Inferensys

Guide

How to Navigate Export Controls for AI Hardware and Software

A technical guide for developers and engineering leads to classify AI technology, apply for licenses, and design compliant supply chains under international export controls like the U.S. EAR and EU Dual-Use Regulation.
Get in touchLearn more
Supply chain manager using AI negotiator on laptop, supplier data visible, casual office afternoon setup.

A practical framework for understanding and complying with international export regulations on advanced AI technologies.

Export controls are legal restrictions on the international transfer of sensitive technologies, including advanced AI chips, foundational models, and specialized training software. Key regimes are the U.S. Export Administration Regulations (EAR) and the EU's Dual-Use Regulation. These rules exist to prevent strategic technologies from being used by adversarial nations for military or surveillance purposes. Your first step is conducting a technology classification to determine if your AI components fall under a controlled category, such as ECCN 3A090 for high-performance computing chips.

Navigating controls requires a proactive strategy: apply for an export license if needed, design compliant supply chains that avoid restricted entities and regions, and establish trusted partner networks. Mitigation includes using alternative hardware stacks not subject to controls and implementing strict end-use monitoring. For deeper context on building resilient, localized technology stacks, see our guides on Sovereign AI Cloud Architecture and managing AI Supply Chain Risks.

FOUNDATIONAL KNOWLEDGE

Key Concepts: Export Control Frameworks

Understanding these core frameworks is the first step to building compliant AI supply chains and avoiding severe legal penalties.

01

U.S. Export Administration Regulations (EAR)

The EAR is the primary U.S. framework controlling the export of dual-use items, including advanced AI chips and software. It is administered by the Bureau of Industry and Security (BIS).

  • Commerce Control List (CCL): AI hardware like NVIDIA's A100/H100 GPUs and certain training software are listed here under Export Control Classification Numbers (ECCNs).
  • Foreign Direct Product Rule (FDPR): Extends controls to foreign-made items that are the direct product of U.S. technology or software, impacting global supply chains.
  • Entity List: Specifies foreign companies, universities, or persons restricted from receiving U.S. exports without a license.
EXPLORE
02

EU Dual-Use Regulation

The EU's framework regulates the export, transit, and brokering of dual-use items within its member states. It aims to harmonize controls across Europe while allowing for national additions.

  • Annex I: The EU's control list, aligned with international regimes like the Wassenaar Arrangement. It includes specific entries for "software" and "technology" for the "development" or "production" of items like intrusion software or surveillance systems.
  • General Export Authorizations (GEAs): Simplify exports to certain trusted destinations, but national controls can impose stricter rules on AI items deemed critical for security.
  • Due Diligence: Exporters must screen end-users and end-uses to prevent diversion to weapons of mass destruction programs.
EXPLORE
03

Technology Classification (ECCN Determination)

The foundational step is classifying your AI technology. An incorrect classification can lead to illegal exports.

  1. Review the CCL/Annex I: Match your item's technical parameters (e.g., chip performance in TeraFLOPS, software functionality) against the control lists.
  2. Apply the Order of Review: Determine if your item is specifically listed. If not, evaluate under general categories for "software" or "technology."
  3. Seek a Commodity Jurisdiction (CJ): For ambiguous items, you can formally request a classification ruling from BIS (U.S.) or your national authority.
  • Example: AI training software designed to autonomously optimize chip manufacturing may be controlled under ECCN 3D006.
EXPLORE
04

De Minimis and Foreign-Direct Product Rules

These rules determine when non-U.S.-origin items are still subject to U.S. controls, a critical concept for global AI hardware manufacturing.

  • De Minimis Rule: If a foreign-made item contains more than a specified percentage (often 25%) of U.S.-origin controlled content by value, it may become subject to the EAR.
  • Foreign Direct Product (FDP) Rules: More expansive. They control foreign-made items that are the direct product of U.S.-origin technology or software, or produced by a plant that is itself a direct product. This is how U.S. controls can apply to chips made in Taiwan or South Korea.
  • Entity List FDP Rule: A specific, stringent rule that can restrict any item produced using U.S. technology from being sold to a listed entity.
EXPLORE
05

License Exceptions vs. Export Licenses

Not all exports require a full license application. Understanding the exceptions is key to efficient operations.

