Christopher Salmon

Chief Executive

TLDR

This article explores why encryption has transformed export controls from a technical compliance issue into a senior-level strategic risk. We’ll examine how software, cloud services, and embedded cryptography are regulated, why missteps attract sharper enforcement protocols, the questions leadership teams must ask to safeguard market access and maintain trust, and how to integrate legal, engineering, and product functions into global trade governance.

The practice of encryption – and how it materially changes the logic of export controls – is a reality trade regulators have been grappling with for the past decade.

Export controls were originally designed for visible, finite goods crossing physical borders – but the advance of technology, including digital encryption, has changed that logic. Encryption is intangible, embedded by default, continuously updated, and distributed globally in real time.

Undeniably, encryption helps to protect data, intellectual property, and commercial trust. However, it also potentially removes state visibility over how information is secured, transferred, and accessed. That loss of visibility – more than the mere presence of “security features” – is what places encryption squarely in the sights of export control regimes worldwide.

Today, encryption is no longer confined to specialist products, as it sits inside widely-used enterprise software, cloud platforms, connected devices, development tools, and internal systems. Regulators in the UK, EU, US, and allied jurisdictions increasingly view encryption as strategic infrastructure; and it is that shift which explains why enforcement, licensing expectations, and disclosure obligations have tightened, even as digital trade accelerates.

Encryption export compliance now sits at the intersection of national security, data governance, market access, and trust in global digital trade. Organisations that understand this reality are better equipped to unearth exposure before a transaction, collaboration, or product launch triggers regulatory scrutiny.

Why this matters

No longer a niche technical concern, encryption is a structural factor shaping global trade governance. Mismanaged or misclassified encryption can expose organisations to regulatory penalties, market restrictions, and reputational damage. Unlike tangible goods, software and embedded cryptography move instantaneously across borders, magnifying oversight gaps; leadership teams must understand where encryption resides in products, cloud services, and R&D collaborations, and ensure classification, licensing, and risk management processes keep pace with real-world usage. 

Treating encryption strategically – integrating legal, engineering, product, IT security, and trade compliance – transforms export compliance from a reactive obligation into a tool for market access, operational resilience, and trust in the digital supply chain.


What counts as encryption under export control rules

(It’s broader than you might think)

Encryption export compliance does not apply only to companies that “sell cryptography.” 

Controls extend to any technology that performs encryption functions, regardless of how incidental they may appear to the commercial offering. This includes: 

  • Software
  • Firmware
  • Source code that encrypts data at rest or in transit
  • Hardware products with embedded cryptographic modules
  • Cloud-based services or APIs that provide: 
    • Secure communications
    • Authentication
    • Key management

Crucially, even partial or supporting elements of cryptography (that is, the technical practice of encoding information into an unreadable format) can fall within scope. For instance, key generation, key exchange, identity verification, and access-control mechanisms are all routinely assessed alongside core encryption functions. In practice, the assertion that “we don’t sell encryption!” is likely to collapse under regulatory scrutiny, once a product’s architecture is examined end-to-end. For trade leaders, the risk lies less in intent and more in capability.

Compliance grey zones | Open source, updates, configuration choices

| Myth | Reality | Impact |
| --- | --- | --- |
| “Open source is automatically exempt” | Open-source encryption can still be controlled, depending on functionality and distribution | False assumptions here can lead to uncontrolled releases or cross-border access |
| “Mass market means low risk” | Mass-market status reduces licensing friction, not compliance responsibility | Ongoing reporting and governance obligations remain |
| “Updates and patches are operational noise” | Technical updates can materially change encryption strength or scope | Classification can shift without commercial teams noticing |
| “Only enabled features matter” | Regulators assess what a product can do, not just what is switched on | Architecture decisions create export exposure upstream |

The key takeaway? Product architecture increasingly defines export compliance risk. Encryption decisions made by engineering or product teams can, quietly, reshape regulatory obligations long before legal or trade teams are consulted.

Encryption export compliance codes (without legalese)

ECCNs, dual-use codes, and what boardrooms need to know

Encryption export compliance can often become clouded by dense classification frameworks, but the commercial implications are relatively straightforward (in theory, at least). 

