The US Department of Commerce’s Bureau of Industry and Security, the key regulator for US national security export controls, has recently implemented new rules that significantly expand the number of restricted counterparties and alter the compliance expectations placed on exporters operating across complex global supply chains, with particular relevance for technology, defense, and other dual-use sectors.
In this article, Felix Cook, Director of Americas Delivery at S-RM, examines how the new rules mark a structural shift towards a more sanctions-like model of export controls, requiring enhanced due diligence and greater counterparty ownership mapping, and making intelligence-led compliance essential in the current heightened enforcement environment.
New rule
At the end of last year, the US Department of Commerce’s Bureau of Industry and Security (BIS), the key regulator for US national security export controls, rolled out new rules that fundamentally alter the regulatory expectations and compliance burden on exporters of high technology and other sensitive products. Effective from September 29, 2025 the new BIS Affiliates Rule extends the control effects of two key watchlists, the Entity List and the Military End-User (MEU) List, as well as certain export-control-related sanctions restrictions, beyond the specifically listed parties to also encompass foreign entities owned 50 percent or more, directly or indirectly, by one or more restricted parties. A 60-day Temporary General License granted under the change expired on November 28, 2025, exposing exporters to new expectations of third-party due diligence, ownership mapping, and ambiguity resolution across global supply chains.
From entities to networks
Previously, BIS applied export controls to specifically named legal entities and legally indistinct subunits, such as offices and unincorporated branches. Those entities were named on the relevant list and compiled for screening purposes on a Consolidated Screening List (CSL). So long as it itself did not produce any compliance red flags, a separately incorporated entity was generally treated as “legally distinct” and therefore not automatically subject to the upstream entity’s export restrictions.
Now, any foreign entity that is 50 percent or more owned by one or more listed entities is automatically subject to the same export control restrictions as a listed upstream owner. Aggregation of ownership applies up the entity’s entire ownership chain: a company 25-percent owned by two separate restricted entities is captured in the same way as one50-percent owned by one restricted entity, and so forth.
This change shifts export-control compliance from an entity-based model to one based on understanding diffuse and often complex ownership networks, increasing risk for organizations and complexity for compliance functions. A counterparty that was apparently compliant under the previous rules – legally separate and clear of individual red flags – may now be severely restricted due to upstream ownership several layers removed.
Streamlining - with a sting
The new BIS ownership logic will be familiar to risk and compliance professionals who work with economic sanctions administered by the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), which has long applied the same 50-percent ownership standard. At one level, the alignment of the two standards simplifies compliance, as it allows greater integration of sanctions and export-control analysis. Ownership mapping, aggregation, and attribution are now critical in both areas.
More immediately, however, the rule change significantly expands the universe of restricted counterparties, presenting challenges for existing export-control screening processes. Screening only against the CSL, or relying solely on traditional name-matching compliance databases, can no longer be treated as exhaustive or sufficient, as many newly restricted entities will not appear on government lists. Effective compliance will require more frequent enhanced due diligence and, in many cases, the use of third-party intelligence to assess upstream ownership structures. Ownership opacity — particularly in jurisdictions with limited corporate transparency —will increasingly complicate compliance decision-making, especially in sectors where joint ventures, minority investments, and layered holding structures are common. In these scenarios, the difference between 49-percent and 51-percent ownership now carries meaningful regulatory consequences.
The duty to know
Perhaps even more significantly than its changes to ownership calculation, the new BIS rule imposes a formal, affirmative ‘duty to know’ on exporters when assessing export-control compliance. Practically, this means that where ownership information is unavailable or ambiguous, the resulting lack of clarity constitutes a red flag that must be resolved through further diligence or by obtaining appropriate BIS licensing before proceeding.
The rule also expressly identifies other red flags that, while falling short of automatic restriction, materially increase the level of scrutiny expected of exporters. These include significant minority ownership by a restricted entity, as well as other indications of control, such as overlapping board memberships, parent-subsidiary relationships, signs of operational interdependence, or other forms of influence. While these factors do not automatically trigger license requirements, they require exporters to exercise careful judgment and assess potential diversion risk contextually, further underscoring the need for comprehensive, enhanced due diligence and intelligence-led compliance.
High stakes
Unhappily for exporters, this increase in export control compliance coincides with even higher enforcement stakes. BIS violations carry the risk of significant civil and criminal penalties, including substantial fines, imprisonment, and denial of export privileges.
More generally, the new rule coincides with heightened geopolitical competition in high technology and an increasingly assertive enforcement environment. In recent years, US authorities have demonstrated a willingness to pursue high-profile export control cases, particularly where diversion risk intersects with geostrategic competition in advanced technology sectors. Beyond the risk of formal investigation and penalties, companies face significant reputational and contractual consequences if they are perceived as insufficiently attentive to US export controls and national security priorities, particularly in sectors tied to AI, defense, and other dual-use technologies.
Summary
It is clear that ownership mapping, once primarily associated with sanctions screening and pre-transactional due diligence, has now become a standing compliance requirement for exporters and multinational businesses operating across complex supply chains. At the same time, the new BIS rule raises practical questions: how far upstream should diligence reasonably extend, what constitutes reasonable efforts in jurisdictions with limited ownership transparency, and how should companies document good-faith attempts to resolve ambiguity?
BIS does not prescribe fixed answers to these questions, instead placing responsibility on firms to build defensible, repeatable decision-making frameworks. Nonetheless, organizations that invest in intelligence-led compliance and enhanced due diligence, and cultivate institutional curiosity about counterparties, will be better positioned to withstand regulatory scrutiny in this new environment than those relying on formalistic screening alone.
