Reevol

EAR and ITAR export controls: a primer for B2B exporters

Jurisdiction (EAR vs ITAR), classification (ECCN), license exceptions, end-use/end-user screening, and the recordkeeping that survives an audit.

By Carrie Zerby and Or Kapelinsky··15 min read

EAR and ITAR Export Controls: A Primer for B2B Exporters

If you ship products across borders, you need to know whether the Export Administration Regulations (EAR) or International Traffic in Arms Regulations (ITAR) control your items. EAR covers dual-use commercial goods that could have military applications. ITAR covers items specifically designed for defense. Different agencies, different rules, different penalties.

This distinction shapes everything: which agency you apply to for licenses, how long approval takes, what records you keep, and what happens when something goes wrong. BIS processed approximately 37,000 export license applications in FY2023 under EAR. DDTC maintains over 13,000 active registrants under ITAR. Both systems run in parallel, and many B2B exporters with mixed product portfolios must navigate both.

Disclaimer: This article provides educational information about U.S. export control regulations. It does not constitute legal advice. Consult qualified export control counsel for guidance on your specific situation.

For broader context on trade compliance, see our guide to tariffs and trade compliance fundamentals.

What Are EAR and ITAR, and Why Do B2B Exporters Need to Know Both?

EAR: Dual-Use Items Under Commerce Department Jurisdiction

The Export Administration Regulations (15 CFR Parts 730-774) govern commercial items that could serve both civilian and military purposes. The Bureau of Industry and Security (BIS) within the Commerce Department administers these controls.

EAR covers a broad range: encryption software, certain chemicals, precision machine tools, electronics with specific capabilities. The Commerce Control List (CCL) catalogs items requiring licenses for specific destinations. Items subject to EAR but not specifically listed on the CCL receive an EAR99 designation. EAR99 items generally ship freely to most destinations, though restrictions apply for embargoed countries, prohibited end-uses, and denied parties.

ITAR: Defense Articles Under State Department Jurisdiction

The International Traffic in Arms Regulations (22 CFR Parts 120-130) control defense articles, defense services, and related technical data. The Directorate of Defense Trade Controls (DDTC) within the State Department administers ITAR.

ITAR's scope is narrower but stricter. The United States Munitions List (USML) enumerates controlled items across 21 categories. If your product appears on the USML, ITAR applies. Before engaging in any ITAR-controlled activity, you must register with DDTC. No registration, no exports. No exceptions.

Why the Distinction Matters for Your Supply Chain

EAR vs. ITAR: Key Differences
FactorEARITAR
Administering AgencyBureau of Industry and Security (Commerce)Directorate of Defense Trade Controls (State)
Statutory AuthorityExport Control Reform Act of 2018Arms Export Control Act
Controlled ItemsDual-use commercial items (CCL + EAR99)Defense articles (USML)
Registration RequiredNoYes, mandatory before any activity
Average License Processing32 days (FY2023)60-90 days typical
Civil Penalty Maximum (2024)$330,947 per violation$1,282,041 per violation
Criminal PenaltiesUp to $1M and 20 yearsUp to $1M and 20 years
Record Retention5 years5 years

The penalty gap alone demands attention. A single ITAR violation can cost nearly four times what an EAR violation costs. Beyond fines, both regimes can deny export privileges, effectively shutting down your international business.

How Do You Determine Which Regime Controls Your Product?

The Jurisdictional Determination Decision Tree

Classification follows a specific sequence. Work through these steps for each product:

Export Control Classification Decision Process
  1. STEP 01
    Step 1: Check for Exclusive Agency Control
    Is the item exclusively controlled by another agency (NRC for nuclear materials, DOE for certain energy items, DEA for controlled substances)? If yes, those regulations apply instead of EAR or ITAR.
  2. STEP 02
    Step 2: Check the USML
    Is the item on the United States Munitions List? Review all 21 categories. If the item is specifically designed, developed, configured, adapted, or modified for military application and appears on the USML, ITAR controls it.
  3. STEP 03
    Step 3: Check the CCL
    If not on the USML, does the item have an Export Control Classification Number (ECCN) on the Commerce Control List? Match your item's technical parameters against CCL entries.
  4. STEP 04
    Step 4: Default to EAR99
    If no ECCN applies, classify the item as EAR99. The item remains subject to EAR but generally exports without a license to most destinations.

