by Anand Sithian, Caroline Brown, Scott Clever, and Kelsey Clinton

Left to proper: Anand Sithian, Caroline Brown, Scott Clever, and Kelsey Clinton (images courtesy of Crowell & Moring)
Key takeaway #1
Nationwide safety stays a high enforcement precedence for the U.S. authorities, as evidenced by this joint settlement involving DOJ, NSD, and BIS. Voluntary disclosure of potential violations and cooperation proceed to have tangible advantages for corporations.
Key takeaway #2
Non-U.S. corporations ought to evaluation whether or not merchandise they manufacture outdoors america are topic to the International Direct Product Rule, and due to this fact topic to U.S. jurisdiction, and take acceptable compliance steps if that’s the case.
Key takeaway #3
Each U.S. and non-U.S. corporations ought to consider their export controls coaching to make sure compliance personnel have sufficient assets and sufficiently perceive the scope of the FDPR and related prohibitions.
On June 17, 2026, the U.S. Division of Justice’s (DOJ( Nationwide Safety Division (NSD) introduced that it had issued a declination for Robert Bosch GmbH (Bosch) regarding potential violations of the Export Management Reform Act, 50 U.S.C. § 4819 (ECRA). Particularly, the DOJ declined to criminally prosecute Bosch’s violations of the Export Administration Rules’ (EAR) International Direct Product Rule (FDPR), which apparently resulted from two Bosch subsidiaries’ export of merchandise and software program manufactured with tools that was the direct product of U.S. software program or know-how to Huawei Applied sciences Co., Ltd. and its “Entity Listing” associates, together with Huawei Tech. Funding Co., Ltd., Hong Kong (collectively, Huawei). The identical day, the U.S. Division of Commerce Bureau of Trade and Safety (BIS) introduced a parallel civil administrative settlement with Bosch.
That is the primary time that NSD has declined the prosecution of an organization beneath the department-wide Company Enforcement Coverage (CEP) launched by DOJ on March 10, 2026. Assistant Lawyer Common for Nationwide Safety John A. Eisenberg underscored the advantages which will inure to corporations that voluntarily disclose potential violations to the DOJ, remarking that “[t]his declination displays the clear advantages for corporations that promptly disclose potential violations and absolutely help in our investigations.”
Bosch is a German-based know-how and companies firm. Between September 2020 and September 2024, Bosch, by two non-U.S. subsidiaries — Bosch Sensortec GmbH (BST) and ETAS GmbH (ETAS) — exported over $70 million price of foreign-produced Micro-Electro-Mechanical Methods sensor merchandise and CycurHSM software program to Huawei and not using a requisite license or authorization from BIS. In consequence, Bosch made roughly $11.4 million in pre-tax income.
Upon discovering these unauthorized exports, Bosch performed an inside investigation and voluntarily self-disclosed the matter to NSD and BIS. NSD in the end declined to prosecute the matter, citing the next components beneath the CEP: (1) Bosch’s well timed voluntary self-disclosure; (2) Bosch’s cooperation in NSD’s investigation, together with provision of related details and paperwork, and immediate, voluntary responses to requests; (3) Bosch’s remediation efforts, together with the addition of 66 workers to its commerce compliance group, the enlargement of its U.S. commerce compliance assets, and updates to inside insurance policies and procedures; and (4) the adequacy of the BIS civil penalty.
NSD’s declination is conditioned upon Bosch’s disgorgement of the $11.4 million in pre-tax income.
In a concurrent enforcement motion, BIS alleged Bosch engaged in 109 violations of the EAR linked to its export of sensor merchandise and software program to Huawei. BIS decided that BST’s commerce compliance personnel “didn’t have adequate experience or assets” to handle the FDPR, culminating in an worker erroneously advising administration that BST merchandise weren’t topic to the FDPR restrictions.
Critically, the BIS charging letter documented a sample of repeated missed alternatives: between 2020 and 2024, at the least 5 separate third-party corporations warned Bosch or BST concerning the potential applicability of the FDPR — together with by compliance certifications, direct correspondence, and, in a single occasion, an express reference to the $300 million penalty BIS imposed on Seagate Know-how LLC for related Huawei-related FDPR violations. In every case, BST personnel both dismissed the warnings or didn’t comply with up.
