Export Control Compliance: SME Guide to US/Canada Trade

Your first cross-border sale is ready to close. The customer is in the other country. Your team has the invoice, the shipment details, and a signed statement of work. Then someone asks whether the software, design file, sample part, or technical support call is subject to export controls. That's usually the moment a founder realizes this issue isn't limited to military hardware or customs paperwork.

For small and mid-sized businesses operating between the U.S. and Canada, export control compliance is really about building a business process before a regulator forces one on you. In the U.S., the framework includes the EAR, ITAR, and OFAC sanctions rules, and controlled exports can include technology transfers and certain disclosures to foreign persons inside the U.S., not just physical shipments, as summarized by the U.S. Commercial Service overview of U.S. export controls. At Mayo Law, we help businesses in Toronto, the GTA, and across the border address these risks in matters that often touch both legal systems. Businesses expanding on both sides of the border should also think early about structure, ownership, and operations, especially when launch planning overlaps with trade compliance, as discussed in starting a business in both Canada and the U.S.

Introduction

An SME usually discovers export controls by accident. A bank flags a payment. A freight forwarder asks for a classification. A U.S. customer wants assurance that no restricted technology will be shared with its offshore team. A Canadian affiliate asks whether it can access a U.S. engineering repository.

That's the practical scope of export control compliance. It's the internal system a company uses to control shipments, software access, technical data, servicing, and counterparties before a transaction creates legal exposure.

A useful way to think about it is through a short operating checklist:

  • Know the item before you quote, ship, or grant access.
  • Know the parties before you onboard a customer, vendor, or reseller.
  • Know the destination and end use before you rely on a routine workflow.
  • Know the approval path if a license or internal escalation is required.
  • Know what you decided by keeping records that explain why.

For U.S. and Canada businesses, this isn't just a legal exercise. It affects sales timing, hiring, IT access, procurement, and post-sale support.

What Is Export Control Compliance

Export control compliance is the internal discipline a business uses to decide what it can ship, share, service, disclose, or allow others to access across borders or across nationality lines. It covers goods, software, source code, technical data, and hands-on support. It also covers reexports and in-country transfers, which is where many SMEs miss risk in U.S.-Canada operations.

A flowchart diagram explaining export control compliance with three core pillars: internal processes, regulatory adherence, and preventing illicit transfers.

For a small or mid-sized company, this usually becomes real in ordinary business activity. A sales team sends product specifications to a prospect in Ontario. A U.S. engineer gives a Canadian affiliate access to a design folder. A support manager pushes a software patch to a reseller. None of that looks like arms trading. All of it can trigger export control analysis.

The core pillars

A workable program usually includes these pillars:

  1. Management commitment
  2. Risk assessment
  3. Product and technology classification
  4. Party screening
  5. License analysis
  6. Recordkeeping
  7. Training and auditing

These elements matter because export controls fail in handoffs. Legal may understand the rule, but the error usually happens in quoting, onboarding, engineering access, shipping, procurement, or after-sales support. SMEs do not need a large compliance department to address that problem. They need a repeatable workflow, clear ownership, and records that explain why a transaction was approved, stopped, or escalated.

In the United States, the main starting point for many commercial businesses is the EAR. ITAR applies to defense articles, defense services, and related technical data. In Canada, businesses also need to account for Canadian export controls and, in many cases, the fact that U.S.-origin goods, software, and technology can remain subject to U.S. reexport rules after they enter Canada. That cross-border overlap is where smaller companies often need a single operating process instead of separate U.S. and Canadian silos.

Practical rule: If your business shares software, source code, design files, technical know-how, or support instructions with a foreign person or across a border, review export controls before access is granted.

What is the difference between EAR and ITAR

The difference is mainly about scope and sensitivity.

ITAR usually covers defense-related items and services. EAR reaches a wider set of commercial and dual-use items, including products that were designed for civilian markets but still raise national security, intelligence, or foreign policy concerns.

