Lab Manager | Run Your Lab Like a Business

Risky Business

Managing Export Control Compliance in the Biotechnology Industry

by Eric R. McClafferty,Brooke M. Ringel
Register for free to listen to this article
Listen with Speechify

Many companies have systems to deal with the alphabet soup of agencies and regulations that govern the handling and transfer of products and technology in the U.S. Yet few biotechnology companies have the compliance systems necessary to handle export control risks involved in their international operations.

Why care about export controls?

Most companies work hard to protect their intellectual property and institutional knowledge when collaborating with labs outside the U.S. Beyond the business interests involved, the U.S. government has national security interests in certain types of information and goods that may cross borders and exercises those interests through export controls. Understanding the export control rules related to products, equipment, and know-how is critical for U.S. biotechnology companies, and proper compliance is the only way to protect the company and its employees. As the proliferation of biological and chemical weapons rises, regulating agencies and their enforcement arms are taking a close look at how and where materials and equipment are being sent internationally, how information is shared, where it is stored, and who has access to data. Electronic export records and a new export control certification requirement for new hires make it easier than ever for the U.S. government to track these statistics and find violations.

Get training in Lab Quality and earn CEUs.One of over 25 IACET-accredited courses in the Academy.
Lab Quality Course

What if we don’t comply?

With over 60 companies in the biotechnology, chemical, and equipment industry penalized in the last five to six years, more companies are making sure they are compliant with export regulations. Penalties for violating export control rules include criminal charges against companies and individuals (including jail time of up to 20 or more years) and civil penalties up to $1 million per export or technology release. Beyond civil or criminal penalties, companies that violate the regulations risk being denied all export privileges. Companies put on so-called “denied party lists” can have trouble buying equipment from the increasing number of suppliers who screen their customers against those lists. Companies can also lose the ability to sell to the U.S. government.

Working without an export compliance system is, in many ways, just as risky as not having a health and safety compliance program. And, with some guided effort, a good export compliance system is not difficult or costly to implement.

What do the export control rules cover?

Export control regulations govern shipments of military items and a variety of less-sensitive dual-use chemicals and biological materials, including certain human, animal and plant pathogens; toxins; and genetically modified organisms. The regulations also cover export of equipment (for example, certain storage tanks, reactors, agitators, valves, and pumps).

In addition to physical exports, the transfer of know-how (referred to as “technology” or “technical data” in the regulations) to non-U.S. persons can trigger export controls. Technology sharing can occur by sending documents attached to emails, in-person demonstrations or lab visits, or oral transmission through a phone call or in-person conversation. Without proper training it is easy to unwittingly share export-controlled technology in violation of the regulations.

Finally, international sales is a key area where export controls may affect your company. Many biotechnology companies are expanding to new sales territories. Places such as India and China are not only becoming popular sites for biotechnology manufacturing and research (and technology exports) but also growing as profit centers due to upward trends in income and population levels.

Handle with CareU.S export control regulations overview

The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) and the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC) are the two agencies primarily responsible for control of most biotechnology goods and technology exports from the U.S.

BIS administers the Export Administration Regulations (EAR). The EAR cover dual-use products, software, and technology that can be used for commercial and military (or terrorist) end uses.1 For example, a hammer is a dual-use item because it can be used by a construction worker to build a house or by the military to repair a tank. Items requiring BIS authorization for export to a particular destination are indicated on a list of items, software, and technology called the Commerce Control List (CCL). EAR also control exports to certain individuals or entities and for certain end uses, including use of any item for the development of chemical or biological weapons.

DDTC administers the International Traffic in Arms Regulations (ITAR), which control military products (“defense articles”), software, and technology.2 DDTC also maintains a list of controlled items called the U.S. Munitions List (USML), but anything specifically designed or modified for military end use (whether in the U.S. or for a foreign military) is also controlled as a defense article. A license from DDTC is required to export virtually all USML items.

Industry-specific controls: products

BIS regulates certain dual-use microorganisms, toxins, biological equipment, and related technology identified by the Australia Group, an international association that seeks to stem the development of biological and chemical weapons through export controls. BIS also controls the export of select agents. Licenses are required to export these products to many countries.

Controls affecting the biotechnology sector are primarily found in Categories 1 and 2 of the CCL. Each control is identified by an Export Control Classification Number (ECCN), which comes with specific instructions. Some key ECCNs for the industry include 1C351 (human pathogens), 1C352 (animal pathogens), 1C353 (genetically modified elements containing nucleic acid sequences of CCL-controlled organisms and other organisms containing those sequences), 1C354 (plant pathogens), 1C360 (select agents), and 1C991 (vaccines). The levels of control vary. For example, an export license from the Department of Commerce is required to export an ECCN 1C351 item to any destination. In contrast, ECCN 1C991 items, which are under a lower level of control, can be exported to more destinations without a license. Also, don’t forget the equipment controls on pumps, valves, reactors, agitators, piping, fermenters, and a wide variety of other lab equipment found in ECCNs 2B350 and 2B352. These categories provide only a sample of export controls that companies need to know about.