In the United States, most encryption technologies fall under the Export Administration Regulations (EAR), typically within ECCNs such as 5A002 / 5D002 (more sensitive encryption) or 5A992 / 5D992 (mass-market encryption). That distinction determines where products can be sold, whether licences are required, and what disclosures must be made to regulators.

Across the EU, encryption is governed under the Dual-Use Regulation (EU) 2021/821, while in the UK it sits within the Export Control Order and Strategic Export Controls framework. While terminology and procedures may differ on certain points, the underlying logic is aligned through a widely accepted prioritisation of national security.

→ Ultimately, classification decisions shape market access: affecting licensing timelines, potentially restricting sales into certain jurisdictions or triggering reporting obligations, and influencing how products can be bundled, deployed, or updated. 

Why “mass market” and licence exceptions still carry risk

Licence exceptions and “mass-market” classifications are often misunderstood as a green light for frictionless global distribution. In reality, they reduce licensing burden; they do not remove compliance responsibility. 

Exceptions such as ENC in the US still require ongoing reporting, record-keeping, and internal controls, particularly when products evolve or encryption functionality changes.

Regulators are also shifting focus: instead of asking whether a company technically qualifies for an exception, enforcement increasingly examines whether the organisation operates a mature, repeatable export compliance programme. Weak change management, poor documentation, or lack of oversight around updates and releases can attract scrutiny even where legal eligibility exists.

Where compliance often breaks down

Cloud tech and SaaS at the border

In digital environments, exports don’t happen at the shipping terminal. Remote access to encrypted software, cloud platforms, or administrative interfaces can constitute an export at the moment an overseas user is granted access. Cross-border permissions, DevOps pipelines, support tools, and even monitoring dashboards increasingly fall within export control scope.

As a result, encryption compliance intersects directly with: 

  • Identity management
  • Access management
  • Cloud architecture
  • Vendor permissions

Decisions made by IT and engineering teams (often for speed or resilience) can invisibly create regulated export events, without anyone labelling them as such.

R&D, collaboration, and the spread of controlled code

Encryption exposure can also expand through collaboration: joint ventures, academic partnerships, outsourced development, and distributed engineering teams may all routinely share source code, test builds, and technical documentation across borders. When that code includes controlled encryption functionality, even temporary access for “review” or “testing” can trigger deemed export or re-export obligations.

These risks are frequently overlooked because they sit outside traditional trade workflows. However, regulators increasingly expect organisations to be proactive, and to understand how controlled code moves within their ecosystems – not just how finished products are sold.

The strategic fallout: why regulators treat encryption failures differently

Invariably, encryption failures are not viewed by regulators as isolated hiccups, glitches, or contained technical errors. Rather, they are seen as more profound structural breakdowns in governance. When encryption is misclassified, shared without control, or deployed without oversight, the regulatory concern is a tangible loss of state visibility into how sensitive technologies move across borders (not simply “non-compliance”).

From an enforcement perspective, poorly governed encryption can enable sanctions evasion, frustrate lawful interception, and amplify downstream risk across supply chains, platforms, and jurisdictions. A single lapse may scale globally in minutes, not in shipments. This is why penalties in encryption cases are often framed as governance failures rather than administrative mistakes.

There is also a deeper trust dimension. Encryption sits close to the heart of digital sovereignty and national security. Failures, therefore, erode confidence that organisations can be relied upon to self-govern powerful, often-opaque technologies. In that sense, encryption compliance breaches are treated more like breaches of institutional responsibility – which explains the sharper tone, higher penalties, and lower tolerance for “we didn’t realise” defences.

Questions for the boardroom 

Encryption export compliance should not be delegated wholesale to technical or engineering teams. It directly affects governance, risk, and strategy – and therefore deserves boardroom-level visibility. Leadership teams should be asking:

  • Where is encryption embedded across our products and services, including default, inherited, or third-party components?
  • Who can access controlled code, keys, or administrative functions, and from which jurisdictions?
  • How do product updates, patches, or configuration changes alter our export classification or licensing posture?
  • Are acquisitions, partnerships, or joint ventures introducing new encryption exposure we have not mapped?

