Navigating the intricate landscape of US export control compliance can be daunting, especially with the myriad of acronyms such as ITAR, EAR, ECCN, and CCL. However, for businesses involved in exporting technology, components, or software, understanding these terms is not just beneficial — it’s essential to ensure compliance and avoid severe penalties.
ITAR — International Traffic in Arms Regulations
Administered by: Directorate of Defense Trade Controls (DDTC), U.S. Department of State
ITAR governs the export and import of defence-related articles and services listed on the United States Munitions List (USML). The USML contains 21 categories of defence articles, from firearms and ammunition to spacecraft and classified articles.
Key points:
- Any company that manufactures, exports, or brokers USML items must register with DDTC
- Exports of USML items generally require a license or other authorization
- ITAR applies extraterritorially — non-US companies can be subject to ITAR
- Violations: up to 20 years imprisonment and $1 million per violation
- Even sharing technical data with a foreign national (a “deemed export”) can require authorization
EAR — Export Administration Regulations
Administered by: Bureau of Industry and Security (BIS), U.S. Department of Commerce
The EAR governs the export of dual-use items — goods and technologies with both civilian and military applications. Items subject to EAR that appear on the Commerce Control List (CCL) are assigned an ECCN.
Key points:
- EAR applies to items that are NOT on the USML — if ITAR doesn’t control it and it has an ECCN, EAR does
- EAR99 is the designation for items subject to EAR but not listed on the CCL — generally no license required
- License requirements depend on the item’s ECCN, destination country, end user, and end use
- Violations: up to 10 years imprisonment and $500,000 per violation
CCL — Commerce Control List
The CCL is a comprehensive list detailing specific items subject to export controls under the EAR. It is organized into 10 categories (0–9) and 5 product groups (A–E), each associated with corresponding ECCNs. The CCL outlines the licensing requirements based on the item’s characteristics and destination.
Items on the CCL are controlled for specific reasons, indicated by control codes:
- AT — Anti-Terrorism
- CB— Chemical & Biological Weapons
- CC — Crime Control
- EI — Encryption Items
- MT — Missile Technology
- NS — National Security
- NP — Non-Proliferation
- RS — Regional Stability
- SS — Short Supply
- UN — UN Embargo
- SL — Surreptitious Listening
ECCN — Export Control Classification Number
The ECCN is the classification code that places an item on the CCL. It is a five-character alphanumeric identifier (e.g., 9A004 for spacecraft) that determines the item’s control reasons and applicable license requirements.
See our dedicated ECCN guide for the full breakdown of structure, determination methodology, and practical implications.
How the Frameworks Interact
Is the item on the USML?
├── YES → ITAR applies → DDTC authorization required
└── NO → Is it on the CCL?
├── YES → EAR applies → ECCN assigned → license assessment
└── NO → EAR99 → generally no license, but sanction/end-use checks still applyThe Consequences of Non-Compliance
Failure to comply with US export control regulations leads to:
- Substantial fines — up to $1M per ITAR violation, $500K per EAR violation
- Imprisonment — up to 20 years for ITAR, 10 years for EAR
- Denial of export privileges — effectively barring a company from US trade
- Reputational damage — loss of contracts, partnerships, and investor confidence
- Debarment from US government contracts
Non-compliance can result from intentional violations but also from negligence — failing to classify products correctly, not screening end users, or not maintaining required records.
Building a Compliance Program
A robust US export control compliance program includes:
- Product classification — determine ECCN for all products, software, and technology
- License determination — assess which exports require authorization
- Denied party screening — check all customers, suppliers, and partners against restricted and denied party lists
- Training — ensure all relevant staff (engineering, sales, logistics) understand their obligations
- Record keeping — maintain export records for minimum 5 years (EAR) or as required by ITAR
- Audits — regularly review and test your compliance program
- Incident management — have a process for identifying, reporting, and remediating violations
Conclusion
ITAR, EAR, ECCN, and CCL are not just acronyms — they are the pillars of US export control compliance. For European companies dealing with US technology, components, or partners, understanding these frameworks is no longer optional. The extraterritorial reach of US regulations means that non-compliance by a French, German, or British company can result in US enforcement action.
At Borie Consulting, we help companies navigate this complexity — from initial classification through license applications, compliance program design, and staff training.