Export Controls · EAR · BIS · AI Hardware

IOR and US Export Controls: What Importers Need to Know About EAR and BIS

Export controls sound like a problem for the company doing the shipping. The importer just receives the goods. In practice, Importer of Record providers sit inside the compliance chain for US-controlled technology, not outside it. Entity List screening, product classification, the Foreign Direct Product Rule, and red flag awareness are part of IOR due diligence on advanced technology shipments. This article explains how US Export Administration Regulations touch IOR operations, what the current AI chip control framework means for data center imports, and what TFTIOR checks before accepting controlled technology.

Veyis Taskin Founder & CEO, TFTIOR · LinkedIn · Published May 2026

Why Export Controls Touch IOR Operations

The standard picture of export controls goes like this: the exporter applies for a license, BIS reviews the application, the license is granted or denied, and the goods move or they do not. The importing side receives the goods and is not really part of the story.

That picture is incomplete, and in practice it misses where the compliance risk actually sits for an IOR provider.

Three things change the picture. The first is facilitation liability. US law prohibits knowingly facilitating an export transaction that violates EAR, regardless of whether you are the named exporter. If an IOR provider accepts a shipment of advanced AI hardware bound for an Entity List party, without checking, the fact that the export license obligation sat with the shipper does not automatically resolve the IOR's exposure.

The second is the Foreign Direct Product Rule. Products manufactured entirely outside the United States can still be subject to US export jurisdiction if they were produced using US-origin technology, software, or manufacturing equipment controlled under EAR. Servers built in Taiwan, AI accelerators assembled in South Korea, networking equipment manufactured in Europe these can all fall under EAR depending on the specific manufacturing chain and destination. The IOR in the receiving country is part of that transaction.

The third is documentation accountability. The IOR controls the import-side documentation file. If a shipment of controlled goods arrives with a product description that does not reflect the actual classification of the hardware, and the IOR accepted and declared it, the IOR has a compliance problem that is difficult to separate from the broader export control violation.

None of this means an IOR provider is responsible for determining export license requirements that is the exporter's obligation. What it means is that IOR providers handling advanced technology are inside the compliance chain, not watching from a distance.

EAR: The Framework IOR Providers Need to Understand

The Export Administration Regulations (EAR), codified at 15 C.F.R. Parts 730 through 774, are administered by the Bureau of Industry and Security (BIS) within the US Department of Commerce. They govern the export, re-export, and in-country transfer of a defined list of dual-use goods, software, and technology.

The controlled list is the Commerce Control List (CCL), organized by Export Control Classification Numbers (ECCNs). Each ECCN describes a category of goods, software, or technology and specifies which destinations require a license and for what reasons. Items not listed on the CCL fall into a catch-all category: EAR99. EAR99 goods can generally move without a license to most destinations, but not all EAR99 items cannot go to sanctioned countries, Entity List parties, or be used in certain prohibited end-uses even without an ECCN license requirement.

The EAR enforcement mechanisms that matter most for IOR operations:

This is the framework IOR providers are operating inside when they accept shipments of servers, networking hardware, AI accelerators, or telecom equipment that originates from or was manufactured using US-origin technology.

The Foreign Direct Product Rule and Non-US IOR Providers

The Foreign Direct Product Rule is the provision that most surprises IOR providers outside the United States. The intuitive assumption is that a shipment from Germany to Saudi Arabia, manufactured in South Korea, has nothing to do with US export law. In many cases that assumption is correct. In others it is not, and the consequences of getting it wrong are real.

The FDPR, first established in 1959 and substantially expanded in 2020, 2022, and 2023, extends US export jurisdiction to foreign-made items if those items are the direct product of US-origin technology or software controlled under EAR, or if they were produced on equipment that is itself a direct product of controlled US technology. In practice, this means that a product manufactured in Taiwan using US semiconductor fabrication equipment, or designed using US-origin electronic design automation software listed on the CCL, may be subject to EAR restrictions when it is re-exported to a restricted destination even if it never touched US soil.