These are questions of accountability, market access, and regulatory resilience… and they become considerably harder to answer once enforcement begins.

Encryption: a new fault line in global trade governance

Code now moves faster than goods, updates outpace licensing cycles, and access permissions matter more than fact-of-ownership. As a result, encryption export compliance sits uniquely at the intersection of legal interpretation, engineering design, product strategy, IT security, and trade governance.

Organisations that are able to smoothly integrate these functions (rather than managing encryption in silos) are best-positioned to reduce operational friction, protect global market access, and move faster with confidence and capability. 

Those that do not risk discovering – usually, too late – that software now carries significant geopolitical weight.

Safeguard your technological export control compliance with clearBorder →

Other interesting reads

Thought Leadership

Building commercial resilience with geopolitical risk forecasting

TLDR As we move towards 2030, and cross-border boardrooms face increasing turbulence, geopolitical risk forecasting has become a key capital allocation tool. Tariff volatility, sanctions layering, export control expansion, ESG enforcement, and maritime instability are all reshaping commercial decision-making. Firms that translate geopolitical signals into pricing, sourcing, contracting, and governance choices build structural resilience – while those that treat geopolitics as background noise risk absorbing avoidable shocks. Among executive teams, there may be a temptation to treat geopolitical disruption as cyclical. We see some executive teams interpret turbulence in the trading world as a troublesome, but temporary, condition. A conflict flares, a tariff is introduced, a sanction list expands, markets react and stability, eventually, returns. But the pattern of the past five years suggests that instability is not episodic, but enduring and cumulative. For instance: Trade policy is routinely deployed as a tool of leverage and statecraft. International regulatory systems are diverging, not converging.  Industrial policy is being weaponised in pursuit of strategic autonomy. Maritime and logistics routes are politically exposed.  Compliance regimes are branching into ESG, forced labour, and beneficial ownership transparency. Within this environment, geopolitical risk forecasting is much more nuanced than simply spotting news headlines early. It is about identifying the potential for structural shifts early enough to adjust strategy proactively, and thereby protect commercial positioning. Why this matters Geopolitical turbulence shapes margin, liquidity, market access, and investor confidence. Integrating geopolitical risk forecasting into governance protects capital and preserves optionality, while only responding after disruption materialises opens the door to compounding shocks that can erode competitiveness and long-term resilience.   
Real-world lessons The rapid reconfiguration of U.S. tariff authority The collapse of the IEEPA tariff regime and its replacement with Section 122, and then 301, demonstrate how quickly duty exposure can change. Pricing assumptions that were valid in January were rendered obsolete by March. The lesson → legal foundations matter as much as headline rates, and statutory fragility translates into pricing fragility. Maritime vulnerability in focus Shipping diversions around the Cape of Good Hope, combined with renewed tensions affecting the Strait of Hormuz, have reintroduced physical geography into corporate risk modelling. Freight premiums rise before vessels are blocked, and insurance markets can tighten before cargo is delayed. Energy pricing volatility ripples through chemicals, aviation, agriculture, and heavy industry. The lesson → risk often manifests through secondary effects (such as insurance, financing, or fuel) before it appears in delivery schedules. Export controls as industrial policy Semiconductor, end-use, and dual-use controls are instruments of competitive positioning. Derivative rules increasingly pull third-country firms into regulatory scope: a product assembled in one jurisdiction may inherit restrictions from a component sourced elsewhere. The lesson → jurisdictional exposure is now embedded in bills of materials. Cyber disruption As we saw in the case of the Jaguar Land Rover cyberattack, manufacturing can be halted and logistics interrupted by threats rooted in the digital world. Cyber incidents such as this show that, today, commercial systems are deeply interdependent. A compromised supplier, customs intermediary, or third party can disrupt trade flows just as much as a port closure. The lesson → even for firms dealing in physical goods, digital fragility is commercial fragility. 
