Sheepdog Prosperity Partners
Due Diligence

Export Controls: BIS/EAR, ITAR, and the Technology Screen

by | Jun 9, 2026 | Daily DD, National Security Diligence | 0 comments

Educational only; not legal advice. SPP explains diligence issue-spotting, evidence collection, risk triage, and the accountant and certified-fraud-examiner workflow. It does not give export classifications, license opinions, sanctions opinions, International Traffic in Arms Regulations opinions, or filing advice. Regulatory status is current as of drafting (2026-06-15); see the status note at the end.

A buyer can acquire a company and discover, after the closing dinner, that the most valuable thing it bought cannot lawfully leave the building. Not because the thing is broken. Not because the customer refused it. Because the thing is controlled technology, because the customer is the wrong end user, because a release of source code to one engineer counts as an export, or because a foreign subsidiary did the part of the transaction everyone in the deal room assumed was safely outside the United States.

That is the export-control problem. It does not begin with a container at a port. It begins with a question about jurisdiction: what is this item, who controls it, where is it going, who will touch it, and what will they do with it. The answer can turn a normal sale into a license problem, a normal research collaboration into a deemed-export problem, a normal distributor relationship into a diversion problem, and a normal acquisition into a remediation project with the Bureau of Industry and Security, the Department of Justice, or the State Department watching from different angles.

The lead civil agency for the commercial side is the Department of Commerce’s Bureau of Industry and Security (BIS). The main rulebook is the Export Administration Regulations (EAR), codified at 15 CFR Parts 730 to 774. The statute underneath it is the Export Control Reform Act of 2018 (ECRA), now at 50 U.S.C. 4801 to 4852. For defense articles and defense services, the frame shifts to the Arms Export Control Act (AECA), 22 U.S.C. 2778, and the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120 to 130, administered by the State Department’s Directorate of Defense Trade Controls (DDTC). The words are dry. The effect is not. These rules decide whether a company can sell, ship, download, share, repair, finance, service, hire, integrate, or support a technology across borders and sometimes inside the United States.

The buy-side instinct is to treat export controls as a shipping function. That is wrong in exactly the way that treating the Committee on Foreign Investment in the United States as a closing-week legal filing is wrong. Export controls are a facts problem before they are a legal problem. The diligence team has to know what the target makes, which technologies it uses to make it, which classifications it has assigned, which customers and end users appear in the chain, whether foreign nationals can access controlled technology, whether the target sells through foreign affiliates or distributors, and whether anyone has been operating on an old classification that has drifted under a newer rule. Those are not abstract legal conclusions. They are records, workflows, invoices, drawings, bills of material, enterprise-resource-planning fields, visitor logs, user permissions, engineering repositories, export records, and emails.

This piece is the technology screen in the National-Security Diligence Stack. It explains what export controls were built to solve, who runs and enforces them, what changed in the 2024 to 2026 period, what trips the wire in a transaction, what the government can do, what a buyer asks for, what belongs in the risk memo, and when the diligence team hands the matter to qualified export-control counsel. The skill is not to automate classification. It is to build a disciplined triage file: source the target’s own classifications, test them against the public rule architecture, screen names and destinations, surface contradictions, and write the questions that force the real legal call into the open before closing.

What export controls were built to solve

Export controls solve a problem that open markets create by design. The same laboratory that produces a medical sensor can produce a component useful in targeting. The same lithography tool that supports commercial semiconductor fabrication can support military modernization. The same source code that makes a product more efficient can train a foreign engineer in technology the United States does not want transferred. The same customer that looks like a distributor can be a procurement cutout. In a world where valuable technology moves as files, services, models, masks, wafers, cloud access, technical assistance, and human knowledge, a border checkpoint is not enough.

ECRA states the policy with unusual clarity. Congress found that national security and foreign policy require the United States to maintain leadership in science, engineering, manufacturing, and technology, while also controlling exports of items that can pose a serious threat. The statute says controls should be transparent, predictable, and coordinated with multilateral regimes where possible. It also says implementation and enforcement require monitoring, intelligence, investigation, penalties, and the ability to interdict unapproved transfers. Most important for this series, ECRA states that export controls complement the national-security policies underlying foreign-direct-investment review, including the control of critical technologies to certain foreign persons. That sentence is the hinge between this article and the inbound CFIUS screen. A target’s export classification can decide whether an investment is a CFIUS filing problem, and a CFIUS review can expose an export-control weakness the buyer had never priced.

The modern system separates two large questions. The first is jurisdiction. Is the thing controlled by the Commerce Department under the EAR, by the State Department under the ITAR, by another agency, or not controlled in the way the parties thought? Under the EAR, the word “item” is broader than the word product. It includes commodities, software, and technology. Technology can be controlled even when no physical thing moves. Under the ITAR, the question is whether the article, technical data, or service is a defense article or defense service on the United States Munitions List (USML) or otherwise designated under the ITAR structure. A business that makes sensors, avionics, encryption tools, satellite components, robotics, simulation software, high-end cameras, or semiconductor equipment cannot answer the jurisdiction question from a sales brochure.

