The Bureau of Industry and Security's export enforcement records cover every administrative settlement, denial order, and criminal referral for violations of US export control law—the Export Administration Regulations that govern dual-use technology exports to adversary nations.
What BIS is and why it differs from OFAC and DDTC
The Bureau of Industry and Security sits within the Department of Commerce. Its core mission is administering the Export Administration Regulations, codified at 15 CFR Parts 730 through 774. The EAR govern the export, reexport, and in-country transfer of “dual-use” items: commercial goods, software, and technology that have legitimate civilian applications but could also contribute to military programs, weapons of mass destruction, or the capabilities of adversary intelligence services.
BIS is frequently confused with two other agencies that regulate related but distinct categories of exports. OFAC—the Office of Foreign Assets Control at the Treasury Department—administers sanctions programs that prohibit transactions with designated persons and countries entirely, regardless of the specific item being transferred. DDTC—the Directorate of Defense Trade Controls at the State Department—administers the International Traffic in Arms Regulations (ITAR), which cover items specifically designed for military applications: the United States Munitions List. BIS covers the middle ground: items not on the Munitions List but not freely exportable either. An advanced semiconductor fabrication tool, a drone airframe with civilian commercial uses, commercial encryption software with sufficiently strong key lengths—these are EAR-controlled items that BIS regulates, not ITAR items that DDTC controls, and not transactions with designated persons that OFAC prohibits.
BIS was established under the Export Administration Act of 1979, which lapsed in 2001 and has not been permanently renewed by Congress. Since the lapse, BIS has operated under authority delegated through the International Emergency Economic Powers Act (IEEPA), with the President issuing an emergency declaration that has been renewed annually. The Export Control Reform Act of 2018 (ECRA) provided a more durable statutory basis for BIS authority over dual-use controls, though IEEPA remains the vehicle for much of the enforcement discretion BIS exercises today.
The Export Administration Regulations: structure and classification
The EAR's operative instrument for controlling specific items is the Commerce Control List, contained in Supplement No. 1 to Part 774. The CCL organizes controlled items into ten categories:
| Category | Scope |
|---|---|
| 0 | Nuclear and miscellaneous materials, facilities, and equipment |
| 1 | Materials, chemicals, microorganisms, and toxins |
| 2 | Materials processing (machine tools, manufacturing equipment) |
| 3 | Electronics |
| 4 | Computers |
| 5 | Telecommunications and information security |
| 6 | Sensors and lasers |
| 7 | Navigation and avionics |
| 8 | Marine |
| 9 | Aerospace and propulsion |
Each item on the CCL is assigned an Export Control Classification Number in the format 3A001: category (3 = electronics), product group (A = systems, equipment and components; B = test equipment; C = materials; D = software; E = technology), and a three-digit sequence number. The ECCN determines whether a license is required for export to a particular destination under a particular end-use. An item not on the CCL is designated EAR99—subject to the EAR but presumptively exportable without a license except to embargoed destinations or for prohibited end-uses.
License requirement analysis runs through three sequential questions: does the item require a license to the proposed destination under the CCL entry's control parameters? If so, does a license exception apply—the EAR specifies roughly two dozen exceptions including TMP (temporary exports), LVS (low-value shipments), GBS (shipments to Group B countries), CIV (civil end-users), TSR (technology and software unrestricted), and ENC (encryption items)? If no exception applies, a license must be obtained from BIS before the export occurs.
The restricted party lists BIS maintains
BIS publishes four distinct lists of persons and entities subject to enhanced license requirements or outright denial of export privileges. Each list has a distinct legal basis and practical effect.
Entity List
The Entity List, found in Supplement No. 4 to Part 744, is the most consequential BIS-administered list for technology exporters. An entity added to the Entity List is subject to a license requirement for all EAR-controlled items destined to it, regardless of the item's normal CCL classification or applicable exceptions. The license review policy for Entity List entries is typically a presumption of denial, meaning that licenses to Entity List parties are almost never approved. In practice, Entity List addition functions as a prohibition on virtually all controlled technology transfer to the listed entity.
The Entity List has grown dramatically since 2018. Chinese telecommunications equipment manufacturer Huawei Technologies was added in May 2019, triggering a cascade of associated entities and affiliates. As of late 2026 the Entity List contains over 2,000 entries, with China and Russia together accounting for the majority. The pace of additions accelerated sharply after the February 2022 Russian invasion of Ukraine, when BIS added hundreds of Russian defense enterprises, research institutes, and financial institutions in a series of Federal Register notices. Iranian procurement networks, Belarusian defense entities, and Syrian government bodies also appear in significant numbers.
