Your compliance perimeter just got bigger. The latest EAR update doesn’t just cover who’s named on U.S. export control lists—it now extends restrictions to the companies they own.
The Bureau of Industry and Security (BIS) has adopted what’s called the Affiliates Rule, extending restrictions to affiliates that are 50% or more owned by entities on the Entity List or Military End User (MEU) List. Not sure what this means for your organization? Below, we’ll walk through how the rule works, why it matters, and what your team needs to stay compliant.
Understanding the Entity and MEU lists
Before we get into the new rule, it helps to understand the two lists it builds on:
- Entity List: Identifies foreign companies, organizations, and individuals subject to U.S. export restrictions. For instance, a biotech firm linked to prohibited research may appear here.
- Military End User (MEU) List: Flags parties that support military end-use activities. For example, a manufacturer supplying parts to a foreign defense program could be included.
These lists guide which people and organizations U.S. workplaces are allowed to engage.
How the Affiliates Rule changes compliance—and expands your screening obligations
The new Affiliates Rule builds on the Entity and MEU lists by extending restrictions to subsidiaries and affiliates that meet ownership thresholds. This means compliance teams must go beyond parent companies to identify potential risks.
Here’s what that looks like in practice:
- Automatic restrictions. Any entity 50% or more owned, directly or indirectly, by a listed party now falls under EAR restrictions
- Minority stakes as red flags. Even minority ownership can signal risk and trigger enhanced due diligence
- Immediate impact. The rule took effect immediately, though BIS issued a temporary 60-day general license to give organizations time to adjust
In short, screening parent companies alone isn’t enough. You need to trace ownership through subsidiaries and affiliates and evaluate whether they meet the 50% threshold to stay compliant.
Protect your workplace from hidden affiliate risks with Envoy
Envoy makes this process manageable. With automated screening, customizable watchlists, and integrations, you can identify subsidiaries or affiliates tied to listed entities—empowering you to escalate or deny access before it becomes a risk. Missing these connections can lead to penalties, operational disruptions, or reputational damage.
How it works in practice: Flag a visitor connected to a subsidiary of a listed party. Envoy automatically escalates the access request for review before approval, keeping your workplace secure and your compliance program audit-ready.
—
The Affiliates Rule may widen your compliance obligations—but it doesn’t have to complicate your workplace operations. Envoy helps you with workplace safety and compliance so you stay ahead of evolving regulations to protect your people, your data, and your reputation.
Ready to dive deeper into how Envoy can help your team stay audit-ready and compliant with evolving regulations? Explore more articles.
Read more
Let’s break down a practical operational risk assessment framework, from how to identify risks, score them, and prioritize the follow-up actions.
Get a breakdown of OSHA’s four types of workplace violence—with examples and practical steps to reduce risk.
CZI's Kristine Banda shares how security teams close the gaps between visitor, access, and notification systems so everyone's accounted for in an emergency.
In this post, we’ll cover what a muster point is, how it works and what a well-run mustering process actually looks like.
Learn how to build an effective workplace violence prevention program—including how to plan, build threat awareness, and establish operational processes.
Do you know where organizations are most often exposed when it comes to duty of care? We’ll break that down and discuss how to reduce risk.