When to Request a Formal Commodity Jurisdiction Determination

Some items sit near the boundary between USML and CCL. Components originally designed for defense systems but now used commercially. Items with dual applications where the "specifically designed" test yields ambiguous results.

For these cases, request a formal Commodity Jurisdiction (CJ) determination. Submit form DS-4076 through the DECCS portal. DDTC typically processes CJ requests in 30-60 days. The determination is binding: once DDTC rules your item is USML-controlled, that classification sticks unless you successfully petition for reconsideration.

Request a CJ when:

  • Your item shares technical characteristics with USML entries but serves commercial markets
  • You acquired technology or components from a defense contractor
  • Customers or partners question your self-classification
  • You plan significant investment in a product line and need regulatory certainty

How Does ECCN Classification Work Under EAR?

Decoding the ECCN Structure

Every Export Control Classification Number follows a five-character alphanumeric format. Understanding this structure helps you navigate the CCL efficiently.

The 10 CCL Categories:

  • 0: Nuclear materials, facilities, and equipment
  • 1: Special materials and related equipment
  • 2: Materials processing
  • 3: Electronics
  • 4: Computers
  • 5: Telecommunications and information security
  • 6: Sensors and lasers
  • 7: Navigation and avionics
  • 8: Marine
  • 9: Aerospace and propulsion

Product Groups (second character):

  • A: Systems, equipment, and components
  • B: Test, inspection, and production equipment
  • C: Materials
  • D: Software
  • E: Technology

Example: ECCN 3A001 breaks down as Category 3 (Electronics), Product Group A (Systems/equipment/components), followed by the specific control entry number.

Reasons for Control determine which destinations require licenses:

  • NS: National Security
  • MT: Missile Technology
  • NP: Nuclear Nonproliferation
  • CB: Chemical & Biological Weapons
  • CC: Crime Control
  • RS: Regional Stability
  • AT: Anti-Terrorism

Self-Classification Methodology: A Worked Example

You manufacture industrial sensors. Here's how to classify them:

  1. Gather technical specifications. Collect data sheets, engineering drawings, and performance parameters. Focus on characteristics the CCL uses as control thresholds: accuracy, range, operating frequencies, materials.

  2. Identify candidate ECCNs. Search the CCL index for relevant entries. For sensors, start with Category 6 (Sensors and lasers). Review 6A entries for equipment.

  3. Compare parameters against control thresholds. ECCN 6A002 controls optical sensors meeting specific performance criteria. Does your sensor exceed those thresholds? If yes, that ECCN applies.

  4. Check for decontrol notes. Many ECCNs include notes excluding certain items. Read these carefully. Your sensor might meet the technical threshold but fall under a decontrol provision.

  5. Document your analysis. Record the ECCN determination, the technical basis, the date, and the analyst. Maintain this documentation for five years.

  6. Reassess when specifications change. Product updates can shift classification. A firmware upgrade improving accuracy might push an EAR99 item into a controlled ECCN.

When self-classification proves difficult, request an official classification ruling from BIS. Submit your technical documentation and BIS will issue a binding determination.

What Are the 21 USML Categories B2B Exporters Encounter Most?

USML Structure and Enumeration Approach

Unlike the CCL's catch-all structure, the USML uses positive enumeration. Items must be specifically listed to be controlled. Each category contains detailed paragraphs describing controlled articles, with asterisks marking Significant Military Equipment (SME) subject to additional restrictions.