  • License Exceptions: Pre-authorizations for specific scenarios. For AI, relevant exceptions may include:
    • ENC (Encryption Commodities and Software): For certain mass-market encryption software.
    • TSU (Technology and Software Unrestricted): For the release of "technology" or "source code" via teaching or conference.
  • Export Licenses: Required when no exception applies. The process involves:
    1. Detailed technical disclosure.
    2. End-use and end-user statements.
    3. Government review, which can take weeks or months and may be denied.
  • Deemed Export: Releasing controlled technology to a foreign national within your country is deemed an export to that person's home country.
06

Compliance Program Essentials

A robust internal compliance program is your best defense against violations. Core elements include:

  • Management Commitment: Documented policy and dedicated resources.
  • Risk Assessment: Regularly classify products and screen customers/partners against denied parties lists.
  • Training: Mandatory for all employees in engineering, sales, and shipping.
  • Recordkeeping: Maintain all classification determinations, license applications, and shipping documents for five years.
  • Audits: Conduct internal or third-party audits to test the program's effectiveness.
  • Mitigation Strategy: Design your AI stack with export controls in mind, such as using alternative hardware stacks or establishing trusted partner networks within allowed regions, as detailed in our guide on How to Manage AI Supply Chain Risks with Localized Sourcing.
FOUNDATIONAL FRAMEWORK

Step 1: Classify Your AI Technology

The first and most critical step in navigating export controls is to accurately determine the regulatory classification of your AI technology. This classification dictates which licenses you need and which countries you can ship to.

Begin by mapping your technology against the relevant control lists. For U.S. exports, this is the Commerce Control List (CCL) under the Export Administration Regulations (EAR). Key categories for AI include ECCN 3A090 for high-performance AI chips and ECCN 3D001/3E001 for related software and technology. For the EU, consult the EU Dual-Use Regulation list. You must classify not just hardware but also foundational models, training software, and the underlying technical data ('technology') that enables development or production. Misclassification is the most common and costly mistake.

To classify, answer these questions: What is the performance threshold (e.g., Total Processing Performance or TPP for chips)? What is the intended end-use? Who is the end-user? Use tools like the U.S. BIS SNAP-R platform or consult a specialized legal firm. This classification forms the basis for your license determination (NLR, License Exception, or formal application) and informs your entire compliant supply chain design. Proper classification is non-negotiable for legal operations and is the first pillar of a sovereign AI strategy.

COMPLIANCE ARCHITECTURE

Mitigation Strategies: Technical Alternatives

Comparison of technical approaches to design AI systems that comply with export controls by reducing dependency on restricted components.

Technical FeatureAlternative Hardware StackSoftware Substitution & ObfuscationTrusted Partner Network Model

Core Compute (e.g., NVIDIA A/H100)

Use non-restricted chips (e.g., AMD Instinct MI300, Intel Gaudi 3, Cerebras CS-3)

Implement model parallelism to distribute load across lower-tier GPUs

Access compliant hardware via accredited partners in allowed regions

Training Framework Control

Switch to open-source frameworks (e.g., PyTorch, JAX) with custom kernels

Obfuscate sensitive algorithmic code; use runtime encryption

License pre-trained base models from allied-nation providers (e.g., Mistral AI)

Model Weights Export Risk

Implement model quantization & pruning to reduce strategic value

Serve via encrypted API endpoints; never transfer raw weights

Establish a federated learning consortium within allowed jurisdictions

Performance Impact

~15-40% slower training time on alternative hardware

< 5% inference latency overhead for obfuscation layers

Variable; depends on partner network latency and bandwidth

Compliance Verification

Hardware attestation via TPM/SEV; maintain auditable Bill of Materials (BOM)

Generate software attestations and activity logs for regulators

Rely on partner's certified infrastructure and audit reports

Implementation Complexity

High (requires porting and optimization for new silicon)

Medium (integrates into existing CI/CD and MLOps pipelines)

Low to Medium (contractual and integration overhead)

Strategic Resilience

High (reduces single-vendor and geopolitical lock-in)

Medium (adds a layer of protection but doesn't eliminate core dependency)

High (builds redundant, jurisdictionally compliant capacity)

Cost Impact

Higher CapEx for new hardware; potential long-term savings

Low OpEx for software tools; potential development cost

Recurring OpEx for partner services; shared infrastructure costs

EXPORT CONTROL NAVIGATION

Tools and Resources

These tools and frameworks help you classify technology, apply for licenses, and build compliant AI supply chains under U.S. EAR, EU Dual-Use, and other international regulations.

