EAR / CCL product classification process

ccl-classification-process
Domain: trade-sanctions
Type: process

Description

CCL classification is the entry-point determination for the US export-controls regime. Every exportable product, technology, or piece of software is assigned an Export Control Classification Number (ECCN) on the Commerce Control List, or is determined to be EAR99 (the residual category for items subject to the EAR but not specifically listed elsewhere). The classification then drives every downstream control: which destinations are licensable versus prohibited, which end users trigger additional review under the Entity List or military-end-use rules, which deemed-export rules apply to non-US-person employees during R&D activities, and what export-license exceptions (TSU for technology and software unrestricted, ENC for encryption, STA for strategic-trade authorization, others) are available.

A working classification process has three layers.

The technical analysis maps product features to CCL categories. This is a substantive engineering-plus-legal exercise rather than a paperwork one, especially for encryption-bearing products that touch Category 5 Part 2 (information security): the cryptographic primitives, key lengths, modes of operation, and whether the encryption is the primary function or ancillary all affect the classification outcome, and the analysis typically draws on both the BIS Definitions and the technical-note structure of the CCL itself.

The documented rationale records why the chosen ECCN is correct. Regulators credit a documented self-classification decision more readily than an undocumented one, and the documentation also functions as forward-looking guidance for product teams who later modify features in ways that might trigger reclassification.

The change-trigger discipline reclassifies when product features materially change. Classification errors compound badly: a product misclassified as EAR99 that should have been 5A002 has typically been shipping under the wrong rules for the entire intervening period, and the resulting voluntary self-disclosure to BIS is materially more expensive (in legal cost and in penalty exposure) than an upfront proper classification with periodic reaffirmation.

The statutory anchors are layered across three principal jurisdictions that an exporter typically resolves in parallel.

US: 15 CFR §738.2 establishes the classification framework, with the Commerce Control List itself in 15 CFR Part 774 Supplement No. 1 across the 10 categories. The CCATS process (Commodity Classification Automated Tracking System request via SNAP-R) is the route for items requiring a formal BIS ruling rather than self-classification.

EU: Regulation (EU) 2021/821 Article 3 plus Annex I covers the 10-category Wassenaar-aligned dual-use list, with Section II cyber-surveillance items added in the 2021 recast and Article 5 catch-all controls reaching items not on Annex I where end-use concerns arise.

UK: Export Control Order 2008 Schedules 2-3 covers the UK Strategic Export Control Lists (Military List, Dual-Use List, Security and Human Rights List), with the ECJU Goods Checker Tool as the self-classification surface.

Evidence formats that satisfy a regulator inquiry include classification memos per product or product family with the supporting technical analysis, CCATS letters where the operator has obtained a formal ruling, and the change-log showing how classifications were reaffirmed or revised against material product changes.

Applicability

Applies when: markets include US.

Required by (3 regulations)

  • US EAR

    15 CFR §738.2 + Annex Part 774 Supp. No. 1 — classify products/software against the Commerce Control List; CCATS process for items requiring a formal BIS ruling.

  • EU Dual-Use

    Regulation (EU) 2021/821, Article 3 + Annex I — classify items against Annex I (10 categories largely Wassenaar-aligned) plus Section II cyber-surveillance items added in the 2021 recast.

  • UK Export Control

    Export Control Order 2008 Schedules 2-3 — UK Strategic Export Control Lists (Military List, Dual-Use List, Security and Human Rights List); ECJU Goods Checker Tool for self-classification.

Fulfilled by (2)

  • descartes · partial · high effort · $$$
  • In-house build · high effort
    Typically requires outside-counsel input for novel products.

Magist does not accept payment from vendors.

Evidence formats

  • classification memos per product
  • CCATS letters where obtained

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Operated by a Washington-licensed attorney. Not licensed in California or other US states.

© 2026 Magist