ITAR also controls:

  • Technical data: Information required for design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles
  • Defense services: Furnishing assistance to foreign persons in the design, development, engineering, manufacture, production, assembly, testing, repair, maintenance, modification, operation, demilitarization, destruction, processing, or use of defense articles

Categories Most Relevant to B2B Supply Chains

Category XI: Military Electronics Covers electronic equipment specifically designed for military applications: command and control systems, electronic warfare equipment, military computers meeting specific criteria. B2B suppliers of electronic components often encounter Category XI when their parts integrate into defense systems.

Category XIII: Materials and Miscellaneous Articles A broad category including armor, military training equipment, and various materials. Many B2B manufacturers find their specialty materials controlled here.

Category XV: Spacecraft and Related Articles Controls satellites, launch vehicles, and related components. The commercial space industry frequently navigates Category XV controls.

Component Inheritance: Parts and components specifically designed for USML-controlled articles inherit that control. Your circuit board designed for a military radar system falls under the same USML category as the radar itself.

What Is the Deemed Export Rule and How Does It Affect Your Workforce?

Defining Deemed Exports Under EAR and ITAR

A deemed export occurs when you release controlled technology or technical data to a foreign national within the United States. The regulations treat this release as an export to that person's home country.

Under EAR (15 CFR 734.13), releasing technology or source code to a foreign national requires the same authorization as physically exporting it to their country of citizenship or permanent residence.

Under ITAR (22 CFR 120.17), disclosing technical data or providing defense services to foreign persons requires authorization regardless of where the disclosure occurs.

Compliance Strategies for International Teams

Technology Control Plans (TCPs): ITAR compliance requires written procedures controlling foreign person access to technical data. Your TCP should address:

  • Physical security: badge access, visitor escorts, secure storage
  • IT security: network segmentation, access controls, encryption
  • Personnel security: citizenship verification, need-to-know determinations
  • Visitor protocols: foreign national registration, escorted access only

Deemed Export Licenses: When foreign national employees need access to controlled technology, apply for deemed export licenses. The license authorizes release to specific individuals for defined purposes.

Common Pitfalls:

  • Conference presentations revealing controlled technical data to foreign attendees
  • Collaborative R&D with foreign universities or partners
  • Cloud storage accessible from foreign locations
  • Email threads including foreign national colleagues

For detailed screening procedures, see our guide to comprehensive denied party screening procedures.

What Licenses and Exceptions Are Available?

EAR License Exceptions Most Useful for B2B Trade

License exceptions allow exports without individual licenses when specific conditions are met. Key exceptions for B2B exporters:

License Exception TMP (Temporary Exports): Covers items exported temporarily for repair, exhibition, or demonstration. The item must return to the U.S. within one year (or four years for certain tools and equipment).

License Exception RPL (Servicing and Replacement Parts): Permits exports of replacement parts and components for equipment previously exported legally. Useful for aftermarket support.

License Exception TSR (Technology and Software Restricted): Allows exports of certain technology and software to specified destinations. Conditions vary by ECCN and destination.

Each exception has specific eligibility requirements and documentation obligations. Review 15 CFR Part 740 for complete conditions.

ITAR Exemptions and Agreement Types

ITAR exemptions are narrower than EAR license exceptions. Most ITAR exports require either a license or an agreement.

Technical Assistance Agreements (TAA): Authorize the provision of defense services or disclosure of technical data to foreign persons. Required when you're sharing know-how, not just hardware.

Manufacturing License Agreements (MLA): Authorize foreign production of defense articles. Required when foreign entities will manufacture ITAR-controlled items.

Both agreement types require DDTC approval and typically include provisos restricting further transfer.

License Application Timelines and Planning

License Processing Timelines
AgencyAverage Processing TimeFactors Affecting Timeline
BIS (EAR)32 days (FY2023 average)Destination, ECCN, end-use, referrals to other agencies
DDTC (ITAR)60-90 days typicalAgreement complexity, SME involvement, congressional notification
Congressional NotificationAdds 15-30 daysRequired for defense sales exceeding dollar thresholds

Build license lead times into your sales cycle. A customer expecting 30-day delivery on ITAR-controlled items will be disappointed when licensing takes 90 days.

