Voluntary Self Disclosure Under the Export Administration Regulations: A Guide for SMBs and Tech Startups

Executive Summary (for founders, GCs, and compliance leads)

If your company innovates in software, hardware, AI, encryption, semiconductors, or cloud services, you almost certainly touch the U.S. Export Administration Regulations (EAR). The Bureau of Industry and Security (BIS) enforces the EAR and offers a Voluntary Self‑Disclosure (VSD) program to incentivize companies that identify and report their own potential violations. In policy updates during 2022, 2023, and 2024, BIS strengthened penalties for serious cases, but also streamlined and accelerated resolutions for minor or technical issues through a “fast‑track” approach and clarified when and how a VSD can cut penalties dramatically.

Remember three takeaways:

  1. Speed and good faith matter. When you find a potential problem, seek counsel quickly, stop the activity unless authorized by counsel, and preserve records. Timely VSDs are one of the strongest mitigating factors under the EAR.
  2. “Fast‑track” exists for small mistakes. Minor or technical violations can ideally be resolved within ~60 days of the final VSD submission with a warning or no‑action letter — and now you can use an abbreviated narrative in many of these cases.
  3. Choosing to not disclose is complicated and can make penalties worse. BIS explicitly treats the failure to voluntarily disclose significant violations as an aggravating factor, raising penalties if the conduct comes to light later.

Introduction: Why this matters now

Startups and SMBs scale globally fast — shipping dev kits abroad, hiring remote teams, pushing code to foreign repos, providing cloud access to foreign users, and collaborating with international customers and partners. These ordinary business moves can be “exports” or “reexports” under the EAR. The rules are not intuitive, and the penalties for missteps can be steep, including high civil fines and, for willful conduct, potential criminal exposure. BIS has emphasized that controlling dual‑use tech is a core national‑security priority — and it has re‑tooled its enforcement program to deter violations and reward proactive compliance.

This article explains the fundamentals, then goes deep on the Voluntary Self‑Disclosure path: what it is, why it helps, how BIS’s policies changed from 2022–2024, and exactly what to do if you discover a potential problem.

Part I — Foundations

What are the Export Administration Regulations (EAR)?

The EAR control exports, reexports, and in‑country transfers of “dual‑use” items — commercial technologies with potential military or proliferation applications. Items are classified using the Commerce Control List (CCL), which assigns an Export Control Classification Number (ECCN). Items not on the CCL default to EAR99, but still can’t be shipped to comprehensively embargoed destinations or prohibited end‑users for prohibited end‑uses. For many early‑stage teams, the most frequent EAR touchpoints include:

  • Software and encryption (source code, SDKs, APIs, SaaS features)
  • Cloud and compute (access from abroad can be an export of technology)
  • AI and advanced computing (models, training data, high‑end chips)
  • Sensors, optics, RF, and drones (common in robotics and IoT)
  • Semiconductors and manufacturing equipment
  • “Deemed exports” (sharing controlled technology with a foreign national inside the U.S.)

Understanding this framework is essential; even unintentional violations are still violations.

Who is BIS and what is OEE?

The Bureau of Industry and Security is a U.S. Department of Commerce agency responsible for administering the EAR and enforcing export controls to protect U.S. national security and foreign policy interests. Its Office of Export Enforcement (OEE) investigates potential violations, brings administrative cases, negotiates settlements, and interacts with the Department of Justice (DOJ) in serious matters. BIS’s leadership has explained that adversarial nation‑state actors target sensitive U.S. technologies, which is why BIS has recalibrated policies to strengthen deterrence while encouraging rapid, honest disclosures by companies and universities.

Part II — Penalties, GP10, and Common Risk Areas

What are the penalties for violating the EAR?

Civil penalties under the Export Control Reform Act (ECRA) can reach the statutory maximum per violation (often several hundred thousand dollars, depending on the offense), along with denial of export privileges and mandated compliance enhancements. Criminal penalties are available for willful misconduct. BIS also made charging letters public at filing (rather than after resolution), increasing reputational risk and accelerating the compliance wake‑up call across industry.