Denied Persons List
The Denied Persons List (DPL) names individuals and companies whose US export privileges have been explicitly denied through BIS administrative enforcement proceedings. DPL listing is the direct outcome of a successful BIS enforcement action: a settlement or order revoking the subject's right to participate in any transaction subject to the EAR. Unlike the Entity List—which is a forward-looking control measure—the DPL is a backward-looking enforcement consequence. A US exporter that ships any item subject to the EAR to a DPL-listed person is committing a separate EAR violation, regardless of whether the specific item otherwise requires a license.
Unverified List
The Unverified List (UVL) contains entities for whom BIS has been unable to complete an end-use check. Before exporting to a UVL-listed party, the US exporter must obtain a statement from the end-user confirming the ultimate end-use and end-user, and must not proceed if any red flags remain unresolved. UVL listing is a precursor status: entities that cannot be verified are listed on the UVL, and if sufficient additional derogatory information develops, BIS can escalate to Entity List addition.
Military End-User List
The Military End-User List (MEU List), established in 2020 as part of the tightening of China and Russia controls, identifies specific entities determined to be military end-users for purposes of EAR Part 744 restrictions. The MEU List focuses on entities in China, Russia, and Venezuela. Exports of items listed in Supplement No. 2 to Part 744 to MEU-listed entities require a license regardless of the ECCN classification.
Major enforcement actions and policy milestones
The scope and intensity of BIS export enforcement has shifted substantially across administrations, with the 2018–2024 period representing the most active enforcement era since the end of the Cold War.
ZTE Corporation (2017): The Chinese telecommunications equipment maker agreed to a $1.19 billion penalty in 2017 to settle charges that it exported US-origin telecommunications equipment to Iran and North Korea in violation of US sanctions and the EAR. The settlement—then the largest BIS civil penalty on record—included a seven-year suspended denial order and a compliance monitorship. ZTE subsequently violated the terms of the settlement by making false statements to BIS about disciplining employees involved in the violations. In 2018, BIS activated the suspended denial order, briefly cutting ZTE off from US-origin components before a second settlement reinstated export privileges under enhanced compliance conditions and an additional $1 billion penalty.
Huawei Technologies (2019–present): Huawei's May 2019 Entity List addition represented a qualitative shift in how BIS uses the list. Rather than targeting a single export violation, the Huawei listing was a forward-looking national security measure designed to cut off a Chinese technology champion from US-origin components across its entire supply chain. In August 2020, BIS issued the foreign direct product rule as it applies to Huawei: any item produced anywhere in the world using US semiconductor manufacturing equipment or software is subject to EAR controls if destined for Huawei—a dramatic extraterritorial assertion of jurisdiction. A further tightening in 2022 extended the rule to cut off advanced node wafers fabricated for Huawei by TSMC and other foundries.
Russia post-February 2022: Following the invasion of Ukraine, BIS published a series of sweeping rules expanding controls on exports to Russia. These included extending the foreign direct product rule to Russia and Belarus, restricting exports of EAR99 items (previously freely exportable) to Russia when destined for military end-uses, and adding hundreds of Russian entities to the Entity List in batches published across 2022 through 2024. Items as mundane as commercial aircraft parts, automotive components, and general-purpose electronics were brought under license requirements for Russia—an unprecedented breadth of control for a country not subject to comprehensive OFAC sanctions.
Seagate Technology (2022): BIS proposed a $300 million civil penalty against Seagate for shipping hard disk drives to Huawei after the 2020 foreign direct product rule expansion. Seagate continued to supply Huawei after other US hard drive manufacturers—Western Digital and Toshiba—cut off the company, based on Seagate's assessment that its drives fell outside the scope of the foreign direct product rule. BIS disagreed. The case illustrated the extraterritorial scope of the foreign direct product rule and the significant per-violation exposure for companies that incorrectly assess their EAR classification status.
Advanced semiconductor controls (October 2022): BIS published the most significant unilateral export control rule since the Cold War in October 2022, imposing broad restrictions on exports of advanced computing chips (specifically referencing performance thresholds at or above NVIDIA's A100 and H100 GPUs), semiconductor manufacturing equipment capable of producing chips at advanced nodes, and associated software and technology to China. The rule required export licenses for these items to Chinese entities, with a policy of presumption of denial. It also imposed controls on US persons working for Chinese semiconductor manufacturers at advanced nodes without a license. Subsequent rules in 2023 and 2024 tightened the performance thresholds and expanded country coverage.
