Export Controls for Hardware Startups: When EAR and ITAR Reach Your Product, Your Engineers, and Your Investors

EAR and ITAR export controls can restrict who hardware startups hire, where they ship, and what they can publish. Here is what Texas founders need to know about deemed exports, semiconductor rules, and BIS enforcement.

Export Controls for Hardware Startups: When EAR and ITAR Reach Your Product, Your Engineers, and Your Investors
Loading AudioNative Player...

If you are building a connected device, a semiconductor, a drone, or any hardware product in Texas, you are operating in one of the most export-controlled technology ecosystems in the country. Texas is home to Samsung's massive Austin fabrication facility, Texas Instruments, NXP Semiconductors, and Qualcomm's Texas operations. The CHIPS Act has poured billions into domestic semiconductor manufacturing, and the Commerce Department's Bureau of Industry and Security (BIS) has tightened export controls on advanced computing and semiconductor items dramatically — first in October 2022, and again in October 2023.

Most hardware founders we work with have never heard of the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR) until something goes wrong: a foreign-national engineer needs access to controlled technical data, a customer in China wants to buy a product, or an investor's diligence team asks about export compliance and the founders realize they have no answer. We have written about the DOJ Data Security Program, which restricts data transfers to Countries of Concern. The EAR and ITAR are the parallel regimes that restrict where your physical goods, software, and technical data can go — and who can receive them.

This guide covers what every hardware founder needs to know: which regulatory regime applies to your product, how deemed exports can restrict who you hire, which countries are off-limits, and what compliance steps you should take before you ship, hire, or raise.

Two Regimes: EAR and ITAR

U.S. export controls operate through two primary frameworks. Understanding which one applies to your product is the first step in compliance.

The Export Administration Regulations (EAR), codified at 15 CFR Parts 730-774, are administered by BIS within the Commerce Department. The EAR controls dual-use items — goods, software, and technology that have both commercial and military applications. If your product is a semiconductor, an IoT device, a drone component, or advanced computing hardware, it likely falls under the EAR. The EAR Commerce Control List (CCL), found in 15 CFR Part 774, classifies items into Export Control Classification Numbers (ECCNs) that determine what license requirements apply based on the item, the destination country, the end-user, and the end-use.

The International Traffic in Arms Regulations (ITAR), codified at 22 CFR Parts 120-130, are administered by the Directorate of Defense Trade Controls (DDTC) within the State Department. ITAR controls defense articles and defense services — items specifically designed for military applications — through the United States Munitions List (USML). If your product is a military drone, a targeting system, a night-vision device, or certain space-qualified components, it may be ITAR-controlled. ITAR is significantly more restrictive than the EAR: it bars foreign nationals from accessing ITAR-controlled technical data without specific authorization, and violations carry both civil and criminal penalties.

Which One Applies to Your Product?

The classification question is not always intuitive. A commercial drone used for agriculture may fall under the EAR. That same drone equipped with a military-grade sensor may trigger ITAR. A semiconductor designed for consumer electronics is typically EAR-controlled, but if it is incorporated into a military system, the end-use can trigger additional EAR licensing requirements — or push the integrated product into ITAR territory.

The practical approach: start with the CCL. If your item has an ECCN, it is subject to the EAR. If it does not fit any ECCN, it may be designated EAR99 — subject to the EAR but generally eligible for export without a license to most destinations. If your item is specifically designed for military use and appears on the USML, it is ITAR-controlled. When the answer is not clear — and for hardware startups, it frequently is not — an export classification determination from counsel is essential.

The Semiconductor Export Control Shift

Hardware founders in the semiconductor space need to understand that the regulatory landscape changed fundamentally in October 2022. On October 7, 2022, BIS implemented new export controls restricting the People's Republic of China's ability to obtain advanced computing chips, develop and maintain supercomputers, and manufacture advanced semiconductors. The rule added certain advanced computing chips to the Commerce Control List, imposed new license requirements for items destined for supercomputer or semiconductor development end-uses in China, and expanded the scope of the EAR over certain foreign-produced advanced computing items.

In October 2023, BIS issued updated rules that tightened the October 2022 controls further, narrowing the parameters that exempt advanced computing items from controls and expanding the foreign direct product rule reach. As Skadden noted in its analysis, the 2023 updates closed loopholes that companies had identified in the original rules and broadened the scope of items subject to licensing requirements.