How Do You Screen Parties Against Restricted Lists?

The Consolidated Screening List and Its Component Lists

The U.S. government maintains multiple restricted party lists. The Consolidated Screening List aggregates 12+ lists into a single searchable database. Key lists include:

Entity List (BIS): Over 700 entities across 30+ countries subject to license requirements. Additions often target companies supporting foreign military or surveillance programs.

Specially Designated Nationals List (OFAC): Individuals and entities subject to sanctions. Transactions with SDNs are generally prohibited.

Denied Persons List (BIS): Individuals and entities denied export privileges. No exports permitted.

Unverified List (BIS): Parties where BIS could not verify bona fides. Requires enhanced due diligence.

Implementing Effective Screening Workflows

Restricted Party Screening Workflow
  1. STEP 01
    Step 1: Collect Party Information
    Gather complete name, address, country, and any aliases for all transaction parties: buyer, consignee, end-user, freight forwarder, financial institutions.
  2. STEP 02
    Step 2: Screen Against Consolidated List
    Run all parties through screening software or the Consolidated Screening List. Use fuzzy matching to catch name variations and transliterations.
  3. STEP 03
    Step 3: Evaluate Potential Matches
    Review hits manually. Compare identifying information beyond names: addresses, dates of birth, passport numbers. Many hits are false positives.
  4. STEP 04
    Step 4: Escalate Confirmed Matches
    If a match is confirmed, escalate to compliance leadership. Do not proceed with the transaction without authorization.
  5. STEP 05
    Step 5: Document Results
    Record screening date, lists checked, results, and analyst determination. Retain for five years.
  6. STEP 06
    Step 6: Re-screen at Milestones
    Screen again at order confirmation, shipment, and payment. Lists update frequently.
  7. STEP 07
    Step 7: Maintain Audit Trail
    Ensure screening records support regulatory examination. Auditors will ask for proof you screened before each transaction.

What Does a Compliant Export Management Program Look Like?

The Eight Elements of an Effective EMCP

An Export Management and Compliance Program (EMCP) provides the infrastructure for consistent compliance. BIS and DDTC both look for these elements:

  1. Management Commitment: Senior leadership allocates resources, sets policy, and holds the organization accountable.

  2. Risk Assessment: Identify which products, destinations, and customers present elevated risk. Focus compliance resources accordingly.

  3. Classification Procedures: Documented processes for determining ECCN/USML classification. Regular review when products change.

  4. Order Processing: Screening, license determination, and documentation at each transaction stage.

  5. Screening Protocols: Systematic checks against restricted party lists with clear escalation paths.

  6. Record-Keeping: Five-year retention of export documentation, licenses, classifications, and screening results.

  7. Training: Regular training for employees involved in export activities. Document attendance and content.

  8. Audits and Corrective Action: Periodic internal audits to identify gaps. Documented corrective actions when problems surface.

Technology Control Plans for ITAR Compliance

If you handle ITAR technical data, your TCP must address:

  • Physical security: Controlled access to facilities where technical data is stored or discussed
  • IT security: Network segmentation, access logging, encryption for technical data at rest and in transit
  • Personnel security: Citizenship verification, background checks, need-to-know determinations
  • Visitor protocols: Registration, escort requirements, prohibited areas
  • Subcontractor management: Flow-down of TCP requirements to partners with access

What Are the Penalties for Violations, and How Does Voluntary Disclosure Help?

Civil and Criminal Penalty Frameworks

Penalty Comparison: EAR vs. ITAR
Penalty TypeEAR (15 CFR 764)ITAR (22 CFR 127)
Civil Penalty Maximum (2024)$330,947 per violation$1,282,041 per violation
Criminal Fine Maximum$1,000,000$1,000,000
Criminal Imprisonment Maximum20 years20 years
Administrative ConsequencesDenial of export privilegesDebarment from defense contracts
Aggravating FactorsWillfulness, prior violations, harm to national securitySame, plus SME involvement

Denial of export privileges effectively ends your international business. Debarment from defense contracts can be equally devastating for suppliers in that sector.