01

U.S. Export Administration Regulations (EAR) Commerce Control List (CCL)

The Commerce Control List (CCL) is the primary tool for classifying AI hardware and software under U.S. law. You must map your technology to an Export Control Classification Number (ECCN). For AI, key categories include:

  • ECCN 3A090: Advanced computing integrated circuits (e.g., NVIDIA A100, H100).
  • ECCN 3D001 & 3E001: Software and technology for the development or production of controlled chips.
  • ECCN 4A003 & 4D001: Computers and software for information security.

Use the Bureau of Industry and Security (BIS) website to search the CCL and determine if your item requires a license for export to specific countries.

EXPLORE
02

EU Dual-Use Regulation Control List

The EU Dual-Use Regulation maintains a harmonized list of controlled items, aligned with international regimes like the Wassenaar Arrangement. For AI, focus on:

  • Category 4 - Computers: Controls on computing equipment, electronic assemblies, and related software.
  • Category 5 - Telecommunications and Information Security: Covers cryptology and systems designed to defeat intrusion detection.
  • General Software Note: Understand exclusions for "mass market" software and encryption.

Conduct a technology classification against the EU list. If your item is controlled, you must apply for an export license from the competent authority in your EU member state.

EXPLORE
03

Automated Export System (AES) & SNAP-R

For U.S. exporters, these are the mandatory platforms for filing and licensing.

  • Automated Export System (AES): File Electronic Export Information (EEI) for shipments. Required for most exports where a license is needed.
  • Simplified Network Application Process - Redesign (SNAP-R): The online portal to submit export license applications, commodity classification requests, and license exception notifications to BIS.

Integrating these systems into your supply chain workflow is critical for compliance. Failure to file in AES can result in significant penalties.

EXPLORE
04

Denied Persons & Entity Lists Screening

You must screen all parties in your transaction against government lists of restricted entities. This is a core Know Your Customer (KYC) requirement.

  • U.S. Consolidated Screening List (CSL): Aggregates lists from BIS, OFAC, and others.
  • EU Sanctions Map: Provides details on EU restrictive measures.

Automate this screening using compliance software or APIs. A single transaction with a listed party can lead to severe penalties, even if the underlying technology is not controlled. This is a key step in designing a compliant supply chain.

EXPLORE
05

Technology Classification Frameworks

Use a structured framework to systematically classify your AI assets. This involves:

  1. Product Teardown: Document technical specifications (e.g., chip performance in Total Processing Performance, Interconnect Bandwidth).
  2. Software Analysis: Review source code and capabilities against control list descriptions.
  3. Jurisdictional Analysis: Determine if U.S.-origin content is present, triggering de minimis and foreign direct product rule considerations.

Create an internal Technology Control Plan (TCP) that documents classification decisions, access controls, and training procedures for engineers. This plan is your first line of defense in an audit.

06

Mitigation: Alternative Hardware & Sovereign Stacks

When export controls block access to preferred technology, implement mitigation strategies:

  • Alternative Hardware: Evaluate chips from vendors in allied nations (e.g., Groq, Cerebras, or European initiatives) not subject to the same controls.
  • Sovereign AI Stacks: Adopt full-stack solutions from sovereign cloud providers that guarantee compliance with local regulations, such as OVHcloud or Scaleway in Europe.
  • Trusted Partner Networks: Establish development and testing partnerships within allowed regions to keep sensitive work onshore.

These strategies reduce single-point-of-failure risks and align with the principles of geopatriation and localized cloud migration.

Enabling Efficiency, Speed & Accuracy

Intelligent Analysis, Decision & Execution

We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.

Talk to Us

Search across company data

Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.