Ethics enforcement as border enforcement Forced labour detentions and ESG-driven scrutiny reveal that reputational and regulatory exposure increasingly converge at the border. Governance lapses can freeze inventory in transit. The lesson → morals and values-based regulation has operational consequences. The horizon as of March 2026: where stress may emerge next   Tariff layering and statutory creativity With multiple trade statutes now in use (as in the U.S.), the probability of overlapping or sector-specific tariffs is high. Retaliatory measures by affected partners remain plausible. Even modest rate changes are likely to compress margins when stacked on existing duties and customs compliance costs. Sanction expansions in increments Rather than sweeping embargoes, recent patterns point towards gradual additions targeted at individuals, sectors, financial restrictions, or shipping designations. The commercial impact can accumulate quietly, in narrowing payment channels, shifts in insurance availability, or counterparties becoming higher-risk. Semiconductor concentration and technology bifurcation Tensions affecting semiconductor supply chains are unlikely to resolve in the near future. Advanced manufacturing and AI-related hardware are particularly sensitive to export licensing regimes. Fragmentation of technology ecosystems could increase compliance complexity for firms operating across multiple blocs. Energy corridor risk Escalation in the Gulf region continues to create volatility risk for LNG, oil, and petrochemical flows. For energy-intensive sectors, this becomes a forward margin issue rather than a spot-price issue, because markets price based on geopolitical probability – even in cases where physical disruption is absent. Regulatory divergence in ESG and SPS Environmental, social, and governance obligations are expanding across jurisdictions. Equally, SPS measures are divergent depending on region, particularly in agri-food and biotech sectors. 
This creates non-identical compliance architectures, and the potential for cost asymmetry between markets. Industrial overcapacity and protectionism Allegations of excess manufacturing capacity in steel, chemicals, renewables, and EV components may translate into further investigations and trade remedies. Protectionist responses tend to arrive quickly, with limited time for firms to pivot strategy.   From intelligence to decision architecture The difference between monitoring and forecasting lies in application. Where monitoring asks: what’s happening, or already happened? Forecasting (or horizon scanning) asks: if this happens, what changes inside our business? Therefore, the value in geopolitical forecasting is in the way it informs: Sourcing strategy: where are we overexposed to single jurisdictions? How quickly can we reconfigure suppliers? Contract design: do pricing structures account for tariff variability? Are force majeure clauses calibrated for regulatory intervention? Capital allocation: does planned investment assume regulatory convergence that may not materialise? Market prioritisation: are certain jurisdictions becoming structurally less predictable? Where commercial exposure can accumulate For a firm to assume they are diversified simply because they operate globally is laden with risk. In reality, risk concentration can hide in plain sight. For instance: A critical subcomponent sourced from one politically sensitive region. Dependence on a single export market vulnerable to retaliatory tariffs. Licensing reliance on evolving export control classifications. Contracts dependent on stable cross-border payment channels. It’s worth underscoring again that – while these exposures might not be critical in isolation – they compound exponentially when layered. Modern trade disruption is compound because tariffs can coincide with sanctions, energy volatility can overlap with cyber incidents, and regulatory divergence might intersect with ESG enforcement. 
Truly effective forecasting, therefore, must model correlation as well as probability.  Building geopolitical forecasting into governance For cross-border boardrooms, forecasting should include elements such as: Structured exposure mapping: product-level tariff sensitivity, sanctions touchpoints, licensing dependencies, supplier geography. Integrated external intelligence: policy tracking across major jurisdictions, not just home markets. Scenario stress-testing: modelling margin, liquidity, and delivery performance under multi-variable shocks. Clear oversight: defined risk appetite and escalation thresholds. Forecasting must have decision authority, not advisory ambiguity. Volatility is inevitable, while fragility is optional No firm can realistically insulate itself from geopolitical shocks completely. However, they can reduce the fragility of their position by: Diversifying input exposure Embedding compliance upstream Designing flexible contracts Aligning procurement incentives with risk-adjusted outcomes Integrating political risk into financial modelling The strategic dividend of foresight In a fragmenting global economy, predictability is valuable. Governments favour suppliers that deliver despite turbulence. Investors favour firms with visible governance discipline. Customers favour counterparties who do not pass on sudden shocks. In short, effective risk forecasting is preparedness translated into commercial advantage. For boardrooms then, the central question is: are geopolitical developments informing our strategy in real time, or being identified after already exerting an influence on our balance sheet? Ultimately, commercial resilience does not begin at the border, but is rooted in proactive horizon scanning. Contact clearBorder today for independent, expert horizon scanning and advisory → 