The second question is authorization. If the item is subject to the EAR, that does not automatically mean a license is required. The EAR works through classification, destination, end use, end user, and transaction facts. An Export Control Classification Number (ECCN) on the Commerce Control List (CCL) points to reasons for control. Those reasons are then tested against the destination, license exceptions, end-use controls, and restricted-party rules. If the item is subject to the EAR but not listed on the CCL, it is generally designated EAR99. That sounds reassuring and often is, but it is not a free pass. EAR99 items can still require a license when the destination, end user, end use, or sanction program triggers one. A buyer who treats “EAR99” as “uncontrolled” has already made a mistake.

The policy problem is easy to describe and difficult to administer: prevent adversaries, proliferators, military programs, restricted end users, and evasion networks from getting sensitive US-origin and US-linked technology, without freezing ordinary commerce. The legal system does that through a dense set of controls. The diligence system has to translate that density into a small number of deal questions. Does the target know what it sells? Does it know who receives it? Does it know what the recipient does with it? Does it control access to technical data? Does it have a process for rule changes? Has it ever sold to a party that later landed on the Entity List? And if the answer is yes, what did it do when the list changed?

That last question is where the certified fraud examiner (CFE) discipline enters. Export-control failures often hide in the gap between what the policy says and what the business did. A distributor says it is buying for inventory, but every shipment goes to the same end user. A customer uses a benign alias near a restricted university. A foreign affiliate treats local in-country transfers as outside the US system, even when the items remain subject to the EAR. An engineer shares controlled source code in a collaboration folder because the repository permissions were built for speed. A classification file says “reviewed” but cannot identify who reviewed it, against what version of the CCL, and when. Those are evidence problems before they are legal conclusions.

Who runs, investigates, and enforces this screen

The export-control screen is not one agency. It is a jurisdictional split, and a buyer has to know which institution it is dealing with.

For most commercial and dual-use items, the central actor is BIS inside the Department of Commerce. BIS administers the EAR, maintains the CCL, processes license and classification requests through the Simplified Network Application Process Redesign (SNAP-R), publishes Entity List changes, issues guidance, and runs export enforcement. Inside BIS, Export Administration writes and administers the regulatory architecture. The Office of Export Enforcement (OEE) investigates apparent violations. BIS describes its enforcement process as running through administrative cases, penalty guidance, the Administrative Case Review Board (ACRB), temporary denial orders, and statutory denial authority after certain convictions. A buyer will usually not see that machinery unless something has gone wrong, but the target’s compliance files should be built as if OEE may someday read them.

OEE is not a paper tiger. BIS can impose civil administrative penalties, condition or revoke licenses, deny export privileges, issue temporary denial orders, exclude people from practice before BIS, and refer criminal matters. A Temporary Denial Order (TDO) can be issued on an ex parte basis to stop an imminent or ongoing export-control violation, generally for a period not to exceed 180 days, and can be renewed. A denial of export privileges is the commercial death penalty for an export-dependent business: it can prohibit the named person from participating in transactions subject to the EAR, and BIS warns that others may not participate in an export transaction subject to the EAR with a denied person.

Criminal enforcement sits with the Department of Justice (DOJ), and for national-security export and sanctions matters the National Security Division (NSD) is the core player. DOJ has made export-control and sanctions enforcement a national-security priority. Its 2026 national-security voluntary-self-disclosure guidance expressly includes ECRA, the AECA, and the International Emergency Economic Powers Act (IEEPA) among the primary regimes. The practical point for buyers is that administrative export-control violations and criminal national-security violations can live in the same factual file. A late discovery after closing is not merely a compliance cleanup. It may be a voluntary-self-disclosure decision, a preservation decision, a privilege decision, and a deal-indemnity decision at once.

For defense articles, defense services, and technical data, the lead civil agency is the State Department’s DDTC. Section 38 of the AECA authorizes controls over defense articles and defense services, and the ITAR implements that authority. The USML lives in 22 CFR Part 121. The ITAR landing page and the eCFR rule text make the basic point: defense articles, defense services, brokering, technical data, temporary imports, and exports sit in a different rulebook than commercial dual-use items. A company with defense-adjacent products cannot choose the easier regime. The order of review starts with the USML. If the item is described there, the ITAR controls; if it is not and is otherwise subject to the EAR, the team moves to the CCL.

Other agencies matter at the edges. Customs and Border Protection (CBP) sees exports at the border. Homeland Security Investigations and the Federal Bureau of Investigation can investigate criminal procurement networks. The Treasury Department’s Office of Foreign Assets Control (OFAC) may control the same transaction from the sanctions side. The Nuclear Regulatory Commission, the Department of Energy, and other agencies have narrower jurisdiction over specific nuclear or energy-related matters. In a clean diligence file, those agencies are not mashed together. The memo states which rulebook controls which part of the risk.

The institutional anatomy matters because it determines what the buyer asks for. A BIS issue means classification files, license history, Entity List screening, end-use certifications, voluntary disclosures, audits, SNAP-R submissions, commodity classification determinations, and correspondence with OEE. An ITAR issue means registration, USML analysis, technical-assistance agreements, manufacturing-license agreements, provisos, retransfer records, and DDTC correspondence. A DOJ issue means potential criminal exposure, preservation, internal-investigation structure, and the timing of voluntary disclosure. A sanctions issue means OFAC screening, blocked-property handling, licenses, and the 50 Percent Rule. The same sale can implicate more than one of them.

What changed from 2024 to 2026

Export controls are a moving target, and the 2024 to 2026 period proves it. The buyer’s problem is not just whether the target had a policy. It is whether the target had a mechanism for absorbing rule changes that arrived after the policy was written.