In a single notable occasion, a senior BST supervisor deflected a request for data from Bosch’s personal U.S. commerce compliance staff, citing a “dire allocation scenario,” and a BST managing director instructed the identical BST supervisor to “guarantee that solutions listed here are managed by you” when inside compliance steerage was flagged as probably related. Individually, Bosch commerce compliance personnel erroneously concluded that the FDPR utilized solely to bodily items and to not software program, resulting in incorrect recommendation that the FDPR restrictions didn’t apply to ETAS’s CycurHSM automotive firmware.
On June 16, 2026, BIS and Bosch entered right into a settlement settlement to resolve these violations. Underneath the settlement, Bosch agreed to pay a civil penalty within the quantity of $36,184,680, which was half the full income generated from these gross sales. Within the settlement, BIS credited Bosch for (1) instantly halting associated transactions upon identification of the conduct; (2) well timed submitting a voluntary self-disclosure; (3) absolutely cooperating with BIS’s Workplace of Export Enforcement; and (4) dedicating vital assets to remediation. Although not explicitly acknowledged, BIS’s affirmation that Bosch made a voluntary self-disclosure and the full penalty quantity means that BIS didn’t deal with Bosch’s violations as “egregious” beneath the BIS Penalty Tips.
The parallel DOJ and BIS resolutions with Bosch supply a number of takeaways for corporations, significantly overseas know-how corporations and producers that use tools or know-how with a U.S. origin:
- Voluntary self-disclosure stays the clearest path to a positive final result. Bosch’s voluntary self-disclosure, full cooperation, and well timed remediation certified it for a declination beneath DOJ’s CEP given the absence of aggravating circumstances. BIS credited related details in its settlement settlement with the corporate, which probably result in a “non-egregious” BIS settlement. To attenuate potential penalties, corporations that uncover potential export controls violations ought to retain counsel accustomed to export controls and nationwide safety issues so they might contemplate whether or not to self-disclose to 1 or each of DOJ and BIS and any potential cooperation.
- Corporations ought to deal with third-party warnings concerning export controls and provider compliance certifications as actionable pink flags. The Bosch case illustrates that dismissing warnings from suppliers, contract producers, and even an organization’s personal inside compliance personnel — significantly when these warnings reference recognized enforcement precedents — can considerably compound an organization’s publicity. Corporations ought to set up procedures to escalate and independently consider third-party communications about compliance and export controls reasonably than counting on prior inside steerage which may be outdated or misguided. A greater observe can be assessing the validity of such communications on a case-by-case foundation.
- The FDPR applies broadly, together with to non-U.S. producers, and noncompliance could result in legal enforcement. Notably, this seems to be the primary enforcement motion by DOJ involving the FDPR. The FDPR imposes a license requirement on foreign-produced gadgets (together with commodities, software program, and know-how) when (a) the “product scope” is met; and (b) the “finish person/vacation spot/finish use” scope is met. The “product scope” is met if the gadgets concerned are a sure Export Management Classification Quantity (ECCN) and they’re both (i) the direct product of sure pre-described software program or know-how that’s topic to the EAR (together with if through the de minimis rule) or (ii) they’re produced by any plant or main element of a plant (e.g., testing tools) the place the plant or main element of the plant is the direct product of sure pre-described U.S.-origin know-how or software program. The “finish person/vacation spot/finish use” is met if there’s information (together with purpose to know) the related finish person, vacation spot, or finish use is concerned. There are 11 lively iterations of the FDPR, however most embrace finish customers, locations, or finish makes use of that contain Chinese language individuals on the Entity Listing, Russia, Belarus, Crimea, or Iran, and/or finish makes use of involving superior computing, supercomputers, semiconductor manufacturing tools, navy, or area gadgets (typically with the final 5 targeted on China or different arms-embargoed international locations). Because the Bosch settlement and declination display, the FDPR doesn’t flip on whether or not a product accommodates U.S.-origin content material; it activates whether or not U.S.-origin know-how and tools are used within the manufacturing course of. In different phrases, U.S. export controls could apply to a wholly foreign-made product if U.S. software program or know-how is used to make the product, even when no elements are from america. The FDPR has a broad attain and non-U.S. corporations ought to evaluation their manufacturing processes and know-how to find out if the FDPR applies to their merchandise, together with by the usage of U.S. software program or know-how.