Building commercial resilience with geopolitical risk forecasting
Thought Leadership

Implementing trade ethics in a fragmented global economy

TLDR Trade ethics is no longer a reputational accessory; it is structural governance. In a world of sanctions expansion, forced labour enforcement, and geopolitical fragmentation, implementing trade ethics policies requires embedded oversight into procurement, classification, export controls, and supply chain design. Firms that treat ethics as infrastructure (not aspiration) protect revenue, reputation, and market access. In 2026, global trade is defined by fragmentation. Sanctions regimes expand with political tension. Forced labour prohibitions reshape sourcing strategies. Export controls are deployed as tools of statecraft. ESG disclosures expose supply chain blind spots that once remained buried in tier-three opacity. Perhaps more to the point, such fledgling ESG disclosure obligations are pulling trade governance into the sustainability spotlight. Under frameworks such as the EU Corporate Sustainability Reporting Directive (CSRD), the German Supply Chain Act, and emerging IFRS sustainability standards, companies must evidence not only environmental positioning, but human rights due diligence, sanctions exposure, and supply chain traceability. For sustainability leaders, this means that trade ethics is no longer peripheral to ESG reporting, but embedded within it. Export classifications, supplier vetting, and sanctions screening now sit alongside carbon accounting and climate disclosures as auditable governance artefacts. ESG reporting, in other words, is becoming a proxy lens for trade integrity. In such a rapidly-intensifying, regulated environment, trade ethics is not a soft, “nice-to-have” discipline – it is governance architecture. If trade compliance ensures you are operating legally, trade ethics determines whether you are operating responsibly… and whether your governance systems can withstand scrutiny from regulators, investors, customers, and civil society simultaneously. 
Among executive teams, the key challenge is no longer just defining corporate morals and values, but implementing trade ethics policies in ways that are operationally real, auditable, and commercially aligned. Contemporary events illustrate this clearly: tariff authorities are shifting in Washington; Section 301 investigations are expanding across allied and competitor economies alike; and forced labour enforcement continues to tighten across transatlantic markets. Being perceived as “on the right side of history” is not always straightforward. Political narratives move quickly, regulatory expectations shift, and alliances can evolve – what endures is not ideological alignment, but demonstrable neutrality, transparency, and procedural integrity. Firms that can evidence consistent, rules-based decision-making (rather than reactive positioning) are the ones most likely to withstand scrutiny from all angles. Why this matters Trade ethics have the potential to shape market access, investor confidence, and regulatory exposure. As sanctions expand and supply chain scrutiny intensifies, firms without embedded ethical governance may face operational disruption and reputational damage. Implementing trade ethics policies turns compliance into structural resilience; protecting revenue, safeguarding partnerships, and strengthening long-term competitiveness even in volatile global markets. Seeking assistance with trade compliance governance? Contact clearBorder today → What exactly do we mean by “trade ethics”? In essence, trade ethics refers to the structured governance of how a company conducts cross-border business beyond minimum legal thresholds. It includes: Ethical supply chain management Anti-corruption controls across intermediaries Human rights due diligence Responsible sourcing and procurement standards Sanctions integrity and diversion prevention Transparent reporting of trade exposure Where compliance answers the question: Is this legal? 
Trade ethics asks: Is this defensible? That distinction matters. Many enforcement actions in recent years have not emerged from outright criminality, but from governance gaps: reliance on third-party assurances, insufficient supplier vetting, or failure to interrogate beneficial ownership structures. Trade ethics, therefore, sits squarely within corporate governance in global trade. It is not an add-on to compliance. It is its strategic extension. Why trade ethics is now a boardroom-level issue Regulatory convergence is raising the required standard Across major economies, governments are converging on stricter expectations: Expanding export control lists and derivative rules Forced labour import bans Enhanced sanctions enforcement Mandatory human rights due diligence legislation ESG reporting requirements tied to supply chains As such, trade governance is not confined to logistics or customs teams. It intersects with legal, finance, procurement, sustainability, and investor relations. That intersection elevates the issue to board oversight. Reputational risk travels faster than goods Digital transparency has eliminated the concept of “plausible deniability.” Investigative reporting, NGO scrutiny, and social media amplification mean supply chain controversies escalate rapidly. Where ethical oversight is weak, reputational damage compounds financial exposure. It’s for this reason that trade ethics has become a reputational risk management discipline as much as a regulatory one. Investors are watching governance signals Capital allocation increasingly reflects governance maturity. Weak trade ethics signals fragility: exposure to sanctions breaches, forced labour findings, or corruption investigations. On the other hand, strong and ethical trade governance signals resilience. In a fragmented trade environment, resilience is investable. Trade ethics vs trade compliance: understanding the difference Trade compliance is reactive. 