The first change is that foreign-produced items moved deeper into the center of the screen. In April 2024, Congress enacted the No Technology for Terror Act as part of Pub. L. 118-50. BIS then implemented the Iran Foreign Direct Product Rule, published at 89 FR 60563 and effective July 23, 2024. The rule expanded the EAR’s Foreign Direct Product (FDP) treatment for certain foreign-produced items destined to Iran or involving the Government of Iran. That is not a shipment-at-the-border idea. It is a manufacturing-chain idea. A foreign-made item can become subject to the EAR because of the US technology, software, plant, major component, item, destination, end use, or end user that connects to it. In diligence, that means the target’s foreign subsidiaries and contract manufacturers cannot be treated as automatically outside the US export-control system.

The second change is that enforcement policy sharpened. BIS published a final rule on Administrative and Enforcement Provisions at 89 FR 75477, effective September 16, 2024. The rule revised the voluntary self-disclosure process and clarified charging and penalty determinations in administrative enforcement cases. BIS also points to Supplement No. 1 to Part 766 for the Office of Export Enforcement’s charging and penalty guidance. The practical effect is that the quality of the target’s disclosure, cooperation, remediation, and compliance program is not soft background. It is part of the penalty file.

The third change is semiconductor and advanced-computing control. On December 5, 2024, BIS published the interim final rule “Foreign-Produced Direct Product Rule Additions, and Refinements to Controls for Advanced Computing and Semiconductor Manufacturing Items,” 89 FR 96790, effective December 2, 2024. BIS described it as adding controls for semiconductor manufacturing equipment and related items, creating new FDP rules for certain commodities, adding controls on high-bandwidth memory, and clarifying controls on software keys. The same day, BIS published a companion Entity List final rule at 89 FR 96830, adding 140 entities, modifying 14 entries, and linking those additions to advanced-node integrated circuits, semiconductor manufacturing items, and the People’s Republic of China’s (PRC) Military-Civil Fusion strategy. BIS’s own press release summarized the package as new controls on 24 types of semiconductor manufacturing equipment, 3 types of software tools, new high-bandwidth-memory controls, new red-flag guidance, and 140 Entity List additions.

That is the kind of rule change that breaks stale diligence. A target that classified an item in 2023 may have been wrong by December 2024. A target that sold to a customer not listed in 2023 may have had a restricted customer in December 2024. A target that treated a foreign-made component as outside the EAR may have needed to revisit the analysis under a new FDP rule. The buyer does not have to solve all of that alone, but it does have to ask whether the target solved it at all.

The fourth change is artificial intelligence. BIS published the Framework for Artificial Intelligence Diffusion at 90 FR 4544, effective January 13, 2025. The rule revised controls on advanced computing integrated circuits and added a new control on model weights for certain advanced closed-weight dual-use artificial intelligence (AI) models. Then, in May 2025, BIS announced that it would rescind the Biden Administration’s AI Diffusion Rule, instructed enforcement officials not to enforce it, and said a replacement rule would come later. The Federal Register metadata for 90 FR 4544 lists the regulatory plan item as “Rescinding: Framework for Artificial Intelligence Diffusion.” For a diligence memo, the lesson is not to pretend the AI posture is settled. The lesson is to flag the status as volatile, cite both the rule and the BIS rescission announcement, and ask counsel to confirm the current operative requirements before a transaction involving advanced computing chips, model weights, data centers, or AI infrastructure closes.

The fifth change is a useful warning about overclaiming. On September 30, 2025, BIS published an interim final rule at 90 FR 47201 expanding end-user controls to cover certain affiliates of listed entities, using a 50 percent ownership standard. That sounded like a simple export-control cousin of the OFAC ownership rule. But on November 12, 2025, BIS published a final rule and stay at 90 FR 50857, staying the amendments from November 10, 2025 until November 9, 2026, absent a future extension. As of this draft, the rule is a watch item, not a fully operative screen. A serious memo says that. It does not treat a stayed rule as live because a trade alert headline was memorable.

The sixth change is that penalties made the boardroom. BIS announced in July 2025 that Cadence Design Systems would pay a 95,000,000 dollar administrative penalty for unauthorized exports of electronic design automation hardware, software, and semiconductor design technology to Chinese Entity List parties tied to military supercomputing, alongside a concurrent DOJ agreement that included 45,000,000 dollars in forfeitures. BIS announced in February 2026 that Applied Materials and Applied Materials Korea agreed to pay approximately 252,000,000 dollars for illegal exports of semiconductor manufacturing equipment to China, a penalty BIS described as twice the transaction value and the maximum allowed by statute. BIS also resolved 2026 matters involving Exyte and Teledyne FLIR that read like diligence case studies: in-country transfers through a China affiliate to an Entity List customer in Exyte, and post-acquisition integration of historical classification and export issues in Teledyne FLIR. Those matters are not generic cautionary tales. They show exactly what a buyer has to inspect.

What trips the wire

The export-control screen begins with a deceptively simple word: item. Under the EAR, the item may be a commodity, software, or technology. It may be a chip, camera, sensor, etcher, router, component, printed circuit board, source-code repository, design file, test protocol, manufacturing process, model weight, or technical manual. A diligence team that only asks for “products shipped internationally” will miss half the problem.