For a Texas semiconductor startup, these rules have direct operational consequences. If your product meets the advanced computing thresholds defined in the rules, you need a BIS license to export it to China — and the licensing standard for many of these items is a presumption of denial. That means BIS starts from the position that the license will be denied, and the burden is on you to demonstrate why it should be granted. The rules also restrict the ability of U.S. persons to support the development or production of integrated circuits at certain China-located semiconductor fabrication facilities without a license.

Deemed Exports: When Hiring Becomes an Export

This is the provision that catches most hardware founders by surprise. Under the EAR, a deemed export occurs when you release controlled technology to a foreign national who is inside the United States. The regulations at 15 CFR 734.20 provide that the release of technology or source code subject to the EAR to a foreign national of another country is deemed to be an export to that country — even if the release happens entirely within the United States.

In practice, this means that if you hire a brilliant FPGA engineer who is a Chinese national and give that engineer access to controlled technical data — schematics, design files, manufacturing processes classified under an ECCN requiring a license for China — you may have just made an export to China without a license. The same applies to Indian, Russian, Iranian, and Venezuelan nationals, depending on the ECCN and the applicable country group. The EAR Country Groups organize destinations by risk level: Country Group D:1 includes nations of proliferation concern (China, Russia, Iran, North Korea, and others), and Country Group D:5 includes countries under U.S. arms embargoes.

ITAR deemed export rule is even stricter. Under 22 CFR 120.50, an export includes releasing ITAR-controlled technical data to a foreign person, whether in the United States or abroad. This means that if your drone startup is working on an ITAR-controlled component, you may need a license (or a Technical Assistance Agreement) before a foreign-national engineer can access the technical data — even if that engineer is a lawful permanent resident working in your Austin office.

The practical implication for hiring: before you extend an offer to a foreign national for any role involving access to controlled technology, you need to know whether that access constitutes a deemed export and whether a license is required. This analysis should happen during the hiring process, not after the engineer starts reviewing schematics.

Where You Can Ship: Country Restrictions

The EAR organizes countries into groups that determine licensing requirements. For most hardware products classified under the EAR, the critical distinction is between Country Group D:1 (national security concerns, including China, Russia, Iran, North Korea, and others) and Country Group D:5 (arms embargo countries). Items classified under certain ECCNs require a license for export to D:1 or D:5 countries, while the same items may ship freely to Group A:1 countries (close allies like the UK, Japan, and Australia).

The Entity List adds another layer. If your customer or end-user appears on BIS Entity List, a license is required for any item subject to the EAR — regardless of the ECCN. The Entity List includes hundreds of Chinese entities, particularly in the semiconductor, AI, and aerospace sectors. Huawei and its affiliates were added in 2019, and the foreign direct product rule was extended to cover them in 2020.

For a hardware startup, this means that before you ship internationally — or before you sell to a customer who might re-export your product — you need to screen the end-user against the Entity List and understand the licensing requirements for the destination country. A product that ships freely to Germany may require a license for China, and a product that is EAR99 (no specific license required) may still need a license if the end-user is on the Entity List.

What Enforcement Looks Like: The Seagate Precedent

The consequences of non-compliance are not theoretical. In April 2023, BIS imposed a $300 million civil penalty against Seagate Technology — the largest standalone administrative penalty in BIS history — for selling more than 7.4 million hard disk drives to Huawei in violation of the foreign direct product rule. Seagate continued selling to Huawei after its two competitors had stopped, becoming Huawei sole source provider, and even entered into a Strategic Cooperation Agreement naming Seagate as Huawei strategic supplier. The $300 million penalty was more than twice BIS estimate of Seagate net profits from the illegal exports. The settlement also included a multi-year audit requirement and a five-year suspended Denial Order.

For a hardware startup, the Seagate case illustrates two things. First, BIS enforcement is aggressive and well-resourced, and the penalties can exceed the profits from the violation. Second, the foreign direct product rule extends U.S. export controls to items manufactured abroad using U.S. technology — meaning that even if your product is made overseas, it may still be subject to the EAR if it incorporates U.S.-origin technology or software.

Investors and Export Compliance

Export controls also intersect with fundraising. If you are raising capital from investors with ties to Country Group D:1 nations, you need to consider whether the investor access to your company technical data constitutes a deemed export. Investor information rights — which typically include financial statements, operational metrics, and sometimes technical roadmaps — can trigger export control obligations if the investor is a foreign national from a restricted country and the information shared is controlled technology.

This is not a hypothetical concern. The Committee on Foreign Investment in the United States (CFIUS) has increasingly scrutinized foreign investments in U.S. technology companies, particularly in semiconductors, AI, and critical infrastructure. A hardware startup that accepts investment from a Chinese-affiliated fund without conducting export control due diligence may find itself in violation of the EAR — or facing a CFIUS review that could force unwinding the investment.