It ensures adherence to customs law, export controls, sanctions regimes, and licensing frameworks. Trade ethics is anticipatory. It recognises that regulatory expectations evolve, and that ethical “failures” often precede legal enforcement. For example: Screening a counterparty satisfies sanctions compliance. → Investigating beneficial ownership and political exposure reflects trade ethics. Applying correct tariff classification satisfies customs compliance. → Interrogating whether a supply chain relies on exploitative labour practices speaks to trade ethics. Ethics extends compliance from technical accuracy to strategic integrity, and a truly mature trade risk management framework integrates both. Core pillars of an ethical trade framework Implementing trade ethics policies requires structure. At a minimum, companies should consider five interlocking pillars. Ethical supply chain mapping Visibility is foundational. Companies should map suppliers beyond tier one, identify jurisdictional risk exposure, and assess vulnerability to sanctions, forced labour allegations, or corruption risk. Without supply chain transparency, ethics becomes little more than rhetoric. Robust sanctions and export control governance Sanctions compliance governance must extend beyond automated screening. Key elements include: Escalation pathways for high-risk matches Clear ownership of licensing decisions End-use and diversion risk analysis Oversight of re-exports and intermediary arrangements Ethical governance recognises that compliance failures often occur through complacency, not intent. Anti-corruption and intermediary controls Cross-border trade frequently relies on agents, distributors, and customs brokers. These intermediaries introduce bribery and facilitation risk. 
Implementing trade ethics policies, therefore, requires: Structured third-party due diligence Clear contractual anti-corruption clauses Payment transparency controls Periodic audit rights Ethical procurement policy must extend beyond price competitiveness to behavioural standards. Procurement-embedded classification discipline Ethical trade begins upstream. Product classification, origin determination, and ECCN identification should occur at procurement stage… not at shipment stage. ERP systems should record: Part-level classification Origin traceability Supplier validation records Licence inheritance risks When classification is embedded early, downstream compliance becomes defensible. Governance and accountability Trade ethics cannot function without ownership. Boardrooms should be asking: Who holds ultimate accountability for trade ethics? Is there a defined ethical trade risk appetite? How are ethical trade breaches escalated? Is ethical performance reported alongside financial risk metrics? Without governance clarity, policies are only ever aspirations. Implementing trade ethics policies: a practical framework Translating ethics into practice requires operational discipline. Step 1: Define your position Establish clear red lines: Jurisdictions where trade is restricted beyond legal minimums Categories of goods requiring enhanced scrutiny Counterparty risk thresholds This definition should align with corporate values and risk appetite. Step 2: Embed controls into systems Policies must be reflected in operational workflows. This includes: Integrated ERP controls linking procurement to export classification Automated but supervised sanctions screening Supplier onboarding protocols with documented due diligence Contractual safeguards addressing labour standards and diversion Systems create consistency. Consistency creates defensibility. Step 3: Align ethics with commercial incentives Ethical trade cannot sit in tension with commercial KPIs. 
If procurement is rewarded solely on cost reduction, ethical sourcing may erode under margin pressure. Governance structures ensure ethical metrics carry operational weight. Step 4: Monitor, audit, adapt Regulatory fragmentation ensures that today’s compliant structure may become tomorrow’s exposure. Continuous monitoring – including periodic internal audits, horizon scanning, and supplier reviews – is critical. Ethical trade governance is iterative, not static. The commercial case for trade ethics Among many firms, we see a persistent misconception that trade ethics slows growth. In reality, it is actually poorly governed trade that hinders business success. Firms without structured trade ethics may face: Shipment delays from sanctions misalignment Contract termination following reputational fallout Retrospective enforcement exposure Investor scepticism Market exclusion in high-standard jurisdictions By contrast, firms that implement trade ethics policies effectively unlock optionality. They can: Enter sensitive markets with confidence Engage in strategic sectors without governance blind spots Absorb regulatory shocks with less disruption Demonstrate resilience to investors and partners Ultimately, ethical trade governance reduces volatility, and reduced volatility enhances long-term value. Final thought: ethics is infrastructure Trade ethics should function much like customs infrastructure: largely invisible when designed correctly, but foundational to everything that moves across borders. In a fragmented global economy – where tariffs, sanctions, export controls, and ESG scrutiny evolve continuously – senior decision-makers must decide whether ethics will be inspected at the border… or engineered at source. The former invites exposure. The latter builds resilience. For boardrooms navigating geopolitical volatility, trade ethics has moved beyond moral aspiration towards structural commercial defence. And, in 2026 and beyond, defensibility is strategy. 

