DOJ’s National Security Division Announces First Declination Under New Corporate Enforcement Policy With Parallel BIS Settlement

On June 17, 2026, the U.S. Department of Justice’s (DOJ( National Security Division (NSD) announced that it had issued a declination for Robert Bosch GmbH (Bosch) relating to potential violations of the Export Control Reform Act, 50 U.S.C. § 4819 (ECRA). Specifically, the DOJ declined to criminally prosecute Bosch’s violations of the Export Administration Regulations’ (EAR) Foreign Direct Product Rule (FDPR), which apparently resulted from two Bosch subsidiaries’ export of products and software manufactured with equipment that was the direct product of U.S. software or technology to Huawei Technologies Co., Ltd. and its “Entity List” affiliates, including Huawei Tech. Investment Co., Ltd., Hong Kong (collectively, Huawei). The same day, the U.S. Department of Commerce Bureau of Industry and Security (BIS) announced a parallel civil administrative settlement with Bosch.

This is the first time that NSD has declined the prosecution of a company under the department-wide Corporate Enforcement Policy (CEP) released by DOJ on March 10, 2026. Assistant Attorney General for National Security John A. Eisenberg underscored the benefits that may inure to companies that voluntarily disclose potential violations to the DOJ, remarking that “[t]his declination reflects the clear benefits for companies that promptly disclose potential violations and fully assist in our investigations.”

Bosch’s Alleged Violations

Bosch is a German-based technology and services company. Between September 2020 and September 2024, Bosch, through two non-U.S. subsidiaries — Bosch Sensortec GmbH (BST) and ETAS GmbH (ETAS) — exported over $70 million worth of foreign-produced Micro-Electro-Mechanical Systems sensor products and CycurHSM software to Huawei without a requisite license or authorization from BIS. As a result, Bosch made approximately $11.4 million in pre-tax profits.

NSD’s Declination

Upon discovering these unauthorized exports, Bosch conducted an internal investigation and voluntarily self-disclosed the matter to NSD and BIS. NSD ultimately declined to prosecute the matter, citing the following factors under the CEP: (1) Bosch’s timely voluntary self-disclosure; (2) Bosch’s cooperation in NSD’s investigation, including provision of relevant facts and documents, and prompt, voluntary responses to requests; (3) Bosch’s remediation efforts, including the addition of 66 employees to its trade compliance organization, the expansion of its U.S. trade compliance resources, and updates to internal policies and procedures; and (4) the adequacy of the BIS civil penalty.

NSD’s declination is conditioned upon Bosch’s disgorgement of the $11.4 million in pre-tax profits.

Parallel BIS Enforcement Action

In a concurrent enforcement action, BIS alleged Bosch engaged in 109 violations of the EAR connected to its export of sensor products and software to Huawei. BIS determined that BST’s trade compliance personnel “did not have sufficient expertise or resources” to address the FDPR, culminating in an employee erroneously advising management that BST products were not subject to the FDPR restrictions. 

Critically, the BIS charging letter documented a pattern of repeated missed opportunities: between 2020 and 2024, at least five separate third-party companies warned Bosch or BST about the potential applicability of the FDPR — including through compliance certifications, direct correspondence, and, in one instance, an explicit reference to the $300 million penalty BIS imposed on Seagate Technology LLC for similar Huawei-related FDPR violations. In each case, BST personnel either dismissed the warnings or failed to follow up. 

In one notable instance, a senior BST manager deflected a request for information from Bosch’s own U.S. trade compliance team, citing a “dire allocation situation,” and a BST managing director instructed the same BST manager to “make sure that answers here are controlled by you” when internal compliance guidance was flagged as potentially relevant. Separately, Bosch trade compliance personnel erroneously concluded that the FDPR applied only to physical goods and not to software, leading to incorrect advice that the FDPR restrictions did not apply to ETAS’s CycurHSM automotive firmware.

On June 16, 2026, BIS and Bosch entered into a settlement agreement to resolve these violations.  Under the agreement, Bosch agreed to pay a civil penalty in the amount of $36,184,680, which was half the total revenue generated from these sales. In the settlement, BIS credited Bosch for (1) immediately halting related transactions upon identification of the conduct; (2) timely filing a voluntary self-disclosure; (3) fully cooperating with BIS’s Office of Export Enforcement; and (4) dedicating significant resources to remediation. Though not explicitly stated, BIS’s confirmation that Bosch made a voluntary self-disclosure and the total penalty amount suggests that BIS did not treat Bosch’s violations as “egregious” under the BIS Penalty Guidelines. 

