Export Administration Regulations: Practical Checklist for SMBs

A Massachusetts electronics distributor with $14M in annual exports discovered in early 2025 that one of its long-standing UK customers had been quietly resold to a parent group with operations in Iran. The customer record had not changed. The product had not changed. What changed was a Federal Register notice in February 2025 expanding the foreign-produced direct product rule, and the distributor's product (an EAR99-classified inspection device) suddenly required a license. Nobody internally caught it for nine weeks. The Export Administration Regulations are full of these gaps, and SMBs feel them disproportionately.

This checklist works through what the EAR actually requires of an SMB exporter operating in 2025, ordered by the questions a real shipment forces you to answer.

What the EAR covers and what it does not

The Export Administration Regulations, codified at 15 CFR Parts 730–774, govern dual-use items. The Bureau of Industry and Security administers them. Items specifically designed for defense applications fall under the International Traffic in Arms Regulations administered by the State Department. The ear vs itar distinction matters because the two regimes have different jurisdictional triggers and penalty structures.

An item is "subject to the EAR" under 15 CFR §734.3 if it falls into any of these buckets:

• Items physically in the United States
• US-origin items wherever located
• Foreign-made items incorporating more than de minimis US-origin controlled content (10% for terrorist-supporting countries, 25% otherwise)
• Foreign-made direct products of certain US technology under §736.2
• Items produced abroad by a plant that is itself a direct product of US technology

The de minimis calculation tracks controlled US content value against the foreign product's fair market value, not the bill of materials. SMBs stumble here repeatedly.

The EAR does not cover items exclusively regulated by another agency (FDA-controlled drugs, NRC-controlled nuclear materials), publicly available technology under §734.7, fundamental research per §734.8, plus patent applications.

Deemed exports add another layer. Releasing controlled technology to a foreign national inside the US counts as an export to that person's country of citizenship under §734.13. The 2024 enforcement action against 3D Systems Corporation, which settled for $4.54 million in February 2024 over unauthorized releases to foreign-national employees, established that internal training and lab access can trigger the rule.

The five question jurisdiction test

Before a shipment leaves, the SMB exporter answers five questions in order:

1. Is the item physically in the United States, or is it US-origin?
2. If foreign-made, does it contain more than de minimis US-origin controlled content?
3. Is the foreign-made item a direct product of US technology covered by an ECCN with NS, MT, CB, or NP reasons for control?
4. Will the item be released to a foreign national inside the US?
5. Are any of the parties to the transaction listed on a Federal Register notice or screening list maintained by BIS, OFAC, or State?

The fifth question is where most SMB programs concentrate effort, and where most violations still slip through. The lists are not static. BIS published 47 Entity List additions and modifications in 2025 through October. Roughly 30% took effect within 24 hours of publication. An SMB that screens at order entry but not at shipment release will routinely export to entities that were clean at quote time and listed by the time the freight forwarder picks up the pallet.

How to determine your ECCN, and why EAR99 is not a free pass

Every item subject to the EAR has an ECCN or falls under EAR99. The ECCN number determines which License Exceptions might apply and which destinations require a license. SMBs default to assuming the manufacturer has classified the item correctly. They have not, in most cases.

Three classification pathways exist:

• Self-classification under 15 CFR §738. The exporter reads the CCL in Part 774, walks the relevant ECCN entries, then documents the determination.
• CCATS request to BIS under §748.3. Yields a binding classification but takes 30 to 90 days.
• Manufacturer confirmation in writing, ideally citing the manufacturer's own CCATS or BIS dialogue.

The CCL has ten Categories (0 through 9) plus five Product Groups (A through E). An ECCN number lookup starts with identifying the Category before drilling into parameter thresholds. We have watched SMBs ship under ECCN 3A001 when the correct classification was 3A991. That difference matters: 3A001 requires a license to most of the world, while 3A991 is largely controlled only for anti-terrorism reasons.