The first wire is whether the item is subject to the EAR. Part 734 of the EAR is the first stop. The regulation says that “subject to the EAR” describes the items and activities over which BIS exercises regulatory jurisdiction. The scope includes US-origin items wherever located, certain foreign-made items with controlled US content, certain foreign-produced direct products of US technology or software, and certain activities of US persons. It also excludes some categories, including publicly available technology, fundamental research in defined circumstances, certain patent-related activity, and items subject to the exclusive jurisdiction of another agency, but those exclusions have conditions. A buyer cannot infer them from a product description.

The second wire is the ITAR. If an article, technical data, or service is described on the USML, the Commerce Control List is not the starting point. BIS’s own CCL Order of Review says that if an item is described on the USML of the ITAR, including one of its catch-all paragraphs, then it is a defense article subject to the ITAR and there is no need to review the CCL for that item. This matters in acquisitions because targets often live in the gray zone between commercial and defense. A camera, satellite component, navigation module, antenna, training simulator, propulsion part, or technical service can have a defense-control question even when the target’s revenue deck calls it commercial.

The third wire is classification. For items subject to the EAR, the company has to determine whether the item is described in an ECCN on the CCL, or whether it is EAR99. BIS says there are three ways to determine whether an item is described in an ECCN: go to the source by contacting the manufacturer, producer, or developer; self-classify with technical understanding and familiarity with the ECCN structure; or request an official classification from BIS under the classification request process. That is why export classification is not a keyword search. It is a technical exercise. An item may have multiple product characteristics, and the CCL order of review tells the analyst how to move through categories, product groups, 600 series entries, 9×515 entries, and specially designed analysis.

The fourth wire is destination. Once an item is classified, the reasons for control in the ECCN point to licensing obligations by destination, usually through the Commerce Country Chart and other country-specific rules. But destination is not only the country printed on the commercial invoice. It includes reexports, transfers in-country, and known onward movement. The target’s distributor files, drop-ship records, reseller agreements, and end-use statements can matter as much as the invoice.

The fifth wire is end use. Part 744 of the EAR imposes end-use and end-user controls. Certain nuclear, missile, chemical and biological weapons, military, military-intelligence, supercomputer, advanced-computing, semiconductor, and other restricted end uses can trigger license requirements even where item classification or destination alone would not. The dangerous fact pattern is the one that looks ordinary until the end use appears. A machine tool, test instrument, software key, or repair service may look low risk in isolation and high risk in the hands of the wrong program.

The sixth wire is end user. The Entity List, Military End User List, Denied Persons List, Unverified List, OFAC lists, and other government lists turn names and addresses into control facts. BIS’s Entity List identifies persons and addresses reasonably believed to be involved in, or to pose a significant risk of becoming involved in, activities contrary to US national security or foreign policy interests. A listed party is not automatically the same thing as an OFAC Specially Designated National, but the memo has to screen both the export-control and sanctions surfaces. The International Trade Administration’s Consolidated Screening List (CSL) helps with that first pass by consolidating multiple Commerce, State, and Treasury lists, but the CSL itself warns users to conduct additional due diligence and check the official source list when a potential match appears.

The seventh wire is knowledge. General Prohibition Ten is the catch that prevents a person from going forward with a transaction with knowledge that an export-control violation has occurred, is about to occur, or is intended to occur in connection with an item subject to the EAR. ECRA also makes it unlawful to aid, abet, cause, solicit, attempt, conspire, evade, make false statements, or fail to comply with reporting and recordkeeping requirements. In diligence terms, knowledge is not just what one executive admits. It includes warning signs: evasive customers, inconsistent addresses, suspicious routing, a known listed-party affiliate, a reseller who refuses end-use information, technical staff bypassing repository permissions, and old shipments to a party that later appeared on a restricted list.

The eighth wire is the deemed export. Section 734.13 says that any release in the United States of technology or source code to a foreign person is deemed an export to that person’s most recent country of citizenship or permanent residency. For a buyer, this turns workforce diligence into export-control diligence. Who can access controlled technology? Which engineers are foreign nationals? What country is used for the deemed-export analysis? Are access controls built by nationality, project, technology, and need to know, or by whatever default permissions the engineering platform shipped with? Does the target rely on a license, a license exception, a technology-control plan, or an assumption nobody documented?

The ninth wire is the foreign affiliate. The Exyte and Applied Materials fact patterns show why. The target may believe that a local foreign subsidiary’s in-country transfer is local business. The EAR may disagree if the items are subject to the EAR and the recipient, end use, or destination requires a license. A buyer with a global target needs to inspect transfer records, not just exports from the United States.

What the government can do

The remedy set is broader than a fine. BIS can deny a license, add parties to lists, impose license conditions, issue a TDO, impose civil administrative penalties, deny export privileges, exclude people from practice before BIS, and refer cases for criminal investigation. DOJ can prosecute willful violations and related crimes. DDTC can pursue ITAR enforcement and consent agreements. OFAC can pursue sanctions penalties on the same transaction. For some criminal export-control violations, ECRA includes forfeiture of property used to commit or facilitate the violation, gross proceeds, or the item or technology exported or intended to be exported in violation of the statute.

The statutory penalty numbers are enough to get attention. Under ECRA, a willful criminal violation can carry a fine of not more than 1,000,000 dollars and, for an individual, imprisonment for not more than 20 years. Civilly, the statute authorizes a fine of not more than 300,000 dollars or twice the value of the transaction, whichever is greater, subject to inflation adjustment. BIS’s own penalties page states that as of January 15, 2025, the maximum administrative monetary penalty is 374,474 dollars per violation or twice the value of the transaction, whichever is greater, and that the amount is adjusted annually for inflation. That figure should be rechecked before publication and before any client memo, because inflation adjustments move.