What Companies Can Learn From DOJ’s and BIS’ Continued Focus on Export Controls

The parallel DOJ and BIS resolutions with Bosch offer several takeaways for companies, particularly foreign technology companies and manufacturers that use equipment or technology with a U.S. origin:

• Voluntary self-disclosure remains the clearest path to a favorable outcome. Bosch’s voluntary self-disclosure, full cooperation, and timely remediation qualified it for a declination under DOJ’s CEP given the absence of aggravating circumstances. BIS credited similar facts in its settlement agreement with the company, which likely lead to a “non-egregious” BIS settlement. To minimize potential penalties, companies that discover potential export controls violations should retain counsel familiar with export controls and national security matters so they may consider whether to self-disclose to one or both of DOJ and BIS and any potential cooperation.
• Companies should treat third-party warnings regarding export controls and supplier compliance certifications as actionable red flags. The Bosch case illustrates that dismissing warnings from suppliers, contract manufacturers, and even a company’s own internal compliance personnel — particularly when those warnings reference known enforcement precedents — can significantly compound a company’s exposure. Companies should establish procedures to escalate and independently evaluate third-party communications about compliance and export controls rather than relying on prior internal guidance that may be outdated or erroneous. A better practice would be assessing the validity of such communications on a case-by-case basis.
• The FDPR applies broadly, including to non-U.S. manufacturers, and noncompliance may lead to criminal enforcement. Notably, this appears to be the first enforcement action by DOJ involving the FDPR. The FDPR imposes a license requirement on foreign-produced items (including commodities, software, and technology) when (a) the “product scope” is met; and (b) the “end user/destination/end use” scope is met. The “product scope” is met if the items involved are a certain Export Control Classification Number (ECCN) and they are either (i) the direct product of certain pre-described software or technology that is subject to the EAR (including if via the de minimis rule) or (ii) they are produced by any plant or major component of a plant (e.g., testing equipment) where the plant or major component of the plant is the direct product of certain pre-described U.S.-origin technology or software. The “end user/destination/end use” is met if there is knowledge (including reason to know) the relevant end user, destination, or end use is involved. There are 11 active iterations of the FDPR, but most include end users, destinations, or end uses that involve Chinese persons on the Entity List, Russia, Belarus, Crimea, or Iran, and/or end uses involving advanced computing, supercomputers, semiconductor manufacturing equipment, military, or space items (often with the last five focused on China or other arms-embargoed countries). As the Bosch settlement and declination demonstrate, the FDPR does not turn on whether a product contains U.S.-origin content; it turns on whether U.S.-origin technology and equipment are used in the production process. In other words, U.S. export controls may apply to an entirely foreign-made product if U.S. software or technology is used to make the product, even if no components are from the United States. The FDPR has a broad reach and non-U.S. companies should review their manufacturing processes and technology to determine if the FDPR applies to their products, including through the use of U.S. software or technology.
• There are multiple extraterritorial export controls that might apply to a company. BIS explained in the settlement that one of the errors Bosch made was in commingling the concept of the de minimis rule, which depends on a certain amount of incorporated controlled U.S. origin content, with the FDPR. The de minimis rule is a different but important way that BIS can assert jurisdiction over an item, but it is distinct from the FDPR. Companies should be aware of the differences between the de minimis rule and the FDPR and how to look for both.
• Export controls training must keep pace with regulatory changes. The BIS settlement highlighted the inadequate resources and lack of understanding of changing U.S. export regulations and enforcement within Bosch’s trade compliance team as direct contributors to the ongoing violations. In addition to adequately staffing trade compliance functions, companies should invest in periodic, substantive U.S. export controls training, particularly: (1) for complicated and changing areas like the FDPR and BIS enforcement actions; (2) if they have regular dealings with parties on U.S. restricted party lists such as the Entity List; and (3) when dealing in critical technology areas such as semiconductors, artificial intelligence, quantum computing, and advanced computing.

Crowell & Moring can assist companies in reviewing, strengthening, and updating export control compliance programs, navigating the complexities of the FDPR, and providing guidance related to potential violations and voluntary self-disclosures involving national security matters.