Voluntary Self-Disclosure as a Mitigation Strategy

When you discover a violation, voluntary self-disclosure (VSD) significantly reduces penalties. Both BIS and DDTC view timely, complete disclosures favorably.

VSD Procedures:

  • Initial notification within 60 days of discovery
  • Full written disclosure within 180 days
  • Include root cause analysis and corrective actions taken

Typical Outcomes: Voluntary self-disclosures typically result in 50-75% penalty mitigation compared to violations discovered through investigation.

Expectations During Follow-Up:

  • Cooperate fully with agency inquiries
  • Provide additional documentation promptly
  • Implement corrective actions and demonstrate effectiveness
  • Accept responsibility without minimizing the violation

How Do Re-Export Rules Affect Your Global Supply Chain?

De Minimis Thresholds for Foreign-Made Items

Foreign-made items incorporating U.S.-origin content may require U.S. authorization for re-export. The de minimis threshold determines when:

10% Threshold: Applies to re-exports to embargoed destinations (Cuba, Iran, North Korea, Syria, and the Crimea region). If U.S.-origin controlled content exceeds 10% of the foreign item's value, U.S. authorization is required.

25% Threshold: Applies to other controlled destinations. If U.S.-origin controlled content exceeds 25%, U.S. authorization is required.

Calculation Methodology: Include the value of U.S.-origin controlled components, technology, and software. Exclude EAR99 content. Compare to the fair market value of the foreign-made item.

Re-Export and Retransfer Authorization Requirements

Your foreign subsidiaries and partners may need U.S. authorization to:

  • Re-export U.S.-origin items to third countries
  • Transfer items within a country to different end-users
  • Re-export foreign items exceeding de minimis thresholds

Foreign-Produced Direct Product Rules: Items produced abroad using U.S.-origin technology or equipment may be subject to EAR. These rules expanded significantly in recent years, particularly for semiconductor manufacturing equipment.

Supply Chain Mapping: Know where your products go after initial export. Require end-use certificates. Include re-export restrictions in contracts. Audit compliance by distributors and subsidiaries.

Frequently asked questions

How do I classify products under EAR?+
Gather technical specifications, search the Commerce Control List for matching ECCNs, compare your product's parameters against control thresholds, check decontrol notes, and document your analysis. If no ECCN applies, classify as EAR99. Request a BIS classification ruling when self-classification proves difficult.
What is the difference between EAR and ITAR?+
EAR controls dual-use commercial items through the Commerce Department's BIS. ITAR controls defense articles through the State Department's DDTC. ITAR requires registration before any controlled activity and carries higher penalties (up to $1.28 million per violation vs. $330,947 under EAR).
What are ITAR registration requirements?+
Any person or entity engaged in manufacturing, exporting, or brokering defense articles must register with DDTC before conducting any ITAR-controlled activity. Registration is mandatory and must be renewed annually. Submit registration through the DECCS portal.
How does the deemed export rule affect foreign employees?+
Releasing controlled technology or technical data to foreign national employees in the U.S. counts as an export to their home country. You may need deemed export licenses for foreign national employees who require access to controlled technology. Implement Technology Control Plans to manage access.
What are export control compliance program requirements?+
An effective program includes: management commitment, risk assessment, classification procedures, order processing controls, restricted party screening, record-keeping (5 years), training, and internal audits with corrective action procedures. ITAR compliance also requires Technology Control Plans for technical data.
How do I know if my product is on the USML?+
Review all 21 USML categories in 22 CFR Part 121. Items must be specifically enumerated to be controlled. If your item is specifically designed, developed, configured, adapted, or modified for military application and matches a USML entry, ITAR controls it. Request a Commodity Jurisdiction determination from DDTC when classification is unclear.

Related reading