- There are a number of extraterritorial export controls which may apply to an organization. BIS defined within the settlement that one of many errors Bosch made was in commingling the idea of the de minimis rule, which will depend on a certain quantity of integrated managed U.S. origin content material, with the FDPR. The de minimis rule is a distinct however vital means that BIS can assert jurisdiction over an merchandise, however it’s distinct from the FDPR. Corporations ought to pay attention to the variations between the de minimis rule and the FDPR and methods to search for each.
- Export controls coaching should hold tempo with regulatory adjustments. The BIS settlement highlighted the insufficient assets and lack of knowledge of adjusting U.S. export laws and enforcement inside Bosch’s commerce compliance staff as direct contributors to the continued violations. Along with adequately staffing commerce compliance capabilities, corporations ought to spend money on periodic, substantive U.S. export controls coaching, significantly: (1) for sophisticated and altering areas just like the FDPR and BIS enforcement actions; (2) if they’ve common dealings with events on U.S. restricted celebration lists such because the Entity Listing; and (3) when dealing in essential know-how areas reminiscent of semiconductors, synthetic intelligence, quantum computing, and superior computing.
Anand Sithian, Caroline Brown, and Scott Clever are Companions and Kelsey Clinton is an Affiliate at Crowell & Moring. This text first appeared on the agency’s weblog.
The views, opinions and positions expressed inside all posts are these of the writer(s) alone and don’t signify these of the Program on Company Compliance and Enforcement (PCCE) or of the New York College College of Regulation. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this web site and won’t be liable any errors, omissions or representations. The copyright of this content material belongs to the writer(s) and any legal responsibility on the subject of infringement of mental property rights stays with the writer(s).
by Anand Sithian, Caroline Brown, Scott Clever, and Kelsey Clinton

Left to proper: Anand Sithian, Caroline Brown, Scott Clever, and Kelsey Clinton (images courtesy of Crowell & Moring)
Key takeaway #1
Nationwide safety stays a high enforcement precedence for the U.S. authorities, as evidenced by this joint settlement involving DOJ, NSD, and BIS. Voluntary disclosure of potential violations and cooperation proceed to have tangible advantages for corporations.
Key takeaway #2
Non-U.S. corporations ought to evaluation whether or not merchandise they manufacture outdoors america are topic to the International Direct Product Rule, and due to this fact topic to U.S. jurisdiction, and take acceptable compliance steps if that’s the case.
Key takeaway #3
Each U.S. and non-U.S. corporations ought to consider their export controls coaching to make sure compliance personnel have sufficient assets and sufficiently perceive the scope of the FDPR and related prohibitions.
On June 17, 2026, the U.S. Division of Justice’s (DOJ( Nationwide Safety Division (NSD) introduced that it had issued a declination for Robert Bosch GmbH (Bosch) regarding potential violations of the Export Management Reform Act, 50 U.S.C. § 4819 (ECRA). Particularly, the DOJ declined to criminally prosecute Bosch’s violations of the Export Administration Rules’ (EAR) International Direct Product Rule (FDPR), which apparently resulted from two Bosch subsidiaries’ export of merchandise and software program manufactured with tools that was the direct product of U.S. software program or know-how to Huawei Applied sciences Co., Ltd. and its “Entity Listing” associates, together with Huawei Tech. Funding Co., Ltd., Hong Kong (collectively, Huawei). The identical day, the U.S. Division of Commerce Bureau of Trade and Safety (BIS) introduced a parallel civil administrative settlement with Bosch.
That is the primary time that NSD has declined the prosecution of an organization beneath the department-wide Company Enforcement Coverage (CEP) launched by DOJ on March 10, 2026. Assistant Lawyer Common for Nationwide Safety John A. Eisenberg underscored the advantages which will inure to corporations that voluntarily disclose potential violations to the DOJ, remarking that “[t]his declination displays the clear advantages for corporations that promptly disclose potential violations and absolutely help in our investigations.”
