• On September 30, 2025, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) published a long-anticipated interim final rule expanding U.S. export licensing requirements to certain non-U.S. affiliated parties designated on the Entity or Military End-User (“MEU”) Lists of the Export Administration Regulations (“EAR”) or the Specially Designated Nationals (“SDN”) List maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”).
• Under the interim final rule, any foreign entity owned 50% or more, directly or indirectly, individually or in aggregate, by one or more entities on any of the Entity, MEU or SDN List are subject to such licensing requirements.
• Comments on the interim final rule are due on October 29, 2025.

Introduction

On September 30, 2025, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) published a long-expected expansion of U.S. export licensing requirements that now capture certain non-U.S. affiliates of parties designated on the Entity or Military End-User (“MEU”) Lists of the Export Administration Regulations (“EAR”) or on the Specially Designated Nationals List maintained by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”). BIS also made related updates to its Entity List FAQs.

The new requirements, known as the “Affiliates Rule,” are a rough equivalent to OFAC’s long-standing “50 Percent Rule,” which extends U.S. sanctions automatically to most legal entities owned 50% or more by one or more designated targets of U.S. sanctions. As such, the Affiliates Rule now establishes similar counterparty due diligence requirements—namely the need to assess counterparty ownership information—for transactions subject to U.S. export controls.

The Affiliates Rule was issued as an interim final rule, which means that, although comments may be submitted until October 29, 2025, the restrictions imposed under the rule change are now fully in effect.

The New Rule

Broadly described, the Entity and MEU Lists are supplements to the EAR’s end-user licensing requirements.

The Entity List identifies parties determined to be, or that pose a significant risk of being or becoming, involved in activities that are contrary to the national security or foreign policy interests of the United States. Parties designated on the Entity List may be subject to a range of licensing requirements, with the most restrictive being a licensing requirement for all items subject to the EAR coupled with a presumption of denial.

The MEU List includes certain entities that BIS has determined fall within EAR end-user licensing requirements that target the militaries of Burma, Cambodia, China, Nicaragua, and Venezuela. Entities designated on the MEU List are subject to licensing requirements, under a presumption of denial, for a range of particular items identified in the EAR.

For both lists, BIS historically applied a “legally distinct” standard under which licensing requirements applied only to the listed entity. Consequently, prior to the Affiliates Rule, undesignated subsidiaries and other close affiliates did not trigger the same licensing requirements as entities actually designated on the Entity or MEU Lists. In the Affiliates Rule, BIS explained that this treatment “can enable diversionary schemes” by listed entities and that, prior to the new rule, BIS had “to expend substantial efforts to address the tactics that listed entities would adopt to circumvent their placement on the Entity List.”

As such, the Affiliates Rule appears to be a meaningful revision to U.S. policy by introducing a new presumption that certain close affiliates of an entity determined by U.S. authorities to be involved in activities contrary to the national security or foreign policy of the United States are effectively at significant risk themselves of becoming involved in the same (e.g., diversion to their designated affiliate), merely because of their corporate relationship with the designated entity.

Key points of the Affiliates Rule and its implications include:

• Scope. Licensing requirements now apply to any foreign entity that is owned 50% or more, directly or indirectly, individually or in aggregate, by one or more entities on any of the Entity List, MEU List or Specially Designated Nationals List (“SDN List”). Note that ownership aggregates across all of these lists, meaning that companies performing counterparty diligence for export compliance must now screen intermediate and ultimate owners against all three lists.

• Potentially Rebuttable Presumption. Requests for case-by-case exceptions for particular entities that otherwise would be captured by the new rule because of ownership by an Entity or MEU List designee will be considered; presumably, the requesting party must credibly demonstrate that the particular entity subject to the exception request does not present a risk of acting contrary to the national security or foreign policy of the United States.

• Rule of Most Restrictiveness. Where multiple designees hold relevant ownership interests, the most restrictive requirements apply. For example, if only one of several owners on the Entity List qualifies for a license exception under the EAR, that exception will not extend to transactions involving the owned entity.

• License Review Policy. Similarly, this rule of most restrictiveness means that license applications generally will be reviewed under the most restrictive license review policy applicable to the designated owner of an entity that is owned 50% or more by entities on the Entity, MEU or SDN List.

• Strict Liability. Under the EAR, exporters, reexporters and transferors face enforcement action on a strict liability basis for unauthorized exports, reexports or in-country transfers. This was less of a concern under the former “legally distinct” standard, as diligence to determine a counterparty’s designation on the Entity, MEU or SDN List was limited to identifying information of the counterparty itself and did not require acquiring and reviewing information on potentially numerous persons in the ownership chain. However, parties now face potential liability if they fail to conduct adequate ownership diligence and screening i.e., there is no regulatory safe harbor that recognizes attempts at diligence).