BIS’s April 2023 policy clarification reiterates how a timely, comprehensive VSD reduces the base penalty in non‑egregious cases to one‑half of the transaction value (capped at $125,000 per violation); even in egregious cases, a VSD reduces the base amount up to one‑half of the statutory maximum.

General Prohibition 10 (GP10): What it means after you spot a problem

Once you know or have reason to know that a violation occurred with a specific item or technology, you cannot keep dealing with that item — buying it, selling it, transferring it, storing it, etc. This is GP10. BIS’s January 2024 update recognizes that companies often need to fix past issues (e.g., retrieve or redirect an item). BIS therefore allows parties to request special permission to engage in otherwise prohibited activities under GP10 and clarifies that requests may be made even by parties that did not themselves violate the EAR. Where an unlawfully exported item is abroad, OEE’s presumptive recommendation will be to authorize reexport back to the United States so it can be placed back into lawful commerce.

Common risk areas for SMB tech and software companies

  1. Encryption and cybersecurity tools.
    Many teams assume widely used encryption is “uncontrolled.” Not true. Encryption functionality can trigger ECCNs in Category 5, Part 2 (e.g., 5A002/5D002/5E002 for more tightly controlled items; 5A992/5D992 for mass‑market). Even open‑source encryption can require classification or notification, and remote access by foreign developers can be a controlled export of technology.
  2. SaaS features and cloud access.
    Providing foreign users access to controlled functionality (e.g., intrusion detection, network analysis, advanced compute orchestration) can be an export.
  3. Deemed exports.
    Sharing controlled source code, CAD files, or process know‑how with foreign nationals in the U.S. can require licensing.
  4. Prototype shipments and dev kits.
    Sensors, RF modules, drones, high‑end accelerators, and HPC components often live on the CCL and may require a license to some destinations or end‑users.
  5. “It’s just EAR99.”
    Misclassification is a frequent root cause. EAR99 is not a blanket permission slip — sanctions, end‑use, and end‑user restrictions still apply.

The safest path is to classify high‑risk items (especially encryption) early and build lightweight, scalable controls (screening, customer diligence, and code‑release gates) as part of technical operations.

Part III — The VSD program

What is a VSD and why does BIS offer it?

A Voluntary Self‑Disclosure is a mechanism for a company to tell BIS: “We found a potential EAR violation; here’s what happened, how it happened, who was involved, what items were affected, and what we are doing to fix it.” BIS rewards this behavior because self‑policing advances national security and deters repeat issues. In exchange for candor and speed, BIS offers material penalty reductions and, for minor issues, fast, non‑punitive outcomes (warning or no‑action letters).

Core components of a VSD file

  • Initial notification to OEE describing the potential violation in brief (who/what/when/where/how).
  • Narrative account (EAR §764.5(c)(3)) with:
    – Type of violation (e.g., export without a required license)
    – When/how it occurred (facts and timeline)
    – All parties involved (domestic and foreign)
    – License numbers or references (if any)
    – Item description, ECCN, value, and quantities
    – Mitigating circumstances and corrective actions
  • Supporting documents (contracts, emails, shipping records, code change logs), retained and provided if requested.

How a VSD reduces penalties

BIS’s April 2023 memo plainly explains the math: for non‑egregious cases, a timely VSD sets the base penalty at 50% of transaction value, capped at $125,000 per violation; even in egregious cases, the VSD reduces the base to half the statutory maximum. BIS may also suspend some or all of the penalty based on the company’s cooperation and remediation.

Just as importantly, BIS has clarified the downside of not disclosing: if your compliance program uncovers a significant possible violation and you choose not to file a VSD, that decision can now count as an aggravating factor if the conduct later comes to OEE’s attention (e.g., via competitor tips, government leads, or supply‑chain intelligence).

