
A Practical Guide to EAR vs ITAR Export Compliance
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
For many people, the words “export compliance” bring to mind defense contractors, weapons manufacturers, or aerospace companies. But export control laws in the United States apply to more companies than most realize. A software startup developing advanced encryption, a manufacturer of cleaning chemicals, or even a research lab sharing technical data with international partners may find themselves under strict regulations.
The challenge is that ITAR and EAR compliance is not always intuitive, and the dividing line between them can feel confusing. Yet organizations can’t afford to ignore them. Failure to comply can result in significant fines, loss of export privileges, and even criminal charges.
Below, we lay out the full picture of ITAR and EAR, explaining how each regulation works, how they overlap and differ, how to know if they apply to you, and what your compliance program really requires.
What is export control data and why does it require protections?
Export control data is information, technology, or items that the U.S. government has determined require restrictions on access and transfer. These protections exist because the items are sensitive from a national security standpoint. If a technology, material, or dataset could give a foreign adversary an advantage in defense, intelligence, or advanced capabilities, it is subject to export controls.
Export control data does not always look like a missile or a weapons system. It could be as intangible as a CAD drawing of a part, an email attachment containing technical specifications, or a conversation in which a U.S. engineer explains design features to a foreign colleague. Even visual inspection of controlled hardware by a non-U.S. person can count as an export.
Examples of export control data include:
- Defense hardware (weapons, aircraft, night vision)
- Technical drawings & blueprints
- Software source code (encryption, weapons, aerospace)
- Maintenance manuals & training guides
- Specialized electronics & components
- High-performance computers
- Chemicals & materials with military use
- Telecom & navigation technology
- Intangible transfers (email, cloud, conversations)
The United States treats export control data as a special category because once it leaves the country or is shared with an unauthorized person, the exposure is irreversible. Because of this, strict rules govern not only physical shipments but also electronic transfers, cloud storage, and even verbal exchanges of knowledge.

How Export Administration Regulations protect export control data
The Export Administration Regulations, or EAR, cast a wider net. Overseen by the U.S. Department of Commerce through the Bureau of Industry and Security (BIS), EAR applies to “dual-use” items. These are commercial items that could also serve military or security purposes.
Examples of dual-use items are everywhere. High-performance computers designed for research can also support nuclear weapons modeling. Certain chemicals used in manufacturing can also be ingredients for weapons. Encryption software developed for consumer privacy could also protect adversarial communications. Even everyday items like bicycles, tennis rackets, or golf clubs that use carbon fiber can trigger EAR controls, since the same material specifications used in these sporting goods are also used in aircraft fuselages and missile casings.
The EAR regulates these items primarily through the Commerce Control List (CCL). Each controlled item is assigned an Export Control Classification Number (ECCN), which determines the level of restriction.

While EAR is sometimes seen as “less strict” than ITAR, this can be misleading. Certain technologies, especially in computing, telecommunications, and aerospace, face extremely tight EAR restrictions. And the penalties for EAR violations can be just as severe.
Who needs to comply with EAR or ITAR?
Export controls are not just for large defense contractors. Many organizations fall under ITAR or EAR without realizing it.
ITAR covers companies that design, manufacture, or sell items specifically for military use. That includes defense and aerospace primes, but it can also include a small machine shop producing screws and fasteners for a defense aircraft. Even if the part never becomes a U.S. export, the technical data behind it is still ITAR-controlled.
EAR applies more broadly to dual-use technologies with both commercial and military applications. Advanced semiconductors, encryption software, telecommunications equipment, and specialty chemicals are common examples. Universities with foreign researchers, startups developing AI models, and manufacturers exporting electronics can all be subject to EAR.
In practice, if you design, build, or share technology with defense or advanced commercial applications, you should assume export controls apply. And there’s an added layer: export controlled information is considered a type of Controlled Unclassified Information (CUI). That means if you handle ITAR- or EAR-regulated data, you almost certainly fall under CMMC Level 2, which requires compliance with NIST SP 800-171 and a formal assessment by a C3PAO to keep DoD contract eligibility.
Here’s how to know for sure if your company falls under ITAR or EAR:
1. Start with your product, data, or service
The first step is to figure out whether what you produce, sell, or handle falls under ITAR or EAR.
- ITAR items are listed on the United States Munitions List (USML). If your product or related technical data is on that list, ITAR applies.
- EAR items are listed on the Commerce Control List (CCL). If your product or data is listed there, EAR applies. If it’s not listed but still subject to U.S. jurisdiction, it may default to the category “EAR99.”
If you’re not sure how to classify your item, you can file a Commodity Jurisdiction (CJ) request with the State Department (for ITAR) or a Commodity Classification (CCATS) request with the Bureau of Industry and Security (for EAR). This is the most definitive way to resolve gray areas.
