DOJ's National Security Division Issues First-Ever Corporate Declination Under New Department-Wide Enforcement Policy
International Alert
On June 17, 2026, the Department of Justice's (DOJ) National Security Division (NSD) announced the first-ever declination pursuant to DOJ's newly issued Corporate Enforcement and Voluntary Self-Disclosure Policy (CEP). NSD's declination resolved the DOJ's criminal investigation into allegations that Robert Bosch GmbH (Bosch), a German-headquartered engineering and technology company, violated the Export Control Reform Act (ECRA), and, in particular, the Export Administration Regulations' (EAR) Foreign Direct Product Rule (FDPR), when two of its non-U.S. subsidiaries exported products and software manufactured with equipment that was the direct product of U.S. software or technology to Huawei Technologies Co., Ltd., and its affiliates on the U.S. Department of Commerce's Bureau of Industry and Security (BIS) Entity List. NSD's declination makes clear that the CEP is operational and that there are meaningful benefits for companies who proactively meet the CEP's conditions.
The Department-Wide CEP
On March 10, 2026, the DOJ announced the first-ever department-wide CEP. Prior to the CEP, DOJ components maintained a patchwork of corporate enforcement policies, including one that the U.S. Attorney's Office for the Southern District of New York (SDNY) had only recently announced. The DOJ's new CEP applies uniformly across all criminal matters handled by departments within the DOJ and U.S. Attorney's Offices nationwide.
Under Part I of the CEP, the DOJ will provide a declination when a company meets the following four criteria:
- The company voluntarily self-discloses misconduct to an appropriate component
- The company fully cooperates with the DOJ's investigation
- The company timely and appropriately remediates
- There are no aggravating circumstances relating to, among other things, the egregiousness or pervasiveness of misconduct or the severity of harm
Even when there are aggravating circumstances, under Part II of the CEP, DOJ prosecutors may recommend a declination. In either circumstance, the declination will require a company to disgorge ill-gotten gains and pay restitution and victim compensation resulting from the misconduct at issue. Where a company cooperates and remediates but falls short of meeting the requirements for declination in Part I, the company may still be eligible for a non-prosecution agreement (NPA) with meaningful fine reductions and no compliance monitor.
The Bosch Matter
Bosch is a German company that supplies services and technology, including microchips for automotive and consumer electronics. Between September 2020 and September 2024, Bosch, through two of its non-U.S. subsidiaries, Bosch Sensortec GmbH (BST) and ETAS GmbH, allegedly exported over $70 million worth of foreign-produced Micro-Electro-Mechanical Systems (MEMS) sensor products and software to Huawei Technologies Co., Ltd., and its affiliates on the BIS Entity List without the required licenses or authorizations from BIS. Specifically, the DOJ alleged that the items at issue were subject to EAR's FDPR, which imposes a license requirement on certain foreign-made items that are made with U.S.-origin software or technology. According to the DOJ, the actions resulted in approximately $11.4 million in pre-tax profits for Bosch.
According to the DOJ and a Bosch spokesperson, upon learning of the exports, Bosch initiated an internal investigation and voluntarily self-disclosed the matter to the DOJ and BIS during the course of the investigation. The DOJ ultimately issued the declination based on its consideration of the factors in the CEP and the Justice Manual, Section 9-28.300 (Principles of Federal Prosecution of Business Organizations), including:
- Voluntary self-disclosure: Bosch proactively and voluntarily disclosed the misconduct to the NSD.
- Full cooperation: Bosch preserved and proactively produced relevant facts, information, and documents, and promptly responded to NSD's subsequent investigative requests.
- Timely and appropriate remediation: Bosch made organizational changes, imposed disciplinary action on responsible personnel, expanded its trade compliance function with 66 additional staff and expansion of its U.S. trade compliance resources, and updated its internal policies and procedures.
- Adequacy of the remedy: Bosch will pay approximately $36 million for 109 civil violations in a parallel civil enforcement action by BIS. In connection with the declination, Bosch agreed to disgorge over $11.4 million in profits, the full amount of the pre-tax gain from the transactions at issue. A portion of that amount was credited against the $36,184,680 civil fine Bosch paid in the parallel BIS action.
Notably, the declination letter highlighted that Bosch's internal investigation uncovered "numerous mistakes" in Bosch's application of the FDPR in connection with its sales to Huawei, but that "Bosch does not believe those mistakes rose to the level of acting willfully, as required for criminal violations under 50 U.S.C. ยง 4819."
Although the DOJ declined to prosecute Bosch, its declination letter made clear that the declination would not protect implicated individuals from prosecution and that the DOJ could reopen the investigation if new information changed its assessment or if Bosch failed to timely satisfy the disgorgement obligations.
Key Takeaways
The Bosch declination provides an early indication of how the DOJ intends to apply the CEP and can help to inform companies' compliance programs, investigative procedures, and disclosure protocols.
