Skip to content
Magist
AnalyzeRegulationsVendorsCounselUpdatesCompareAbout
← All Controls

End-use / end-user controls tracking

end-use-controls-trackingDomain: trade-sanctionsType: process

Description

End-use and end-user controls are the tier of export-control law that operates above and beyond the destination-country sanctions list. The premise is that even a transaction with a non-sanctioned counterparty in a non-sanctioned country becomes prohibited if the goods, software, or technology are destined for a prohibited end use (military, nuclear, missile, biological, chemical, or cyber-intrusion applications, with the specific scoping varying by regime) or for a prohibited end user (a Specially Designated National, an Entity List party, or a person known or reasonably suspected to be acting on behalf of one). Country-level screening is necessary but not sufficient. End-use screening is the layer that catches the otherwise-legal export that the regime intended to prohibit on the basis of where it actually goes rather than where it nominally goes. The rules sit in three parallel regimes that an export-active operator usually has to satisfy together. Under the US Export Administration Regulations the controls live in 15 CFR Part 744 and the supplemental Entity List, with the deemed-export rules at 15 CFR 734.13 reaching foreign-national-engineer access to controlled technology inside the US, and the Foreign Direct Product Rule at 15 CFR 734.9 reaching items produced abroad using US-origin tools. The EU Dual-Use Regulation 2021/821 carries equivalent end-use catch-alls in Article 4: weapons-of-mass-destruction concern (Article 4(1)(a) to (c)) and the newer cyber-surveillance catch-all (Article 4(1)(d)) that was the headline change in the 2021 recast. The UK Export Control Order 2008 expresses the same logic through Article 4 and Schedule 4, plus the UK-specific Security and Human Rights List that reaches items beyond the multilateral baseline. The operational decomposition is four steps. The intake form captures end-use and end-user information at the order-intake stage, in enough detail to support the screening (purpose of acquisition, ultimate end user, geographic location of end use, whether the item will be re-exported or incorporated into a downstream product). The screening evaluates the answers against the catch-all categories and against the relevant restricted-party lists at the time of the transaction; the timestamp matters because Entity List additions take effect on publication. The red-flag review catches the cases where the answers themselves are facially compliant but the surrounding context raises concern (a freight forwarder in a third country, an end user with no apparent legitimate use for the item, a route that is consistent with diversion). And the licensing or refusal decision documents the resolution, including the reasoning behind any decision to proceed without a license. The knowledge standard is the part that trips operators up. The rules attach not only to actual knowledge of a prohibited end use but also to reason-to-know, which the agencies construe broadly: BIS guidance treats a red flag that was not investigated as equivalent to knowledge of the underlying concern, and OFAC's enforcement framework operates on the same principle for sanctions-list circumvention. The documentation of what was asked, who answered, and what red flags were assessed therefore matters as much as the answer itself; "is-informed" letters from BIS to specific exporters are an extreme example of the same logic, but the same evidentiary burden applies whenever an export decision is reviewed after the fact. The cheapest operational pattern is to run the end-use screening as a documented checklist alongside the SDN screening, with the checklist captured per transaction rather than per customer; the per-customer model is faster but does not capture the changes in end use that frequently occur between orders.

Applicability

Applies when: markets include US, EU, or UK.

How predicates are evaluated

Required by (3 regulations)

  • US EAR

    15 CFR §744 + §734.13 — deemed-export rules for foreign-national engineer access; FDPR (§734.9) end-use evaluation for advanced-computing exports.

    15 CFR §744 + §734.13

    Source →

  • EU Dual-Use

    Regulation (EU) 2021/821, Article 4 catch-all triggers — non-Annex licensing required where end-use signals WMD, military, or human-rights concern (Article 4(1)(d) cyber-surveillance catch-all).

    Regulation (EU) 2021/821, Article 4 catch-all triggers

    Source →

  • UK Export Control

    Export Control Order 2008 Article 4 + Schedule 4 — UK Security and Human Rights List captures items beyond the multilateral baseline; cyber-tools end-use evaluation.

    Export Control Order 2008 Article 4 + Schedule 4

    Source →

Fulfilled by (1)

  • In-house build · high effort

Magist does not accept payment from vendors. Methodology.

Evidence formats

  • end-use certifications
  • red-flag log
  • is-informed letters

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions.

Magist

Pre-launch regulatory analysis for product teams. Built by a lawyer, designed for PMs.

Tools

  • Analyze
  • Guided walkthrough
  • Vendors
  • Find counsel
  • Saved analyses

Reference

  • Scope by business model
  • Scope by jurisdiction
  • App ratings
  • Regulations
  • Compare regulations
  • Enforcement
  • Browse Controls
  • Vendor coverage
  • Radar
  • Pulse
  • Changelog
  • Guides
  • Regulatory updates
  • Open data
  • Corpus license
  • Ontology
  • State of Compliance

Solutions

  • For legal teams
  • For engineering
  • For executives
  • For law firms
  • For investors
  • For teams →

About

  • About Magist
  • Methodology
  • Editorial standards
  • Reviewers
  • Coverage status
  • Corrections
  • Trust
  • Coverage scope
  • How we handle data
  • Sub-processors
  • FAQ

Built by Neel Patel, a practicing in-house games attorney. Games touch more compliance domains at once than anything else in tech — Magist was designed around that.

Magist provides legal information based on publicly available regulatory sources. It does not constitute legal advice and does not create an attorney-client relationship. Consult a licensed attorney in your jurisdiction before making compliance decisions. Operated by a Washington-licensed attorney. Not licensed in California or other US states. Magist provides legal information; consult a licensed attorney in your jurisdiction.

Magist is an instrument, not a consultancy. It does not sell compliance services or take payment from vendors for placement; the analysis is the same for everyone. No vendor, sponsorship, or referral fees, ever.

MethodologyLimitationsDisclosures

© 2026 Magist
TermsLicensePrivacySecurityLinkedIn