For advanced semiconductor and AI hardware specifically, the FDPR has become the primary tool BIS uses to extend control beyond the US border. High-end GPUs and AI accelerators manufactured in Taiwan by TSMC on behalf of US chip companies are subject to FDPR coverage. A shipment of those chips from Singapore to a restricted destination is an EAR re-export, not a transaction that the US lacks jurisdiction over simply because Singapore is the shipping point.

IOR providers in Europe, the Middle East, Southeast Asia, and Central Asia who handle data center and AI hardware imports should not assume that the country-of-export field on the shipping documents defines whether EAR applies. The relevant question is whether the goods are US-origin, or are the product of US-controlled manufacturing technology, and whether the destination and end user are within the scope of current EAR restrictions.

AI Chip Controls: What Changed and What It Means for IOR

Before October 2023, US export controls on advanced semiconductors applied to chips above a specific threshold of computing performance and data transfer capability, with China and a small number of other destinations as the primary targets. The framework had gaps. Chips slightly below the threshold could be aggregated in large numbers to build AI capability that approached what the controlled chips could do. Data centers in restricted countries were exploiting the gap.

The October 2023 BIS rule closed that gap and extended the reach of controls significantly. The revised framework introduced ECCN 3A090 for advanced integrated circuits above new, tighter performance thresholds, and added a broader set of destinations to the licensing requirements. The rule was not only about China. It created a tiered structure affecting a range of countries in ways that required IOR providers in those regions to take notice.

The practical question for IOR operations: if you are importing advanced AI accelerators, high-performance GPUs, or custom AI compute modules into any country outside the United States, that hardware may be subject to EAR licensing requirements depending on the destination and the end user. The list of affected destinations and the specific performance thresholds that trigger controls have continued to evolve since October 2023. As of May 2026, the Biden-era AI Diffusion Rule has been rescinded, but controls on advanced computing hardware continue through ECCN-specific licensing, the FDPR, and end-use and end-user restrictions. The current framework should be confirmed with qualified US export counsel rather than assumed from any static source, including this one.

What is not going to change is the structure of the problem. Advanced AI infrastructure hardware is now a controlled technology category under US export law. IOR providers importing that category of hardware across international borders are handling goods that sit inside the EAR framework, and their documentation and screening practices need to reflect that.

Red Flags: What IOR Providers Are Looking For

BIS publishes a specific red flag list in 15 C.F.R. Part 732, Supplement 3. These are not abstract compliance concepts invented by lawyers. They are patterns that appear in real transactions involving controlled goods diversion, documented across BIS enforcement cases.

The red flags relevant to IOR operations include:

• A customer or consignee who is reluctant to provide information about the intended use of the goods, the destination, or the end user
• A delivery address that does not match the business type of the consignee a residential address for a server cluster, or a forwarding address for equipment with no obvious downstream destination
• Requests to omit technical specifications from shipping documents, to describe goods differently than their actual classification, or to undervalue the shipment
• Payment terms or financing structures that are unusual for the product type or transaction size
• Routing through a third country that is not a logical commercial stop between origin and final destination
• A shipper or consignee that is recently formed, has no verifiable business history, or cannot be found through standard commercial verification
• Requests to ship via a country or port that is inconsistent with the stated delivery destination
• A mismatch between the product type, the quantity, and the business scale of the purchaser

Encountering a red flag does not mean a transaction is illegal. It means the IOR has an obligation to ask questions and not proceed until those questions are answered satisfactorily. The standard under EAR is "reason to know" if the red flags are visible and the IOR proceeds without inquiry, BIS treats that as constructive knowledge of the compliance problem.

What Screening Looks Like in Practice

Denied party screening for an IOR provider is not a single database check at the start of a client relationship. It is a transaction-level check, run against the current list, for every party that appears in the shipment: the shipper, the consignee, the end user if different from the consignee, freight forwarders or intermediaries identified in the transaction, and any other party whose identity is known.

