR for the export, re-export or transfer of an item, you should review the Licence Exceptions at Part 740 of the EAR and determine whether any of the Licence Exceptions may apply. The application of an EAR Licence Exception is fact specific; each exception varies in application and has detailed compliance requirements.

BIS lists of parties of concern

BIS has three lists of parties of concern.[28] Inclusion on these lists can have a dramatic effect on the listed parties’ ability to lawfully obtain items subject to US jurisdiction. The BIS Entity List prohibits the listed entities from receiving some or all items subject to the EAR without a licence.[29] The Entity List has been increasingly used in recent years for national security and foreign policy reasons. The Denied Persons List is a list of individuals and entities that have been denied export privileges from the United States.[30] An order to deny export privileges generally restricts the ability of the named party to participate in export and re-export transactions involving, or restrict access to, items subject to the EAR. Finally, the Unverified List is a list of parties whose bona fides BIS has been unable to verify. BIS conducts end-use and end-user visits all over the world via its export enforcement officers (EEO), who are embedded at US embassies. Generally, if an EEO is unable to verify an end user or the end use of an item that was previously exported to a non-US party under a BIS licence, the party is placed on the Unverified List. No licence exceptions may be used to export to these parties and a statement must be obtained prior to shipping anything subject to the EAR (even if not subject to a licence requirement).[31]

Extraterritorial aspects of the EAR

In addition to the foregoing discussion regarding re-exports or transfers of unchanged or unmodified US-origin items that remain subject to the EAR, wherever located, we highlight a few other key extraterritorial aspects of the EAR.

The De Minimis Rule

The De Minimis Rule described in Part 734 of the EAR, requires that certain foreign-produced items that incorporate controlled items of US origin to be subject to the EAR if the percentage of controlled US-origin content is over 25 per cent or (for some countries) 10 per cent. There are a few items that are not eligible for the De Minimis Rule, such as some types of computers and certain encryption technology. General Prohibition Two prohibits the re-export and export from abroad of foreign-made items incorporating more than a de minimis amount of controlled US content. Non-US companies should be aware of the potential compliance obligations under the EAR of incorporating controlled US-origin content into foreign-made items.

Foreign Direct Product Rule

The Direct Product Rule is found in Part 734.3(a), paragraphs (4) and (5) of the EAR. The Direct Product Rule applies to certain foreign-made items that are the direct product of certain US-origin technology or software described in General Prohibition Three.[32] General Prohibition Three also applies to certain items produced in a plant or by a major component of a plant outside the United States that are the direct product of certain technology or software of US origin. It is important to understand that items produced outside the United States, may, in some cases be caught by the Direct Product Rule under the EAR and be subject to US export controls.

EAR export compliance programme

An effective BIS export compliance programme (ECP) is crucial to any company that interacts with items of US origin or items subject to the EAR. As demonstrated above, the EAR are a complex regime and require a tailored and targeted compliance programme to ensure that appropriate regulatory compliance processes and procedures are in place. Compliance programmes implemented by a US-based company and non-US based company may look different depending on the exposure to items subject to the EAR of the non-US company, industry of the company and risk of participating in higher risk transactions. BIS provides several resources on BIS compliance programmes on its website, including elements of an ECP, export compliance guidelines and other background documents.[33] The EAR also contain resources (in Part 732), including an export control decision tree, know-your-customer guidance and red flags at Supplement Nos. 1 and 3, respectively. Proactively identifying US export control risks in your company and establishing a targeted export compliance programme that fits your business is a first step to preventing future violations and identifying potential past problematic transactions.

International Traffic in Arms Regulations

US export controls on most defence articles and defence services are regulated by the ITAR,[34] administered by the DDTC.[35] The ITAR implement the Arms Export Control Act[36] and regulate temporary and permanent exports, as well as temporary imports, of defence articles on the United States Munitions List (USML), defence services and brokering of defence articles and services. The ITAR also contain reporting requirements for certain political contributions, fees or commissions.

Virtually every item subject to the ITAR requires a licence for export, re-export or transfer from DDTC, unless an ITAR exemption applies.

DDTC has offices focused on licensing, policy, and compliance and enforcement.[37]

Scope of the ITAR

Similar to the EAR, the ITAR cover a broad array of items. In understanding the ITAR it is helpful to have an overview of certain key terms, set out below.