Part IV — The 2022–2024 BIS policy updates

These three memoranda materially changed both the carrots (incentives to disclose) and the sticks (deterrence for serious conduct). Here is what changed and why it matters to SMBs and startups.

June 30, 2022: Strengthening administrative enforcement and creating a “fast‑track” VSD lane

BIS’s 2022 memo (by Matthew S. Axelrod, Assistant Secretary for Export Enforcement) announced four major moves:

  1. Higher penalties for serious cases.
    BIS committed to applying aggravating factors more consistently and designating “egregious” violations when warranted, raising monetary exposure. This underscored national‑security harms as central to penalty calculus.
  2. Non‑monetary settlements for less serious cases.
    Where harm is limited yet more than a mere technicality, BIS can resolve matters through suspended denial orders with conditions (e.g., training, audits) instead of cash penalties.
  3. Eliminating “no admit, no deny” settlements.
    To receive a reduced penalty, companies must admit the factual conduct. This provides clarity to industry about what behavior triggered enforcement.
  4. Dual‑track VSD processing with a “fast‑track” for minor or technical violations.
    Most routine VSDs would be resolved in about 60 days via warning or no‑action letters; more serious disclosures would be assigned both an OEE agent and counsel (and potentially DOJ) for deeper follow‑up. This was the origin of the fast‑track that startups rely on today.

Why founders should care: The “fast‑track” gives you a practical, low‑friction path to fix honest mistakes quickly, while the higher‑penalty posture for serious cases clarifies the stakes if you ignore red flags.

April 18, 2023: Clarifying incentives — and consequences — around VSDs and reporting others

The 2023 memo clarified two pivotal points:

  • Bigger benefits for meaningful self‑reporting: Timely, complete VSDs substantially reduce penalties (see the 50%/cap rules above). Companies can also bundle multiple minor/technical violations into a single overarching disclosure when they occur close in time, lowering process overhead.
  • Real costs for staying quiet on significant problems: BIS will treat a deliberate decision not to disclose significant possible violations as an aggravating factor when it later evaluates penalties. This is a major shift that should change board‑level calculus.

The memo also encouraged disclosures about others’ misconduct and noted that information provided to FinCEN or DOJ may lead to whistleblower awards if it results in successful sanctions or related enforcement. This is intended to promote a level playing field: companies that comply shouldn’t be undercut by competitors who don’t.

Why founders should care: If your internal review uncovers a serious problem, not filing a VSD is now riskier than before. Conversely, if you’re choosing between filing five tiny VSDs or one consolidated quarterly submission, BIS prefers the latter for small, technical errors.

January 16, 2024: Making VSDs easier to file — and clarifying GP10 relief

The 2024 memo made the process even more practical:

  • Email is preferred for initial notifications, extension requests, and narratives, with electronic signatures accepted (use the OEE VSD intake address indicated by BIS).
  • Abbreviated narratives are now acceptable for VSDs that lack aggravating factors — no need to submit every supporting document up front. (OEE can always request more.)
  • The five‑year lookback often recommended for VSDs is not required for abbreviated submissions unless OEE later asks for it.
  • GP10 and unlawfully exported items: BIS clarified that parties may request permission to handle items otherwise caught by GP10 prohibitions so they can be corrected or returned to the U.S.; OEE’s presumptive recommendation will be to authorize reexport back to the United States. It also confirmed that third parties (not just violators) may notify OEE and request permission, and that such notifications will be treated as satisfying the EAR’s VSD requirement in certain circumstances.

Part V — The VSD process

Spotting a potential violation: common signals

  • A customer or reseller asks you to ship to a different end‑user or relabel shipments.
  • A support engineer realizes that a foreign contractor has had source‑code access to controlled encryption or advanced compute features without a license.
  • Ops notices an export screening hit tied to a sanctioned party or a military‑linked end‑user.
  • Legal becomes aware of hardware (e.g., sensors, RF modules, drones, advanced accelerators) shipped to a restricted destination without prior classification or license.
  • Due diligence flags downstream reexport to a comprehensively embargoed destination.
  • An investor or acquirer asks whether you ever filed “BIS paperwork” and no one can find a consistent export classification for major products.