Bosch is a German-based know-how and companies firm. Between September 2020 and September 2024, Bosch, by two non-U.S. subsidiaries — Bosch Sensortec GmbH (BST) and ETAS GmbH (ETAS) — exported over $70 million price of foreign-produced Micro-Electro-Mechanical Methods sensor merchandise and CycurHSM software program to Huawei and not using a requisite license or authorization from BIS. In consequence, Bosch made roughly $11.4 million in pre-tax income.
Upon discovering these unauthorized exports, Bosch performed an inside investigation and voluntarily self-disclosed the matter to NSD and BIS. NSD in the end declined to prosecute the matter, citing the next components beneath the CEP: (1) Bosch’s well timed voluntary self-disclosure; (2) Bosch’s cooperation in NSD’s investigation, together with provision of related details and paperwork, and immediate, voluntary responses to requests; (3) Bosch’s remediation efforts, together with the addition of 66 workers to its commerce compliance group, the enlargement of its U.S. commerce compliance assets, and updates to inside insurance policies and procedures; and (4) the adequacy of the BIS civil penalty.
NSD’s declination is conditioned upon Bosch’s disgorgement of the $11.4 million in pre-tax income.
In a concurrent enforcement motion, BIS alleged Bosch engaged in 109 violations of the EAR linked to its export of sensor merchandise and software program to Huawei. BIS decided that BST’s commerce compliance personnel “didn’t have adequate experience or assets” to handle the FDPR, culminating in an worker erroneously advising administration that BST merchandise weren’t topic to the FDPR restrictions.
Critically, the BIS charging letter documented a sample of repeated missed alternatives: between 2020 and 2024, at the least 5 separate third-party corporations warned Bosch or BST concerning the potential applicability of the FDPR — together with by compliance certifications, direct correspondence, and, in a single occasion, an express reference to the $300 million penalty BIS imposed on Seagate Know-how LLC for related Huawei-related FDPR violations. In every case, BST personnel both dismissed the warnings or didn’t comply with up.
In a single notable occasion, a senior BST supervisor deflected a request for data from Bosch’s personal U.S. commerce compliance staff, citing a “dire allocation scenario,” and a BST managing director instructed the identical BST supervisor to “guarantee that solutions listed here are managed by you” when inside compliance steerage was flagged as probably related. Individually, Bosch commerce compliance personnel erroneously concluded that the FDPR utilized solely to bodily items and to not software program, resulting in incorrect recommendation that the FDPR restrictions didn’t apply to ETAS’s CycurHSM automotive firmware.
On June 16, 2026, BIS and Bosch entered right into a settlement settlement to resolve these violations. Underneath the settlement, Bosch agreed to pay a civil penalty within the quantity of $36,184,680, which was half the full income generated from these gross sales. Within the settlement, BIS credited Bosch for (1) instantly halting associated transactions upon identification of the conduct; (2) well timed submitting a voluntary self-disclosure; (3) absolutely cooperating with BIS’s Workplace of Export Enforcement; and (4) dedicating vital assets to remediation. Although not explicitly acknowledged, BIS’s affirmation that Bosch made a voluntary self-disclosure and the full penalty quantity means that BIS didn’t deal with Bosch’s violations as “egregious” beneath the BIS Penalty Tips.
The parallel DOJ and BIS resolutions with Bosch supply a number of takeaways for corporations, significantly overseas know-how corporations and producers that use tools or know-how with a U.S. origin:
- Voluntary self-disclosure stays the clearest path to a positive final result. Bosch’s voluntary self-disclosure, full cooperation, and well timed remediation certified it for a declination beneath DOJ’s CEP given the absence of aggravating circumstances. BIS credited related details in its settlement settlement with the corporate, which probably result in a “non-egregious” BIS settlement. To attenuate potential penalties, corporations that uncover potential export controls violations ought to retain counsel accustomed to export controls and nationwide safety issues so they might contemplate whether or not to self-disclose to 1 or each of DOJ and BIS and any potential cooperation.
