EAR governs the export of commercial and dual-use items from the U.S., including encryption and cybersecurity tools, administered by the Bureau of Industry and Security.
The Export Administration Regulations (EAR) govern the export, reexport, and transfer of commercial and dual-use items from the United States. Administered by the Bureau of Industry and Security (BIS) within the U.S. Department of Commerce, EAR controls items that have both commercial and potential military or proliferation applications. Unlike ITAR, which covers purely defense articles, EAR covers a broader range of goods, software, and technology including commercial encryption products, certain cybersecurity tools, high-performance computing equipment, and telecommunications technology. The Commerce Control List (CCL) organizes controlled items into ten categories with Export Control Classification Numbers (ECCNs).
Organizations must determine whether their items are subject to EAR by classifying them against the CCL. Items not specifically listed may still be designated as EAR99, subject to baseline controls. License requirements depend on the item classification, destination country, end user, and end use. BIS maintains several restricted party lists including the Entity List, Denied Persons List, and Unverified List. Organizations must screen all transactions against these lists. EAR includes a de minimis rule where foreign-made items containing less than 25% (or 10% for certain destinations) controlled U.S.-origin content may not require a license. License exceptions exist for certain low-risk transactions. Organizations must maintain export records for five years, file Shipper's Export Declarations for items above certain values, and implement Internal Compliance Programs covering order processing, classification, screening, and training.
EAR violations can result in civil penalties up to $300,000 per violation or twice the transaction value, and criminal penalties up to $1 million and 20 years imprisonment. BIS has increased enforcement actions, particularly around technology exports to restricted entities. For cybersecurity teams, EAR is relevant because encryption software, penetration testing tools, and intrusion detection systems may be controlled. Organizations developing or distributing such technology must understand EAR classification and licensing requirements to avoid inadvertent violations.
Written by CDA Editorial