The Applied Materials matter shows why the “twice the value” clause matters. BIS said the value of merchandise illegally shipped was approximately 126,000,000 dollars, and the penalty was approximately 252,000,000 dollars, twice the transaction value and the maximum allowed by statute. That is not a theoretical ceiling. It is a live enforcement number from February 2026.

The Cadence matter shows that technology is not just a box. BIS said the unauthorized exports involved electronic design automation hardware, software, and semiconductor design technology, and that Cadence admitted employees of a Chinese subsidiary knowingly transferred sensitive US technology to entities tied to military supercomputers. The settlement involved 56 EAR violations between September 2015 and September 2020, plus a concurrent DOJ agreement with 45,000,000 dollars in forfeitures. For a buyer, the diligence point is uncomfortable: a local subsidiary, a long sales history, an alias, software, hardware, technology, and Entity List parties can converge in one file.

The Exyte matter shows that EAR99 can still hurt. BIS’s order and charging letter describe in-country transfers of approximately 884 EAR99 items used to fabricate semiconductors to Semiconductor Manufacturing International (Beijing) Corporation, an Entity List party, without required authorization. Exyte admitted the conduct in settlement and paid 1,500,000 dollars. The useful lesson is not the dollar amount. It is that low-classified or EAR99 items can require a license because of the end user and transaction facts.

The Teledyne FLIR matter shows why acquisitions need export-control integration. BIS’s February 2026 final order describes 19 violations involving thermal imaging cameras and related components and sensors, with some conduct predating Teledyne’s 2021 acquisition of FLIR and later conduct involving affiliates. BIS assessed a 1,000,000 dollar penalty and included a suspended one-year denial of export privileges if payment was not made. The diligence lesson is direct: when the buyer acquires a technology company, it acquires the classification history, access history, shipment history, and affiliate behavior unless the deal documents and integration plan say otherwise.

The government can also act without waiting for a final penalty. A TDO can stop export privileges while an imminent or ongoing violation is prevented. Entity List additions can cut off a customer or supplier overnight. License-review policy can move from case-by-case to presumption of denial. The CCL can change. The USML can change. A target can be legally compliant on Monday and operationally blocked on Friday if its business model depends on a customer, destination, item, or affiliate that just moved.

What a buyer asks for

A good export-control memo is not a wall of caveats. It is a decision tree with evidence behind each node.

The first node is product and technology inventory. The buyer asks for a live inventory of commodities, software, technology, technical data, services, prototypes, samples, evaluation kits, design files, software keys, and support offerings. For each item, the target should identify the jurisdictional basis, the ECCN or EAR99 designation if under the EAR, any USML category if under the ITAR, the person who classified it, the date of review, the technical documents used, and the next review date. If the target says “all products are EAR99,” the diligence team should not argue. It should ask for the support. An unsupported EAR99 conclusion is not a finding. It is a lead.

The second node is the order of review. For a potential defense or space item, the target should show that it started with the USML and exclusive-jurisdiction questions before moving to the CCL. For a Commerce item, the target should show the CCL category, product group, 600 series and 9×515 analysis where relevant, specially designed analysis where relevant, and the reasons for control. If a classification came from a supplier, the buyer asks whether the target reviewed it against the current CCL, because BIS itself warns that ECCNs may change over time and should be reviewed against the current CCL.

The third node is authorization. The memo ties classification to destination, end use, end user, license exceptions, and any special rules. It identifies licenses, license exceptions, provisos, denied or returned-without-action applications, advisory opinions, commodity classification determinations, and open questions. It also flags what the target did not classify but should have: demos, repairs, support, source-code access, cloud portals, training, software updates, and technical meetings.

The fourth node is party screening. The target should produce its screening policy, screened fields, lists used, screening frequency, fuzzy-match thresholds, escalation records, false-positive documentation, release decisions, and customer master files. A serious buyer tests the policy against samples. Did the target screen the purchaser, intermediate consignee, ultimate consignee, freight forwarder, end user, bank, and beneficial owner where the transaction structure required it? Did it rescreen when lists changed? Did it preserve screening evidence? Did it check official source lists after a CSL hit?

The fifth node is geography and routing. The buyer asks for shipment data by origin, destination, intermediate consignee, freight forwarder, and route; in-country transfer records; foreign affiliate sales; drop shipments; repair returns; demonstration units; hand-carried technology; and cloud access by country. The point is to catch the transactions that do not look like exports in the sales ledger but are exports, reexports, or transfers under the rules.

The sixth node is people and access. The buyer asks for a deemed-export population: foreign-national employees, contractors, interns, visitors, researchers, support engineers, customer engineers, and foreign affiliate personnel with access to technology or source code. It maps those people to repositories, design files, build systems, labs, clean rooms, data rooms, support portals, and technical meetings. It identifies licenses or license exceptions where the target says access is authorized. If there is no map, the finding is not “violation.” The finding is “the company cannot show who can access controlled technology.”