Industry-specific controls: Technology

Both the EAR and ITAR govern the export of export-controlled know-how (technology) required for the development, production, or (in some cases) use of an item listed on the CCL or USML.3 It is sufficient to know that technology is very broadly defined and can exist in virtually any format, including lab procedures, drawings, calculations, and test procedures. Controlled technology requires a license for export to certain destinations just as does the export of the product that the technology is used to design, make, or use.

Biotechnology companies should focus on ECCNs 1E001 and 1E351, which control technology for dual-use biological materials described above. ECCNs 2E001, 2E002, and 2E301 control technology for certain biological material handling equipment, as noted above. Similarly, USML Category XIV controls any technical data or defense services related to controlled biological agents.

U.S. export control enforcement authorities vigorously enforce rules relating to technology releases. Think of it this way: Shipping a vial of a controlled toxin gives someone one vial of toxin, but the release of sensitive production technology permits a potential enemy to produce that toxin on a much bigger scale.

Based on this policy, the rules prohibit the unauthorized transfer of technology to foreign persons even if they are company employees abroad or physically located in the U.S. A data release in the U.S. is called a “deemed export” because it is deemed to be an export to the recipient’s home country. The key to deemed export compliance is to consider that access—to shared computer network drives, data-sharing programs or websites, meeting and production areas, unsecured technology—by foreign persons must be restricted wherever they are located. Consider access to shared computer network drives, data-sharing programs or websites, meetings and production areas, and unsecured technology.

Human resources professionals in the scientific, technical, and complex manufacturing sectors are seeing the number of foreign-born applicants steadily increase. For a biotechnology company that develops or produces both products and technology likely controlled for export, working with foreign employees or contractors can create export licensing requirements.

The bottom line

Could collaborating with a lab outside the U.S. lead to an export violation with significant penalties? Yes. Could a lab visit by non-U.S. persons lead to an export control violation? Yes.

Could employing a non-U.S. person at a lab lead to technology export violations? Again, the answer is yes, if you are not careful about export compliance.

Certain license exceptions may be available for publicly available technology and “fundamental research.” Be aware, however, that many companies rely too heavily on these limited exceptions. If your company would not share particular know-how with its competitors, these exceptions probably do not apply.

Every company in the industry should implement an export compliance system to prevent violations. Get help from qualified export compliance counsel that can assist on a confidential and attorney-client-privileged basis as you develop your compliance system in the event a potential past issue is discovered.

What steps should we take?

Implement a basic set of compliance tools. Undertake a risk assessment. Use a systematic approach to accurately classify “core” and “noncore” products, equipment, and technologies. It is impossible to know whether an export license is needed without conducting this classification process.

Here are some other select key elements that a solid export compliance system needs:
• Export compliance policy and manual
• Identification of responsible individual(s)
• Technology control plan
• Training
• Internal review/audit program
• Plan to respond to enforcement visits or inquiries (e.g., Commerce, ICE, Customs, the FBI, and Homeland Security)


As the threat of proliferation rises, the U.S. government is paying more attention to the movement of biological materials, equipment, and technical information—not less. U.S. biotechnology companies and laboratories seeking to expand research, manufacturing, sales, and purchasing relationships outside the U.S., or that employ talented foreign nationals must ensure they have export compliance procedures in place to protect their business, managers, and employees.

1. 15 C.F.R. § 730, et seq.
2. 22 C.F.R. § 120, et seq.
3. See 15 C.F.R. Pt. 772; 22 C.F.R. § 120.10

Eric R. McClafferty is a partner in Kelley Drye & Warren LLP’s Washington, D.C., office. His international trade practice includes extensive experience in export controls and compliance and Foreign Corrupt Practices Act matters. He advises clients on export licensing and classification, performs due diligence export compliance reviews, and establishes company and product-specific compliance and training programs. Eric can be reached at 202-342-8841 or

Brooke M. Ringel is an associate in Kelley Drye & Warren LLP’s Washington, D.C., office. She has a particular focus on export controls, classification, and compliance, and substantial experience in advising clients on deemed export of controlled technology. Brooke helps companies design compliance materials, including practical desktop checklists. She can be reached at 202-342-8480 or