Supply Chain Alerts

Bosch's $36 Million Huawei Fine Should Worry Every Multinational Supplier

Most supply chain teams treat export control compliance as a legal department problem. The Bosch settlement with US authorities this week is a useful reminder that a compliance gap inside one subsidiary can take four years to surface and tens of millions of dollars to resolve, even when the underlying violation was, in the company's own words, unintentional.

The United States this week penalised Bosch, the major German engineering and technology company, more than $40 million after the company admitted to illegally sending export-controlled products and software to Huawei, violating licence requirements under the foreign direct product rule. Bosch must pay about $32.5 million as part of a settlement agreement with the Bureau of Industry and Security, and agreed to give up over $11 million in profits it earned from sales to Huawei and its affiliates, all of which were on the Entity List and subject to FDP restrictions at the time. 

DOJ said it declined to bring criminal charges against Bosch because the company voluntarily disclosed the issues and cooperated with the agency. 

How a sensor maker ended up shipping to a sanctioned company for four years

BIS said Bosch, through its subsidiary Bosch Sensortec, committed 103 violations of the Export Administration Regulations from September 2020 to September 2024 when it sold about $70 million worth of micro-electro-mechanical systems and sensors for use by Huawei in consumer and automotive applications. Bosch also committed six further violations through its ETAS subsidiary, selling about $1.9 million worth of CycurHSM automotive firmware used for data transmission in vehicles. 

The root cause was not a deliberate evasion scheme. It was a compliance team that was undersized and operating on bad internal advice for years. BIS attributed the violations to a lack of expertise among Bosch's compliance staff, who for over four years relied on erroneous compliance guidance stating the products did not need licences, despite multiple indications from business partners that the guidance was incorrect. 

Bosch's US export control compliance team at the time mainly consisted of two employees, with only one tasked with advising the company's businesses in Germany and outside the US on export control compliance. The team lacked sufficient expertise or resources to adequately address the 2020 rule change that made Huawei subject to expanded FDP restrictions. 

The warning that was ignored

What makes this case instructive rather than simply unfortunate is the documented evidence that Bosch had clear signals the advice was wrong and did not act on them. In June 2023, Bosch Sensortec was onboarding a contract semiconductor manufacturer that informed them they would not be able to provide products to Huawei without first obtaining a BIS licence, and specifically referenced the record $300 million penalty BIS had imposed on Seagate Technologies three months earlier for the same type of violation. A Bosch trade compliance official in Germany erroneously dismissed this as the manufacturer's internal policy rather than a US export requirement, and the relevant Bosch managing director labelled that manufacturer an unsuitable supplier as a result. 

BIS said there was no evidence that Bosch Sensortec management, procurement, or trade compliance personnel made appropriate efforts to understand why the FDP rule restrictions cited by that manufacturer would not affect its other suppliers or its ability to sell sensors to Huawei. A supplier raised the exact regulatory concern, cited a nine-figure precedent penalty, and Bosch's internal response was to flag the supplier as the problem. 

Why the declination matters as much as the fine

John Eisenberg, chief of DOJ's National Security Division, said the declination was offered because of Bosch's cooperation and timely remediation, which met the high standards of the agency's recently updated corporate enforcement policy. This was the first declination the National Security Division issued under that new policy.

Bosch cooperated by preserving and proactively disclosing relevant facts, information, and documents to DOJ, and made organisational changes including disciplinary action, additional trade compliance employees, expanded US trade compliance resources, and updated internal policies and procedures. The settlement is, in effect, a template for how multinational manufacturers can limit the damage from a self-discovered compliance failure, provided remediation happens quickly and transparently. 

The exposure for European and Asian companies

A Bosch spokesperson said the civil violations outlined in the settlement were unintentional and noted that the company has enhanced its trade compliance programme and implemented remedial measures to prevent future violations.

For any European or Asian manufacturer selling sensors, components, firmware, or embedded software into automotive or consumer electronics supply chains that touch Chinese entities on the Entity List, the Bosch case is a direct warning about how export control exposure compounds quietly inside large organisations. A two-person compliance team that relied on outdated internal guidance, ignored warnings from business partners, and signed certifications without fully understanding what they meant produced $70 million in prohibited sales before anyone caught it.

The disruption does not arrive as a shipping delay or a tariff notice. It arrives as a four-year compliance gap that surfaces all at once, with a fine, a profit disgorgement, and a remediation programme attached.