For SME owners, the business issue is less about memorizing agency lines and more about setting the right intake question. Ask whether the product, software, data, or service has military, space, encryption, sensing, advanced manufacturing, or other controlled characteristics. If the answer may be yes, the file should move to classification and licensing review before the team ships, demos, uploads, or grants system access.

Why non-experts get caught off guard

Many owners still associate an export with a package leaving a warehouse. Regulators use a broader concept. File sharing, remote troubleshooting, cloud repositories, product updates, visual inspections, and technical discussions with foreign nationals can all matter.

A common U.S.-Canada example is a U.S. parent company that gives a Canadian subsidiary shared access to engineering documentation stored on a U.S. server. Another is a Canadian company distributing U.S.-origin software to customers in third countries. The legal question is not whether the transaction feels routine. The question is whether the item, recipient, destination, and end use were checked before access or transfer occurred.

That is why export control compliance is a business process, not just a legal definition. The companies that handle it well build one intake and approval system that sales, engineering, HR, IT, logistics, and support can all use.

Assessing Your Company's Export Control Risk Profile

Treating export controls as a niche issue leads to expensive mistakes. For an SME, the problem usually starts with an ordinary business decision: giving a Canadian engineer access to a U.S. repository, sending product data to a reseller, or enabling remote diagnostics for a customer outside North America. If the item, software, or technical data is controlled, that routine step can trigger U.S. or Canadian export rules before anyone in the company calls it an export.

An infographic showing the severe consequences of non-compliance, including fines, imprisonment, and reputational damage.

The legal exposure is real. U.S. agencies can impose civil penalties, criminal penalties, denial of export privileges, and debarment in the right case. Penalty amounts change over time, so companies should rely on the current primary sources rather than summaries. For example, the U.S. Department of State publishes current civil monetary penalty adjustments for ITAR matters in the Federal Register, and the U.S. Department of Commerce does the same for EAR matters through BIS penalty notices and regulations. For business owners, the practical point is simpler: even one bad transfer can create a problem far larger than the value of the shipment or contract.

Where SMEs usually have real exposure

Risk rises when the business model creates frequent cross-border transfers, limited visibility into end use, or loose control over technical information. In practice, I see higher exposure in companies that:

  • Build or customize technical products such as software, electronics, sensors, aerospace parts, telecom tools, or advanced manufacturing components
  • Share technical data across borders between U.S. and Canadian affiliates, contractors, developers, or support teams
  • Use distributors, integrators, or resellers without a clear process to verify end users, destinations, and end uses
  • Provide remote service through screen sharing, file transfer, patches, cloud access, or troubleshooting sessions
  • Handle technology rights loosely, especially where product support overlaps with software and technology licensing arrangements
  • Scale sales quickly before anyone assigns responsibility for classification, screening, approvals, and records

The key trade-off is speed versus control. Fast-growing SMEs often centralize sales and decentralize engineering access because it helps close deals and support customers. That approach saves time in the short term and creates compliance blind spots later.

Who is responsible for export control compliance in a company

Responsibility is shared. Accountability starts with management.

A workable program does not require a large legal department, but it does require clear ownership. Someone has to decide who classifies products, who screens parties, who reviews restricted destinations and end uses, who approves access to controlled technical data, and who keeps the records. If those tasks are scattered informally across sales, operations, and IT, gaps appear quickly.

Here is a practical allocation model for SMEs:

Function | Typical role
Leadership | Approves policy, sets risk tolerance, and gives escalation authority
Legal or compliance | Interprets rules, reviews edge cases, and documents decisions
Sales | Flags destination, end-user, reseller, and unusual end-use issues
Engineering and product | Identifies controlled features, technical data, and product changes
IT | Controls system access, permissions, and audit logs
Operations and shipping | Confirms approvals before release, shipment, or transfer

That structure matters in U.S.-Canada operations because many transfers happen through shared systems rather than physical shipments. If HR onboards a foreign national, IT grants repository access, and engineering uploads controlled files without a review gate, the company has already created risk.

