Bosch Case Provides First Glimpse of NatSec Application of Department-Wide CEP
Roberto Gonzalez and Sam Kleiner of Paul Hastings unpack the DOJ National Security Division’s declination in the Bosch case, the division’s first under the new March 2026 enforcement policy, and what it signals for companies weighing whether to self-report a potential national security violation.
In June, the DOJ’s National Security Division (NSD) announced it had declined to prosecute German-headquartered Bosch in connection with alleged violations of US export controls. Notably, this was the first declination by the division under the DOJ’s March 2026 corporate enforcement and voluntary self-disclosure policy (CEP) and provides a first look at how the division will apply the CEP in the enforcement of national security laws, including export controls. The assistant attorney general for national security stated that the declination “reflects the clear benefits for companies that promptly disclose potential violations and fully assist in our investigations.”
In parallel with the DOJ’s declination, the Department of Commerce’s Bureau of Industry and Security (BIS) entered into a settlement with Bosch for the same alleged conduct, which included a $36 million civil penalty. The assistant secretary of commerce for export enforcement noted that this “action should serve as a warning to embrace compliance and as an example of the benefits of voluntary self-disclosure.”
The new CEP
In March, the DOJ released its first-ever department-wide CEP for criminal matters. Whereas the prior CEP applied only to the DOJ’s Criminal Division, the 2026 CEP applies to all corporate criminal matters handled by the Justice Department excluding certain antitrust violations.
Under Part I of the CEP, the DOJ “will decline to prosecute a company for criminal conduct” if the following conditions are met: (1) the company “voluntarily self-disclosed the misconduct” to a criminal component of the department; (2) the company “fully cooperated” with the investigation; (3) the company “timely and appropriately remediated the misconduct;” (4) there are “no aggravating circumstances.” Under the CEP, the company “will be required to pay all disgorgement/forfeiture as well as restitution/victim compensation payments resulting from the misconduct at issue.” The National Security Division confirmed that it would apply the CEP and that “voluntary self-disclosures concerning potential criminal violations of US national security laws” should be sent to a dedicated NSD inbox.
The CEP supersedes the division’s prior enforcement policy for business organizations. Under the prior policy, if a company met these requirements, the division “generally will not seek a guilty plea,” and the company would be granted a “presumption” of receiving a non-prosecution agreement. Under the new department-wide CEP, the DOJ has stated that it will decline to prosecute a company if these requirements are met.
Bosch declination
On June 17, the National Security Division announced it had declined to prosecute Bosch for violations of the Export Administration Regulations by two German subsidiaries — Bosch Sensortec GmbH and ETAS GmbH. As described in the declination letter, these two Bosch subsidiaries had re-exported to Huawei Technologies Co. and its entity-listed affiliates (collectively, Huawei) foreign-produced micro-electro-mechanical systems sensor products and software that were subject to the entity list foreign direct product rule. The entity list foreign direct product rule is a rule that subjects certain foreign-produced items to US export controls if they are produced using US software, technology or production equipment and prohibits the export, re-export or in-country transfer of such products to entities on the Entity List, including Huawei, absent authorization from the BIS.
The NSD’s declination letter noted that from September 2020 to September 2024, the two Bosch subsidiaries had sold more than $70 million worth of these sensors and software to Huawei, which resulted in Bosch making more than $11.4 million in pre-tax profits. The division noted that “Bosch’s trade compliance personnel were ill-equipped to provide accurate guidance on the (foreign direct product rule)” and found the business had “several missed opportunities where third-party companies identified potential applications of the foreign direct product rule to their products or equipment used in the provision of their service.”
The division explained the decision to issue the declination under the principles in the CEP and principles of federal prosecution of business organizations:
- Self-disclosure: The National Security Division noted “Bosch’s timely and voluntary self-disclosure of the conduct,” which Bosch made both to the National Security Division and the BIS “while still conducting its internal investigation.”
- Cooperation: The NSD noted “Bosch’s cooperation in this matter, including its disclosure of relevant facts about the conduct, the preservation, collection, and disclosure of relevant documents and information, and its prompt and voluntary responses to [the counterintelligence section’s] requests following Bosch’s voluntary self-disclosure.”
