ITAR and EAR: Export Control Compliance for Space Companies in 2026

For space companies working across borders, one wrong move with a satellite part, a software file, or even a technical drawing can trigger a federal investigation, massive fines, or worse - losing your ability to do business altogether. Two U.S. regulations, ITAR and EAR, are the gatekeepers of what can leave the country, and they’re not optional. They’re mandatory. And as of 2026, the rules have changed - again.

What’s the difference between ITAR and EAR?

Think of ITAR and EAR as two different security doors leading out of the U.S. One is a vault. The other is a checkpoint with varying levels of scrutiny.

ITAR is the International Traffic in Arms Regulations, managed by the U.S. Department of State’s Directorate of Defense Trade Controls (DDTC). It controls items specifically designed for military use - things like rocket engines for ICBMs, satellite imaging systems for reconnaissance, or guidance systems for missiles. If it’s on the U.S. Munitions List (USML), it’s ITAR. And once it’s ITAR, it’s locked down. No exceptions. Not even for allies.

EAR is the Export Administration Regulations, run by the Bureau of Industry and Security (BIS) under the Commerce Department. It covers dual-use items - things that can be used for civilian and military purposes. Think GPS chips, high-speed data processors, or advanced composite materials used in both commercial satellites and military drones. These are listed on the Commerce Control List (CCL) and assigned an ECCN - an Export Control Classification Number.

The key? You can’t have both. An item is either ITAR or EAR. Never both. Getting this wrong means you’re breaking the law before you even ship anything.

Why does this matter for space companies?

Space companies aren’t just launching rockets. They’re building global supply chains. A sensor made in Germany might end up in a satellite built in Texas. A software update for a launch control system might be sent to a partner in Japan. Every transfer - even an email - could be an export.

Here’s the real problem: many space startups assume their tech is "just commercial." But if that satellite has a camera that can resolve objects smaller than 30 centimeters from orbit, it’s likely ITAR-controlled. If it uses a processor that runs at 10 teraflops, it’s probably EAR-controlled. And if you don’t know which, you’re already in violation.

Before 2024, nearly every satellite component fell under ITAR. That made international collaboration nearly impossible. Now? A major shift happened.

What changed in 2024-2025?

The U.S. government realized its own rules were strangling innovation. So in late 2024, the EAR Interim Final Rule came in - and it changed everything for space.

  • License exceptions expanded: Exports of certain space items to the 40 Wassenaar countries (including Canada, Japan, Australia, and most of Europe) no longer require licenses - if they’re under the new ECCN 9A515.x and 9A004.v, .x, .s. This covers things like commercial communications satellites, non-sensitive ground station tech, and lower-tier propulsion systems.
  • New ECCN 9A515.w: This was created to catch items that are still too sensitive to be eased. If your tech used to be under 9A515.x but still poses a risk, it’s now under 9A515.w - and still needs a license.
  • License Exception CSA: Proposed in 2025, this new exception allows U.S. companies to export certain space-related tech without a license - if it’s for civil purposes. Think space tourism, scientific research, or commercial launch services. As long as it’s not military, and you’re not sending it to a banned country, you’re covered.

ITAR didn’t sit still either. Categories IV and XV - which cover spacecraft and launch systems - were revised to move some items from ITAR to EAR. That means fewer companies now need DDTC approval just to talk to their international partners.

An engineer reviewing ECCN classifications and compliance alerts for satellite components in a high-tech workspace.

But don’t celebrate yet

Just because some rules got looser doesn’t mean compliance got easier. In fact, it got more complex.

Now you have to:

  • Classify every component - not just the final product
  • Track which ECCN applies to each part
  • Know if your customer is in a Wassenaar country
  • Verify if your tech is truly "civilian" under CSA
  • Update your internal documentation every time the CCL or USML changes

And if you’re working with the U.S. government? You’re now also under CMMC Level 2.