‘Defense article’

A ‘defense article’ is any item or technical data designated in the USML[38], typically having a military, satellite or intelligence application or purpose. It includes ‘forgings, castings, and other unfinished products, such as extrusions and machined bodies, that have reached the stage in manufacturing where they are clearly identifiable by mechanical properties, material composition, geometry, or function as defense articles’.[39]

It also includes ‘technical data’[40] recorded or stored in any physical form that reveal technological information directly related to USML items, or ‘software’ directly related to ‘defense articles’. Specifically, the technical data definition captures information ‘required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation’.[41] Technical data does not include information relating to general scientific, mathematical or engineering principles commonly taught at education institutions, or information in the public domain,[42] as well as basic marketing information on function or purposes or general system descriptions of ‘defense articles’.[43] It also does not include technical data that has been approved for public release by the responsible US government agency.[44]

‘Defense service’

A ‘defense service’[45] is defined to include (1) the furnishing of assistance (including training) to foreign persons, whether in the United States or abroad in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarisation, destruction, processing or use of ‘defense articles’ or (2) the furnishing to a foreign person of any technical data controlled under the ITAR, whether in the United States or abroad, and (3) military training of foreign units and forces, broadly defined.

US persons and foreign persons

A US person is defined under the ITAR as a person who is a lawful, permanent US resident or protected individual as defined in US law, and corporations or other entities that are incorporated to do business in the United States, and any government (federal, state or local) entity.[46]

A foreign person, as defined in the ITAR, is ‘any natural person who is not a lawful permanent resident’ or certain other protected individual (such as certain refugees or asylees) under US law, as well as foreign companies and other entities that are not incorporated or organised to do business in the United States. International organisations, foreign governments and any agency or subdivision of foreign governments (e.g., diplomatic missions) are also considered foreign persons under the ITAR.[47]

Subject to the ITAR


Identifying whether an item is on the USML[48] is the first step in determining what ITAR controls may apply to the export or transfer of that item. There are 21 categories of ‘defense articles’ described on the USML, including certain military electronics, launch vehicles, guided missiles, personal protective equipment, and many others. Within each category the USML describes the types of ‘defense articles’, technology and software controlled, in general by describing, for each category, the controlled: end items; major systems and equipment; parts components, accessories and attachments; and technical data and ‘defense services’ relating to the USML category. Certain USML items and related technical data are identified as significant military equipment[49] and are subject to more stringent controls.[50] Certain items on the USML are controlled only if they are ‘specially designed’ for a certain purpose, and must be assessed according to specified criteria as set out in the ITAR.[51]

If it is unclear whether an item is controlled under the ITAR, an exporter may seek a commodity jurisdiction determination (CJ determination) from the DDTC. A CJ determination is submitted to the DDTC via its online application system and may involve review by several US government agencies, including BIS and the Department of Defense, and any other agencies relevant to the specific application. Some CJ determinations are available on the DDTC’s website.[52]

Registration requirements

The US government maintains registration requirements for (1) any person who engages in the United States in the business of manufacturing or exporting or temporarily importing ‘defense articles’ or furnishing ‘defense services’[53] and (2) any US person, wherever located, any foreign person located in the United States and any foreign person located outside the United States that is owned or controlled by a US person that is performing brokering activities (defined to mean any action on behalf of another to facilitate the manufacture, export, permanent import, transfer, re-export or retransfer of a US or foreign ‘defense article’ or ‘defense service’, regardless of its origin).[54] Note that manufacturers of ‘defense articles’ located in the United States are required to register with the DDTC, even if they do not export any of their products.[55] Registration is required to be renewed annually and comes with various notification requirements to the DDTC, such as the requirement to notify the DDTC within five days of any material change to the information contained in the registration statement (e.g., changes in senior management or business structure)[56] as well as a 60-day notification in advance of a sale or transfer of ownership or control to a foreign person.[57] Registration with the DDTC does not authorise the export of ‘defense articles’. Registration, rather, is a prerequisite to submission of a licence or eligibility to use an ITAR exemption.