As we discussed in our guide to Texas regulatory compliance for startups, multi-jurisdiction compliance requires understanding where each obligation originates — not assuming your product-focused compliance covers your investor relationships.

Practical Compliance Steps for Hardware Startups

  1. Classify your product. Determine whether your item falls under the EAR (identify its ECCN or EAR99 designation) or ITAR (identify the USML category). If classification is ambiguous, request an advisory opinion from BIS or a Commodity Jurisdiction determination from DDTC. This is the foundation of everything else.
  2. Screen your end-users and destinations. Before any international shipment, screen the end-user against the Entity List and verify the destination country group designation. For items controlled for national security reasons, shipments to Country Group D:1 or D:5 may require a license.
  3. Conduct a deemed export audit of your workforce. Identify every foreign-national employee or contractor who has access to controlled technology. For each, determine whether the technology they access is controlled for their country of nationality and whether a deemed export license is required.
  4. Implement export compliance procedures for technical data. Control access to controlled technical data through access controls, ITAR/EAR labeling on documents, and segregated repositories. Not every engineer needs access to every schematic — and for ITAR-controlled data, foreign nationals should not have access until a license is in place.
  5. Review investor relationships for export exposure. If you have foreign investors or are raising from funds with international LPs, assess whether information rights or board access creates deemed export risk. Document your analysis.
  6. Build an Export Compliance Program (ECP). BIS recommends that companies subject to the EAR maintain a written ECP that includes management commitment, risk assessment, export authorization procedures, recordkeeping, training, and auditing. While not legally required for all exporters, a documented ECP is your best defense if BIS initiates an enforcement action.
  7. Consider voluntary self-disclosure for any potential violation. If you discover a potential export control violation, BIS Voluntary Self-Disclosure (VSD) program can significantly reduce penalties. The Seagate case demonstrated the consequences of failing to self-disclose; companies that proactively report violations typically receive substantially mitigated penalties.
  8. Engage export counsel before you ship, hire, or raise. The cost of a pre-shipment export classification and compliance review is a fraction of what a single BIS enforcement action will cost. If you are building hardware in Texas — especially semiconductors, drones, or connected devices — bring counsel into your product roadmap before the first international shipment.

Actionable Next Steps

Export control compliance is not a concern reserved for defense contractors. If you are building hardware in Texas semiconductor, IoT, or drone ecosystem, the EAR and ITAR can reach your product, your engineers, and your investors — and the penalties for getting it wrong are measured in the hundreds of millions. Here is what we recommend you do, in order:

  1. Get an export classification determination for every product you ship internationally. Whether it is an ECCN under the EAR or a USML category under ITAR, you cannot comply with controls you have not identified. If the classification is uncertain, request an advisory opinion.
  2. Audit your workforce for deemed export exposure. Map every foreign-national employee and contractor against the technology they can access. If any access constitutes a deemed export to a Country Group D:1 or D:5 nation, determine whether a license is required before that access continues.
  3. Screen every international customer against the Entity List. Shipping to an Entity List party without a license is a violation regardless of your product ECCN. Build Entity List screening into your sales process.
  4. Review investor agreements for export control provisions. Ensure that information rights, board observer rights, and technical data access do not create deemed export exposure with foreign investors.
  5. Adopt a written Export Compliance Program. BIS expects exporters to have structured compliance programs. A documented ECP is both a compliance tool and a mitigating factor if enforcement action occurs.
  6. Engage counsel before your first international shipment. Export control law is complex, fact-specific, and carries penalties that can exceed your company revenue. The cost of a compliance review is a fraction of the cost of a BIS enforcement action — and far less than the cost of a Denial Order that bars you from exporting at all.

Export controls are not going to loosen. The October 2022 and October 2023 semiconductor rules represent a fundamental shift in how the United States controls advanced technology exports, and enforcement is intensifying. For hardware founders in Texas — operating in one of the country most concentrated semiconductor and hardware ecosystems — export control compliance is not a future concern. It is a current operational requirement that touches product design, hiring, sales, and fundraising. The startups that treat it as a design constraint, not a legal afterthought, will be the ones that scale without regulatory disruption.

Building a semiconductor, drone, or connected device company and unsure whether the EAR or ITAR applies to your product, your engineers, or your investors? We help hardware founders classify their products, audit deemed export exposure, and build export compliance programs before the first international shipment.

Book a consultation