2. Review your contracts and flowdown requirements
If you work with the Department of Defense or with a prime contractor, your contracts may already specify whether you are handling export controlled information (ECI). These flowdown clauses are binding, and if your contract references ITAR, EAR, or NIST 800-171 requirements, you are responsible for meeting them. Even subcontractors several layers down the supply chain can be pulled into scope this way.
3. Consider your customer base and destinations
Even if your product seems commercial, if you are exporting to embargoed countries, restricted parties, or end users involved in prohibited activities, EAR requirements may apply. Screening customers and partners against government lists can help determine your obligations.
4. When in doubt, get a determination
The export control system is designed so that you don’t have to guess. If classification or jurisdiction is unclear, filing a request with DDTC (for ITAR) or BIS (for EAR) is the definitive way to know where your item falls. Many companies build this step into their compliance program when developing new technologies or entering new markets.
Non-compliance penalties for EAR and ITAR violations
EAR and ITAR violations can both trigger severe penalties. Civil penalties can reach hundreds of thousands of dollars per violation, and criminal penalties can include multimillion-dollar fines and even prison sentences. Companies may also lose their ability to export altogether, which can be devastating for businesses dependent on international markets.
Companies have been fined for allowing foreign nationals to access ITAR-controlled blueprints, for shipping EAR-controlled items without licenses, and even for inadvertently storing controlled technical data in foreign cloud servers.
In 2024, TE Connectivity Corporation agreed to pay $5.8 million in civil penalties for violating EAR. The company shipped seemingly low-level components such as wires and printed-circuit-board connectors to Chinese parties linked to hypersonics, unmanned aerial vehicles, and military electronics programs. While these parts did not look like advanced weapons, the end users and intended applications triggered EAR restrictions.
These cases highlight that noncompliance is not always about cutting-edge weapons. Sometimes it is overlooked components, poorly trained staff, or inadequate processes that trigger violations. Beyond fines and prison time, companies that mishandle export-controlled data risk reputational damage that can linger for years.
ITAR vs EAR: Key differences and similarities explained
ITAR and EAR serve the same goal: maintaining U.S. national security. Both regulate sensitive items and data, require licensing, and demand rigorous recordkeeping and training. But there are key differences that shape how and when they are applied.
Scope
The key distinction between ITAR and EAR is scope. As mentioned above, ITAR applies to defense articles and defense services on the U.S. Munitions List. These items are designed specifically for military use, from weapons and spacecraft to protective equipment and the technical data behind them.
EAR applies to dual-use items on the Commerce Control List. These are technologies with commercial applications that could also be adapted for military or security purposes, such as advanced semiconductors, encryption software, or certain chemicals.
If something is designed specifically for military use, assume ITAR. If it is a commercial product or technology with potential military applications, assume EAR.
Enforcement
Another distinction lies in who enforces these regulations. ITAR is administered by the U.S. Department of State, specifically through the DDTC. That makes sense, since ITAR items are all about weapons and defense capabilities, and the State Department is responsible for national security and foreign policy. When companies register under ITAR, apply for export licenses, or report violations, they deal directly with the State Department.
EAR is managed by the U.S. Department of Commerce through the BIS. The Commerce Department’s role reflects EAR’s focus on balancing economic activity with national security. BIS is responsible for determining how items on the Commerce Control List are classified, reviewing license applications, and issuing guidance to industry. For companies, understanding which agency they are dealing with is crucial because it determines both the rules they follow and the government body they engage with for approvals or enforcement matters.
Data access
ITAR regulations place strict restrictions on who can view or handle controlled items and data. In almost all cases, only U.S. persons (meaning U.S. citizens or permanent residents) are permitted access unless a special license is obtained. Even something as simple as allowing a foreign national employee to view a controlled document on a shared drive could count as a violation if no authorization is in place. Because of this, ITAR compliance often requires organizations to limit access to systems, facilities, and data only to vetted personnel.
While EAR also places access restrictions, they are more nuanced. The level of restriction depends on the classification of the item, the destination country, the intended end use, and the end user. For many EAR-regulated items, foreign nationals in the United States can have access without triggering a license requirement. However, if those same items were destined for a country under sanctions or a prohibited end user, restrictions could apply. In other words, ITAR assumes “no access unless licensed,” while EAR allows broader access but tailors restrictions to context.
Flexibility
ITAR is rigid by design. Because it covers defense articles and services, there is little room for interpretation. Either an item is on the Munitions List or it is not. Licenses are required for exports almost across the board, and violations are enforced with little leniency. For organizations, this creates a compliance environment where rules are black-and-white.