EAR99 is the residual classification for items subject to the EAR but not on the CCL. It is the most misunderstood designation in the regulation. EAR99 does not mean "no license required." It means "no license required based on the item alone." A license is still required if:

• The destination is embargoed (Cuba, Iran, North Korea, Syria, Crimea, Donetsk, Luhansk)
• The end-user is on the Entity List or Denied Persons List
• The end-use involves a prohibited activity under §744 such as missile technology or biological weapons

The Microwave Engineering Corporation settlement of $876,000 in March 2024 involved EAR99 hardware shipped to an Entity List party in China. The classification did not save them.

Screening, license determination, and the country chart

Every party to an export transaction requires screening against the Consolidated Screening List. This includes the consignee, ultimate consignee, intermediate consignees, end-user, freight forwarder, plus the bank. The CSL aggregates the BIS Entity List, the Denied Persons List, the Unverified List, the Military End User List, the OFAC SDN List, plus the State Department's Debarred List.

What SMBs miss in screening is rarely the obvious match. It is the transliteration variant, the Cyrillic-to-Latin name change, the shell company two layers deep in the ownership chain. OFAC's 50% Rule treats any entity owned 50% or more, directly or indirectly, by SDN parties as itself blocked. The rule is aggregate: if SDN A owns 30% of Company C and SDN B owns 25%, Company C is blocked. A screening tool that does not check beneficial ownership will miss this entirely. The volume of such structures has risen sharply since the 2022 Russia sanctions cascade.

Timing matters as much as coverage. Screening at order entry catches the snapshot at that moment. Re-screening at shipment release closes the next window. A final pass at AES filing or bill of lading generation catches anything added in the final 48 hours. BIS does not consider "we screened at order" a defense if the party was added to the Entity List two weeks before shipment.

Once the ECCN is set and screening is clear, license determination begins. Supplement No. 1 to Part 738, the Commerce Country Chart, cross-references reasons for control on the ECCN against destination countries. Each ECCN entry lists its reasons for control: NS (National Security), MT (Missile Technology), CB (Chemical and Biological), NP (Nuclear Nonproliferation), RS (Regional Stability), or AT (Anti-Terrorism). An "X" in the destination column means a license is required absent an applicable License Exception.

License Exceptions in Part 740 are the operational backbone of routine exports. The most common for SMBs:

• LVS for items under specific dollar thresholds per ECCN
• GBS for shipments to Country Group B destinations
• TMP for tools of trade
• RPL for servicing parts and replacements
• TSU for operation technology and software
• ENC for encryption items
• STA for shipments to specific allied destinations

The 2025 expansion of the foreign-produced direct product rule, finalized in the January 15, 2025 Federal Register notice, narrowed License Exception NAC and added new license requirements for certain advanced computing items destined for 22 additional countries. The various export licenses under the EAR carry different documentation requirements and validity periods. When no License Exception applies, the exporter files a SNAP-R application with BIS. Standard processing runs 30 to 60 days.

Recordkeeping, red flags, and documentation discipline

Section 762 requires retention of all records relating to a transaction subject to the EAR for five years from the latest of the transaction date, document creation, or last action. Records that matter operationally include AES filings, commercial invoices, bills of lading, License Exception or license citations, screening results with timestamps, ECCN classification rationale with parameter analysis, end-use statements, plus technical specification sheets supporting the classification. The discipline is to capture this at transaction time, not reconstruct it during an audit. The 2024 BIS administrative settlement with a California aerospace component supplier turned on screening logs showing no record of OFAC SDN screening for 14 months despite continuous shipments to Eastern European customers. The settlement was $1.2 million.

Recordkeeping is meaningless without red-flag triage. Supplement No. 3 to Part 732 lists 11 red flags that trigger an affirmative obligation to investigate. The list is not exhaustive. BIS treats it as the floor:

1. Customer reluctance to offer information about end-use
2. Product capabilities not consistent with the buyer's line of business
3. Item incompatible with the technical level of the destination country
4. Customer willing to pay cash for a high-value order when financing is normal
5. Customer with little or no business background
6. Customer unfamiliar with the product's performance but wanting it anyway
7. Routine installation or maintenance services declined
8. Vague delivery dates or out-of-the-way destinations
9. Freight forwarding firm listed as the final destination
10. Abnormal shipping route or packaging inconsistent with the stated destination
11. Evasive answers when asked whether the product is for domestic use, export, or re-export

The implementation is what separates compliance theatre from a working program. Flags need to be coded into the order intake workflow, not buried in a training deck. When an order trips a flag, the workflow halts and routes to a designated compliance reviewer who documents the inquiry, the customer's response, plus the reasoning for proceeding or stopping.