Export of ‘defense articles’

Any person intending to export, or temporarily import a ‘defense article’, including hardware, software or technical data, must obtain authorisation from the DDTC prior to the transaction, unless an exemption or exception applies. Additionally, DDTC authorisation is required to transfer technical data in the United States to a foreign person, re-export, resell, transfer, trans-ship or dispose of ITAR-controlled items, to a new non-US end user, end use or destination, unless authorised by the DDTC under a licence or other form of authorisation, exemption or exception. DDTC licences and other specific authorisations discussed below must be applied for, and come with defined time periods, strict limitations and requirements regarding compliance. Exemptions may be used by an exporter without submitting a specific application to the DDTC provided all the requirements of the exemption are met. ITAR exemptions can be nuanced and complicated; a careful review of the requirements of an exemption should be undertaken to ensure all compliance responsibilities and requirements are understood and met before proceeding. In addition, the DDTC has other vehicles for authorising certain activity. For example, ‘general correspondence’ letters are often used to authorise re-exports or retransfers from abroad. In addition, the DDTC uses ‘technical assistance agreements’ to authorise certain instances in which US persons are providing non-US persons with continuing technical assistance, for example, to provide ‘defense services’ or to support certain design, development or manufacturing activity, among other things. The DDTC uses ‘manufacturing licence agreements’ to authorise the granting of a licence to a non-US entity to manufacture ITAR-controlled items, such as items manufactured using ITAR-controlled technical data.

126.1 proscribed countries

It is the DDTC’s policy to deny licences and other authorisations for exports and temporary imports of ‘defense articles’ and ‘defense services’ involving ITAR 126.1 countries.[58] These countries are proscribed for various reasons, including being the subject of a United Nations arms embargo, or as countries determined by the US Secretary of State to be state sponsors of terrorism. At the time of writing, exports to the following proscribed countries are subject to a licensing policy of denial: Belarus, Burma, China, Cuba, Iran, North Korea, Syria and Venezuela.[59] There are additional countries at ITAR 126.1(d)(2) that are not authorised to receive ITAR-controlled items, except as specifically detailed in that section of the ITAR.

Brokering and political contributions under the ITAR


In addition to the controls described above, the ITAR also control ‘brokering’ of ‘defense articles’ and ‘defense services’.[60] In addition to covering the ‘brokering activities’ of US persons, the ITAR brokering restrictions can cover the activities of non-US persons – particularly of foreign persons located in the United States, and foreign persons who are owned or controlled by a US person.[61] Brokering activities include, but are not limited to: ‘financing, insuring, transporting, or freight forwarding defense articles and defense services; soliciting, promoting, negotiating, contracting for, arranging, or otherwise assisting in the purchase, sale, transfer, loan, or lease of a defense article or defense service’.[62] If one engages in brokering activities subject to the ITAR, they may be subject to registration and reporting requirements. There are some carve-outs to the brokering restrictions, including in relation to activities by US persons in the United States that are limited exclusively to US domestic sales not intended for export, US government employees acting in their official capacity, and regular employees acting on behalf of an employer, subject to certain limitations.[63]

Part 130 – political contributions, fees and commissions

The ITAR contain reporting requirements for political contributions, fees or commissions ‘offered, or agreed to pay, related to any sale for which a licence or approval is requested’.[64] Generally, these rules apply to certain authorisations under the ITAR valued at US$500,000 or more and ‘being sold commercially to or for the use of the armed forces of a foreign country or international organization’.[65] Suppliers contracting with the Department of Defense for the sale of ‘defense articles’ or ‘defense services’ also have reporting requirements under Part 130.[66]


Both US persons and non-US persons can be subject to significant penalties and other consequences for violations of the EAR and ITAR. Both civil and criminal penalties can be assessed on companies and individuals, including, for example, criminal or deferred prosecution agreements for companies and imprisonment for individuals. In recent years the US government, through the individual US government agencies, has intensified enforcement of US export control laws, assessing steep penalties and imposing other consequences, such as debarment from exports of ‘defense articles’ under the ITAR, placement on the BIS Entity List, restricting access to items subject to the EAR or the BIS Denied Persons List, denying export privileges from the United States. These restrictions can have a significant effect on a company’s bottom line, cut off access to US-origin items, technology and software, and result in the investigation and prosecution of individuals within a company, among other things.


