
BIS ENFORCEMENT BRIEFING When EAR99 Isn’t Safe: The Bosch–Huawei export-control case — summary of the U.S. BIS Final Order of 16 June 2026


About this summary. This briefing is drawn from the primary U.S. Bureau of Industry and Security (BIS) documents — the Order, Settlement Agreement and Proposed Charging Letter. It describes a settled civil enforcement action in which Bosch admitted the conduct. The suppliers referred to as “Company One” through “Company Five” are anonymized in the originals and are not accused of any wrongdoing — several of them in fact flagged the export-control issue. Individuals are referred to only by role and are not identified here.


At a glance

On 16 June 2026, BIS issued a final Order settling 109 violations of the U.S. Export Administration Regulations (EAR) by Robert Bosch GmbH. Between September 2020 and September 2024, two Bosch subsidiaries exported approximately US$72,369,361 of EAR99-classified products from outside the United States to Huawei — a party on the U.S. Entity List — without the licenses required by the Foreign-Produced Direct Product (FDP) Rule. Bosch admitted the conduct, agreed to a US$36,184,680 civil penalty, and had voluntarily disclosed the matter to the U.S. government.

The parties

Robert Bosch GmbH, headquartered in Stuttgart, is the respondent. The conduct involved two wholly-owned German subsidiaries: Bosch Sensortec GmbH (BST), which makes MEMS sensors, and ETAS GmbH, whose CycurHSM product is automotive security firmware. The buyer was Huawei Technologies Co., Ltd. and its affiliates, including Huawei Tech. Investment Co., Ltd. (Hong Kong); Huawei has been on the U.S. Entity List since 2019.

The documents also reference five suppliers, anonymized as “Company One” to “Company Five.” These are third parties, and none is accused of any violation. To the contrary, several raised the export-control issue with Bosch — one warned BST in writing, one required a compliance certification, and one declined to supply for Huawei (see below).

Why EAR99 goods were caught — the FDP Rule

The sensors and the CycurHSM software were classified EAR99, a category that is normally low-control. They became “subject to the EAR” under the FDP Rule because the equipment used to produce them — epitaxy machines, ASIC production tooling and test microcontrollers — was itself a direct product of U.S.-origin technology or software. Because Bosch knew that Huawei was the buyer (the regulatory “knowledge” element), each shipment required a BIS license. The records indicate Bosch did not obtain one, having erroneously concluded the rule did not apply — not that Bosch knew a license was required and proceeded regardless.

The conduct

Across 103 occasions, BST exported approximately US$70,423,230 of BST Sensors to Huawei; across six occasions, ETAS exported approximately US$1,946,131 of CycurHSM software and updates — 109 shipments in total, approximately US$72,369,361, between 16 September 2020 and 26 September 2024. Bosch admitted committing this conduct as part of the settlement.

Compliance failures and missed warnings

BIS attributed the violations to compliance shortcomings rather than deliberate evasion. In August 2020, as the FDP Rule was expanded, an internal email from a Germany-based trade-compliance employee wrongly advised that BST’s products were not affected — conflating the De Minimis Rule (which turns on incorporated U.S.-origin content) with the FDP Rule (which turns on the technology, software and equipment used to produce an item). BST relied on that advice for more than four years, despite a series of indications that it was wrong, including:

•     a September 2020 written warning from an outsourced assembly-and-test provider (“Company Four”) that its equipment triggered the FDP Rule;

•     a February 2021 end-user certification request from an equipment supplier (“Company One”) acknowledging the FDP-Rule licensing requirement;

•     internal U.S. trade-compliance guidance in 2023 flagging that the rule could apply; and

•     a June 2023 refusal by a prospective supplier (“Company Five”) to supply for Huawei, citing the FDP Rule and BIS’s US$300 million 2023 penalty against Seagate Technology LLC and its Singapore affiliate.

These third-party communications were attempts to comply; the documents do not allege wrongdoing by any of those companies.

Bosch’s response and remediation

Upon identifying the conduct, Bosch halted the related transactions, engaged external counsel to review the matter, and filed a voluntary self-disclosure with BIS. Bosch cooperated with the investigation and implemented remedial measures, including adding 66 employees to its trade-compliance organization, expanding its U.S. trade-compliance resources, and updating internal policies and procedures.

The outcome

BIS assessed a civil penalty of US$36,184,680, of which US$3,601,029 is suspended as credit for disgorgement under a parallel resolution with the U.S. Department of Justice (DOJ). In that companion resolution, Bosch agreed to disgorge approximately US$11,430,098 in pre-tax profits, and the DOJ’s National Security Division declined to prosecute — its first corporate declination under the Department’s Corporate Enforcement Policy — citing Bosch’s voluntary self-disclosure, cooperation and remediation, and the absence of aggravating factors. BIS’s Assistant Secretary for Export Enforcement, David Peters, said Bosch “had several opportunities to avoid these violations” and framed the action as both a warning and an example of the benefits of voluntary self-disclosure.

Why it matters

An EAR99 classification is not a safe harbour, and Entity List screening alone is not enough. The FDP Rule can bring foreign-made goods — produced and shipped entirely outside the United States, and sold by a non-U.S. affiliate — within U.S. jurisdiction through the U.S.-origin technology, software or equipment used to make them. For companies with global production networks, the practical lessons are to analyse FDP-Rule exposure across subsidiaries, suppliers and product lines; to document that analysis; and to escalate and act on third-party warnings.

Important clarifications

•     Settled matter, admitted conduct. This was a civil settlement; Bosch admitted the conduct and BIS did not litigate the charges. The DOJ resolution reflects that the conduct was not found to be willful.

•     Suppliers are not accused. “Company One”–“Company Five” are anonymized third parties. None is charged with any violation, and several raised the export-control issue with Bosch.

•     Seagate reference. Seagate Technology LLC and its Singapore affiliate settled a separate US$300 million BIS penalty in 2023; it appears here only because a supplier cited it to Bosch.

•     Individuals. The internal Bosch personnel described in the source are referred to only by role and are not identified in this summary.

Key references & sources

All references below are official U.S. Government publications (BIS, the U.S. Department of Justice, the Federal Register and the e-CFR).

PRIMARY DOCUMENTS — THIS CASE

•     BIS Final Order — Robert Bosch GmbH (Order, Settlement Agreement & Proposed Charging Letter), 16 June 2026  — bis.gov

•     BIS press release — “Robert Bosch GmbH to Pay $36 Million Penalty”  — bis.gov

•     U.S. DOJ, National Security Division — executed declination letter  — justice.gov

THE RULES THAT APPLY

•     Foreign-Direct Product (FDP) Rule — 15 CFR § 734.9 (regulation text)  — e-CFR

•     FDP Rule — BIS reference page for § 734.9  — bis.gov

•     FDP Rules: Organization, Clarification, and Correction — Final Rule (2022)  — Federal Register

•     Entity List — 15 CFR Part 744 (incl. Supplement No. 4)  — e-CFR

•     Export Administration Regulations (EAR) — overview  — bis.gov

•     Determine what is “subject to the EAR”  — bis.gov

ENFORCEMENT & VOLUNTARY DISCLOSURE

•     BIS — Voluntary Self-Disclosure  — bis.gov

•     U.S. DOJ — Reporting Voluntary Self-Disclosures of National-Security Violations  — justice.gov

•     Seagate Technology — $300 million FDP-rule penalty (2023), the precedent cited in the Order  — bis.gov

 