The lists that matter:

• BIS Entity List (updates multiple times per year)
• BIS Denied Persons List
• BIS Unverified List
• OFAC Specially Designated Nationals (SDN) list (separate from BIS, administered by US Treasury sanctions exposure, not just export controls)
• BIS Military End User (MEU) List (15 C.F.R. Part 744, Supplement 7) -- parties subject to a license requirement for items that would otherwise qualify for a license exception for military end-use in certain countries; directly relevant for AI hardware, advanced computing, and dual-use networking equipment
• State Department AECA Debarred List (for defense-related items -- less common in commercial data center hardware but relevant for dual-use products with military application history)

A consolidated screening check against multiple lists simultaneously is standard practice. The frequency matters: the Entity List is not static. An entity that was not listed when the client relationship started may be listed six months later. Transaction-level checks, not account-level annual checks, are the correct model.

For TFTIOR, screening at the shipment level is standard for all advanced technology shipments. The check covers the parties identified in the shipper-consignee structure and any end user information provided. Where a screening hit occurs, the shipment is paused and not cleared until the hit is resolved either as a false positive (name match on a different entity) or as a confirmed issue requiring refusal.

ECCN Classification and Product Description Consistency

The IOR does not determine the ECCN classification of the goods that is the exporter's responsibility. But the IOR does control the import-side documentation, and that documentation needs to be consistent with whatever export control position the exporter has taken.

In practice, this means TFTIOR asks for documentation that reflects what the hardware actually is. For high-performance GPU shipments, AI accelerator modules, networking equipment with encryption capability, or telecom hardware with wireless functionality, the invoice description, packing list, and any supporting product files should describe the goods accurately. A commercial invoice that describes a shipment of ECCN 3A090-classified AI accelerators as "electronic components" or "IT spare parts" is internally inconsistent with a compliant export position and is a documentation problem TFTIOR will not accept into its import file.

Where shippers provide documentation that appears inconsistent with the actual product either based on technical specifications TFTIOR can review, or based on the obvious mismatch between invoice description and the equipment listed on the packing list the shipment is held pending correction or refused if the discrepancy cannot be resolved.

This is not about being difficult with clients. An import declaration filed with an inaccurate product description exposes the IOR to customs liability independent of any export control issue. Accurate documentation is a baseline requirement, not an optional enhancement.

Where This Matters Most: Regional IOR Markets

Export control exposure for IOR operations is not evenly distributed across markets. Some destination regions have become areas of focused BIS enforcement attention. Others are in the tier of countries where documentation and end-user clarity requirements have increased even though the destination is not itself subject to comprehensive sanctions.

The EOR Side of the Same Problem

When TFTIOR coordinates Exporter of Record services, the same export control logic applies in reverse. The EOR is the party responsible for the export declaration, for ensuring that a license exists where one is required, and for screening the IOR and end user in the destination country before the goods leave origin.

Re-routing US-controlled goods through a non-US intermediary to circumvent export restrictions is prohibited under EAR as evasion, diversion, or transshipment -- and more specifically under General Prohibition 10 (15 C.F.R. § 736.2(b)(10)), which prohibits proceeding with a transaction with knowledge that an EAR violation has occurred or is about to occur. This is distinct from the "deemed export" concept, which applies to disclosure of controlled technology to foreign nationals within the United States. EOR coordination that TFTIOR provides operates under the same compliance standard: the documentation file must be defensible at both ends of the transaction, and transactions that cannot be structured compliantly are not accepted on the EOR side either.

For technology companies exporting US-origin goods through TFTIOR's EOR service, the export license status of the goods is the starting point of the review, not an afterthought.

What TFTIOR Is Not

Worth stating directly: TFTIOR is not a US export counsel firm. We do not make export license determinations. We do not advise on ECCN classification of specific hardware as a legal matter. We do not manage BIS license applications.

What TFTIOR does is apply IOR-side due diligence to the shipments it handles. That means denied party screening, product description consistency checks, red flag awareness, and refusal where the compliance picture is unresolvable. It means requiring documentation from shippers that is internally consistent with a compliant export position. It means not accepting shipments where export control exposure is visible and unaddressed.