The seventh node is change management. Export controls changed materially in 2024 and 2025. The target should show how it monitors Federal Register notices, BIS guidance, Entity List additions, CCL changes, license-exception changes, enforcement guidance, and State Department ITAR updates. It should show who owns rule-change intake, who updates classifications, who communicates changes to sales and engineering, and who stops shipments while questions are resolved. A policy last reviewed in 2021 is not a comfort document. It is a gap.

The eighth node is incident history. The buyer asks for voluntary self-disclosures, enforcement inquiries, subpoenas, administrative charging letters, penalty orders, warning letters, no-action or caution letters, CBP detentions, customer holds, license denials, returned-without-action applications, internal investigations, audit findings, whistleblower reports, hotline complaints, terminated distributors, and customers rejected for export-control reasons. The absence of a problem is useful only if the target can show the process that would have found one.

What belongs in the export-control risk memo

The export-control section of a buy-side diligence report should be short enough for a principal to read and detailed enough for counsel to trust. It should not announce a legal conclusion the diligence team is not qualified to give. It should identify the facts, the sources, the inconsistencies, the open questions, and the deal consequences.

The first part is the risk summary. It states what the target makes and sells, which rulebook appears to apply, which products or technologies are high priority, whether classifications are documented, whether any products are ITAR-controlled or potentially ITAR-controlled, whether any items are classified under sensitive ECCNs, whether any products are EAR99 but sold to restricted end users or destinations, and whether foreign-national access to technology is controlled. It separates confirmed facts from unverified management statements.

The second part is the source trail. Each classification relied on in the memo should have a source: supplier classification, internal self-classification memo, BIS commodity classification, DDTC commodity jurisdiction, license application, technical file, CCL citation, USML citation, or counsel memo. Each restricted-party finding should have a source: CSL hit, official Entity List record, Denied Persons List, OFAC list, Federal Register notice, or agency order. The memo should preserve screenshots or exports with dates, because lists change.

The third part is exposure. The buyer should not model every export-control issue as a maximum penalty. That is lazy. It should group exposure by category: potential unlicensed exports, reexports, or transfers; potential deemed exports; potential restricted-party transactions; potential false statements or recordkeeping failures; potential license-breach issues; potential ITAR registration or authorization issues; and potential criminal referral indicators such as evasion, aliases, concealment, senior-management knowledge, repeated warnings, or sensitive end users.

The fourth part is the operating constraint. Export-control risk is not only past liability. It can shrink future revenue. If a material customer is on the Entity List, if a key product requires a license to a large destination market, if a foreign affiliate cannot service a customer without authorization, or if source code cannot be shared with a planned offshore engineering team, the buyer is not merely buying a compliance problem. It is buying a different business.

The fifth part is the deal response. The acquisition agreement should carry export-control and sanctions representations that are specific enough to matter: classification records are accurate and current; required licenses and authorizations have been obtained; no exports, reexports, transfers, deemed exports, defense services, brokering, or technical-data releases occurred without required authorization; no pending or threatened export-control inquiries exist except as disclosed; no restricted-party transactions occurred except as disclosed; records required by the EAR and ITAR have been maintained; and no voluntary self-disclosure is pending except as disclosed. Generic “compliance with laws” reps are too thin for a technology target.

The sixth part is closing conditions and covenants. On a clean deal, the covenant may be a pre-closing refresh of classifications and screening. On a serious deal, it may require counsel review, escrow, special indemnity, remediation before closing, license applications, export holds, terminated distributor relationships, revised technology-control plans, DDTC registration cleanup, or a voluntary self-disclosure decision. If the issue is severe enough, export-control clearance or remediation becomes a condition precedent to closing. If the buyer closes first and investigates later, the buyer may own both the conduct and the delay.

The seventh part is integration. The first 100 days matter. The buyer should lock down restricted technology, rescreen customers and vendors, refresh high-risk classifications, map foreign-national access, review foreign affiliates, align sales holds, update distributor certifications, and preserve records. If the target is a platform acquisition, the buyer should decide whether the export-control program becomes a platform standard for add-ons. The worst answer is to let each acquired company keep its own classification logic and screening thresholds until one of them fails.

When to escalate to export-control counsel

Export-control counsel should be brought in when a product may be ITAR-controlled, when an ECCN is uncertain or material, when the business depends on sensitive destinations or end users, when the target has foreign-national access to controlled technology, when a customer or affiliate hits a restricted list, when any voluntary self-disclosure is being considered, when DOJ exposure is plausible, or when a rule change affects a material revenue line. The diligence team can write the questions. Counsel owns the legal conclusion.

Practitioner Skill Built By This Article

Stripped to its core, the skill this piece builds is the ability to run an export-control triage screen on a technology target and reduce the result to a defensible diligence memo.

  • What you can now recognize: the difference between jurisdiction and authorization; the split between the EAR and the ITAR; the role of ECCNs, EAR99, the CCL, the USML, Entity List screening, foreign direct product rules, deemed exports, and General Prohibition Ten.
  • What source you verify it against: ECRA at 50 U.S.C. 4801 to 4852; the EAR at 15 CFR Parts 730 to 774, especially Parts 734, 736, 744, 764, 766, and 774; the AECA at 22 U.S.C. 2778; the ITAR at 22 CFR Parts 120 to 130; BIS classification guidance; BIS enforcement pages; Federal Register rulemakings; and official Commerce, State, Treasury, and DOJ lists and guidance.
  • What you can produce: the export-control section of a diligence report, the artifact below, and a screened public-list workpaper that identifies leads and questions for counsel.
  • When you escalate: at any plausible ITAR item, uncertain ECCN, foreign-national technology access issue, restricted-party hit, sensitive destination, foreign direct product question, voluntary self-disclosure question, or evidence of evasion or concealment.