Penalties for violations of the ITAR and EAR can be severe.[67]

For violations of the EAR, criminal penalties can include a fine of up US$1 million per violation for a company and up to US$1 million or imprisonment for up to 20 years, or both, for an individual.[68] Civil penalties can include penalties of up US$300,00 or twice the value of the transaction for each violation, whichever is greater.[69] Other penalties under the Export Control Reform Act include revocation of a licence issued by BIS, and prohibitions or restrictions on a person or company’s ability to export, re-export or transfer any items subject to the EAR.[70]

Criminal penalties for violations of the ITAR include a fine of up to US$1 million per violation for a company and the same monetary penalty or imprisonment for up to 20 years, or both, for an individual.[71] Civil penalties can exceed US$1 million per violation.[72] The ITAR also contain ‘statutory’ and ‘administrative’ debarment as both a civil and criminal penalty. Debarred persons are prohibited from participating in the export of ‘defense articles’ (including technical data) and ‘defense services’, directly or indirectly.[73] Settlements with the DDTC are done under consent agreements.

In recent years, the use of monitorships to oversee a company’s compliance has been used by both BIS and the DDTC and factored into the penalty assessment, as monitorships can last for years and be costly to the company under scrutiny. Other types of penalties include seizure and forfeiture of property, which may also be available in some enforcement actions under both the EAR and ITAR.

Voluntary self-disclosure

Companies seeking to mitigate potential penalty exposure may choose to file a voluntary self-disclosure (VSD) with the appropriate agency. Whether to voluntary self-disclose an export controls violation is a fact-specific decision. There are some benefits that may come with submission of a VSD, such as mitigation of penalties and credit for cooperation.

Although a VSD is by definition voluntary, there are situations in which a disclosure is mandatory, or in which a company finds itself in a situation of needing to disclose a prior violation. The ITAR, for example, require immediate notification to the DDTC if there is a violation of the ITAR with respect to a country that is proscribed pursuant to Part 126.1 of the ITAR.[74] Certain ITAR consent agreements also mandate disclosure of violations.

The need to conduct activity on a forward-looking basis may also compel a disclosure as a practical matter. Under General Prohibition Ten of the EAR, it is prohibited to engage in virtually any activity with respect to an item that one knows has been exported in violation of the EAR. This means that any time a company wants to do something involving an item that has been unlawfully exported, it must seek BIS permission – which is often accompanied by a voluntary disclosure. Finally, under both the EAR and the ITAR, companies applying for a licence for forward-looking activity, when the applicant has been involved previously in substantially similar activity involving the same product and customer without proper authorisation, may also feel compelled to disclose past violations in an effort to avoid a ‘material omission’ in their licence application.

BIS strongly encourages the submission of VSDs by providing a 50 per cent reduction in the base penalty amount in most cases, with possible full penalty suspension for VSD cases with a combination of mitigating factors, such as cooperation.[75] Without a VSD, mitigation will generally not exceed 75 per cent of the base penalty.[76] BIS often closes VSD cases without imposing a penalty.

The DDTC also strongly encourages disclosure and may consider the submission of a VSD to be a mitigating factor.[77] Unlike BIS, however, the DDTC will consider the failure to submit a VSD to be an adverse factor when determining the disposition of a case.[78] The DDTC often resolves VSDs without imposing any penalties – typically reserving the imposition of penalties for more egregious cases threatening US national security, or cases where the DDTC believes the exporter acted wilfully or with gross negligence.

For both the DDTC and BIS, to be deemed voluntary a disclosure must be received before any government agency obtains knowledge of the ‘same or substantially similar information from another source’.[79]

Other US government agencies, such as OFAC and DOJ also have VSD rules that, depending on the scope of the violation, should be considered when evaluating whether to submit a VSD.

VSD rules are codified in each of the relevant regulations, and generally include the opportunity for a high-level initial notification to the government agency followed in a timely manner by a full report of the potential violations. The timeline requirements for disclosures are found in each agency’s regulations.[80]

Other enforcement information

Key enforcement trends for both BIS and the DDTC include (1) the use of monitorships (or under the ITAR, a special compliance officer) to monitor a company’s compliance with the relevant regulations for a specified period after settlement and provide the results via written reports to the regulators,[81] (2) using interim measures, such as placement on the BIS Entity List or revocation of export privileges, to encourage cooperation during an active enforcement investigation,[82] and (3) the use of global settlements to address violations of various US laws involving related conduct.[83]

BIS has published Administrative Enforcement Guidelines ‘to promote greater transparency and predictability to the administrative enforcement process’.[84] These Guidelines align fairly closely with those issued by OFAC, discussed elsewhere in this guide. The DDTC has not provided similar enforcement guidelines.