• Diligence Required. Exporters are now expected to conduct due diligence and implement appropriate compliance processes with respect to the ownership of relevant counterparties, including that exporters must (i) “act with caution” when dealing with entities in which listed persons hold less than a 50% interest and (ii) pursuant to a new “red flag” requirement in the EAR, seek a license prior to transacting if they are aware of potential ownership by a listed person but cannot determine if that ownership falls below the 50% threshold

Exceptions and Exclusions

The Affiliates Rule has limitations, including:

• U.S. Affiliates. Consistent with its general focus on transactions involving foreign countries, the Affiliates Rule targets only non-U.S. entities. It is not clear if this exclusion then extends to non-U.S. entities that may be owned by a U.S. affiliate.

• Unlisted MEUs. Only designated entities—those placed on the MEU List—are relevant under the Affiliates Rule; the ownership interests of non-listed MEUs are not considered.

• Other Designated Parties. The Affiliates Rule does not apply to parties on other BIS maintained lists, including the Unverified List, those subject to Denial Orders or those that merely share an address.

• Address Only Matches. The Affiliates Rule does not require extension of Entity List restrictions to persons that merely share an address with an Entity List designee (co-location with a designee on the Entity List is a red flag warranting additional diligence, but such concerns may not flow down to entities owned by the counterparty co-located with an Entity List designee).

• Temporary General License. BIS issued a Temporary General License (“TGL”) permitting certain transactions until December 1, 2025, if they involve only non-listed entities and certain jurisdictions or nationals thereof.

Practical Considerations

The greatest compliance burden will, of course, fall on parties directly engaged in export, re-export or transfer activities. Appropriate next steps include reviewing and updating relevant risk assessments and re-calibrating risk-based screening controls, including reviewing whether current screening providers are capable of addressing the newly expanded requirements, as necessary for exporters to comply with the Affiliates Rule.

However, meaningful implications of the rule change extend beyond these strict compliance requirements and include further considerations:

• Contractual Commitments. Increasingly, we have seen parties reference U.S. export control compliance in corporate agreements for a variety of risk-focused purposes, ranging from permitted activities for joint ventures to authorized use of credit proceeds and general representations about compliance with the EAR. In some cases, the new Affiliates Rule may substantially expand the scope of export-related representations or commitments.

• Policies and Procedures. Companies should assess their policies and procedures for conducting diligence on counterparties. Entities with opaque ownership structures or for which there is limited access to ownership data pose significant risk to exporters, reexporters and transferors (see the note above regarding the new red flag requirement to seek a license where a company knows that a counterparty has Entity, MEU or SDN List ownership but cannot determine the exact percentages).

• Other Regulatory Regimes. U.S. national and economic security regulations increasingly intersect, in some cases through explicit cross-references. We expect current cross-references to the Entity List, such as those found in the Outbound Investment Security Program and the regulations of the Committee on Foreign Investment in the United States (the “CFIUS”), to be updated in the near term to account for the broader scope of the Affiliates Rule. Such an update would result in the considerable expansion of these other rules as they relate to entities captured by the Affiliates Rule—e.g., a non-U.S. acquirer could be required to disclose to CFIUS whether it, any of its parents, or any entity of which it is a parent is subject to Entity List requirements.

• Financial Institutions. In October 2024, BIS issued guidance to financial institutions that included recommendations that “presence on a BIS restricted-party list” should inform a customer’s overall risk profile and that if, on review of a customer’s transactions, a bank identifies restricted-party involvement, additional due diligence on the customer should be conducted. Accordingly, the scope of banks’ export-related screening and diligence expectations have now greatly expanded.

It is difficult to overstate the implications of this change. Going forward, exporters and their intermediaries can no longer rely on “bright line” screening practices that focus on legal entity identification. At the same time, a number of international markets are making it more difficult to conduct counterparty screening, including as it relates to beneficial owners.

Taken together, companies should move quickly to ensure their risk assessments and related risk-based controls are appropriate for the changing circumstances. We think it likely that U.S. authorities will be eager to demonstrate the importance of compliance with these new rules through significant enforcement actions in the near term.

This publication is for general information purposes only. It is not intended to provide, nor is it to be used as, a substitute for legal advice. In some jurisdictions it may be considered attorney advertising.