India Export Controls and Sanctions Checklist for Multinational Tech Firms

The India SCOMET Compliance Checklist

A robust internal compliance program prevents unauthorized technology transfers that trigger severe penalties under India's Foreign Trade Policy. Use this comprehensive checklist to audit your multinational tech firm's export control protocols and identify immediate compliance gaps.

Technology Classification & Licensing

• Assign a dedicated compliance officer to monitor updates to the SCOMET regulatory list.
• Audit all dual-use technologies, software, and source code against the updated 2026 SCOMET categories (specifically Category 8 for software and technology).
• Document the exact SCOMET alphanumeric classification for every product in your global portfolio.
• Apply for DGFT export authorizations before executing any cross-border technology transfers.

Data Transfer & Cloud Security

• Map internal data flows to identify where Indian-origin technical data crosses international borders.
• Restrict access to SCOMET-controlled software hosted on Indian servers so foreign nationals and overseas branches cannot download it without authorization.
• Obtain required DGFT licenses before migrating restricted software or encryption technology to foreign cloud servers.

Partner Verification & Documentation

• Implement automated sanctions screening for all cross-border tech partners, vendors, and end-users.
• Require original, properly authenticated End-User Certificates (EUCs) for all hardware shipments.
• Verify that the EUC explicitly states the goods will not be used for chemical, biological, or nuclear weapons development.
• Store all export licenses, EUCs, and screening records in a centralized database for a minimum of five years.

Incident Response & Disclosures

• Establish a secure internal reporting channel for employees to flag potential export violations.
• Prepare standard operating procedures for drafting voluntary disclosure documentation in the event of an accidental breach.

How to Classify Dual-Use Technologies Under the SCOMET List

SCOMET classification requires matching your hardware, software, and technology against the DGFT's specific alphanumeric categories to determine exact export licensing requirements. Tech firms must rigorously and continuously audit their portfolios against the updated SCOMET regulatory list to remain compliant.

India's SCOMET list governs dual-use items-technologies designed for commercial use that could be repurposed for military or proliferation applications. For multinational tech firms, Category 8 (Special Materials and Related Equipment, Material Processing, Electronics, Computers, Telecommunications, Information Security, Sensors and Lasers, Navigation and Avionics, Marine, Aerospace and Propulsion) is usually the most critical.

To properly classify your assets, follow these steps:

1. Analyze Technical Specifications: Gather the complete technical parameters, capabilities, and encryption strengths of the software or hardware.
2. Consult the Master List: Compare these specifications against the current SCOMET list published by the Directorate General of Foreign Trade (DGFT).
3. Determine the Export Control Classification Number (ECCN): Assign the exact alphanumeric code (e.g., 8A501 for certain telecommunications equipment) to the product.
4. Document the Rationale: Maintain an internal record explaining exactly why a product falls into a specific category or why it is exempt, serving as your defense during regulatory audits.

Rules for Transferring Restricted Software to Foreign Servers

Uploading restricted software to cloud servers located outside India constitutes an export, requiring prior authorization from the DGFT. Failing to secure this license before a cross-border data transfer is a severe compliance violation known as an unauthorized Intangible Technology Transfer (ITT).

Multinational firms frequently trigger ITT violations by treating data transfers as standard IT operations rather than regulated exports. Under Indian law, an export occurs the moment controlled technology leaves Indian territorial jurisdiction, regardless of whether it is shipped on a physical hard drive or transmitted via the internet.

To manage cloud and server compliance:

• Geofence Controlled Data: Ensure controlled software is hosted on servers physically located in India.
• Implement Access Controls: Use strict identity and access management (IAM) protocols to block unauthorized IP addresses from foreign countries from accessing the software.
• License Intra-Company Transfers: Obtain DGFT licenses even when transferring software from your Indian subsidiary to your foreign parent company's servers.

Preparing End-User Certificate (EUC) Documentation

An End-User Certificate (EUC) is a mandatory legal document that verifies the final recipient and intended use of controlled hardware shipped from India. Multinational firms must collect correctly formatted EUCs from their foreign buyers to secure DGFT export licenses and prevent illegal diversion.

The Indian government relies on the EUC to ensure sensitive technology does not end up in the hands of sanctioned entities or unauthorized military programs. A flawed or incomplete EUC will result in immediate license denial and shipment delays.

A valid EUC must explicitly include:

• The full legal name, physical address, and corporate details of the ultimate end-user.
• A detailed description of the technology being exported, including quantities and technical specifications.
• A legally binding declaration that the technology will only be used for the stated civilian purpose.
• A commitment that the goods will not be re-exported or transferred to a third party without prior written consent from the Government of India.