- Corporations ought to deal with third-party warnings concerning export controls and provider compliance certifications as actionable pink flags. The Bosch case illustrates that dismissing warnings from suppliers, contract producers, and even an organization’s personal inside compliance personnel — significantly when these warnings reference recognized enforcement precedents — can considerably compound an organization’s publicity. Corporations ought to set up procedures to escalate and independently consider third-party communications about compliance and export controls reasonably than counting on prior inside steerage which may be outdated or misguided. A greater observe can be assessing the validity of such communications on a case-by-case foundation.
- The FDPR applies broadly, together with to non-U.S. producers, and noncompliance could result in legal enforcement. Notably, this seems to be the primary enforcement motion by DOJ involving the FDPR. The FDPR imposes a license requirement on foreign-produced gadgets (together with commodities, software program, and know-how) when (a) the “product scope” is met; and (b) the “finish person/vacation spot/finish use” scope is met. The “product scope” is met if the gadgets concerned are a sure Export Management Classification Quantity (ECCN) and they’re both (i) the direct product of sure pre-described software program or know-how that’s topic to the EAR (together with if through the de minimis rule) or (ii) they’re produced by any plant or main element of a plant (e.g., testing tools) the place the plant or main element of the plant is the direct product of sure pre-described U.S.-origin know-how or software program. The “finish person/vacation spot/finish use” is met if there’s information (together with purpose to know) the related finish person, vacation spot, or finish use is concerned. There are 11 lively iterations of the FDPR, however most embrace finish customers, locations, or finish makes use of that contain Chinese language individuals on the Entity Listing, Russia, Belarus, Crimea, or Iran, and/or finish makes use of involving superior computing, supercomputers, semiconductor manufacturing tools, navy, or area gadgets (typically with the final 5 targeted on China or different arms-embargoed international locations). Because the Bosch settlement and declination display, the FDPR doesn’t flip on whether or not a product accommodates U.S.-origin content material; it activates whether or not U.S.-origin know-how and tools are used within the manufacturing course of. In different phrases, U.S. export controls could apply to a wholly foreign-made product if U.S. software program or know-how is used to make the product, even when no elements are from america. The FDPR has a broad attain and non-U.S. corporations ought to evaluation their manufacturing processes and know-how to find out if the FDPR applies to their merchandise, together with by the usage of U.S. software program or know-how.
- There are a number of extraterritorial export controls which may apply to an organization. BIS defined within the settlement that one of many errors Bosch made was in commingling the idea of the de minimis rule, which will depend on a certain quantity of integrated managed U.S. origin content material, with the FDPR. The de minimis rule is a distinct however vital means that BIS can assert jurisdiction over an merchandise, however it’s distinct from the FDPR. Corporations ought to pay attention to the variations between the de minimis rule and the FDPR and methods to search for each.
- Export controls coaching should hold tempo with regulatory adjustments. The BIS settlement highlighted the insufficient assets and lack of knowledge of adjusting U.S. export laws and enforcement inside Bosch’s commerce compliance staff as direct contributors to the continued violations. Along with adequately staffing commerce compliance capabilities, corporations ought to spend money on periodic, substantive U.S. export controls coaching, significantly: (1) for sophisticated and altering areas just like the FDPR and BIS enforcement actions; (2) if they’ve common dealings with events on U.S. restricted celebration lists such because the Entity Listing; and (3) when dealing in essential know-how areas reminiscent of semiconductors, synthetic intelligence, quantum computing, and superior computing.
Anand Sithian, Caroline Brown, and Scott Clever are Companions and Kelsey Clinton is an Affiliate at Crowell & Moring. This text first appeared on the agency’s weblog.
The views, opinions and positions expressed inside all posts are these of the writer(s) alone and don’t signify these of the Program on Company Compliance and Enforcement (PCCE) or of the New York College College of Regulation. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this web site and won’t be liable any errors, omissions or representations. The copyright of this content material belongs to the writer(s) and any legal responsibility on the subject of infringement of mental property rights stays with the writer(s).



















