I’ve dedicated my career to trade compliance, and after more than 27 years counseling businesses on international trade issues, I still find it one of the most dynamic and consequential areas of law. Almost every company today is global. Almost all of us are selling in international markets. That means we all need to understand the rules governing how we move goods, technology, and data across borders. Export controls sit at the heart of that obligation.
I recently walked through these issues in depth during an Axiom CLE session. Here's what in-house counsel and general counsel need to know.
What Are Export Controls?
Export controls are a system of laws and regulations that govern the transfer of certain goods, software, technology, and services outside the United States or to foreign persons, even within U.S. borders.
The U.S. government manages exports through licensing requirements, record-keeping obligations, reporting requirements, and, in some cases, mandatory registration before any exports can take place. Two primary regulatory frameworks govern this space: the International Traffic in Arms Regulations (ITAR), administered by the Department of State, and the Export Administration Regulations (EAR), administered by the Department of Commerce. If something isn't caught by the ITAR, it's caught by the EAR. There's very little that falls through the cracks.
Export controls regulations apply any time there's a transfer of a controlled item outside the United States. They also apply to the transfer of technology, technical data, or source code to a foreign person, wherever that person happens to be located. That's a point that surprises a lot of people. For example, if you have an Italian national working at your company in the U.S. and you give that person technical data or drawings related to your product, you have just made an export to that foreign person. The Export Control Act and the regulations it supports are clear on this.
Why Export Controls Matter for Businesses
The short answer? The stakes are extraordinarily high, and enforcement is only increasing.
Enforcement in the trade space has gone up exponentially over the last three years. Every relevant agency has made enforcement of trade laws and regulations a stated priority. They have hired more personnel and are actively pursuing individuals, entities, and companies that are breaking the rules.
The fines tell the story clearly. GE Aerospace was recently fined $36 million by the State Department for exporting technical data to China, a prescribed destination under the ITAR. Raytheon received a $200 million fine for unauthorized exports of defense articles. Boeing, a repeat offender, was hit with a $51 million fine for unauthorized exports and retransfers of data to foreign person employees and contractors, as well as unauthorized exports to China. On the sanctions side, Interactive Brokers paid nearly $12 million for providing brokerage and investment services to persons in Iran, Cuba, Syria, and Crimea.
These are the costs of non-compliance, and the pattern is consistent: Companies that don't have robust export compliance programs, that turn a blind eye to red flags, or don't enlist the help of a export controls lawyer, eventually face consequences.
Beyond the financial penalties, violations can also result in loss of export privileges, debarment, and reputational damage that is very difficult to undo. For in-house counsel, that risk sits squarely on your desk.
What Is ITAR?
ITAR controls defense articles, defense services, and related technology and software. The Department of State administers the ITAR, and its reach is broad. If your company manufactures, exports, or brokers defense items, or handles technical data related to those items, ITAR compliance is non-negotiable and engaging an ITAR lawyer can help.
One of the most frequently misunderstood aspects of the ITAR involves foreign person employees. If a company gives an employee who is a foreign national access to controlled technical data or defense-related software as part of his or her job, that is an export under the ITAR. A license from the State Department may be required before that access is granted.
Precision Castparts learned this the hard way. The company exported technical data to foreign person employees without the required licenses and received a $3 million fine. The licenses were available; the company simply didn't obtain them. And that distinction matters. Export controls do not prevent you from hiring a foreign national. They require you to follow the rules and get the appropriate licenses before making those exports.
China and certain other countries are what the ITAR calls “prescribed destinations,” or prohibited destinations for defense trade, defense technology, and defense-related software. This is an absolute restriction. GE Aerospace's $36 million fine came from exporting technical data to China. Boeing's fine included unauthorized exports to China. This is not a gray area.
Violations of the ITAR are enforced by the State Department's Directorate of Defense Trade Controls (DDTC). Companies that identify violations should understand that voluntary disclosure to DDTC, made before the government discovers the violation on its own, is a meaningful mitigation factor. Nets Island Pyrochemical, for example, received a reduced fine in part because it voluntarily disclosed, cooperated with the investigation, and implemented corrective actions. The approach of auditing yourself, finding problems early, and coming forward is one I strongly recommend.
Even licensable exports can become major ITAR violations without proper controls.
What Is EAR?
EAR covers commercial goods, lower-level controlled military items, and essentially everything that isn't subject to the ITAR. The Bureau of Industry and Security (BIS), which sits within the Department of Commerce, administers the EAR.
Under the EAR, controlled items are assigned an Export Control Classification Number (ECCN) that appears on the Commerce Control List. The ECCN determines what licensing requirements apply to a given item for a given destination. Some items are classified as EAR99, meaning they're subject to the EAR but not listed on the control list; those items generally don't require a license except to sanctioned countries or restricted parties.
The EAR also includes a Military End Use/End User Rule that requires extra diligence when there's reason to believe an item might be used for military purposes, even if the buyer isn't a traditional military organization. Universities are a good example. While not a typical military end user, a university conducting military-funded research or working on a military program may need to be treated as a military end user for export control purposes. Military end user restrictions under the EAR are currently focused on Belarus, Burma, Cambodia, China, Nicaragua, Venezuela, and Russia, but the analysis is required before any export where military end use is a possibility.