This is forensic-accounting work pointed at technology. The evidence habits are familiar: source the representation, reconcile the records, preserve the date, separate management’s claim from the document that proves it, and refuse to convert a lead into a finding before the record supports it. Export-control diligence rewards that discipline because the most dangerous errors often look like ordinary operational shortcuts.

The shipped artifact: export-control diligence screen

Use this at intake for any target that makes, designs, tests, repairs, supports, licenses, hosts, exports, reexports, or transfers products, software, technical data, or services with possible military, dual-use, semiconductor, aerospace, encryption, sensor, AI, energy, nuclear, telecom, or advanced-manufacturing applications. It produces leads for the memo, not legal conclusions.

  1. Jurisdiction
  • Does any product, software, technology, technical data, service, component, prototype, sample, demo unit, support activity, or repair activity appear on the USML?
  • Has the target ever registered with DDTC, filed a commodity jurisdiction request, used an ITAR authorization, signed a technical-assistance agreement, or handled defense technical data?
  • For Commerce items, which products and technologies are subject to the EAR, and what evidence supports that conclusion?
  1. Classification
  • For each material item, what is the ECCN or EAR99 designation?
  • Who classified it, when, using what technical file and what version of the rule?
  • Was the classification sourced from the manufacturer, self-classified, or requested from BIS?
  • Has the target refreshed classifications after the 2024 to 2026 rule changes affecting advanced computing, semiconductor manufacturing, foreign direct product rules, and Entity List policy?
  1. Authorization
  • Which destinations, end uses, and end users require licenses?
  • Which license exceptions does the target use, and what conditions support them?
  • What licenses, provisos, denials, returned-without-action applications, advisory opinions, or commodity classifications exist?
  1. Restricted parties and diversion
  • Are all parties screened: purchaser, intermediate consignee, ultimate consignee, end user, freight forwarder, bank, distributor, reseller, and relevant beneficial owner?
  • Does the target screen against the Entity List, Denied Persons List, Military End User List, Unverified List, OFAC lists, and the CSL?
  • How are fuzzy matches, aliases, addresses, and ownership links escalated?
  1. Technology access
  • Which foreign-national employees, contractors, visitors, researchers, customer engineers, or affiliate personnel can access controlled technology or source code?
  • Are access rights mapped to country of citizenship or permanent residency where a deemed-export analysis is required?
  • Are engineering repositories, data rooms, build systems, cloud portals, and lab access controls aligned with the classification file?
  1. Foreign affiliates and supply chain
  • Do foreign subsidiaries, distributors, contract manufacturers, repair centers, or support teams export, reexport, or transfer items subject to the EAR?
  • Does any foreign-produced item rely on US-origin technology, software, equipment, plant, or major components in a way that raises an FDP question?
  • Are in-country transfers documented and screened?
  1. Incident and disclosure history
  • Any past or pending BIS, DDTC, OFAC, CBP, Homeland Security Investigations, Federal Bureau of Investigation, or DOJ inquiry?
  • Any voluntary self-disclosure, charging letter, settlement, order, license suspension, denied-person issue, or internal investigation?
  • Any customers or revenue lines stopped because of export-control or sanctions concerns?
  1. Deal response
  • Which findings require counsel review before signing?
  • Which findings require remediation, escrow, special indemnity, closing condition, license application, technology-control plan, or voluntary-self-disclosure decision?
  • Which revenue lines depend on continued licensing, list status, foreign-national access, or customer eligibility?

Applied DD Lab: Replicate the Screen

The lab for this article does not classify products. It does not determine ECCNs. It does not decide whether a license is required. Export classification is not automated, and a public code exercise cannot substitute for technical review, counsel, or an official classification request. The lab teaches a narrower, useful skill: how to screen public parties and generate diligence questions from official public lists.

  • Dataset: the International Trade Administration’s Consolidated Screening List search and Application Programming Interface, plus official BIS and Treasury source-list links where a potential match appears. The sample target list is synthetic.
  • What it shows: whether a synthetic customer, reseller, freight forwarder, or affiliate name resembles a party on a US government screening list, which source list produced the hit, and what follow-up questions belong in the memo.
  • How to run it: take a synthetic counterparty file with names, addresses, countries, roles, and product lines; query the CSL; store the returned source, list name, matched name, address, and source-list URL; then classify the result as no hit, exact lead, fuzzy lead, address lead, or ownership/escalation lead. For any lead, the workpaper instructs the analyst to check the official source list and obtain counsel review before any conclusion.
  • What it can prove: that a public list generated a screening lead on a given date, and that the diligence team asked the right questions.
  • What it cannot prove: that an entity is legally the same party as a listed entity, that a transaction is prohibited, that an item is classified under a particular ECCN, that a license is required, or that a license exception is available.

The lab guardrail is strict: the code produces leads and questions only. It uses public or synthetic data only. It keeps product classification out of scope. It treats CSL output as an aid to screening, not as the official legal source, and it sends every potential match back to the official source list, transaction documents, and counsel.

