First DOJ National Security Division Declination Under Updated Corporate Enforcement Policy Signals Export Control Disclosure Benefits

By Brett W. Johnson, James P. Melendres, T. Troy Galan, and Derrick Kyle

On June 17, 2026, the Department of Justice (DOJ) announced the first National Security Division declination under the Department-wide Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP). The declination resolved DOJ’s investigation into Robert Bosch GmbH (Bosch) for potential criminal export control violations arising from technology sales by two non-U.S. subsidiaries to Huawei Technologies Co., Ltd. and certain Huawei affiliates on the Entity List.

The declination is significant for companies in the advanced technology sector because it illustrates both the extraterritorial jurisdiction reach of U.S. export controls to non-U.S. operations and the potential significant benefits of voluntary self-disclosure under the CEP. DOJ declined prosecution after Bosch voluntarily disclosed, cooperated, and remediated.

However, the resolution should not be read as a retreat from future enforcement efforts. DOJ emphasized that international trade compliance, including export control, sanctions, and tariff enforcement, remains a top priority and is central to its national security mission.

I. Background

According to DOJ, Bosch, through two non-U.S. subsidiaries, reexported more than $70 million worth of foreign-produced Micro-Electro-Mechanical Systems sensor products and foreign-produced software to Huawei and certain Huawei affiliates without the required authorization from the U.S. Department of Commerce’s Bureau of Industry and Security (BIS).

The conduct involved the Entity List Foreign Direct Product Rule (FDPR), one of the most complex and often-missed areas of U.S. export controls. In general, the FDPR can subject certain foreign-produced items to the Export Administration Regulations (EAR) when those items are (1) the direct product of specified U.S.-origin technology or software or (2) are produced by certain plants or major components of plants that are themselves the direct product of specified U.S.-origin technology or software.

The far-reaching jurisdiction of the FDPR was central to the enforcement action. Despite the transactions involving foreign-produced items, non-U.S. subsidiaries, and foreign sales, DOJ and BIS still found that the items were subject to the EAR under the Entity List FDPR. As such, companies cannot assume that foreign manufacture, foreign software, foreign subsidiaries, or non-U.S. sales eliminate U.S. export control jurisdiction.

DOJ also identified compliance program failures. DOJ stated that Bosch’s trade compliance personnel were not equipped to provide accurate FDPR guidance and that sales continued despite missed opportunities where third parties had identified potential FDPR issues.

Bosch voluntarily self-disclosed the matter to DOJ and BIS while its internal investigation remained ongoing. DOJ declined prosecution based on Bosch’s timely disclosure, cooperation, remediation, the absence of aggravating circumstances, and the adequacy of parallel civil remedies.

II. Declination Under the CEP

As discussed in the March 20, 2026, Legal Alert, “DOJ Unveils Uniform Corporate Criminal Enforcement Policy,” the CEP created a Department-wide framework for evaluating corporate voluntary self-disclosures, cooperation, and remediation in corporate criminal matters.

The Bosch resolution is the first National Security Division declination under that policy. It is notable because the underlying conduct involved Huawei, China-related export controls, and the FDPR, all sensitive areas of U.S. export control enforcement.

For companies evaluating whether to disclose potential export control, sanctions, or other national security violations, Bosch provides a concrete example of how the CEP may operate in practice.

III. Practical Implications

Integrated Criminal and Export Control Strategy – Potential export control violations can create parallel criminal and civil exposure. Companies should avoid treating these matters as only civil export issues or only criminal enforcement issues. In this case, Bosch’s coordinated disclosures to DOJ and BIS show the importance of aligning disclosure strategy, remediation, and government communications across both tracks.

Disclosure Timing and Cooperation – Bosch disclosed while its internal investigation remained ongoing. Companies do not always need to know every fact before evaluating disclosure. Waiting until the investigation is complete may create risk if the government learns of the conduct first or later questions whether the disclosure was timely. However, such disclosure may lead to far reaching compulsory demands for information that any company needs to be aware of prior to disclosure.

FDPR Analysis – U.S. export control jurisdiction can turn on technical facts across legal, engineering, product, supply chain, and sales teams. Companies with advanced technology, semiconductor, software, sensor, aerospace, defense, or China-facing business lines should understand how FDPR analysis affects their products, technology, and transactions. Although consultants may be helpful in such an analysis, it is important to consider the need for legal counsel to conduct such analysis under the attorney-client privilege.

Compliance Programs – DOJ noted that Bosch continued sales despite missed opportunities where third parties identified potential FDPR issues. That is a warning for companies that have not recently updated their export compliance programs. Companies should have escalation procedures that capture warnings from customers, suppliers, vendors, consultants, outside counsel, auditors, and other third parties.

Individual Exposure – The Bosch declination resolved DOJ’s investigation of the company. It did not provide protection for individuals. Companies evaluating disclosure should consider individual conduct, employee interviews, cooperation obligations, and attorney-client privilege issues related to any internal investigation from the beginning.

Mitigation – As referenced, voluntary disclosure is just one mitigation step. During the DOJ review process and eventual final disclosure, companies should consider what other mitigation steps are appropriate, including terminating contracts, disciplining employees that did not adhere to company policies or the law, updating outdated policies and procedures, and training stakeholders. Further, the importance of senior management, including board involvement, in the process is key, including the dedication of necessary resources to support the compliance program and the cooperation with the government agencies.

IV. Conclusion

The Bosch declination confirms that the CEP can provide meaningful benefits in export control matters when a company promptly discloses, cooperates, and remediates. It also reinforces DOJ’s continued focus on export controls and sanctions as national security priorities.

For companies, the practical lesson is broader than disclosure. Foreign activity can still fall within U.S. export control jurisdiction, and potential violations should be evaluated through both criminal and export control lenses from the outset.