EAR (Export Administration Regulations)
The Commerce Department's dual-use export control framework covering the Commerce Control List and license exception structures.
The Export Administration Regulations (EAR), codified at 15 CFR Parts 730–774 and administered by the Bureau of Industry and Security (BIS), control the export, re-export, and in-country transfer of dual-use goods, software, and technology enumerated on the Commerce Control List (CCL). The CCL uses Export Control Classification Numbers (ECCNs) organized into ten product groups (0–9) across five country groups. Items not on the CCL are designated EAR99, but EAR99 items may still require a license if destined for embargoed countries (Cuba, Iran, North Korea, Syria, and Russia under the post-2022 expansions) or for denied parties. BIS maintains the Denied Parties List, Entity List, and Unverified List; screening against all three is a legal obligation before every transaction.
Engineering reality under EAR is dominated by software and technology controls. ECCN 5D002 captures most commercial encryption software (symmetric key lengths exceeding 56-bit, asymmetric exceeding 512-bit), though License Exception ENC (§740.17) provides a path for mass-market products after a one-time BIS notification. ECCN 5E002 covers cryptographic technology, meaning that publishing a cryptographic algorithm in source code form — including to open-source repositories — may require a BIS encryption registration. AI/ML model weights and training datasets are increasingly scrutinized under ECCNs 4E001 and 4D001; BIS's October 2023 AI chip export rules (targeting A100/H100-class GPUs) extended EAR reach deep into cloud inference infrastructure serving non-US persons.
The de minimis rule (§734.4) exempts foreign-made products containing ≤25% US-controlled content (or ≤10% for certain country groups) from EAR jurisdiction — but this calculation must be performed on the value of all EAR-controlled US-origin content, not just the classified components. Deemed export rules mirror ITAR for EAR-controlled technology: releasing controlled source code to a foreign national in the US without a license is an export to that person's home country. The foreign direct product rule (FDPR), expanded dramatically in 2022 against Russia and China, means that foreign-manufactured chips or software that are the direct product of US-origin technology or US fab equipment may be subject to EAR even with no US content.
We implement automated ECCN classification workflows that tag software components and datasets at commit time, integrate BIS denied-party screening APIs into procurement and onboarding pipelines, and architect encryption key management systems that satisfy License Exception ENC notification requirements. Our regulatory intelligence team tracks BIS rule changes — including AI and semiconductor export controls — and maps them to client infrastructure within 30 days of publication.