Terms used in this article

The full glossary lives in the section’s master glossary; the terms you need for this piece:

  • BIS (Bureau of Industry and Security): the Commerce Department bureau that administers the EAR and runs civil export-control enforcement for commercial and dual-use items.
  • EAR (Export Administration Regulations): the Commerce Department export-control regulations at 15 CFR Parts 730 to 774.
  • ECRA (Export Control Reform Act of 2018): the statute at 50 U.S.C. 4801 to 4852 that provides the permanent statutory basis for modern Commerce export controls.
  • ECCN (Export Control Classification Number): the CCL code that describes controlled items by category, product group, and technical parameters.
  • CCL (Commerce Control List): Supplement No. 1 to Part 774 of the EAR, listing items controlled by BIS.
  • EAR99: the designation for an item subject to the EAR but not listed under a specific ECCN on the CCL; it can still require a license based on destination, end use, end user, or sanctions.
  • ITAR (International Traffic in Arms Regulations): the State Department rules at 22 CFR Parts 120 to 130 governing defense articles, defense services, technical data, brokering, and related authorizations.
  • AECA (Arms Export Control Act): the statute at 22 U.S.C. 2778 authorizing controls over defense articles and defense services.
  • USML (United States Munitions List): the ITAR list at 22 CFR Part 121 identifying defense articles and defense services.
  • FDPR (Foreign Direct Product Rule): EAR rules that can make certain foreign-produced items subject to the EAR because of specified US-origin technology, software, equipment, plant, major components, destinations, end uses, or end users.
  • Deemed export: a release in the United States of controlled technology or source code to a foreign person, treated as an export to that person’s most recent country of citizenship or permanent residency.
  • Entity List: a BIS list in Supplement No. 4 to Part 744 identifying parties and addresses subject to supplemental license requirements because of national-security or foreign-policy concerns.
  • CSL (Consolidated Screening List): an International Trade Administration screening aid that consolidates multiple Commerce, State, and Treasury lists and points users back to official source lists for compliance.
  • TDO (Temporary Denial Order): a BIS order denying export privileges temporarily to prevent imminent or ongoing export-control violations.
  • VSD (Voluntary Self-Disclosure): a disclosure to BIS, DDTC, OFAC, or DOJ of potential violations, considered under each agency’s own policy and facts.

Selected sources

  • Statute: Export Control Reform Act of 2018, 50 U.S.C. 4801 to 4852, especially 50 U.S.C. 4819 (penalties), uscode.house.gov.
  • Regulations: Export Administration Regulations, 15 CFR Parts 730 to 774, especially Part 734 (scope), Part 736 (general prohibitions), Part 744 (end-use and end-user controls), Part 764 (enforcement and protective measures), Part 766 (administrative enforcement proceedings), and Part 774 (Commerce Control List), eCFR and BIS EAR pages.
  • ITAR/AECA: Arms Export Control Act, 22 U.S.C. 2778; International Traffic in Arms Regulations, 22 CFR Parts 120 to 130; United States Munitions List, 22 CFR Part 121; DDTC ITAR guidance.
  • Classification guidance: BIS, “Classify your item”; BIS, Supplement No. 4 to Part 774, Commerce Control List Order of Review; BIS, Interactive Commerce Control List.
  • Screening guidance: International Trade Administration, Consolidated Screening List and CSL Application Programming Interface; BIS Entity List page and Entity List Frequently Asked Questions.
  • 2024 rulemakings: Iran Foreign Direct Product Rule, 89 FR 60563 (effective July 23, 2024); Administrative and Enforcement Provisions, 89 FR 75477 (effective September 16, 2024); Foreign-Produced Direct Product Rule Additions and Refinements to Controls for Advanced Computing and Semiconductor Manufacturing Items, 89 FR 96790 (effective December 2, 2024); Entity List additions and modifications, 89 FR 96830 (effective December 2, 2024).
  • 2025 to 2026 rule posture: Framework for Artificial Intelligence Diffusion, 90 FR 4544 (effective January 13, 2025); BIS announcement of intended rescission and non-enforcement, May 2025; Expansion of End-User Controls to Cover Affiliates of Certain Listed Entities, 90 FR 47201 (effective September 29, 2025), stayed by 90 FR 50857 until November 9, 2026 absent extension.
  • Enforcement: BIS penalties page; BIS Cadence Design Systems release, July 28, 2025; BIS Applied Materials release, February 12, 2026; BIS Exyte final order, January 2026; BIS Teledyne FLIR final order, February 2026.
  • DOJ: National Security Division voluntary-self-disclosure guidance, updated March 30, 2026; DOJ White Deer / Unicat declination and non-prosecution announcement, June 16, 2025.

Status note

  • Last reviewed: 2026-06-15
  • Next scheduled review: 2026-09-15
  • Current watch items: any formal Federal Register rescission or replacement for the AI Diffusion Rule; the stayed affiliates rule scheduled to remain stayed until November 9, 2026 absent extension; any 2026 Commerce civil monetary penalty adjustment replacing the January 15, 2025 BIS penalty figure; further semiconductor, advanced-computing, high-bandwidth-memory, and FDP updates; new BIS enforcement settlements involving acquisitions, foreign affiliates, in-country transfers, or Entity List customers; DDTC ITAR rule updates; and the next BIS annual enforcement or policy guidance update.

By Noah Green CPA CFE, for Sheepdog Prosperity Partners. Educational only; not legal advice.

Submit a Comment

Your email address will not be published. Required fields are marked *