Software & Deemed Exports: 25 Compliance Questions Answered
BIS received at least 9 voluntary self-disclosures tied to deemed export violations in its most recent 10-year compliance review, most involving electronics, telecommunications, and aerospace technology released to foreign nationals without authorization (BIS Academic Compliance Note, 2025). Four of those cases centered on Iranian citizens who weren't U.S. persons under EAR definitions. We see variants of this same pattern regularly when onboarding new clients — a startup with 80 engineers, 15 of them foreign nationals, all pulling from the same source repository. Nobody checked the ECCN before handing out Git credentials.
For any company employing engineers from outside the United States, the deemed export question isn't academic. It's the thing that blows up a Monday morning.
Key Takeaways:
- A deemed export occurs when controlled technology or source code (not object code) gets released to a foreign person inside the U.S. (15 CFR § 734.13)
- BIS administrative penalties reached $374,474 per violation as of January 2025, with criminal penalties up to $1M and 20 years (BIS.gov, 2025)
- Cloud storage of controlled data doesn't automatically trigger deemed export rules if encrypted end-to-end per EAR § 734.18, but releasing decryption keys to foreign nationals does
- Publicly available source code under ECCN 5D002 falls outside EAR scope after BIS notification, but only for standard cryptography (15 CFR § 742.15(b))
- BIS enforcement guidelines now eliminate penalty caps for non-egregious cases, tying fines directly to transaction value (BIS Enforcement Guidelines, 2025)
1. What counts as a "deemed export" under EAR?
Under 15 CFR § 734.13(a)(2), a deemed export happens when controlled technology or source code gets released to a foreign person inside the United States. BIS treats the release as an export to that person's most recent country of citizenship or permanent residency. Object code doesn't count, only source code and technology. And "release" covers far more than handing someone a document. A whiteboard session walking through controlled design parameters, a shared-screen call revealing source architecture, even visual inspection of equipment showing controlled specs. All of that qualifies under 15 CFR § 734.15.
2. Does cloud access to controlled software trigger export control obligations?
BIS has consistently maintained that providing cloud computing capacity itself constitutes a service, not an export (BIS Advisory Opinions). The cloud provider generally isn't the exporter. But the subscriber putting controlled data on those servers carries the compliance burden. If a foreign national IT administrator at the cloud provider can access your controlled technical data, that's a deemed export by the subscriber, not the provider. We've walked multiple clients through this exact distinction. The service versus the data riding on it: that gap catches people. See our cloud software exports guide for the full analysis.
3. How do deemed exports apply to remote employees working from abroad?
A foreign national employee working remotely from, say, Bangalore doesn't create a deemed export scenario at all. That's an actual export, technology leaving the U.S. to a person abroad under 15 CFR § 734.13(a)(1). The licensing analysis might be identical, but the regulatory pathway differs. Companies that shifted to remote work without revisiting which employees had access to controlled repositories built a compliance gap many still haven't closed. We keep finding this in onboarding assessments: remote access policies from years ago that nobody updated.
4. Is open-source software exempt from export controls?
Conditionally. Publicly available encryption source code under ECCN 5D002 can fall outside EAR scope after notifying BIS and the ENC Encryption Request Coordinator (15 CFR § 742.15(b)). Per current BIS guidance, that notification applies only to non-standard cryptography. Standard crypto posted publicly requires no notification. But downstream products built from that open-source code, where the source isn't publicly available, remain subject to the EAR. The exemption covers the project. Not everything derived from it.
5. How do we classify software under the Commerce Control List?
Start with function, not the label. The CCL organizes software ECCNs by what the software does: controlling equipment, processing signals, managing encryption. Check the corresponding "D" entries in each CCL category. If the software doesn't match any specific ECCN, it falls to EAR99, carrying minimal restrictions. The trap we run into repeatedly: encryption functionality "taints" otherwise unrestricted software. A database application with standard TLS may land in Category 5 Part 2 territory regardless of its primary purpose.
6. What are the ECCNs in Category 5 Part 2 (encryption) and when do they apply?
Four ECCNs matter most: 5A002 and 5D002 for non-mass-market encryption hardware and software; 5A992 and 5D992 for mass-market equivalents (BIS.gov, Category 5 Part 2). The mass-market determination under Note 3 turns on factors like retail availability and whether users can modify cryptographic functions. Items classified under 5D002 require a license to all destinations except Canada, though License Exception ENC (§ 740.17) covers the vast majority of commercial transactions. Getting the ECCN right matters less than getting the License Exception ENC subparagraph right: (a), (b)(1), (b)(2), and (b)(3) each authorize different transaction types with different reporting requirements.
7. Does uploading technical data to a cloud server count as an export?
If the server sits outside the United States, yes, BIS treats transmission and storage of controlled technology abroad as an export or re-export. EAR provisions carved an exception for data encrypted end-to-end, stored on foreign servers, as long as decryption keys aren't shared with unauthorized parties (15 CFR § 734.18). That exception doesn't extend to ITAR-controlled technical data. State Department hasn't issued parallel cloud guidance, and we recommend ITAR practitioners treat foreign cloud storage as an export until told otherwise.
8. How does the EAR treat SaaS products vs. downloadable software?
BIS advisory opinions confirm that allowing access to controlled software for use only in the cloud, where users never download or possess the code, doesn't constitute an export by the SaaS provider. Accessing functionality through a browser differs from receiving a copy. SaaS providers still need to screen customers and can't turn a blind eye to end-use concerns. The "knowledge" standard under the EAR includes awareness of a high probability of misuse (15 CFR § 772.1). After the $140M EDA exporter settlement in July 2025, nobody should treat that standard lightly (DOJ/BIS, 2025).
9. What's the difference between "technology" and "software" under EAR?
Technology means specific information necessary for the development, production, or use of a product (EAR Part 772). Software means executable code. The distinction matters enormously for deemed exports because the EAR controls technology and source code, not object code. Compile your source into an executable and hand that binary to a foreign national? No deemed export. Hand them the source files or the design specs behind the compiled product? You've crossed the line. Compiled applications ship freely. The blueprints don't.
10. When does a joint venture or R&D partnership trigger deemed export rules?
The moment controlled technology or source code gets shared with foreign national participants. A joint development agreement with a German partner doesn't trigger rules by itself. Sharing controlled source code with German engineers working on-site in your Austin office does. Each foreign participant needs individual assessment based on citizenship, ECCN, and the Country Chart in Part 738. We've seen partnerships stall for weeks because nobody ran the country chart analysis before signing the collaboration agreement.
11. How do we handle foreign national employees accessing controlled technology?
Screen first. Determine the ECCN of the technology they'll access, check the Country Chart for their country of citizenship, and apply for a deemed export license if required. Too many companies get this backward: they hire, onboard into controlled projects, then discover months later that a license was needed from day one. Our recommendation: build the ECCN check into the onboarding workflow before granting any repository access. HR and engineering need to talk before day one, not after.
12. What's the fundamental research exclusion and can we rely on it?
Information arising from fundamental research (basic and applied research at accredited institutions) isn't subject to EAR licensing if results will be published without restriction and there are no access limitations on foreign national participation (15 CFR § 734.8). The exclusion breaks the instant a university accepts contractual restrictions on publication or bars foreign nationals from portions of the work. Sponsored research with confidentiality clauses frequently falls outside. Worth checking every single time. For more context, see our guide on Trade Compliance FAQ: 25 Questions SMB Exporters Get Wrong.
13. Does presenting at an international conference create export obligations?
Conference presentations covering information already in the public domain don't trigger EAR controls. Sharing unpublished controlled technology data with foreign national attendees (at a poster session, during a private sidebar meeting) potentially does. The test isn't the venue. It's the controlled status of the information and the nationality of who receives it.
14. How do encryption classification requirements (ECCN 5A002/5D002) work in practice?
Most commercial software with encryption lands in ECCN 5D002. From there, determine the applicable License Exception ENC subparagraph. Items qualifying under (b)(1) get immediate authorization after filing a self-classification report. Items under (b)(3) need a formal classification request to BIS before export. Mass-market products meeting Note 3 criteria reclassify to 5D992 after self-classification. We see companies do the classification work but skip the ENC subparagraph analysis, like filling out a tax return and forgetting to sign it.
15. What's a technology control plan (TCP) and do we need one?
A TCP documents how an organization restricts foreign national access to controlled technology: physical security, IT controls, training, record-keeping. BIS doesn't mandate TCPs by regulation, but they're effectively required for any deemed export license application and show up in every enforcement settlement we've reviewed. Foreign nationals touching controlled tech without a TCP? That's operating without evidence of compliance.
16. How does ITAR treat technical data differently from EAR?
ITAR doesn't use the term "deemed export," but the concept exists within its broader export definition (22 CFR § 120.10). ITAR treats a release of technical data to a foreign person as an export to every country where that person holds or has held citizenship or permanent residency. The EAR only considers the most recent country. Dual nationals under ITAR create licensing obligations for multiple countries simultaneously. Much harder to manage in practice.
17. Do we need a license to provide technical support to foreign customers?
If the support involves releasing controlled technology (sharing source code, providing development-level documentation, walking through controlled design specs), yes, deemed export analysis applies. Routine troubleshooting with published user manuals and publicly available information typically doesn't trigger controls. The gray area we encounter most often: advanced technical support involving controlled "use" technology, which under the EAR covers operation, installation, maintenance, and repair information for a controlled product.
18. How do deemed export rules intersect with immigration and visa categories?
They don't align. At all. Visa categories have zero bearing on export control. An H-1B holder from India requires the same deemed export analysis as a B-1 visitor from the same country. Permanent residents (green card holders) count as U.S. persons under both EAR and ITAR and don't trigger deemed export requirements. The mistake we correct most often during client onboarding: assuming a work visa confers U.S. person status for export control purposes. It doesn't.
19. What's the "publicly available" exclusion and what qualifies?
Information published and generally accessible to the public (through bookstores, libraries, open websites, public conferences, published patents) falls outside EAR control (15 CFR § 734.3(b)(3)). Corporate whitepapers on a gated website requiring registration might not qualify. Internal research shared privately at a closed workshop definitely doesn't. The information must have been made public before the release, not concurrently.
20. How do we handle controlled technology in multinational team environments?
Segment access by ECCN and nationality. Not every engineer needs access to every repository. Role-based access controls mapped to export classification categories give both compliance structure and audit evidence. We've audited teams running flat-access development environments where every contributor could pull every branch. That works fine right up until someone from a Country Group D:1 nation joins. Then it becomes an enforcement matter overnight.
21. Does reverse engineering trigger re-export or deemed export controls?
Reverse engineering a controlled product to extract technology could produce information that becomes controlled under the corresponding "E" (technology) ECCN. If that derived information gets shared with a foreign national, deemed export rules apply based on its own classification. The original product's ECCN doesn't automatically transfer, but the resulting knowledge may match or exceed the original control parameters.
22. What record-keeping requirements apply to technology and software transfers?
EAR Part 762 requires retaining records of exports, re-exports, and deemed exports for 5 years. Records must include the parties involved, the ECCN, the license authority or exception used, and the date. For deemed exports, that means documenting which foreign nationals accessed which controlled technology, when, and under what authorization. Companies that can't reconstruct this trail during an audit face the same exposure as companies that never screened at all. See BIS record requirements for details.
23. How do we screen foreign national employees for deemed export purposes?
Collect citizenship and permanent residency information during onboarding, not just country of birth. Run the Country Chart analysis against the ECCN of technologies they'll access. Screen names against the BIS Entity List, Denied Persons List, and Unverified List. Re-screen when project assignments change or when BIS updates restricted party lists. An employee who cleared screening last quarter might need a new license after a mid-quarter list addition.
24. What are the penalties specifically for deemed export violations?
Same as any EAR violation. As of January 2025, BIS administrative penalties reach $374,474 per violation or twice the transaction value (BIS.gov, 2025). Criminal penalties run to $1M and 20 years under ECRA. Current enforcement guidelines eliminated previous caps on base penalties for non-egregious cases, and BIS now treats deliberate non-disclosure of significant violations as an aggravating factor. TE Connectivity's $5.8M penalty for unauthorized exports to parties connected to Chinese military programs shows the direction of enforcement (BIS Enforcement Actions, 2025).
| Violation Type | Administrative Penalty (per violation) | Criminal Penalty |
|---|---|---|
| EAR deemed export violation | $374,474 or 2× transaction value | Up to $1M and 20 years |
| Egregious with VSD | Base capped at 50% statutory max | Same |
| Non-egregious, no VSD | Full statutory maximum | Same |
| Deliberate non-disclosure | Aggravating factor, increased fines | Same |
25. What practical steps should HR and engineering take to manage deemed export risk?
HR needs to collect citizenship data at hiring, not after onboarding into controlled projects. Engineering needs technology inventories mapped to ECCNs, with access controls matching those classifications. Both departments need a shared workflow: HR flags foreign national hires, engineering identifies which projects involve controlled technology, and compliance determines whether a license or exclusion applies before access gets granted. Companies running this backwards (granting access first, checking later) account for a disproportionate share of BIS's prior disclosure inbox.
Tools that consolidate screening with classification tracking (SAP GTS, Descartes, Lenzo) reduce the manual coordination between departments. But tooling alone doesn't replace the underlying process. Someone still needs to know the ECCN before screening against the right country chart.
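The repository-access gate described in questions 20, 22 and 25, sketched in Python as an added example (not code from this article or from any of the tools named). The ECCN labels, country codes, license ID and the `LICENSE_REQUIRED` table are constructed placeholders, not the real Country Chart; the gate denies whenever HR or engineering data is missing and writes the record fields question 22 lists.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed placeholder table, NOT the real Country Chart: (ECCN, country)
# pairs that the compliance team has determined need a license.
LICENSE_REQUIRED = {("ECCN-A", "XA"), ("ECCN-A", "XB"), ("ECCN-B", "XB")}

@dataclass(frozen=True)
class Person:
    name: str
    us_person: bool                 # citizen or permanent resident (HR intake)
    country: Optional[str] = None   # most recent citizenship/residency; None = not collected

@dataclass(frozen=True)
class Repo:
    name: str
    eccn: Optional[str] = None      # None = engineering has not classified it

def decide(person, repo, licenses):
    """Return (allowed, authority). Missing data denies rather than allows."""
    if repo.eccn is None:           # classify before anyone gets credentials
        return False, "DENY: repository has no ECCN on record"
    if person.us_person:
        return True, "U.S. person"
    if person.country is None:
        return False, "DENY: citizenship/residency not collected"
    if (repo.eccn, person.country) not in LICENSE_REQUIRED:
        return True, "no license required per internal table"
    lic = licenses.get((person.name, repo.eccn))
    if lic:
        return True, "license " + lic
    return False, "DENY: license required, none on file"

def gate(person, repo, licenses, today, audit_log):
    """Decide access and append who, what ECCN, what authority, and when."""
    allowed, authority = decide(person, repo, licenses)
    audit_log.append({"date": today.isoformat(), "person": person.name,
                      "country": person.country, "repo": repo.name,
                      "eccn": repo.eccn, "authority": authority,
                      "allowed": allowed})
    return allowed

if __name__ == "__main__":
    log = []
    licenses = {("engineer-2", "ECCN-A"): "LICENSE-PLACEHOLDER-1"}  # constructed
    firmware = Repo("firmware", "ECCN-A")
    for p in (Person("engineer-1", True), Person("engineer-2", False, "XA"),
              Person("engineer-3", False, "XB"), Person("engineer-4", False)):
        gate(p, firmware, licenses, date(2025, 1, 15), log)
    gate(Person("engineer-1", True), Repo("new-service"), licenses, date(2025, 1, 15), log)
    for rec in log:
        print(rec)
```

Re-running `gate` for every active grant whenever the license table or a project assignment changes gives the re-screening trail question 23 asks for.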
Sources
- BIS Export Administration Regulations (EAR) — Full text of the EAR governing dual-use exports, reexports, and deemed exports of U.S.-origin technology.
- BIS Academic Compliance and Outreach — BIS guidance on deemed export compliance for universities and research institutions.
- Commerce Control List, Category 5 Part 2 (Encryption) — CCL entries controlling encryption software and technology subject to EAR licensing requirements.
- BIS Enforcement Actions and Penalty Guidelines — BIS enforcement releases and Supplement No. 1 to Part 766 penalty calculation guidelines.
- 15 CFR § 734.13, Deemed Exports — EAR provision defining deemed exports as releases of controlled technology to foreign nationals in the U.S.