Legal Update: DOJ Declination for Robert Bosch GmbH a First Under DOJ CEP Policy; Follows BIS $36 Million Penalty for Huawei Shipments

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

‍

June 23, 2026

‍

Key Takeaways:

‍

• Joint Enforcement: The U.S. Department of Justice (“DOJ”) National Security Division ("NSD") and U.S. Department of Commerce’s Bureau of Industry & Security (“BIS”) on June 17 announced significant penalties against Robert Bosch GmbH (“Bosch”) for alleged violations of U.S. export control prohibitions against China’s Huawei Technologies Co., Ltd. and related affiliates (collectively, “Huawei”).
  ‍
  
  • These violations resulted from a misreading of the scope of the Foreign Direct Product Rule (the “FDP Rule”) by company personnel, leading the company to incorrectly conclude that its non-U.S.-produced items were not subject to the jurisdiction of the Export Administration Regulations (“EAR”).
    ‍
  • This enforcement action involves severe penalties - $36 million in BIS penalties and an $11.4 million disgorgement of profits by the DOJ, $7.8 million of which was credited towards the BIS penalty. Bosch, a $90 billion company, has hired 66 additional compliance officers as part of its mitigation efforts (throughout most of the period at issue, the company had two employees in the U.S. serving in the compliance function).
    ‍
• First Declination of an NSD matter under the DOJ’s Corporate Enforcement and Voluntary Self-Disclosure Policy (“CEP”): DOJ made clear that Bosch received this declination after voluntarily self-disclosing the misconduct, fully cooperating with the government’s investigation, timely and appropriately remediating the root causes of the violations, and in the absence of aggravating factors, making it a first of its kind case under the CEP.
  ‍
• The Case for Refined Compliance Management: Expanding compliance as a mitigation and risk prevention strategy for future violations is commonplace. Despite being a $90 billion company with offices in over 60 countries, compliance was poorly managed. In addition to the dearth of adequate resources, management had failed to ensure consistent compliance across the group’s international operations. Spotty compliance can dramatically elevate the likelihood of compliance breaches even in the largest, most sophisticated companies with comprehensive policies.
  ‍

Background:

‍

An international technology and services company headquartered in Germany, Bosch produces sensors and software that were provided to Huawei, which was placed on the BIS Entity List in 2019. The items in question were produced outside of the U.S. but determined by BIS to be subject to the export control restrictions under the EAR. This was based on the timeline below:

‍

‍

Compliance Takeaways:

‍

1. The Bosch Declination could signal the NSD’s increased use of the CEP and reliance on the DOJ Principles of Federal Prosecution of Business Organizations
   ‍
   The Bosch declination may provide insight into how DOJ intends to apply both its new Department-wide CEP and the Principles of Federal Prosecution of Business Organizations in export controls and national security matters. The Department-wide CEP announced in March 2026 largely builds upon the Criminal Division's longstanding Corporate Enforcement Policy, which originated in the FCPA arena and rewards companies that voluntarily self-disclose misconduct, fully cooperate, and timely remediate compliance deficiencies.² Bosch, as the first NSD declination under the same policy, suggests DOJ is applying a consistent enforcement approach across traditionally separate enforcement areas. As a result, companies confronting potential export controls violations may increasingly evaluate disclosure decisions through a framework familiar to FCPA practitioners: absent significant aggravating factors, prompt self-disclosure, robust cooperation, and meaningful remediation may substantially reduce the risk of criminal prosecution. In Bosch’s declination letter, the NSD highlighted several remediation efforts taken by the company, demonstrating the substantial development of Bosch’s trade compliance policies. Following the investigation, the company hired 66 employees to its trade compliance team, broadly expanded U.S. trade compliance resources, and updated its internal policies to clarify when U.S. export control jurisdiction and licensing requirements apply to the business’s activities.
   
   According to the DOJ, these efforts, along with Bosch's voluntary self-disclosure and extensive cooperation throughout the investigation, weighed heavily in favor of a declination rather than criminal prosecution.³ As such, the matter may serve as an early roadmap for companies evaluating whether to voluntarily disclose potential export controls violations to DOJ, and what steps can be taken after the fact to mitigate the risk of prosecution. As U.S. export controls and broader economic policy continue adapting to meet evolving national security priorities, DOJ’s CEP encourages prompt disclosure, cooperation, and remediation efforts through sophisticated corporate compliance protocols and mechanisms.
   ‍‍
2. Businesses worldwide should develop a sophisticated understanding of FDP Rules
   ‍
   Importantly, the EAR’s jurisdiction can extend far beyond shipments originating from or transiting through the U.S., as can be seen in the FDP Rules. The Huawei FDP Rule covers Huawei and its non-U.S. affiliates (so-called “Footnote 1 entities”). In the Bosch case, the compliance team’s confusion in the product scope provisions of the August 2020 FDP Rule helped cause continuous violations.
   
   Broadly, the FDP Rules⁴ extend U.S. jurisdiction to foreign-made products that are direct products of certain export-controlled technology or software that is subject to U.S. jurisdiction or made on equipment that is itself a direct product of such technology or software. These rules continue to evolve in accordance with foreign policy objectives and strategies that companies use to evade export controls.
   ‍‍
3. Distinguish De Minimis Rule and the FDP Rule: Content vs. Technology
   ‍
   ‍Another key mistake Bosch’s compliance personnel made was conflating the de minimis rules, which was the long-established approach to determining whether a foreign-made product was subject to the EAR, with the FDP Rules, which substantially expanded the universe of foreign-made items subject to the EAR. One internal email erroneously determined that the products in question, Micro-ElectroMechanical Systems ("MEMS") sensor products and CycurHSM automotive firmware, were not subject to the EAR because the U.S.-origin content in each product fell below the de minimis threshold.
   