When any of these occur, pause, preserve records, and loop in counsel.

If your company uncovers a potential export violation, take immediate action:

Next Steps

  1. Preserve All Records

Emails, shipment data, source code versions, communications, and compliance reports may become critical.

  2. Engage an Experienced Export Controls Lawyer

Export controls are highly specialized. Counsel can:

  • Assess EAR applicability
  • Perform internal investigations
  • Classify items
  • Draft the VSD
  • Communicate with BIS
  • Navigate GP10 authorization requests

This step is essential to avoid compounding errors.

  3. Conduct an Internal Review

Determine:

  • The scope
  • The item classification
  • The involved parties
  • Whether national security‑sensitive countries or entities were implicated

  4. Stop the Identified Activity

  • Comply with GP10 — cease handling the item or technology unless cleared by legal guidance.

  5. Consider Submitting an Initial Notification to BIS

  6. Prepare a Full or Abbreviated Narrative – if Warranted

Depending on whether aggravating factors appear, prepare the required narrative or an abbreviated version.

  7. Implement Corrective Measures

This may include:

  • Updating screening tools
  • Conducting staff training
  • Reclassifying items
  • Strengthening compliance programs

BIS considers corrective actions during penalty assessment.

Filing sequence and format

1) Initial notification.
Send a concise notice to OEE explaining that you discovered a potential violation, the item/ECCN (if known), parties, and steps taken to contain. The 2024 policy encourages email submission and accepts e‑signatures. If you need more time for internal investigation, request a reasonable extension and provide periodic updates.

2) Narrative account.

  • For minor/technical issues with no aggravating factors, file an abbreviated narrative covering the elements of EAR §764.5(c)(3) (violation type; when/how; parties; license; item details; mitigation) and be prepared to furnish documents only if OEE asks. The five‑year lookback is not required unless OEE later requests it.
  • For significant issues or where aggravation is possible, submit a full narrative, include supporting materials, and conduct the customary lookback (up to five years) to surface any related violations.

3) GP10 relief (if needed).
If you must move, return, or otherwise handle items touched by the violation to correct the issue, submit a request for permission to BIS’s Office of Exporter Services (with a courtesy copy to OEE to expedite). Expect OEE to support reexport back to the U.S. where appropriate.

4) Bundling minor issues.
If you have multiple minor/technical missteps that occurred close in time, you may bundle them into a single filing — now specifically permitted on a quarterly cadence — which greatly reduces process burden for growing companies.

5) Cooperation and remediation.
Demonstrate concrete fixes (updated screening, training, code‑release gates for encryption, engineering checklists for shipments, audit logging for access to model weights). These steps directly influence penalty outcomes.

Ideal timelines and outcomes

  • Fast‑track, minor/technical: BIS aims to resolve within ~60 days of final submission via warning or no‑action letter.
  • Significant matters: Expect extended engagement with OEE and counsel, potential administrative penalties, and in rare serious cases, DOJ involvement.
  • Penalty reductions: A proper, timely VSD steeply reduces the base penalty (see April 2023 memo for the 50%/cap methodology).
  • Non‑monetary resolutions: For less serious but non‑trivial cases, BIS can structure suspended denial orders with compliance conditions, avoiding cash penalties while ensuring remediation.

Part VI — Decision‑making: Should you file a VSD?

Consult counsel. The business‑legal calculus (for boards and executives):

  1. Severity of the Violation

Significant violations (controlled exports to restricted countries, knowing transfers, diversion risk) favor self‑disclosure. BIS has made clear that failing to disclose significant violations will now be treated as an aggravating factor.

  2. Probability of Detection

BIS encourages disclosures partly because U.S. and foreign intelligence capabilities make detection more likely, especially in areas like AI, semiconductors, cybersecurity tools, and dual‑use electronics. GP10 also significantly complicates business transactions such as customer support, business financing and M&A transactions.