A cross-border scenario that surprises people

A Canadian manufacturer sells industrial equipment into the U.S. and later offers remote diagnostics from Toronto. The equipment contains U.S.-origin software, and a customer asks for access credentials for its maintenance affiliate in Asia. Sales sees a service upgrade. Engineering sees a support ticket. Compliance should see at least three separate questions: how the item is classified, who the end users are, and whether the software or related technical data can be released to that affiliate.

The same pattern appears in the other direction. A U.S. software company hires a developer in Canada and gives that developer access to code repositories, test environments, and technical documentation on day one. If any part of that material is controlled, the issue is whether access was reviewed and authorized before credentials were issued.

For SMEs, risk assessment works best as a short operational checklist, not an abstract legal exercise. Map what you sell, where it goes, who can access the technical information, whether U.S.-origin content is embedded in Canadian operations, and which teams can release data or product updates without a second review. That combined U.S.-Canada map will show where your real exposure sits, and where controls need to be added first.

Your Core Compliance Workflow: Classify, Screen, and License

The most reliable workflow is simple in concept and demanding in execution. Classify first, screen second, analyze licensing third, then document the reasoning. That sequence reflects repeated compliance guidance, and exporters remain responsible for their own classifications even when a supplier provides a code, as summarized in this export control workflow guidance.

A diagram illustrating a three-step export compliance workflow involving classification, screening, and licensing of goods.

A useful companion issue is ownership and use rights around technical materials. If your export analysis overlaps with software rights, technical data permissions, or commercialization terms, the legal treatment often sits close to broader technology licensing issues.

How do I classify my product for export

Start by answering one question clearly. What exactly are you exporting?

That sounds basic, but many errors begin with a vague product description. “Industrial controller,” “AI software,” or “engineering support” isn't enough. You need a concrete description of the hardware, software, technology, and technical data involved.

Classification usually requires looking at:

  • The item itself and what it does
  • Embedded software and whether updates change functionality
  • Associated technical data such as drawings, source code, or manuals
  • Performance characteristics that can move an item into a controlled category
  • Origin and content if U.S.-origin components or technology are involved

A supplier's classification can help, but it doesn't shift responsibility. If the supplier is wrong and you rely on it without review, regulators won't treat that as a complete answer.

Working rule: Classify the product that actually ships or is accessed, not the marketing label on the quote.

Screen every party, not just the buyer

Once you know what the item is, the next question is who is involved.

Screening should cover more than the customer named on the invoice. It should also include distributors, resellers, freight intermediaries, ultimate end users, service recipients, and in some cases related parties that appear during onboarding or order changes.

Screening also shouldn't be a one-time checkbox. Transactions evolve. A customer may change the delivery address, substitute an affiliate as end user, or ask for post-sale support from a different country. Each change can alter risk.

A practical screening file should capture:

  • Customer identity and ownership details where relevant
  • End-user information and any intermediary parties
  • Destination country and any alternate support locations
  • Stated end use in enough detail to be meaningful
  • Date of the screen and who reviewed it

Do I need an export license

Maybe. The answer depends on the combination of item, destination, end user, and end use.

That's why licensing cannot be assessed in the abstract. A product that can move without a license to one destination may require review or authorization for another. The same applies when a routine support call turns into a transfer of technical know-how.

Small companies often lose control of the process. Sales wants speed. Engineering wants to help the customer. IT grants access to a shared drive. No one pauses to ask whether the transaction changed.

Here is a workable internal decision path:

  1. Classify the item or technology
  2. Identify all parties and the actual end use
  3. Review the destination and any sanctions concerns
  4. Decide whether a license, exception, or escalation is needed
  5. Record the basis for the decision before release or shipment

What works and what doesn't

What works is a front-end intake gate. Quotes, shipments, software access, and technical support requests should trigger the same review questions every time.

What doesn't work is relying on tribal knowledge. I've seen companies say the same customer has bought the same item for years, so no one re-checks anything. Then the product changes, the customer's affiliate changes, or the support model changes. The legal answer changes with it.

