← All Field Notes

Field Notes

Export Controls Are Now a Geostrategic Supply-Chain Problem

Share via Email →

In April 2023, the Bureau of Industry and Security imposed a $300 million penalty on Seagate Technology for selling hard drives to Huawei after the company appeared on the Entity List, the largest standalone BIS administrative penalty on record. Seagate's legal team had reviewed every transaction. The company argued the drives were commodity items containing no sensitive technology. The argument failed, and at $300 million, a single enforcement action now exceeds the annual revenue of many mid-sized suppliers.

Hard disk drives on a customs inspection table under industrial fluorescent lighting, referencing the 2023 BIS enforcement action
Hard disk drives on a customs inspection table under industrial fluorescent lighting, referencing the 2023 BIS enforcement action

Why the conventional export control structure is now a geostrategic liability

Most companies still route export control decisions through legal counsel, isolated from procurement, supply chain, and workforce planning. The enforcement record shows that structure can no longer absorb the geopolitical risk now embedded in ordinary sourcing decisions.

  • BIS Entity List scale. The list expanded from approximately 130 entities in 2014 to nearly 1,200 by mid-2024, with BIS adding over 465 entities in 2023 alone, the highest single-year total on record.¹ ²
  • Subsidiary coverage extension. A September 2025 rule extended Entity List controls to entities majority-owned at 50 percent or above by a listed parent.⁴ A tier-two supplier owned 51 percent by a restricted Chinese state enterprise now triggers the same controls as the listed entity itself, regardless of whether the buyer has any direct relationship with that parent.
  • Penalty trajectory. The 2023 enforcement record included the $300 million Seagate penalty, a $36.2 million Robert Bosch LLC settlement, and OFAC civil penalties exceeding $1.5 billion across the financial sector.⁵ This is not a baseline. It is a direction.
  • Compliance function isolation. FTI Consulting's 2023 survey of trade compliance officers at multinationals found export control functions concentrated in legal, with no systematic link to procurement or supply chain decision-making.¹⁰
Organisational chart on a dark desk, department boxes disconnected, showing structural gaps in compliance-to-procurement data flow
Organisational chart on a dark desk, department boxes disconnected, showing structural gaps in compliance-to-procurement data flow

How the deemed export doctrine and control velocity compound geopolitical risk

The Entity List creates exposure through sourcing relationships. The deemed export doctrine creates a second exposure that runs through the workforce, and the rate at which new controls appear has created a third through planning cycle mismatch.

  • Deemed export definition. Export Administration Regulations §734.2(b)(ii) treats releasing controlled technology to a foreign national on US soil as an export to their country of citizenship or permanent residence, with no physical transfer required.⁶ A company whose engineers access export-controlled technical specifications may be in violation without any product leaving the building.
  • Workforce exposure gap. Most companies maintain no inventory of which technical roles involve access to export-controlled specifications, how those roles map against employee citizenship, or what Technology Control Plans apply. The gap is not typically the result of bad intent. It results from treating export control as a legal checklist rather than an operational process.
  • Control velocity risk. When BIS introduced advanced computing chip controls in October 2022, Nvidia took a $400 million inventory charge for chips destined for China that could no longer ship.⁷ Nvidia redesigned the A800 and H800 chips to fall below the new performance thresholds. BIS updated its rules within a year to close that approach.⁸ Each regulatory cycle outpaced a standard quarterly planning model.
  • Supply chain self-reinforcement. CSIS documented a structural feedback loop in which US controls on advanced chips accelerated Chinese domestic substitution investment, with state-backed entities including SMIC and HiSilicon receiving government funding precisely because US controls made American-designed chips uncertain.⁹ Companies sourcing from both sides of that divide carry exposure on two fronts.
Procurement and compliance teams reviewing shared supply chain maps and regulatory screens, early morning light through office blinds
Procurement and compliance teams reviewing shared supply chain maps and regulatory screens, early morning light through office blinds

What geostrategic supply-chain risk management requires

The response this demands is not more compliance headcount. It is moving export control data into the risk calculus that procurement and supply chain teams already run, before sourcing and hiring decisions are made.