The “NLR” Mirage: What the £39M AOG Technics Fraud Reveals About Embedded Compliance

TLDR

The £39M AOG Technics fraud shows how easily global supply chains can be exploited when exporters rely on “No Licence Required” assumptions. Vincent Gary Taylor argues that compliance cannot be inspected at the border – it must be embedded at procurement, with part-level classification, supplier verification, and robust digital traceability.

Author: Vincent Gary Taylor, FCIEx

Read more from Vincent here → https://vgts-thought-and-poems.ghost.io/

In the world of export controls, we often say that the paperwork is as important as the product. But what happens when the product is a fiction and the paperwork is a forgery?

The AOG Technics scandal – a £39M fraud perpetrated by a “chancer” selling fake aircraft parts – is more than just a headline about aviation safety. For the clearBorder community, it is a massive wake-up call regarding the fragility of “No Licence Required” (NLR) status and the urgent need for embedded compliance.

Why this matters

The AOG Technics case highlights a structural vulnerability in modern export controls: trusted trade systems depend on accurate upstream data. When components classified as “No Licence Required” move through frictionless customs channels, weak procurement controls can allow falsified goods to enter global supply chains undetected.

As export control regimes evolve – including the UK’s new 500-series listings – regulators are likely to place greater emphasis on traceability, supplier verification, and part-level classification. For aerospace primes and Tier-2 manufacturers alike, this means compliance expectations are shifting upstream. Governance must move beyond shipment-stage checks toward embedded controls within procurement, ERP systems, and Bills of Materials, where risk is first introduced.

A Walter Mitty world with real-world consequences

I first read about the sentencing of Jose Alejandro Zamora Yrala this week in The Independent. For many, it was a headline about aviation safety; for me, as an aviation specialist with 28 years in the Fleet Air Arm, it hit a visceral nerve.

My transition from the Royal Navy to the civilian world saw me serving as an export licensing officer for the then-Export Control Organisation (ECO). This was back when the vetting officers were led by the Department of Trade and Industry (DTI), operating in the high-pressure wake of the Scott Report and the Matrix Churchill episodes. Those of us in the room during that era saw the “old guard” of the 1939 Emergency Powers fall away to make room for a new standard of accountability. I learned then that export control is not just an administrative hurdle; it is a frontline defence against those who would exploit the gaps in global trade.

