
Understanding EAR Compliance Regulations: Tips for US and non-US Companies

by | Oct 2, 2024

Coauthored with Eva Galfi, CEO & Principal Consultant, International Trade Advisors Pty Ltd

The Department of Commerce’s Bureau of Industry and Security (BIS) implements and enforces the Export Administration Regulations (EAR) to regulate the export, reexport and transfer (in-country) of commercial and less sensitive military items. If you need to comply with or learn more about U.S. export control requirements, read our tips for U.S. and non-U.S. companies on EAR compliance to help you meet these strict U.S. regulations.

What is EAR?

The Export Administration Regulations (EAR) are issued by the United States Department of Commerce, Bureau of Industry and Security (BIS) to control the export of:

  • Less sensitive military items that are not considered defense articles or services, such as certain types of munitions and “military hardware”, including certain firearms, aircraft, military vehicles, materials, and chemicals. This also covers items controlled by the Wassenaar Munitions List (WAML).
  • Commercial items that are ‘dual use’ or have both commercial and military or proliferation applications.
  • Strictly commercial items without military applications.

What is an Export?

Under the EAR, any ‘item’, including commodities, software or technology, such as clothing, building materials, circuit boards, automotive parts, blueprints, design plans, retail software packages and technical information, sent from the United States to a foreign destination is an ‘export’.

While some items can be exported without a license, one is required for items on the Commerce Control List (CCL). Examples include dual-use items that are designed for commercial purposes but could have military applications, such as computer hardware and software. Importantly, any items listed on the CCL require a license before they are exported.

It is also important to note that the mode of transportation does not impact requirements (e.g., mail, hand-carried, download, email, phone conversation, freight, etc.).

Additionally, EAR-controlled technology or source code that is released to a foreign national in the United States is considered an export to the foreign national’s home country.

What items are subject to EAR?

EAR applies to all items in the United States, including in a U.S. Foreign Trade Zone or being transported through the U.S. from one foreign country to another. It also includes foreign-made commodities that incorporate controlled U.S.-origin commodities, foreign-made commodities that are ‘bundled’ with controlled U.S.-origin software, foreign-made software that is commingled with controlled U.S.-origin software, and foreign-made technology that is commingled with controlled U.S.-origin technology. Consult the EAR for a comprehensive list of items that are regulated by EAR.

What is the Commerce Control List?

The exporter is responsible for determining if the export requires a license before a sale. You’ll need to consider the following questions to make a determination.

  1. What are you exporting, and is it on the Commerce Control List?
  2. Where are you exporting to?
  3. Who will receive your item?
  4. What will your item be used for?

Determining if the item is on the Commerce Control List (CCL) is essential to the evaluation process. The CCL comprises ten categories of items and five product groups. Listed items will have specific Export Control Classification Numbers (ECCN), as well as the reasons for control and licensing requirements.

Commerce Control List Categories

0 – Nuclear materials, facilities, and equipment (and miscellaneous items)

1 – Special Materials and Related Equipment, Chemicals, Microorganisms and Toxins

2 – Materials Processing

3 – Electronics

4 – Computers

5 – Telecommunications and Information Security

6 – Sensors and Lasers

7 – Navigation and Avionics

8 – Marine

9 – Aerospace and Propulsion

Who must comply with EAR Regulations?

EAR applies to all organizations that produce goods and technology in the U.S., or with U.S.-origin commodities, that have either dual-purpose (commercial and military) uses or only commercial uses. If your organization deals with Defense, it is most likely impacted.

The rules governing EAR-controlled items apply to an organization’s internal and external users or groups with access to EAR-regulated content in the US and many other countries as defined in the requirements. Compliance can pose challenges for companies since data related to specific technologies may need to be transferred over the internet, via collaboration applications such as Microsoft 365 and SharePoint, or stored locally outside the United States.

How does EAR impact non-US Companies?

The EAR has extra-territorial reach and requires that companies outside of the US obtain re-export and retransfer authorization from the BIS for most items on the Commerce Control List. There are a variety of license exceptions available, and most items on the Commerce Control List can travel as ‘no license required’ between parties in Australia and the UK. However, all other compliance obligations remain, including record keeping, access controls, restrictions on sending to US embargoed destinations and denied parties, reporting on the use of exceptions, and voluntary self-disclosure in the event of a violation. Non-US companies must be aware of their compliance requirements in order to ensure they do not inadvertently violate the EAR, which could lead to reputational damage, cancellation of commercial contracts, costly government investigations and penalties.