- Remediation: The division noted “Bosch’s timely and appropriate remediation.” This included “organizational changes, the addition of 66 employees to its trade compliance organization, the expansion of its U.S. trade compliance resources, and updates to internal policies and procedures to provide a clearer explanation of U.S. export controls jurisdiction and licensing requirements.”
- Adequacy of regulatory remedies: While not a factor under the CEP, the principles of federal prosecution of business organizations provides that prosecutors should consider the availability of civil or regulatory alternatives. Here, the division determined that there were adequate regulatory remedies, specifically the estimated $36-million penalty imposed by the BIS in a parallel resolution.
While the declination did not include a dedicated discussion of the absence of aggravating circumstances, the National Security Division did note Bosch’s conclusion from its internal investigation that the violations were based on “numerous mistakes” but that “Bosch does not believe those mistakes rose to the level of acting willfully.”
As a condition of the DOJ declination, Bosch agreed to disgorge the full $11.4 million in pre-tax profits. The DOJ credited Bosch with more than $7.8 million paid in the BIS settlement, making the disgorgement amount approximately $3.6 million.
BIS consent order
As noted, the BIS entered into a parallel settlement agreement with Bosch for more than $36 million for the same alleged conduct. The consent order noted that “Bosch’s U.S. export compliance team did not have sufficient expertise or resources at the time to adequately address” the foreign direct product rule and that “Bosch’s failure to have an effective U.S. export controls compliance program in place . . . contributed directly to the violations at issue.” The BIS noted that Bosch received multiple “warnings” from third-party companies stating that Bosch would not be able to provide the products processed by those companies to Huawei under the foreign direct product rule, and Bosch did not heed those warnings.
The BIS settlement of $36.1 million reflected half of the $72.2 million in goods and software that were re-exported to Huawei in violation of the foreign direct product rule. While the order did not provide a detailed explanation for the settlement amount, this is well below the maximum of twice the value of the transactions that the BIS can impose, and the order referred to several of the factors cited by the DOJ in the declination, including that Bosch timely filed a voluntary self-disclosure with the BIS, remediated the misconduct including through committing “significant resources” to its compliance program and “fully cooperated” with the BIS investigation. Under BIS regulations, a voluntary self-disclosure is a “mitigating factor” and, notably, a company’s deliberate decision not to disclose significant apparent violations is an “aggravating factor.”
The BIS also credited the disgorgement of $3.6 million pursuant to the DOJ declination, making the amount due to the BIS approximately $32.5 million.
Key takeaways
The Bosch declination offers an early indication that the NSD intends to apply the CEP in a manner that rewards companies that voluntarily disclose, cooperate and remediate misconduct, even if the matter involves items worth a significant sum or conduct that extends over a significant period. The declination is notable in that it is in the context of sales to a high-profile Chinese company on the Entity List, which has been a priority enforcement area under this administration as well as the prior one.
While the National Security Division had issued a declination in 2024 to a company where export control violations were committed by a single employee who engaged in fraud and contravened the company’s compliance requirements, Bosch’s declination is notable because the conduct did not involve the actions of a rogue employee but instead was part of the company’s standard operating practices over an extended period.
Here, Bosch filed a voluntary self-disclosure even while its own investigation was ongoing, cooperated with the division’s investigation and remediated the misconduct through significant enhancements to its trade compliance function. The declination may be a positive signal for businesses weighing whether to voluntarily disclose a potential violation of US national security laws, though it remains to be seen how the division will apply the CEP to other fact patterns. In particular, the declination letter notes Bosch’s characterization that it committed “numerous mistakes” in applying the foreign direct product rule and Bosch’s belief that those mistakes did not rise to the level of acting willfully. The NSD may take a different approach on facts that involve more serious conduct that could be characterized as aggravating circumstances under the CEP.
The DOJ declination and the parallel BIS settlement also underscore the importance of the correct application of complex export control laws that can have extraterritorial applications, including the foreign direct product rule. These regulations have been a significant area of focus for the BIS in recent years. Both agencies have emphasized that “U.S. export control laws may extend to items subject to the (Export Administration Regulations) anywhere in the world and to foreign persons who deal with them” because “the law follows the goods.” The actions by the DOJ and the BIS demonstrate their continued focus on enforcing US export controls, including with respect to non-US companies.