Conducting Sanctions Screening for Cross-Border Tech Partners

Internal sanctions screening involves checking all international partners, vendors, and clients against Indian and international restricted party lists before initiating transactions. Maintaining comprehensive records of these screenings is crucial for proving compliance and avoiding liability during government audits.

Tech firms cannot legally do business with individuals, companies, or state entities sanctioned by the United Nations Security Council or the Indian government. Multinational companies must also frequently navigate overlapping jurisdictions, screening against the US OFAC lists or EU sanctions to protect their global banking relationships.

Effective screening protocols require:

• Pre-Transaction Checks: Run the names of all new clients, distributors, and freight forwarders through updated sanctions databases before signing contracts.
• Continuous Monitoring: Rescreen existing partners periodically, as sanctions lists are updated dynamically based on global geopolitical events.
• Audit Trails: Save time-stamped screenshots or automated logs of every screening result to prove that due diligence was performed prior to the technology transfer.

Drafting Voluntary Disclosure Documentation for Accidental Breaches

If your company accidentally violates export controls, filing a voluntary disclosure with the DGFT can significantly mitigate potential penalties. This documentation must transparently detail the breach, the root cause, and the immediate corrective actions taken.

Attempting to hide an accidental export of SCOMET-controlled technology will lead to compounded financial penalties, confiscation of goods, and potential criminal liability for company directors under the Foreign Trade (Development and Regulation) Act. A proactive voluntary disclosure demonstrates corporate accountability.

When preparing a voluntary disclosure, include:

• Incident Summary: A clear explanation of what technology was exported, when the transfer occurred, and who received it.
• Root Cause Analysis: A transparent assessment of why the internal compliance program failed (e.g., employee error, misclassification, system glitch).
• Remediation Plan: The specific, immediate steps the company has taken to stop the violation and prevent it from happening again, such as new software access controls or mandatory employee training.

Common Misconceptions About Indian Export Controls

Misconception: Intangible software downloads are not regulated exports. Many tech executives believe export controls only apply to physical hardware shipped in containers. In reality, emailing source code, providing access to a cloud repository, or sharing technical data over a Zoom call with a foreign national constitutes a heavily regulated Intangible Technology Transfer (ITT).

Misconception: Intra-company transfers are automatically exempt. Global companies often assume that moving technology between their own global offices (e.g., from an R&D center in Bangalore to a headquarters in California) does not require compliance checks. SCOMET regulations apply fully to intra-company transfers crossing international borders, requiring valid licenses regardless of corporate ownership.

Frequently Asked Questions

What happens if we export SCOMET technology without a license?

Exporting controlled technology without DGFT authorization can result in severe financial penalties up to five times the value of the goods, suspension of the company's Importer-Exporter Code (IEC), and potential criminal prosecution.

How long does it take to get a SCOMET export license in India?

Processing times typically range from 45 to 90 days, as applications are reviewed by an Inter-Ministerial Working Group (IMWG) comprising members from multiple government security and trade agencies.

Do Indian export controls apply to open-source software?

Generally, software that is entirely in the public domain and available without restrictions is exempt from SCOMET controls. However, modified proprietary versions or software involving robust encryption may still require classification and licensing.

How long must we keep our export compliance records?

Under Indian foreign trade regulations, multinational firms must retain all commercial documents, EUCs, and export licenses for a minimum of five years from the date of the export transaction.

When to Hire a Sanctions and Export Controls Lawyer

Engaging legal counsel is necessary when navigating complex SCOMET classifications, structuring global cloud architectures, or responding to a DGFT inquiry. An experienced trade lawyer ensures your multinational operations do not trigger devastating regulatory penalties or business interruptions.

If your firm is expanding its Indian R&D operations, planning large-scale cross-border data migrations, or has uncovered an accidental technology transfer, you should consult sanctions and export controls lawyers in India immediately. Legal experts can interface with regulatory authorities on your behalf and draft legally sound voluntary disclosures.

Next Steps for Tech Compliance Officers

1. Execute an Immediate Audit: Use the checklist above to review your current technology portfolio against the updated SCOMET categories.
2. Halt Unverified Transfers: Temporarily suspend cross-border data flows or hardware shipments for unclassified products until their ECCN is confirmed.
3. Upgrade Screening Software: Ensure your internal vetting systems automatically pull the latest restricted party lists to prevent accidental business with sanctioned entities.
4. Train Technical Staff: Conduct mandatory compliance training for engineers and IT staff so they understand how cloud uploads and code sharing trigger Indian export laws.