What is the penalty for an EAR violation?

EAR violations carry a fine of US $1 million+ per violation, criminal penalties of up to 20 years in prison, or both. In addition, administrative monetary penalties of up to $300,000 per violation or twice the value of the transaction, whichever is greater, can apply. In addition to fines, violators can be ‘debarred’ or lose the ability to export goods. The U.S. government can also seize any goods involved in a violation, further impacting a company’s bottom line and reputation.

EAR violations can cost a company tens of millions, so understanding the requirements is essential.

  • Seagate was fined $300 million for EAR violations and placed under a 3-year ITAR debarment for shipping 7 million hard drives to China’s Huawei.
  • Access USA Shipping paid a $27 million settlement for EAR violations involving illegally shipped rifle scopes, night vision lenses, weapons parts and EAR99 items.
  • TE Connectivity Corporation was fined $5.8 million for shipments of low-level items to parties tied to the People’s Republic of China hypersonics, UAV, and military electronics programs.

Other US Export Controls

In addition to EAR, there are several other regulations that apply to US Export Control, including:

  • ITAR (International Traffic in Arms Regulations): The Department of State’s ITAR regulations govern the export and re-export of defense-related articles under the Arms Export Control Act. This includes items on the United States Munitions List (USML), such as military hardware, guidance systems, submarines, armaments, military aircraft, IT and software.
  • FTR (Foreign Trade Regulations): Administered by the Foreign Trade Division of the U.S. Census Bureau, the FTR govern the reporting of an export shipment.

Securing EAR-controlled Data and Access

Ensuring EAR-controlled information, including Controlled Unclassified Information (CUI), can only be accessed by authorized individuals is a critical part of compliance.  NIST SP 800-171 is the minimum cybersecurity requirement for EAR and ITAR as documented in NARA’s CUI Notice 2020-04, Assessing Security Requirements for CUI in Non-Federal Information Systems. Non-federal entities meet the CUI security requirements in NIST SP 800-171.

archTIS helps you easily manage your Export Control and NIST 800-171 cyber security compliance obligations using data-centric policy-based access control and enforcement.

Our solutions use dynamic attribute-based access control (ABAC) and data protection policies to manage CUI and other sensitive data in your organization’s custody. Fine-grained access, usage and sharing policies are enforced at the individual file level using attributes for more precise control. Dynamic access and protection policies evaluate a combination of user, file and environmental attributes, including information categorization/classification, user nationality, country, and more, to grant or deny access. Additional data protection capabilities control what authorized users can do with information once access is granted for a holistic solution to manage data access and security.

NC Protect for M365, GCC, GCC High and SharePoint Server

NC Protect simplifies the management and protection of ITAR-controlled information in Microsoft 365, GCC, GCC High, SharePoint Server, and file shares. Attribute-based access control (ABAC) policies dynamically secure ITAR data access based on user nationality, location, device and file classification.  Policies can also automatically apply encryption, visual markings, and other security trimmings to ensure ITAR data remains secure while auditing file access and actions.

Kojensi document management and collaboration platform

Kojensi is a document management and collaboration platform designed from the ground up to meet the specific needs of the Government, Defence, and Defence Industry. It is designed with access controls to assist organisations with meeting their compliance obligations. Export Control/ITAR compartments enforce dissemination controls and visually alert users that they are working on export-controlled materials to reduce human error. With Kojensi, you can securely share any number of files that may have different export controls internally, with partners, and with Defense.

Get in touch with archTIS today to discover how our specialized information security solutions are tailored to meet the stringent security and compliance requirements of Defense.

About the Authors

This blog was written in collaboration with Eva Galfi, CEO & Principal Consultant, International Trade Advisors Pty Ltd. Eva brings 25 years of experience as an international trade consultant to assisting her Australian clients with understanding how to comply with U.S. export controls, including the ITAR and EAR. Ms. Galfi advises on creating and implementing export control policies and procedures, conducting risk assessments to identify compliance issues, and designing training for engineering staff. Her passion is helping Australian companies to become ‘defence ready’ and participate in Australian government defence projects.