US export controls are a complex area of US law that can have a far-reaching extraterritorial effect if items, software or technology of US origin are involved. To ensure compliance, it is important to identify potential risk exposure under US export controls and design a compliance programme to address that risk adequately, such as implementation of appropriate due diligence and ensuring an understanding of items in the supply chain that may be subject to US controls. Not all US and non-US companies will have the same level of risk under US export controls, but failure to identify the potential risks can lead to serious issues for US and non-US companies alike.


1 Meredith Rathbone is a partner and Hena Schommer is of counsel at Steptoe & Johnson LLP.

2 15 C.F.R. § 730 et seq.

3 22 C.F.R. § 120 et seq.

4 See 37 C.F.R. pt. 5.

5 See https://www.bis.doc.gov/index.php/about-bis/resource-links.

6 15 C.F.R. § 730 et seq. The Export Control Reform Act [ECRA], 50 U.S.C. §§ 4801 to 4852 (2018), became law on 13 August 2018 and provides the permanent statutory authority for the Export Administration Regulations [EAR].

7 15 C.F.R. § 744 (Supp. 1).

8 An organisation chart is available from the US Department of Commerce’s Bureau of Industry and Security [BIS], at https://www.bis.doc.gov/index.php/documents/about-bis/692-bis-organization-chart/file.

9 The term ‘export’ is defined at 15 CFR § 734.13(a) and includes: ‘An actual shipment or transmission out of the United States, including the sending or taking of an item out of the United States, in any manner.’

10 15 C.F.R. § 734.14.

11 15 C.F.R. § 734.16.

12 See 15 C.F.R. § 734.13(a)(2).

13 15 C.F.R. § 734.13(b).

14 See 15 C.F.R. § 734.3.

15 See 15 C.F.R. § 734.3(a)(4).

16 See EAR: Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List, 85 Fed. Reg. 29,849 (19 May 2020).

17 See 15 C.F.R. § 734.3(b) for a complete list of items that are not subject to the EAR.

18 15 C.F.R. pt. 732.

19 See 15 C.F.R. § 732.1(b).

20 See 15 C.F.R. § 736.2(b)(10).

21 See 15 C.F.R. § 734.3(a) for a complete list of items that are subject to the EAR.

22 For more guidance, visit BIS’s website or review this BIS presentation on how to classify your item.

23 See generally C.F.R. § 736.2. The General Prohibitions provide the framework for restrictions on activities or circumstances when a licence may be required.

24 See 15 C.F.R. pt. 746. This part of the EAR ‘Embargoes and Other Special Controls’ imposes comprehensive and targeted controls.

25 15 C.F.R. § 738 (Supp. 1).

26 See 15 C.F.R. § 736.2(b)(9).

27 See 15 C.F.R. § 736.2(b)(5) and 15 C.F.R. § 744.21.

28 https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern.

29 See 15 C.F.R. pt. 744 (Supp. 4), Entity List.

30 See generally, 15 C.F.R. pt. 766.

31 15 C.F.R. § 744.15(b).

32 See 15 C.F.R. § 736.2(b)(3).

33 See BIS’ website for further information at https://www.bis.doc.gov/index.php/compliance-a-training/export-management-a-compliance/compliance.

34 See 22 C.F.R. pts. 120 to 130.

35 See https://www.pmddtc.state.gov/ddtc_public.

36 See 22 U.S.C. § 2778. The Arms Export Controls Act of 1976, as amended [AECA] is the primary statutory authority for the International Traffic in Arms Regulations [ITAR].

37 https://www.pmddtc.state.gov/ddtc_public?id=ddtc_public_portal_org_chart.

38 See 22 C.F.R. pt. 121.

39 22 C.F.R. § 120.6.

40 See 22 C.F.R. § 120.10.

41 id., at 120.10(a)(1). The technical data definition also includes: classified information relating to defense articles and defense services (and some items controlled on the EAR’s Commerce Control List); information covered under an invention secrecy order; and software related to defence articles. See id., at § 120.10(a), paras. (2) to (4).

42 See 22 C.F.R. § 120.11. Generally items in the public domain are public information, which is published, generally accessible or available to the public through news sources, libraries, unlimited distribution at conferences and tradeshows, and available through unlimited distribution, not necessarily in published form, including fundamental research, as described in § 120.11(a)(8).

