Bosch Pays $43 Million for Illegal Huawei Exports: Lessons on the FDP Rule, Compliance Failures, and Voluntary Disclosure

Bosch agreed to pay more than $43 million in penalties and disgorgement to resolve allegations that it illegally exported products and software to Huawei in violation of U.S. export control laws. The significant enforcement action, announced jointly by the Bureau of Industry and Security (BIS) and the Department of Justice (DOJ), highlights the continuing risks associated with the Foreign Direct Product (FDP) Rule, the consequences of compliance failures involving Entity List parties, and the substantial benefits available to companies that voluntarily disclose violations and undertake meaningful remediation.

The recent enforcement action against Bosch serves as another stark reminder that export control compliance failures can arise not only from intentional misconduct, but also from misunderstandings of complex regulations, inadequate compliance resources, and a failure to challenge incorrect assumptions. In a coordinated resolution announced by BIS and DOJ, Bosch agreed to pay more than $43 million for violations involving exports of products and software to Huawei, while DOJ simultaneously issued the first declination under its revised National Security Division Corporate Enforcement Policy.

The facts underlying the case are particularly instructive. Between 2020 and 2024, Bosch subsidiaries sold approximately $72 million worth of sensors and automotive software to Huawei and affiliated entities that were subject to stringent restrictions under the Export Administration Regulations (EAR). Although the products were classified as EAR99 items, the transactions nevertheless required BIS authorization because Huawei was subject to the Foreign Direct Product Rule.

The Bosch case demonstrates one of the most significant compliance challenges facing multinational companies today: understanding the broad extraterritorial reach of U.S. export controls. Many organizations incorrectly assume that foreign-made products classified as EAR99 fall outside U.S. jurisdiction. The Huawei FDP Rule restrictions fundamentally altered that analysis by imposing licensing requirements on certain foreign-produced items manufactured with specified U.S. software, technology, or production equipment.

According to BIS, Bosch’s compliance failures stemmed largely from a lack of expertise and resources. At the relevant time, Bosch’s U.S. export compliance function consisted of only two employees, with a single individual responsible for advising global business units on U.S. export control requirements. BIS found that compliance personnel repeatedly confused the FDP Rule with the EAR’s De Minimis Rule, resulting in incorrect advice that Huawei-related transactions could proceed without licenses.

Perhaps most troubling was Bosch’s continued reliance on that advice despite multiple warning signs. Suppliers specifically informed Bosch personnel that Huawei transactions implicated the FDP Rule. Contract manufacturers required certifications acknowledging Huawei’s Footnote 1 Entity List status. Industry attention surrounding BIS’s landmark Seagate enforcement action should have prompted additional scrutiny. Yet Bosch continued its sales activities for years without reassessing its legal conclusions.

This aspect of the case carries an important lesson. Compliance programs must not only provide guidance but also establish mechanisms for reviewing, challenging, and updating compliance determinations. When business partners, suppliers, or customers raise concerns regarding regulatory requirements, organizations should treat those concerns as potential red flags requiring escalation and independent review.

The DOJ declination is equally significant. Although Bosch admitted to more than 100 export control violations, DOJ declined criminal prosecution because the company voluntarily disclosed the conduct, fully cooperated with investigators, and implemented substantial remediation measures. According to DOJ, Bosch preserved evidence, proactively disclosed relevant facts, expanded compliance resources, disciplined responsible personnel, and strengthened internal controls.

This declination represents the first application of DOJ’s revised National Security Division Corporate Enforcement Policy and provides a roadmap for companies seeking favorable treatment when compliance failures occur. The message from DOJ is clear: organizations that promptly identify violations, self-disclose, cooperate, and remediate can substantially reduce criminal enforcement risk.

Several practical lessons emerge from the Bosch resolution.

First, companies must ensure that export compliance personnel possess sufficient expertise regarding complex regulatory developments, particularly those involving Entity List restrictions and the FDP Rule.

Second, organizations should periodically reassess prior legal conclusions when regulations evolve or external parties raise concerns.

Third, compliance programs require adequate staffing and resources to support global operations.

Fourth, supplier certifications, customer communications, and industry enforcement actions should be incorporated into ongoing risk assessments.

Finally, companies should recognize the substantial benefits available through voluntary self-disclosure and meaningful cooperation when violations are discovered.

The Bosch enforcement action reinforces a reality that compliance professionals increasingly face: export controls have become one of the most dynamic and aggressively enforced areas of regulatory compliance. As national security concerns continue to drive enforcement priorities, companies operating globally must ensure that their compliance programs are capable of identifying and managing increasingly complex export control risks before they become costly enforcement matters.