How BIS enforcement cases are structured
BIS enforcement authority is vested in the Office of Export Enforcement (OEE). OEE agents conduct investigations, coordinate with DOJ on criminal referrals, and work with the Office of Chief Counsel for Industry and Security on settlement negotiations. Enforcement outcomes take three forms:
Administrative settlements resolve civil violations without litigation. They may include civil monetary penalties (currently up to $364,992 per violation for most EAR violations, or twice the value of the transaction, whichever is greater, adjusted for inflation), a denial of export privileges (suspended or active), and enhanced compliance program requirements. BIS publishes settlement agreements as administrative actions on its website.
Temporary Denial Orders (TDOs) are emergency measures that immediately suspend a person's export privileges pending investigation or settlement. TDOs can be issued without the procedural requirements of a full administrative proceeding and are renewed in 180-day increments. A TDO prevents not only the named person from exporting EAR-controlled items, but also prevents US exporters from shipping to the TDO subject.
Criminal referrals go to DOJ when the conduct rises to willful violation of the EAR under 50 USC 4819. Criminal penalties under ECRA reach $1 million per violation and 20 years imprisonment for individuals, plus forfeiture of the proceeds of the violation. DOJ's National Security Division handles ECRA prosecutions, often in conjunction with export violations of OFAC sanctions or ITAR.
Accessing the BIS enforcement data
BIS does not publish a structured bulk download of enforcement cases. The Office of Export Enforcement publishes individual enforcement action notices as PDFs and HTML press releases at bis.doc.gov/index.php/enforcement/oee/enforcement-actions. These releases follow a consistent structure but require HTML scraping or manual review to aggregate across years.
Federal Register notices for Entity List additions are structured and searchable through the Federal Register API. Each Entity List addition notice follows a consistent CFR amendment structure, naming the entity, country, and Federal Register citation. The regulatory text is in machine-parseable XML through the Federal Register's developer API at federalregister.gov/api/v1. Filtering on agency code COMMERCE-BIS and document typeRULE retrieves all Entity List amendments.
The most accessible bulk data source is the BIS Consolidated Screening List, published through the International Trade Administration's developer API. The CSL merges the Entity List, the Denied Persons List, the Unverified List, the MEU List, and several OFAC and State Department lists into a single JSON feed at:
https://api.trade.gov/static/consolidatedscreening/consolidated.json
The JSON payload returns a results array where each entry carries fields including name, alt_names, source(identifying which list the entry comes from), country,federal_register_notice, start_date,license_requirement, and license_policy. Thesource field distinguishes Entity List entries from DPL entries from UVL entries, making it possible to analyze each list independently.
Python: parsing and analyzing the Consolidated Screening List
The following script fetches the CSL JSON, breaks out entries by source list, identifies the top countries represented on the Entity List, and flags entries whose name or remarks fields reference semiconductor-related terms—useful for tracking the semiconductor controls footprint:
import requests
import json
import collections
import re
# BIS Consolidated Screening List via api.trade.gov
# Merges Entity List + Denied Persons List + Unverified List in one JSON feed
CSL_URL = "https://api.trade.gov/static/consolidatedscreening/consolidated.json"
SEMICONDUCTOR_KEYWORDS = [
"semiconductor", "chip", "integrated circuit", "wafer", "fab",
"lithography", "gpu", "foundry", "advanced computing", "smic",
]
def fetch_csl():
print("Downloading Consolidated Screening List JSON...")
r = requests.get(CSL_URL, timeout=120)
r.raise_for_status()
return r.json()
def classify_source(entry):
"""Map the source field to a readable label."""
src = entry.get("source", "")
if "Entity List" in src:
return "Entity List"
if "Denied" in src:
return "Denied Persons List"
if "Unverified" in src:
return "Unverified List"
if "Military End" in src:
return "Military End-User List"
return src or "Unknown"
def is_semiconductor_related(entry):
"""Return True if any text field references semiconductor-related terms."""
