Golden rule: if you are about to share technical details that would enable someone to design, produce, integrate, or improve the performance of a potentially sensitive item, stop and consult.
Export controls (ITAR/EAR, dual-use)
What is this in one sentence?
Rules that define which technology, software, or technical data can be shared (in person, by email, via repositories, at conferences, in the cloud, etc.), with whom, and from where—so you stay compliant, avoid sanctions, and keep research and teaching safe.
How we do it at SEIUM
- Screening of individuals/entities and end uses.
- Classification (ITAR? EAR/EU dual-use? not controlled?).
- Technology Control Plan (TCP): who can see what, and how it is protected.
- Licences or exemptions (where applicable).
- Execution with evidence (logs, labelling, technical controls).
- Closure and archiving.
Executive summary
To read in 2 minutes
Some technologies, software, and technical data are controlled by frameworks such as ITAR/EAR (US) and EU Dual-Use.
An export also includes granting access to repositories, sharing details in a video call, uploading code, or presenting a poster, if any of these contain controlled information.
Sharing controlled technology within the country with a foreign person also counts as an export.
First, classify and consult the Export Controls Office (OEC).
Essential glossary
The “traffic light” rule
The SEIUM process in 7 steps (clear and actionable)
Step 0 (activate the process): Are you going to share anything outside your team, present at a conference, open a repository, upload a preprint, send a prototype, run a demo, or host visitors? → Activate the process.
Screening:
- People/entities: we check sanctions and restricted-party lists.
- End use: what do they want it for? Where will it end up? If anything seems suspicious, we stop.
Classification:
- Brief document: ITAR (defence)? EAR/ECCN or EU Dual-Use? Or not controlled?
- Prepared by the PI with the OEC (we have a guide and template).
Technology Control Plan (TCP):
- Who has access (by role and nationality).
- Technical controls: IAM/MFA, geofencing, encryption, DLP, digital clean rooms, protected branches, no USB, no unauthorised mirrors.
- Physical controls: restricted lab, lockers/cages, no-photo in red zones.
Licences or exemptions:
- If needed, a licence is requested by the OEC/Empowered Official.
- If an exception applies, it is documented (verbal confirmation is not sufficient).
- Publications: export review before submitting any paper/poster/code.
Contracts:
- Export clauses in NDAs, subcontracts, purchasing, and collaboration agreements.
- Obligation to notify any changes in end user/end use.
Execution with evidence:
- Scope changes → reclassify.
- Immutable logs, export markings on documents/files, controlled downloads, segregated repositories.
Closure and archiving:
- Remove access, sanitise data, inventory what has been returned, and archive classifications/licences/TCP/logs.
Typical examples (so you do not get it wrong)
- A Git repository containing model weights that improve target tracking with radar or vision in extreme conditions → high risk. Do not publish without classification and a TCP.
- Conference presentation: if it includes parameters, curves, and procedures that enable reproduction of sensitive performance → requires export review.
- International lab visit: if visitors would see or photograph controlled test benches/drawings → restricted access, pre-briefing, no-photo policy, and escorted visit.
- International student on your team: if they will work with controlled technology, it is a deemed export → TCP and, if applicable, a licence.
- Portable demo (hand-carry): it may require a temporary authorisation and return documentation; coordinate with the OEC before travelling.
Minimum technical controls (IT/OT) — “low-friction, but serious”
- Identities & access: MFA, role/nationality-based IAM, geographic blocking where appropriate.
- Data & documents: classified/labelled (ITAR/EAR/DU/NC), encryption at rest and in transit, DLP on endpoints/email, visible markings on PDFs/drawings.
- Code repositories: protected branches, code owners, private by default, and export review before making anything public.
- Labs/OT: isolated OT networks, air gaps where needed, serial-number inventory, and camera controls.
- Endpoints: hardened laptops, access via VDI, no persistent local data.
- Evidence: centralised, immutable logs, retained in line with the applicable regime.
Roles at SEIUM (who does what)
- Empowered Official (EO): final authority, can stop a project and file licence applications.
- OEC (Export Controls & Research Compliance): classification, screening, contract support, templates, and record-keeping.
- Principal Investigator (PI): identifies risks, initiates classification, and implements the TCP.
- Lab/IT manager: applies technical controls, labels assets, and keeps evidence.
- Legal counsel: adds export clauses to NDAs/contracts and verifies flow-down obligations.
- DPO/Privacy: aligns export compliance with GDPR (international transfers of personal data).
Training, audit, and metrics
Training:
- Mandatory annual training (all staff and students who operate in labs or handle technical data).
- Advanced training for PIs, lab managers, purchasing, and project managers.
Metrics:
- Percentage of projects with documented classification.
- Average time from classification to decision.
- % training coverage (target ≥ 98%).
- Incidents and near misses (target: 0 critical).
- Lead times, where applicable.
Publications, open teaching, and open-source
Short FAQ (Frequently Asked Questions)
Yes, if you share controlled technology/data or detailed technical assistance.
A deemed export is granting access to controlled technology to a foreign national within the country.
Often yes, but you lose the exemption if there are restrictions on publication or participation based on nationality, or if you disclose critical technical details.
Only after export review. If sensitive, it is redacted/sanitized or kept closed.
Don't guess. Classify with the OEC: we have a decision matrix and examples of ECCNs by technology families.
Ready-to-use checklists
PI checklist:
- Have I activated the flow (Step 0)?
- Have I screened individuals/organisations and end use?
- Do I have the classification (ITAR/EAR/DU/NC) in a document?
- If applicable, is there a TCP and are the technical controls configured?
- Do I need a licence? If so, has it been processed/approved?
- Have I gone through export review if I am going to publish or present?
Lab/IT checklist:
- Tagged assets (controlled/uncontrolled).
- Access by role/nationality, MFA.
- Active encryption and DLP.
- Private repositories by default; protected branches.
- No photos in red zones; accompanied visitors.
- Up-to-date logs and evidence.
Internal templates and resources
- Quick classification guide + decision matrix.
- TCP (Technology Control Plan) template.
- Checklist of publications and conferences (export-review).
- Travel/hand-carry protocol.
- Model clauses for contracts/NDAs and flow-downs.
Consistency with other SEIUM policies
- Ethics, IHL, and human rights: we do not conduct operational/offensive training or bypass safeguards.
- GDPR and privacy: international transfers of personal data are also assessed under the GDPR (SCCs, minimization, DPAs).
- Safety & HSE: laboratories with integrated physical/operational security gates.
- Transparency & good governance: we publish aggregate metrics, never sensitive data.
Contacts
This guide combines regulatory rigor with practical explanations. The philosophy is “compliance-by-design”: classify before sharing, control access, document decisions, and publish responsibly. This allows us to avoid risks and keep SEIUM's mission alive: to promote advanced engineering with security.