Another weak approach is splitting the process across disconnected tools. If classification sits in one spreadsheet, screening in someone's inbox, and licensing notes in a shipping folder, you don't have a defensible record. You have fragments.

Building Your Export Management and Compliance Program (EMCP)

A transaction-by-transaction review helps, but it's not enough. A company needs a written system that tells people what to do before, during, and after a controlled activity. That's what an Export Management and Compliance Program, or EMCP, is for.

An EMCP matters for two reasons. First, it makes the business more consistent. Second, a documented EMCP can be treated as a mitigating factor in penalty decisions, and the benchmark includes management commitment, risk assessment, controls, training, recordkeeping, and continuous improvement, according to Kansas State University compliance guidance on EMCP elements.

An infographic titled Key Elements of an Effective EMCP outlining seven essential steps for export control compliance.

Mayo Law works with businesses across the GTA and on cross-border matters. Joseph Mayo is licensed in Ontario and New York, so clients with U.S. ties can coordinate legal work in one place rather than juggling two firms. For companies assigning ownership internally, it also helps to define compliance officer responsibilities in writing before a problem tests the structure.

What should be in the written program

A usable EMCP should cover the following:

  • Management commitment with a written statement and real authority
  • Risk assessment tied to products, markets, users, and data access
  • Written procedures for classification, screening, licensing, and escalation
  • Training for people who touch sales, engineering, IT, support, and shipping
  • Recordkeeping with a consistent retention and retrieval process
  • Audit and improvement so the program changes when the business changes
  • Reporting channels for potential violations or near misses

The strongest controls are often not glamorous. Access restrictions for technical data, repeat screening, and clear audit trails do more for risk reduction than a polished policy binder no one uses.

A tale of two companies

Company A receives a regulator inquiry about a historical transfer of controlled technical material. It has a written policy, transaction files, access logs, screening records, and named decision-makers. The review is still stressful, but the company can reconstruct what happened and why.

Company B gets the same inquiry and starts searching old emails. Engineering used shared folders. Sales kept customer notes in a CRM field no one standardized. A supplier's code was copied forward for years without review. The legal position may not even be worse, but the company looks unprepared and unreliable.

A regulator often learns as much from your records and response discipline as from the underlying transaction.

Why SMEs benefit operationally

A good EMCP isn't just a shield. It speeds cleaner approvals.

When classification decisions are maintained centrally, onboarding questions are standardized, and escalation thresholds are clear, fewer deals stall at the last minute. Teams know when to proceed and when to stop. That lowers internal friction.

For U.S.-Canada businesses, this also reduces the common cross-border mismatch where the U.S. side assumes Canada can take over a support function freely, while the Canadian side assumes the U.S. already cleared the issue. Written procedures close that gap.

Responding to Breaches and Auditing for the Future

Even disciplined companies find issues. A reseller may have provided incomplete end-use information. An employee may have granted access too broadly. A software update may have reached a destination that should have triggered review.

The first step is to stop the activity. Freeze the shipment, access, or support work that may be problematic. Then preserve records immediately, including emails, access logs, screening records, shipping files, contracts, and technical documentation.

What to do first

Use this order:

  1. Stop the relevant activity
  2. Preserve documents and system records
  3. Investigate under legal privilege where appropriate
  4. Determine scope and root cause
  5. Assess remedial action and disclosure options

If the facts suggest a serious issue, involve counsel early. A breach can become both a regulatory matter and, in some cases, an investigation issue. Where that risk rises, companies should understand how export problems can intersect with broader white collar defense concerns.

Why audits matter

Audits aren't punishment. They are stress tests.

A useful audit asks whether the written program still matches the business. New products, new code repositories, new service models, new countries, and new channel partners can all make an older process obsolete. The most useful audits also review near misses, not just confirmed violations.

Audit the handoffs. Most failures happen where sales, engineering, IT, and operations assume someone else checked.