EAR takes a more flexible approach. While many items do require licenses, there are also broad license exceptions and considerations that take into account the commercial nature of global trade. BIS evaluates not just the item, but also where it is going, who will receive it, and what they will do with it. This flexibility allows U.S. companies to participate in international business while still safeguarding technologies that could be misused. That said, the complexity of EAR can create challenges of its own, since organizations need to carefully analyze each export decision rather than rely on blanket rules.
Safeguarding export controlled information and ensuring compliance
Handling export controlled information means your organization is responsible for protecting some of the nation’s most sensitive unclassified data. In practical terms, not only do you need to ensure compliance with ITAR and/or EAR, you will also need to get CMMC Level 2 certified. With CMMC enforcement in effect as of November 10, 2025, organizations that store, process, or transmit export controlled information must demonstrate compliance before award or risk losing contract eligibility.
A manual approach is rarely fast enough to meet compliance requirements on time or scalable enough to keep pace with evolving export and cybersecurity regulations. The most reliable path is to operationalize compliance with a platform that can track controls, collect evidence, and surface issues in real time.
Secureframe Federal is purpose-built to simplify CMMC and other federal compliance requirements, so you can keep and win new contracts. You get:
- Live SPRS score tracking: See how current NIST 800-171 control implementation translates to a live SPRS score, and identify gaps related to export controlled information before they disrupt contract eligibility.
- Control-by-control implementation tracking: Manage all 110 controls and 320 assessment objectives with linked evidence, attachments, owners, and remediation actions so nothing slips through the cracks.
- SSP and POA&M automation: Generate and update sections of the System Security Plan and the Plan of Action and Milestones using real-time control data, vendor configurations, and policy information from within your Secureframe instance.
- Automated evidence collection from federal environments: Connect to AWS GovCloud, Azure Government, and Microsoft GCC High to continuously collect and validate evidence for proper safeguarding of export controlled information.
- Expert guidance: Work with federal compliance specialists who have first-hand experience completing a CMMC Level 2 certification assessment with a C3PAO.
- Coming soon - Enclave provisioning: Restrict CUI to a dedicated enclave to protect ITAR and EAR data and narrow the scope and complexity of your CMMC assessment.
If your team is ready to secure export controlled information and accelerate CMMC certification, schedule a demo to see how Secureframe Federal can help you get compliant faster.
FAQs
Is the EAR considered ITAR?
No. EAR and ITAR are distinct regulations. EAR covers dual-use and commercial items, while ITAR covers defense articles. They are enforced by different agencies.
What is EAR compliance?
EAR compliance means classifying products under the Commerce Control List, determining whether an export license is required, screening customers and destinations, and keeping detailed records of all export decisions and activities.
Which is more strict, EAR or ITAR?
ITAR is generally stricter because it involves defense technologies and permits very little flexibility. EAR has more licensing options and exceptions but can still be highly restrictive for advanced or sensitive technologies.
Are ITAR and EAR mutually exclusive?
Yes. An item is either ITAR-controlled or EAR-controlled, never both. Determining jurisdiction is the first step in export compliance.
Are ITAR and EAR the same?
No. They share a common purpose but differ in scope, coverage, and enforcement.
What are the four Ws of export compliance?
The four Ws are: What are you exporting? Where is it going? Who will receive it? What will they use it for? These questions guide every export compliance decision.
Is CUI marking required for EAR and ITAR?
Yes. Export control data is considered CUI and must be properly marked and safeguarded to meet federal requirements.
Does export controlled information fall under CMMC?
Yes. Export Controlled Information (ECI) is treated as a category of Controlled Unclassified Information (CUI). If your organization stores, processes, or transmits ECI (for example, technical data subject to ITAR or EAR), you are in scope for CMMC Level 2.
Can I use an enclave to meet ITAR or EAR compliance requirements?
Yes. By isolating ITAR or EAR data in an enclave, such as Secureframe Enclave, you apply compliance requirements where they’re needed, reducing cost and complexity. The Department of Defense also accepts enclaves as a valid way to comply with DFARS and CMMC Level 2 requirements, as long as you can demonstrate that all ITAR and EAR data is fully contained and protected within the enclave.

Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.
How International Traffic in Arms Regulations (ITAR) protect export control data
The International Traffic in Arms Regulations, or ITAR, focus specifically on defense and military items. Administered by the U.S. Department of State through the Directorate of Defense Trade Controls (DDTC), ITAR governs items on the United States Munitions List (USML). This list covers a wide range of defense-related items, from firearms and explosives to spacecraft and advanced targeting systems.
Importantly, ITAR does not only apply to the physical objects themselves. It also applies to technical data and services related to those items. That means design documents, instructions, or even the know-how to maintain an ITAR-controlled aircraft engine are just as tightly regulated as the engine itself.
Organizations that are subject to ITAR are required to put certain safeguards in place to protect this information and control access to it.