43 See 22 C.F.R. § 120.10(b).

44 The agency responsible for these reviews is the Department of Defense, Defense Office of Prepublication and Security Review – more information is available at https://www.esd.whs.mil/DOPSR/.

45 See 22 C.F.R. § 120.9.

46 See 22 C.F.R. § 120.15; see also 22 C.F.R. § 120.14 for the definition of ‘person’ under the ITAR.

47 22 C.F.R. § 120.16.

48 See 22 C.F.R. § 121.1.

49 See 22 C.F.R. § 121(a)(2).

50 See 22 C.F.R. § 120.41.

51 id.

52 The US Department of State’s Directorate of Defense Trade Controls’ website contains more information regarding commodity jurisdition determinations at https://www.pmddtc.state.gov/ddtc_public?id=ddtc_kb_article_page&sys_id=%20249f7c0adb6cf7007ede365e7c9619fd.

53 See 22 C.F.R. § 122.1 (registration requirements for manufacturers and exporters).

54 See 22 C.F.R. § 129.3 (registration requirements for brokering activities subject to the ITAR).

55 See 22 C.F.R. § 122.1(a).

56 See id., at § 122.4(a).

57 See id., at § 122.4(b).

58 See 22 C.F.R. § 126.1, see also 22 C.F.R. § 126.2 and § 126.3 for suspension, modification, or exceptions that may be granted by the Deputy Assistant Secretary for Defense Trade Controls.

59 id., at 126.1(d)(1).

60 See 22 C.F.R. pt. 129.

61 id., at § 129.2.

62 id., at § 129.2(b)(1), paras. (i) and (ii).

63 See id., at § 129.2(b)(2) and § 126.18, for further details regarding exemptions for intra-company, intra-organisation and intra-governmental transfers.

64 See 22 C.F.R. § 130.9(a)(1).

65 id., at § 130.2.

66 See id., at § 130.7 and § 130.9(b).

67 The relevant penalties to be considered include those set forth under the AECA, 22 U.S.C. §§ 2778 to 2780 (2012); ECRA, 50 U.S.C. §§ 4801 to 4852 (2018); and 18 U.S.C. § 3571 (2012) (the alternative criminal fine provision). Note that penalties provisions are frequently amended and penalty amounts are adjusted for inflation.

68 See ECRA, 50 U.S.C. § 4819(b) (2018).

69 See id., at § 4819(c)(1)(A) (2018).

70 See id., at § 4819(c)(1) paras. (B) and (C) (2018).

71 See AECA, 22 U.S.C. § 2778(c).

72 See 22 C.F.R. § 127.10(a)(1)(i) (‘for each violation of 22 U.S.C. 2778’).

73 See id., at § 127.7.

74 See id., at § 126.1(e)(2).

75 15 C.F.R. pt. 766 (Supp. 1).

76 id.

77 See 22 C.F.R. § 127.12(a) (2018).

78 id.

79 See generally 15 C.F.R. § 764.5(b)(3); 22 C.F.R. § 127.12(b)(2).

80 See generally 15 CFR § 764.5; 22 C.F.R. § 127.12.

81 See US Dep’t of State, Bureau of Political-Military Affairs, In the Matter of: Airbus SE (29 January 2020), at https://www.pmddtc.state.gov/sys_attachment.do?sysparm_referring_url=tear_off&view=true&sys_id=136d4db3db6204907ede365e7c9619ea, as an example under the ITAR; see also Judgment, United States v. ZTE Corp., No. 3:17-cr-00120-K-1 (N.D. Tex. 22 March 2017), as an example under the EAR.

82 See Addition of an Entity to Entity List, 81 FR 12004, 15 C.F.R. pt. 744 (2016) (adding ZTE Corporation and several affiliates to the Entity List).

83 See US Dep’t of Justice press release, ‘Airbus Agrees to Pay Over $3.8 Billion in Global Penalties to Resolve Foreign Bribery and ITAR Case’ (31 January 2020), at https://www.justice.gov/opa/pr/airbus-agrees-pay-over-39-billion-global-penalties-resolve-foreign-bribery-and-itar-case.

84 See 15 C.F.R. § 766 (Supp.1) (‘Guidance on Charging and Penalty Determinations in Settlement of Administrative Enforcement Cases’).

Unlock unlimited access to all Global Investigations Review content