   The De Minimis Rule calculates the value of U.S.-origin content as a percentage over the total value of the product and establishes a threshold below which the product generally is not subject to the EAR (25% for the purposes of exports to most destinations).⁵ The FDP Rules and in particular the Entity List FDP Rule implemented in August 2020 and with certain modifications dedicated specifically to Huawei (so-called “Footnote 1 designations”), expanded U.S. jurisdiction by focusing not on the percentage of U.S.-origin content, but on whether the foreign-made product is a direct product of certain export-controlled technology or software that is subject to U.S. jurisdiction, or made on equipment that is itself a direct product of such technology or software. In Bosch’s case, some of the MEMS sensors were manufactured using epitaxy machines that were the direct product of U.S.-origin technology or software as defined in paragraph (e)(1)(i)(B) of the FDP rule, and the microcontrollers used to test the CycurHSM software were likewise determined to be direct products under the same rule.
   
   The Bosch enforcement underscores that compliance teams must assess both the de minimis and FDP Rules when evaluating EAR jurisdiction involving foreign-made products.
   ‍‍
4. Streamline organizational response to potential red flags or violations.
   
   ‍Bosch’s organizational response leading up to the violations highlights certain definitive lessons for businesses adapting their trade compliance practices to evolving regulatory landscapes and the complexity of their business practices.
   ‍
   
   • Prioritize staffing and coordination of trade compliance teams across regions.‍
     Bosch’s case highlights a common phenomenon of confusion over the U.S. export controls regime even among compliance personnel in major multinationals, and the imbalances of compliance program implementation and staffing know-how seen across global operations, even at some of the most prominent companies Multinational companies face continual challenges in equipping trade compliance teams with sufficient resources to adequately address new and complex regulatory changes. Such resources should include sufficient staffing as well as access to advanced legal expertise to check the internal interpretation of complex rules such as the FDPRs. While the particulars of training and guidance at Bosch are unclear, as a general matter, many multinationals’ foreign operations effectively function as islands, without central, top-down compliance directives and training. This can result in erratic “lone wolf” activity, dramatically expanding exposure to violations.
     ‍
   • Integrate compliance teams into relevant decision-making processes.
     Bosch’s violations resulted from information asymmetry between trade compliance professionals and executives from BST, a Bosch subsidiary. Had Bosch’s trade compliance team obtained information about the production equipment, suppliers, and end-users, they may have been able to properly complete the analysis for applicability of the FDP rule. Communication with trade compliance teams, including questionnaires, guidance, and warnings, should be given high regard in the decision making related to all stages of production and distribution of an item.
     ‍
   • Calibrate compliance processes to adequately respond to warnings and red flags.
     BIS’s release identified multiple warnings from outside vendors and supply chain partners to BST that were not properly addressed. Compliance teams should have clear authority to respond to such warnings while keeping senior management informed. Management, by contrast, should maintain internal review and accountability mechanisms to prevent reliance on incorrect or outdated guidance, which in this case contributed to continued violations of the export control rules. Management should ensure consistent training and resources across divisions as needed.
     ‍
   • Promptly investigate any potential compliance issues, disclose any violations and cooperate with BIS and other regulatory agencies.
     BIS expects proactive due diligence and internal investigatory protocols if and when a compliance concern arises. Bosch received significant credit from BIS and DOJ for eventually conducting a full investigation and submitting a VSD to the DOJ covering its violations.

‍

While the penalties were steep, by voluntarily self-disclosing and taking bona fide, earnest steps to remediate, Bosch materially mitigated what could have been a much larger punishment. The case for companies operating in sensitive sectors maintaining export control compliance is clear and not novel. More importantly, however, this particular matter highlights the need for comprehensive compliance maintenance, namely:

‍

1. adequate resource allocation;
   ‍
2. accurate and thorough advice; and very importantly
   ‍
3. proper compliance management and consistency of internal implementation and communication.

‍

In addition to typically having only two compliance employees tasked with providing U.S. export controls guidance to the entire global group, Bosch was also insufficiently advised and lacked proper mechanisms for implementing group-wide compliance. Beyond proper resource allocation, companies should strongly consider top-down and bottom-up compliance quality control and risk management policies adequately addressing new developments to avoid miscommunications and “compliance deserts” often found in cross-border operations within a group or conglomerate.

______________________________________________________________________

‍

Special thanks to John Kallas and Kristen Xiao for their assistance in preparing this Legal Update.

‍

This Legal Update is intended solely for informational purposes and should in no way be construed as legal advice, nor shall the information shared here result in or constitute the formation of an attorney-client relationship with anyone who reads it. If you have any questions or are unclear on any of the subject matters addressed or discussed in this Legal Update, please consult a licensed legal professional.

‍

______________________________________________________________________

‍

[1] Admitted in New York. Admission to the District of Columbia pending.

‍

[2] U.S. Dep't of Justice, Department of Justice Releases First-Ever Corporate Enforcement and Voluntary Self-Disclosure Policy for All Criminal Cases (Mar. 20, 2026), https://www.justice.gov/opa/pr/department-justice-releases-first-ever-corporate-enforcement-policy-all-criminal-cases.

‍

[3] Letter from the Department of Justice to Fenwick & West LLP (counsel to Robert Bosch GmbH), June 15, 2026, available at https://www.justice.gov/d9/2026-06/bosch_-_executed_declination.pdf (last accessed June 22, 2026).

‍

[4] 15 C.F.R. § 734.9.

‍

[5] 15 C.F.R. § 734.4(d).

‍