Hong Kong is another important consideration under the EAR. Since a 2020 executive order, the U.S. treats Hong Kong as China for export control purposes. Many EAR exceptions that would otherwise permit license-free exports no longer apply to Hong Kong, and an ITAR arms embargo is now in effect. Many entities and individuals in Hong Kong have also been added to restricted party lists.
Enforcement under the EAR can be severe, so consulting a EAR lawyer can often be beneficial. Applied Materials received a $252 million fine for re-exporting items to a party on the Entity List. Cadence paid $140 million for exports to a restricted party. ExCyte received a $1.5 million fine not for making illegal exports itself, but for aiding and abetting someone else who did. The regulations make clear that facilitating an illegal export carries the same accountability as making one.
EAR enforcement targets gaps in operational oversight, not just intentional misconduct.
What In-House Counsel and GCs Need to Know
For legal teams supporting businesses with international operations, trade compliance cannot be treated as a back-office function. It requires active engagement across HR, IT, legal, physical security, and senior management.
A few areas deserve particular attention right now:
Foreign person employees
This is one of the hottest topics in trade compliance today. When a company releases technology or software to a foreign national employee as part of their work, that is an export. The regulations require you to identify what information may be shared with a foreign person, who will share it, when, and whether a license is required. Immigration and employment discrimination laws administered by the Department of Justice intersect with export control requirements in this space, so the analysis has to be cross-functional. Importantly, the fact that a license is available means a company cannot lawfully refuse to hire a foreign national based on export controls alone. The obligation is to get the license, not to avoid the hire.
Export diligence
Before any export, it’s imperative to screen all parties against U.S. restricted party lists and look beyond the company itself to its beneficial owners. A company that isn't on a bad-guy list may still be controlled by someone who is. Representations and certifications from the party receiving your export about their intended end use are important, both as diligence and as documentation. The Commerce Department has published a list of red flags worth reviewing: cash payment requests for high-value items, use of third-party intermediaries, and anything that simply doesn't feel right. Willful self-blinding, or seeing a red flag and ignoring it, is not a defense. The government will hold you accountable.
Sanctions
Administered by the Office of Foreign Assets Control (OFAC), sanctions are distinct from export controls in one important way: They don't care about what you're exporting: they care about who you're dealing with and where. Comprehensive U.S. sanctions currently apply to Cuba, Iran, North Korea, Crimea, and two regions of Ukraine. Russia and Belarus are not under comprehensive sanctions but are subject to extremely broad restrictions. If a party you're doing business with is on a restricted party list, you cannot transact with them. IMG Academy learned this when it accepted tuition payments from two individuals identified as Specially Designated Nationals and received a nearly $2 million fine. When dealing with the Office of Foreign Assets Control, it is often recommended to consult with an OFAC lawyer.
Voluntary disclosure
If your company identifies a violation, which happens even at well-run companies, voluntarily disclosing to the relevant agency before the government discovers the violation on its own is meaningful mitigation. The standard recommendation is to audit yourself regularly, investigate potential violations promptly, and come forward early if you find something.
Trends to watch
Russia and China will remain the primary focus for both export controls and sanctions enforcement for the foreseeable future. Withhold and Release Orders issued by U.S. Customs related to forced labor in imported goods are increasing. Human rights and climate-related policies are expected to inform future sanctions frameworks. And the current geopolitical environment, including tensions with U.S. allies over foreign policy direction, means the multilateral landscape on sanctions and export controls is more fluid than it has been in years.
Export Controls FAQ
What are export controls?
Export controls are U.S. laws and regulations that restrict the transfer of certain goods, software, technology, and services to foreign countries or foreign persons. They are designed to protect national security, advance foreign policy objectives, and prevent the proliferation of weapons. The two primary frameworks are the ITAR, administered by the Department of State, and the EAR, administered by the Department of Commerce.
What is ITAR?
The International Traffic in Arms Regulations (ITAR) controls defense articles, defense services, and related technical data and software. It is administered by the U.S. Department of State. Any company that manufactures, exports, brokers defense items, or handles related technology must register with the State Department and comply with ITAR licensing requirements. Transfers to foreign persons, including employees, may constitute exports requiring a license.
What is EAR?
The Export Administration Regulations (EAR) govern commercial goods, dual-use items, and lower-level military products that are not covered by the ITAR. Administered by the Bureau of Industry and Security (BIS) within the Department of Commerce, the EAR assigns Export Control Classification Numbers (ECCNs) to controlled items and sets out licensing requirements based on the destination, end user, and end use. Items not on the control list are classified as EAR99 but may still require a license for exports to sanctioned countries or restricted parties.
What is OFAC?
The Office of Foreign Assets Control (OFAC) is a division of the U.S. Department of the Treasury that administers and enforces economic and trade sanctions. Unlike ITAR and EAR, OFAC's sanctions programs focus on the countries, entities, and individuals involved in a transaction rather than the nature of the goods or technology being transferred.
What happens if a company violates export controls?
Violations can result in civil fines, criminal penalties, loss of export privileges, and reputational damage. Fines have reached hundreds of millions of dollars for major violations. Voluntary disclosure to the relevant agency, made before the government discovers the violation independently, is a significant mitigating factor and is strongly recommended when violations are identified.