  • Supply chain screening integration. Entity List checks must run at supplier onboarding as a recurring function, not only at contract signing. The list now changes at a rate that makes annual reviews inadequate: additions in 2023 alone exceeded the list's entire size in 2014.
  • Workforce nationality mapping. Deemed export rules apply to technology access by foreign nationals inside your own facilities. HR, security, and trade compliance need a shared data process to identify which roles carry export-controlled access and who currently holds those roles.
  • Ownership structure visibility. Standard supplier risk systems track performance and financial stability. They do not cross-reference ownership structures against the Entity List. The September 2025 subsidiary rule has made building that data link urgent, not optional.
  • Controls expansion scenario planning. The Nvidia case shows that quarterly planning cycles cannot track a regulatory environment moving faster. Export control exposure must enter supply chain scenario planning on a rolling basis, not after a Federal Register notice triggers a reactive review.

Meridian Intell note: Meridian monitors BIS Entity List updates, OFAC designations, and export control regulatory developments as part of its geostrategic supply chain risk intelligence service. The analysis reflects publicly available regulatory records and independent research and does not constitute legal advice.

Methodology: Meridian Intell field notes draw on primary regulatory sources, peer-reviewed research, and direct analysis from practitioners with operational experience in the subject matter. Sources are cited for verifiability. Where analysis goes beyond available evidence, it is identified as such.


Footnotes

1 Bureau of Industry and Security, "Entity List," U.S. Department of Commerce, consolidated and updated at https://www.bis.doc.gov/index.php/policy-guidance/lists-of-parties-of-concern/entity-list. Growth tracked from approximately 130 entities in 2014 to approaching 1,200 by mid-2024.

2 Bureau of Industry and Security, Annual Report to Congress for Fiscal Year 2023, U.S. Department of Commerce, 2024. Federal Register additions publicly archived at https://www.federalregister.gov.

3 Bureau of Industry and Security, "Entities Added to the Entity List," Federal Register, November 2024 consolidation. China-specific count as reported by the Congressional Research Service, Export Controls: Overview and Issues for Congress, R46537, updated November 2024.

4 Bureau of Industry and Security, "Export Administration Regulations: Entity List Revisions," Federal Register, September 2025. Rule extends controls to entities with majority ownership of 50 percent or above by a listed party.

5 Bureau of Industry and Security, Administrative Enforcement Cases: Seagate Technology LLC, Case No. OEA-23-001, April 2023. Robert Bosch LLC settlement: BIS press release, August 2023. OFAC 2023 civil penalties: Office of Foreign Assets Control, 2023 Annual Report, U.S. Department of the Treasury, 2024.

6 Export Administration Regulations, 15 C.F.R. §734.2(b)(ii). Available at the Electronic Code of Federal Regulations, https://www.ecfr.gov.

7 Nvidia Corporation, Annual Report on Form 10-K for the Fiscal Year Ended January 29, 2023, filed with the U.S. Securities and Exchange Commission, February 24, 2023. The $400 million charge related to A100 and H100 inventory affected by October 2022 BIS advanced computing chip controls.

8 Bureau of Industry and Security, "Commerce Implements New Export Controls on Advanced Computing and Semiconductor Manufacturing," press release, October 17, 2023. Updated performance thresholds addressed the A800/H800 redesign approach.

9 Emily Benson and Gregory C. Allen, "The Hidden Risk of Rising U.S.-PRC Tensions: Export Control Symbiosis," Center for Strategic and International Studies, October 2023, https://www.csis.org/analysis/hidden-risk-rising-us-prc-tensions-export-control-symbiosis.

10 FTI Consulting, Global Trade Compliance Survey: Export Control Risk in the Supply Chain, FTI Consulting Intelligence, 2023. Survey of trade compliance officers at multinational companies with revenues above $500 million.

Run Free Scan →

About the author

Jay Bimbrah, Co-Founder & COO. A former Scotland Yard counter-terrorism investigator, Jay has advised EMEA tier-1 banks and Lloyd's market firms on distinguishing real exposure from theoretical risk.