haystack = " ".join([
entry.get("name", ""),
entry.get("alt_names", ""),
entry.get("remarks", ""),
entry.get("license_requirement", ""),
entry.get("license_policy", ""),
]).lower()
return any(kw in haystack for kw in SEMICONDUCTOR_KEYWORDS)
def run_analysis(data):
results = data.get("results", [])
print(f"Total entries: {len(results)}\n")
# Count by source list
by_source = collections.Counter(classify_source(e) for e in results)
print("Entries by source list:")
for src, count in by_source.most_common():
print(f" {src}: {count:,}")
print()
# Count Entity List entries only
el_entries = [e for e in results if classify_source(e) == "Entity List"]
# Top countries by Entity List entry count
country_counts = collections.Counter(
e.get("country", "Unknown") for e in el_entries
)
print("Top 10 countries on Entity List:")
for country, count in country_counts.most_common(10):
print(f" {country}: {count:,}")
print()
# Semiconductor-related Entity List entries
semi_entries = [e for e in el_entries if is_semiconductor_related(e)]
print(f"Semiconductor-related Entity List entries: {len(semi_entries)}")
print("Sample names:")
for e in semi_entries[:10]:
name = e.get("name", "")
country = e.get("country", "")
print(f" [{country}] {name}")
if __name__ == "__main__":
data = fetch_csl()
run_analysis(data)
Running against the live CSL feed returns approximately 35,000 to 45,000 total entries depending on the current state of all contributing lists. The Entity List component alone exceeds 2,000 entries as of late 2026, with China and Russia together accounting for well over half. The semiconductor-related keyword filter surfaces SMIC (Semiconductor Manufacturing International Corporation), its subsidiaries, and dozens of Chinese fabless design houses, research institutes, and procurement fronts that appeared on the Entity List following the October 2022 advanced chip controls.
Red flag guidance and end-use certificate requirements
The EAR imposes an affirmative obligation on exporters to recognize and resolve “red flags” before proceeding with an export. BIS publishes red flag guidance as Supplement No. 3 to Part 732: indicators that a transaction may involve a prohibited end-use, end-user, or destination. Common red flags include a customer's unwillingness to provide end-use information, requests to ship to a freight forwarder rather than a named end-user, payment in cash by an unknown party, a customer whose stated business is inconsistent with the technical sophistication of the requested item, and requests to omit the item from packing lists or customs documentation.
The red flag standard is not strict liability: an exporter that encounters a red flag is not automatically liable if it proceeds. But proceeding without resolving the flag—by obtaining end-use certificates, conducting enhanced due diligence on the customer, or seeking a BIS advisory opinion—creates exposure for a “reason to know” violation, which carries the same penalties as actual knowledge violations.
The country groups system (Groups A through E, defined in Supplement No. 1 to Part 740) determines which license exceptions are available for which destinations. Group A countries include members of multilateral export control regimes (Wassenaar Arrangement for conventional arms and dual-use goods, the Nuclear Suppliers Group, the Australia Group for biological and chemical precursors, and MTCR for missile technology). Group D countries are subject to national security controls. Group E countries are subject to comprehensive embargoes. China occupies an intermediate position that has been progressively restricted through a series of regulatory amendments beginning in 2018.
How BIS intersects with OFAC, DDTC, and DOJ
Large export control prosecutions almost always involve multiple agencies simultaneously. A typical Iran-related export evasion case will involve BIS violations (shipping EAR-controlled items to Iran without a license), OFAC violations (transacting with Iranian entities on the SDN list), and potentially ITAR violations (if any items on the Munitions List were involved). DOJ's National Security Division coordinates with all three agencies. The ZTE, Huawei, and numerous Iran network cases have combined BIS civil penalties, OFAC civil penalties, and DOJ criminal charges under ECRA and IEEPA in a single global resolution.
The Foreign Corrupt Practices Act adds a fourth dimension in cases where bribes were paid to facilitate export approvals or customs clearances. DOJ's Fraud Section and the SEC (for publicly traded companies) participate in those cases alongside the national security enforcement apparatus.
The distinction between BIS and OFAC controls matters practically because the licensing exceptions and policy frameworks differ. OFAC sanctions are typically absolute prohibitions with specific license carve-outs for humanitarian goods and authorized government activities; BIS controls operate through a more nuanced license exception system tied to the specific item, destination, and end-use. A transaction involving a Russian entity may require analysis under both frameworks simultaneously: OFAC to determine whether the entity is SDN or SSI-listed, and BIS to determine whether the item requires a license to Russia and whether any exception applies.
Related: Treasury OFAC sanctions · SEC enforcement actions
Part of the Federal Regulatory Data Hub.