CMMC Level 2 is the Cybersecurity Maturity Model Certification Level 2, required for any company handling Controlled Unclassified Information (CUI), which includes ITAR and EAR data. As of November 10, 2025, the Department of Defense enforces this. If you store, process, or transmit export-controlled data - even as a subcontractor - you must be audited by a C3PAO and prove you meet NIST SP 800-171 standards. No certification? No contracts.

What do you need to do right now?

Compliance isn’t a one-time project. It’s a system. Here’s what every space company must build:

  1. Item Classification: Run every part, software, and technical document through the Order of Review: Check USML first. If it’s not there, check the CCL. If it’s not on either, it’s not controlled. But don’t guess - use official BIS and DDTC classification tools.
  2. End-User Screening: Use the BIS Entity List and DDTC’s Debarred Parties List. If your customer is on either, stop. No exceptions. Even if they’re a university.
  3. License Management: Track every license application. Keep copies. Know the processing time - DDTC can take 60-90 days. BIS is faster, but still not instant.
  4. Training: Every employee who handles tech, emails, or export documents needs annual training. Not just legal. Engineers, project managers, even HR.
  5. Record Keeping: You must keep records for five years. Not "maybe." Five years. And they must be accessible for audit.

And if you’re unsure? Hire a specialist. Don’t rely on your in-house legal team. Export control is a niche field. Most lawyers don’t understand ECCNs. You need someone who’s done this before.

A rocket composed of export control documents launching into space, symbolizing compliance as the path to global collaboration.

What happens if you mess up?

Penalties aren’t just fines. They’re existential.

  • ITAR violations: Up to $1 million per violation, 20 years in prison, and debarment from U.S. government contracts.
  • EAR violations: Up to $300,000 per violation or twice the value of the transaction, whichever is higher. Debarment. Criminal charges.

And it’s not just about money. Your reputation is gone. Investors pull out. Partners walk away. And if you’re working with NASA or the DoD? Your contract is terminated. No second chances.

Final thought: Compliance is your competitive advantage

Most companies see export controls as a cost. The smart ones see them as a filter.

If you’ve built a system that handles ITAR and EAR correctly, you’re not just compliant - you’re trustworthy. You’re the company that can work with European partners. You’re the one that gets priority on U.S. government bids. You’re the one that can scale.

The space industry is growing. But only those who understand the rules will be left standing.

Are ITAR and EAR only for U.S. companies?

No. Any company - anywhere in the world - that uses U.S.-origin technology, software, or components must comply. That includes European satellite manufacturers, Australian launch providers, or Japanese component suppliers. If your product contains even a single U.S.-made chip or uses U.S. technical data, it’s subject to U.S. export laws. Ignorance isn’t a defense.

Can I export space tech to allies without a license?

Sometimes. Since late 2024, exports of certain lower-sensitivity space items to the 40 Wassenaar countries (like Canada, Japan, Germany, Australia) no longer require a license - if they fall under the new ECCN categories (9A515.x, 9A004.v, .x, .s). But if your item is on the new 9A515.w list, or if the end-user is military, you still need a license. Always check the latest CCL.

What’s the difference between a license exception and a license?

A license is a formal approval from DDTC or BIS to export a controlled item. A license exception is a pre-approved permission to export without applying for a license - but only if you meet strict conditions. For example, License Exception CSA allows exports for civil space activities without a license, but you must document the purpose, end-user, and ensure no military use. You still need to comply with all other rules.

Do I need CMMC Level 2 if I’m not working with the DoD?

Yes - if you handle ITAR or EAR-controlled information. CMMC Level 2 applies to any company that stores, processes, or transmits Controlled Unclassified Information (CUI), regardless of whether you have a DoD contract. If your satellite software is ITAR-controlled, and you email it to a partner, you’re handling CUI. You need CMMC Level 2 certification by law as of November 2025.

How often do ITAR and EAR rules change?

Constantly. The U.S. government updates the USML and CCL at least twice a year. Major changes - like the 2024-2025 space rule revisions - happen every 1-2 years. Companies that rely on outdated checklists are already non-compliant. Subscribe to BIS and DDTC updates. Set up alerts. Review your classification every quarter.

Tags:

© 2026. All rights reserved.