We talk to SMBs that catch red flags at intake but never document the resolution. Three years later, BIS pulls the file, sees the flag in the order notes with no resolution memo, then treats it as evidence of willful blindness. The 1995 General Electric case established that ignoring red flags can constitute a knowing violation, and BIS still cites it.

Building an export compliance program that survives a BIS audit

The BIS Export Compliance Guidelines, last updated in 2025, identify nine elements of an effective program:

1. Management commitment
2. Risk assessment
3. Written EMCP (Export Management and Compliance Program)
4. Training
5. Party screening
6. Item and end-use screening
7. Recordkeeping
8. Audits and monitoring
9. Handling violations and corrective action

Management commitment is documented through a written policy statement signed by the CEO, allocation of resources to the compliance function, plus integration of export controls into business decisions. The policy is a board-approved document referenced in the EMCP, which describes how the company implements each of the other eight elements. The EMCP names roles, references procedures, identifies escalation paths. It is the document BIS asks for first in any audit.

Handling violations is where most SMB programs fall apart. When a violation surfaces, the company conducts a root cause analysis, implements corrective action, then decides whether to file a Voluntary Self-Disclosure under §764.5. VSDs reduce penalties by 50% on average and shift BIS's posture from enforcement to settlement. The decision window is short. Lenzo automates the screening, classification, plus recordkeeping elements that consume the most operational hours in an SMB compliance function. Versioned screening logs satisfy §762 documentation requirements without the manual log assembly that SMBs typically scramble for during an audit.

FAQ

What is the difference between the EAR and ITAR?

The EAR covers dual-use items (commercial goods with potential military applications), administered by BIS. ITAR covers defense articles specifically designed for military use, administered by State's DDTC. An item falls under one regime based on commodity jurisdiction, which the exporter determines or requests via a CJ to State.

Do I need an export license if my product is classified EAR99?

EAR99 means the item is subject to the EAR but not on the CCL. A license is still required if the destination is embargoed, any party is on a screening list, or the end-use involves prohibited activities under §744.

How often do I need to screen customers against the BIS Entity List?

At minimum: at order entry, at shipment release, plus at AES filing. The Entity List had 47 modifications in 2025 through October, and roughly 30% took effect within 24 hours of publication. BIS does not accept order-date screening as a defense for shipments executed after a designation.

What records must I keep under the EAR and for how long?

15 CFR §762 requires five years of retention from the latest of the transaction date, document creation, or last action. Records cover AES filings, commercial documents, screening logs, classification rationales, end-use statements, license citations, plus correspondence supporting the export decision.

What are deemed exports under the EAR?

A deemed export is the release of controlled technology to a foreign national inside the United States, treated as an export to that person's country of citizenship under 15 CFR §734.13. The release can occur through visual inspection, oral exchange, or transfer of technical data, and includes employees and contractors.

What happens if I violate the Export Administration Regulations?

Civil penalties reach $374,474 per violation as of January 15, 2025, assessed cumulatively across related shipments. Criminal penalties for willful violations include fines up to $1 million per violation and imprisonment up to 20 years. Voluntary Self-Disclosure under §764.5 reduces civil penalties by 50% on average.

---

The pattern we keep watching repeat through 2025: SMBs build screening and classification workflows around their largest customers, then leave the long tail of small-volume transactions to manual handling that nobody audits until BIS does. The §762 audit invariably starts with the long tail. A $4,000 shipment to a forwarder in Singapore that never got logged the way the $400,000 shipment to a direct OEM customer did, because the operations team treated it as routine. That is where the gaps live, and that is where the next 12 months of enforcement attention is going to land. The fix is not more rigor on the big shipments. It is the same workflow discipline applied uniformly, because the regulation does not scale its requirements to invoice value, and neither does the penalty.