Useful when people spend too long searching or get different answers from different systems.

Enterprise searchRAGPermissions
Read more

Automate internal workflows

Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.

Useful when repetitive work moves across multiple tools and teams.

AI agentsWorkflow automationGovernance
Read more

Add AI to products and internal tools

Build assistants, guided actions, or decision support into the software your team or customers already use.

Useful when AI needs to be part of the product, not a separate tool.

AI integrationDecision supportModel routing
Read more
EXPORT CONTROLS

Common Mistakes

Navigating export controls for AI is a complex, high-stakes compliance task. Developers and engineering leads often stumble on the same technical and procedural pitfalls. This section addresses the most frequent mistakes and provides clear, actionable guidance to avoid them.

The U.S. Export Administration Regulations (EAR) control the export of dual-use items—goods and software with both civilian and military applications. For AI, this includes specific high-performance computing chips, foundational models above certain parameter thresholds, and training software designed for these items.

Classification is the first critical step. You must determine the Export Control Classification Number (ECCN) for your hardware or software. Common mistakes include:

  • Assuming open-source models are exempt: The underlying technology, not the distribution model, determines control. A model's architecture or training software may still be controlled.
  • Misclassifying 'technology': The EAR controls not just physical goods but also the "technology" (e.g., blueprints, engineering knowledge) required for their "development," "production," or "use." Sharing model weights or training methodologies can be an export.
  • Ignoring the 'Foreign-Produced Direct Product Rule': Items manufactured abroad using U.S.-origin technology or software may still be subject to the EAR.

Start by consulting the Commerce Control List (CCL), specifically Category 3 (Electronics) and Category 4 (Computers), and seek legal counsel for a formal classification.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.

LinkedIn
Limited slotsGet a Free AI Consultation

Partnered with leading AI, data, and software stack.

OpenAI
OpenAI
ChatGPT
ChatGPT
Claude
Claude
Anthropic
Anthropic
Google Gemini
Microsoft Azure
Microsoft Azure
Microsoft Copilot
Microsoft Copilot
Meta Llama
Meta Llama
Mistral AI
Mistral AI
LangChain
LangChain
LangGraph
LangGraph
AWS
OpenAI
OpenAI
ChatGPT
ChatGPT
Claude
Claude
Anthropic
Anthropic
Google Gemini
Microsoft Azure
Microsoft Azure
Microsoft Copilot
Microsoft Copilot
Meta Llama
Meta Llama
Mistral AI
Mistral AI
LangChain
LangChain
LangGraph
LangGraph
AWS
OpenAI
OpenAI
ChatGPT
ChatGPT
Claude
Claude
Anthropic
Anthropic
Google Gemini
Microsoft Azure
Microsoft Azure
Microsoft Copilot
Microsoft Copilot
Meta Llama
Meta Llama
Mistral AI
Mistral AI
LangChain
LangChain
LangGraph
LangGraph
AWS
Google Cloud
Google Cloud
Salesforce
ServiceNow
Snowflake
Snowflake
Databricks
Databricks
Postgres
Postgres
Pinecone
Pinecone
Elastic
Elastic
HubSpot
HubSpot
Slack
Slack
Jira
Jira
Stripe
Google Cloud
Google Cloud
Salesforce
ServiceNow
Snowflake
Snowflake
Databricks
Databricks
Postgres
Postgres
Pinecone
Pinecone
Elastic
Elastic
HubSpot
HubSpot
Slack
Slack
Jira
Jira
Stripe
Google Cloud
Google Cloud
Salesforce
ServiceNow
Snowflake
Snowflake
Databricks
Databricks
Postgres
Postgres
Pinecone
Pinecone
Elastic
Elastic
HubSpot
HubSpot
Slack
Slack
Jira
Jira
Stripe

How We Work

Custom AI workflows for your Business

One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.

01

Review the use case

We understand the task, the users, and where AI can actually help.

Read more

02

Pick the right approach

We define what needs search, automation, or product integration.

Read more

03

Build the first useful version

We implement the part that proves the value first.

Read more

04

Improve from there

We add the checks and visibility needed to keep it useful.

Read more

The first call is a practical review of your use case and the right next step.

Talk to Us