  3. Potential Business Impact

A proactive disclosure may prevent:

  • Public enforcement
  • Denial of export privileges
  • Higher penalties

  4. Complexity and Cost

VSDs require resources, but the cost of non‑disclosure is much greater in the long run.

  5. Good‑Faith Compliance Culture

Demonstrating robust compliance is a long‑term risk‑mitigation investment — and expected by BIS.

Part VII — Remediation ideas that resonate with BIS

  • Governance: Assign an executive export‑controls owner and tie program health to risk reporting.
  • People: Onboard training for engineers and field teams; annual refreshers; specialist training for release managers.
  • Process: Pre‑release ECCN check gates; customer screening at quote and ship; contract clauses on reexports.
  • Technology: Screening integrations with CRM/ERP; repo tags for controlled code; automated location‑based access controls; immutable audit logs.
  • Audit & Assurance: Periodic internal audits; spot checks; mock disclosures and post‑mortems.

These measures show BIS you take the issue seriously and reduce the chance of recurrence — both important mitigating factors.

Part VIII — Deeper dive: Encryption exports for software teams

Because encryption touches so many products, a few practical notes:

  • Classify early. Identify whether functionality (e.g., TLS libraries, key management, VPN, EDR, IDS/IPS, secure messaging, end‑to‑end crypto) places you in 5A002/5D002/5E002 (more controlled) or 5A992/5D992 (mass‑market).
  • Don’t ignore open source. Open‑source status doesn’t nullify export controls.
  • Mind “deemed exports.” Providing controlled design details or source code to foreign engineers inside the U.S. can require licensing.
  • Document your rationale. Keep a crisp ECCN memo that engineering, security, and legal can understand.
  • Bake controls into the SDLC. Make encryption classification and destination/user screening an automated pre‑release step.

A surprising number of first‑time VSDs stem from encryption.

Part IX — Special topics for founders and GCs

M&A and fundraising implications

  • Disclosure duties: Buyers, investors and banks increasingly ask for export‑controls representations; known issues handled via VSDs are more manageable than unknown landmines.
  • Clean rooming: For code or hardware that may be controlled, use carefully scoped access for diligence teams; document controls.
  • GP10 pitfalls: If a target has a past violation, GP10 may limit the target’s ability to move/update/service implicated items; a permission request to BIS after a VSD can de‑risk closing logistics.

Part X — Putting BIS’s posture in context

BIS’s recent enforcement and policy posture reflects two priorities:

  1. Deterrence where national security is at risk.
    By: higher penalties; public charging letters; elimination of “no admit, no deny”; consistent use of aggravating factors.
  2. Pragmatism to keep responsible companies building.
    By: fast‑track resolutions; abbreviated narratives; quarterly bundling; email submissions; GP10 permission pathways; explicit recognition that compliance is a partnership with industry.

For high‑growth companies, this is good policy design: it sets firm boundaries for serious conduct while rewarding speed, honesty, and remediation — the attributes you can operationalize today.

Conclusion

Export controls touch more of your business than you think — from Git repos to customer support consoles, from evaluation kits to cloud provisioning. The Voluntary Self‑Disclosure program is the safety valve BIS built to ensure that when responsible companies find problems, they can fix them quickly and lawfully, learn from them, and move forward. With the 2022–2024 updates, BIS clarified consequences for serious misconduct while making it easier for startups and SMBs to disclose minor or technical issues through fast‑track, abbreviated filings, quarterly bundling, and practical GP10 permissions.

If you suspect an issue:

  • Stop the activity (GP10), preserve records, and call experienced export‑controls counsel.
  • Remediate with visible, durable controls and document everything.
  • Consider reporting with the assistance of export counsel.

Handled correctly, a VSD can turn a compliance hazard into an asset — evidence that your company can scale innovation responsibly, build trust with regulators and partners, and protect its long‑term growth.