Zamora Yrala – an ex-techno DJ – operated in a “Walter Mitty” world of faked LinkedIn profiles and a shell company called AOG (ironically, an industry acronym for Aircraft On Ground). He bought old “Aircraft General Standard” (AGS) stock – the nuts, bolts, and washers we all know – and paired them with Certificates of Conformity (CofCs) manipulated on a home computer.

On 23rd February 2026, he was sentenced to 4 years and 8 months for fraudulent trading. While the Serious Fraud Office (SFO) led the charge, the export implications are staggering. These parts moved through the UK border via the Customs Declaration Service (CDS), destined for global fleets and likely transported by unwitting Fast Parcel Operators.

Why the border “stayed invisible” (until it didn’t)

clearBorder believes in the “invisibility” of customs – where trade flows on a bed of trusted data. The EU is currently proposing a “Trust and Check” system, similar to AEO, to facilitate smoother movement across the 27 Member States and beyond.

However, the AOG case proves that rogues rely on this very invisibility. Because AGS parts are typically designated as NLR, they often go through “on the nod” without a CDS challenge. The HS codes for these parts do not trigger restrictions like EX005 unless destined for a sanctioned country. This individual was clever; he didn’t target sanctioned states. He chose the EU and US airline industries, causing £39M in damage because the “system” saw no reason to stop him.

This brings me to a critical development from December: the ECJU’s Notices to Exporters (NTE 2025/30 and 33). The UK has introduced new 500-series elements to the Strategic Export Control Lists, replacing several previous “PL” national entries. Currently, these primarily affect Category 3 (Electronics) and Category 4 (Computers).

My concern? There is a glaring gap in Category 9 (Aerospace) and Category 8 (Marine). If a fraudster can dupe the world with fake bolts, surely these categories are the most prone to strategic fraud.

The shift to embedded compliance

In my 20+ years in the customs world, including achieving two AEO awards, I’ve learned that you cannot “inspect” compliance into a product at the border. It must be embedded at the point of procurement.

If you are a Tier 2 manufacturer or an aerospace prime, the AOG scandal and the new 500-series listings require a change in appetite:

- Scrub your SAP/ERP systems: ensure every ECCN is logged at the piece-part level. Do not rely on “blanket” NLR assumptions.
- Beware the “500-Series” inheritance: under new UK rules, if your finished component contains just one 500-series controlled article, the entire assembly may inherit that control status. Your once-safe “ML11a” electronics (say PCBAs) might now require a SIEL instead of an OGEL.

I suspect the ECJU, in my next audit, will want a “back-to-birth” look at my Bills of Materials (BOMs) – proving the digital provenance of the part and that the supplier was vetted under a robust Know Your Customer (KYC) policy.

The 500 vs 600 confusion

We must beware of “false friends” in ECCN numbering. For example, if your BOM contains US ECCN 9A515.e.1, do not mistake that “5” for a low-level commercial classification. In the US eCFR system, the 515-series is a “Spacecraft” control – a legacy of Export Control Reform. While it sits on the Commerce list (EAR), it carries heavy “Regional Stability” and “National Security” baggage. I recall also that 600 series are also embedded in the US Commerce Control List (CCL), so be aware of them if received by your procurement teams.

The devil in the granularity

Take US ECCN 3A001.a.5.a.5, for example. To a non-specialist, this is just a high-energy storage capacitor. However, once that component hits a specific technical threshold (like a repetition rate of 10 Hz or more), it moves from “standard” to “strategic.” If you ignore the dots and run the OGEL checker, you will find a match – but remember: military trumps dual-use.

Building an export strategy on a foundation of supplier-provided “vague descriptions” is a recipe for disaster. Much like the AOG Technics “chancer,” relying on unverified data can turn a routine shipment into a major compliance breach the moment it hits the CDS.

Final take: trust, but verify

The SFO got their man because a maintainer in Portugal noticed a bolt didn’t fit. We cannot rely on “fitment” as our final compliance check.

As I prepare for an upcoming ECJU audit in my “retirement” years, my advice is simple: extra due diligence is no longer optional. To keep the border invisible, our compliance must be visible, verified, and embedded in every purchase order. We must check the “trace” now, or we risk more than just our licences – we risk the very trust our borders are built on.