Frequently Asked Questions

What is a deemed export

A deemed export is the release of controlled technology or technical data to a foreign person in circumstances where the law treats that release as an export, even if nothing physically crosses a border. For SMEs, this issue often appears through engineering access, source code repositories, technical training, or support discussions involving foreign nationals.

How much does building an export compliance program cost

There isn't a universal cost because the scope depends on your products, technology, customer base, markets, and internal systems. A simple reseller model costs less to assess than a business sharing software, design files, and post-sale support across borders. The better comparison is usually not legal spend versus zero. It's preventive spend versus disruption, delayed deals, and enforcement risk.

Can a Canadian company be liable for violating U.S. export laws

Yes, that can happen. U.S. export controls can affect non-U.S. companies when they handle U.S.-origin items, software, technology, or transactions with a sufficient U.S. nexus. That's why Canadian companies distributing U.S. products or accessing U.S.-controlled technical data shouldn't assume U.S. rules stop at the border.

What are the first steps after discovering a potential violation

Stop the activity, preserve records, identify who approved the transaction, and investigate the facts before anyone tries to “fix” the file informally. Internal chatter can make later review harder. If the issue touches confidential know-how, source code, or internal misuse of technical material, it can also overlap with trade secret misappropriation concerns.

Do small businesses really need formal export controls

If your business sells technical products, shares software or design files, works with foreign customers or affiliates, or employs foreign nationals with access to controlled information, then yes, some level of formal process is usually necessary. The system can be scaled, but it shouldn't be improvised.

Conclusion

Most SMEs start with one deal, one customer, and one practical question. Can we ship this, share this, or support this safely? Export control compliance gives you a repeatable way to answer that question before it becomes a problem.

The companies that handle this well don't memorize every rule. They build a disciplined process for classification, screening, licensing analysis, and documentation. That approach makes cross-border growth more controlled, more defensible, and much easier to manage over time.

How Mayo Law Can Help

A common SME scenario is straightforward on the surface. A U.S. company wants to send product data to a Canadian contractor, or a Canadian business wants to support a U.S. customer after shipment. The legal risk often sits in the handoff points, not just the shipment itself.

Mayo Law advises businesses that need a practical cross-border process, not a stack of rules with no operating plan. That work can include scoped risk reviews, product and technology transfer analysis, screening and licensing workflow design, recordkeeping standards, distributor and end-use review, and breach response when a transaction has already raised concerns.

For SMEs, the trade-off is usually time, cost, and internal capacity. A large company may have a dedicated trade team. Smaller businesses usually need a workable system that sales, operations, engineering, and leadership can follow without slowing every deal. Mayo Law helps clients build that system for U.S. and Canadian export control requirements together, so the business is not managing two disconnected compliance tracks.

To discuss your matter, visit Mayo Law's compliance practice as noted earlier.

Disclaimer

This article is for informational purposes only and does not constitute legal advice. Every situation is different. Consult a licensed lawyer about your specific circumstances. Mayo Law provides legal services through Mayo Law PC in Ontario and Joseph Mayo PLLC in New York.

Related Articles

Business owners handling U.S. and Canadian trade issues usually need more than a definition. They need adjacent guidance on investigations, cross-border operations, and how legal risk shows up in day-to-day decisions.

If your company is selling, shipping, or sharing controlled items, software, or technical data across the border, Mayo Law can help you assess the risk and set up a process your team can follow.

Joseph Mayo Partner
Joseph Mayo is an international lawyer licensed in Ontario and New York. He advises individuals, founders, investors, and businesses on immigration, real estate, business law, compliance, and white collar defense, with a focus on complex matters involving Canada, the United States, and international legal issues.

About the lawyer

Joseph Mayo

Joseph Mayo is an international lawyer licensed in Ontario and New York. He advises clients on real estate, business immigration, international business law, and white collar defense. With an NYU legal education and prosecutorial experience in New York, Joseph brings clear strategy, cross border insight, and steady guidance to complex legal matters.