1. The CEP Provides Meaningful Incentives for Timely Voluntary Self-Disclosure
The Bosch matter illustrates the DOJ's willingness to provide a declination where a company voluntarily self-discloses misconduct, fully cooperates, and undertakes timely and appropriate remediation. Although the underlying conduct involved significant export control violations over an extended period, the DOJ concluded that Bosch's self-disclosure, cooperation, and remediation warranted a declination with disgorgement rather than criminal prosecution.
Significantly, Bosch disclosed the conduct at issue to the DOJ and BIS even before it had completed its internal investigation. The CEP requires disclosures to be made within a "reasonably prompt" timeframe after the company becomes aware of misconduct. Delays in investigating and disclosing potential violations may affect a company's ability to obtain the full benefits available under the policy.
For companies confronting potential misconduct, the decision whether and when to self-disclose remains highly fact-dependent. However, as the Bosch case makes clear, companies should carefully evaluate potential disclosure obligations and opportunities whenever significant compliance concerns arise. Early involvement of experienced counsel can help preserve investigative integrity, maintain privilege where appropriate, and position the company to make informed decisions regarding disclosure.
2. Depth and Quality of Cooperation Matter
The CEP requires a level of cooperation that extends beyond responding to government requests. Companies seeking maximum credit are expected to proactively identify relevant facts, preserve and produce evidence, provide timely updates regarding investigative findings, and assist the government in understanding the scope and nature of the misconduct. This cooperation can be resource intensive, but passive cooperation or self-disclosure alone will not be sufficient for cooperation credit under the CEP.
At the same time, companies must carefully manage cooperation efforts to preserve applicable privileges and ensure that disclosures remain accurate and complete. Thoughtful coordination between internal stakeholders and counsel is essential throughout the investigative process.
3. Export Controls Enforcement Continues to Receive Significant Attention
Notably, the Bosch matter arose from alleged violations of the FDPR, a complex set of rules governing foreign-produced items. In May 2020, BIS expanded the FDPR to include certain foreign-produced products delivered to Huawei, and in August 2020, it further expanded the scope of the May 2020 controls due to continued national security and foreign policy concerns posed by Huawei and its non-U.S. affiliates.
The BIS settlement makes clear that Bosch's internal controls and trade compliance resources were insufficient to address the significant national security issues implicated by its international business lines. Specifically, during most of the relevant time period, Bosch's export controls compliance team in the U.S. primarily consisted of two employees who were responsible for advising Bosch's business entities regarding compliance with U.S. export controls regulations. According to BIS and the DOJ, Bosch's U.S. export controls compliance team did not have sufficient expertise or resources to adequately address or advise on the FDPR's application to Bosch's business practices, which resulted in incorrect guidance being issued to Bosch management, even after receiving warnings from service providers that the FDPR likely applied to certain products.
This resolution is an important reminder that U.S. export controls may apply to conduct by non-U.S. subsidiaries in connection with entirely foreign-made products if U.S. software or technology is used in the production process, even if no components are from the U.S.
Finally, this matter highlights that export controls, sanctions compliance, and other national security-related regulatory regimes remain key enforcement priorities. It is critical that companies with international operations, complex supply chains, or products subject to U.S. export controls stay informed on changing U.S. export controls and sanctions regimes and periodically assess whether their compliance programs are appropriately tailored to current regulatory risks and evolving enforcement expectations.
Conclusion
Although each matter will turn on its specific facts, the Bosch resolution suggests that companies that voluntarily self-disclose, cooperate fully, and undertake meaningful remediation may receive substantial credit under the policy.
Companies should review their compliance frameworks, investigative procedures, and escalation protocols to ensure that they are prepared to identify potential misconduct, preserve relevant evidence, conduct effective investigations, and evaluate disclosure decisions in a timely manner.
For more information, please contact:
Timothy P. O'Toole, totoole@milchev.com, 202-626-5552
Christina A. Clark, cclark@milchev.com, 202-626-5909
Leah Moushey, lmoushey@milchev.com, 202-626-5896
Summer associate Elinor McNamee assisted with this alert.
The information contained in this communication is not intended as legal advice or as an opinion on specific facts. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. For more information, please contact one of the senders or your existing Miller & Chevalier lawyer contact. The invitation to contact the firm and its lawyers is not to be construed as a solicitation for legal work. Any new lawyer-client relationship will be confirmed in writing.
This, and related communications, are protected by copyright laws and treaties. You may make a single copy for personal use. You may make copies for others, but not for commercial purposes. If you give a copy to anyone else, it must be in its original, unmodified form, and must include all attributions of authorship, copyright notices, and republication notices. Except as described above, it is unlawful to copy, republish, redistribute, and/or alter this presentation without prior written consent of the copyright holder.