Companies exporting US-controlled technology particularly advanced semiconductor hardware, AI infrastructure, or encryption-capable telecom equipment should work with qualified US export counsel to determine license requirements before the shipment moves. That analysis is not something an IOR provider can substitute for, and TFTIOR does not try to.

What the pre-shipment review process does is catch the problems that are visible in the documentation: entity list hits, product description mismatches, red flags in the transaction structure, and destination-country risks that a standard freight process would not catch. That is where IOR-side compliance work sits, and that is where TFTIOR focuses its review.

Frequently Asked Questions

Does an IOR have export control obligations if they are only receiving the goods?

Yes, in a meaningful sense. The export license is the exporter's responsibility under US EAR, but facilitation liability under 15 C.F.R. § 764.2 applies to any party that knowingly assists a transaction violating EAR. For IOR providers, this means denied party screening, red flag awareness, and refusing shipments where the compliance position is unresolvable are not optional steps. An IOR that proceeds on a controlled technology shipment without basic due diligence cannot later claim ignorance as a defence.

What is the Foreign Direct Product Rule and how does it affect non-US IOR providers?

The FDPR extends US export jurisdiction to products manufactured outside the United States if those products were produced using US-origin technology, software, or equipment controlled under EAR. A server built in Taiwan using US semiconductor manufacturing equipment may be subject to EAR restrictions when re-exported from Europe or Singapore to a restricted destination. Non-US IOR providers handling shipments of advanced hardware should not assume that a non-US country of export removes EAR applicability. See also: IOR AI Due Diligence.

How does TFTIOR screen shipments for export control exposure?

TFTIOR's pre-shipment review for advanced technology hardware includes denied party screening against the BIS Entity List, Denied Persons List, and Unverified List, as well as OFAC SDN list checks. Product classification consistency is reviewed: if a shipment is described as ordinary IT hardware but contains components that appear to fall under controlled ECCNs, TFTIOR requests additional documentation before the import is accepted. Shipments with unresolvable export control exposure are refused before cargo moves.

What happens if a shipment involves controlled AI hardware like high-end GPUs?

TFTIOR requires documentation that accurately reflects the export control classification of the hardware. For shipments involving advanced AI accelerators or GPUs that fall under ECCN 3A090 or related classifications, the shipper must provide documentation consistent with a controlled export position. Shipments where the product description does not match the actual hardware, or where the end-user picture is unclear, are not accepted until the compliance file is complete. See: GPU and AI Hardware Import Guide.

Does EAR apply to shipments that do not originate in the United States?

Not automatically but the FDPR means the origin country alone does not resolve the question. Products manufactured outside the US using US-controlled technology or manufacturing equipment may still fall under EAR. For IOR providers, the relevant analysis is whether the goods are US-origin or FDPR-subject, and whether the destination and end user fall within current EAR restrictions.

Should I get an export license or does the IOR handle that?

The export license is the exporter's responsibility under EAR. The IOR does not obtain or hold the export license. The IOR's role is to ensure the import-side documentation is consistent with a compliant export, to screen the parties involved, and to refuse shipments where the compliance picture cannot be confirmed. Companies exporting US-controlled technology should work with qualified US export counsel before the shipment moves. TFTIOR is not a substitute for that analysis.

What are the consequences of ignoring export controls as an IOR provider?

Under 15 C.F.R. § 764.2, civil penalties for EAR facilitation violations reach $374,474 per violation (the inflation-adjusted ECRA maximum, subject to annual upward adjustment) or twice the transaction value, whichever is greater. Criminal penalties for wilful violations include substantial fines and imprisonment. An IOR that appears on a BIS denied export privilege list loses its ability to participate in US-regulated export transactions. The compliance risk is not abstract. The enforcement record includes cases involving non-US companies and non-US individuals who were parties to diversion transactions.

Related Resources