Cadence case signals DOJ and BIS priorities in export control compliance

Cadence Design Systems Inc. (Cadence) simultaneously resolved criminal charges brought by the Department of Justice’s (DOJ) National Security Division (NSD) and the United States Attorney for the Northern District of California, and a civil enforcement action brought by the US Department of Commerce, Bureau of Industry and Security (BIS) on July 28, 2025.

The charges were regarding the unlawful export of electronic design automation (EDA) hardware, software, and semiconductor design technology to Chinese military end users. The coordinated resolutions, which impose an aggregate net monetary liability exceeding USD140 million and require extensive remedial measures, underscore the heightened focus that the Trump Administration is placing on export controls and other national security- and white-collar crime-related matters.

The case marks the first corporate guilty plea coordinated among DOJ and BIS after the issuance of the NSD’s revised Enforcement Policy in March 2024. This case offers an early window into how that policy may shape future enforcement expectations and negotiations under the second Trump Administration’s DOJ and BIS.

We explore the case’s outcome and key considerations for businesses below.

Summary of conduct and settlement terms

Cadence, through its wholly owned Chinese subsidiary Cadence Design Systems Management (Shanghai) Co. Ltd. (Cadence China), maintained a long-standing relationship with Central South CAD Center (CSCC), an alias for the National University of Defense Technology (NUDT). NUDT has appeared on BIS’s Entity List since 2015 due to its role in developing supercomputers used for nuclear weapons and other prohibited military applications.

According to the criminal information and plea agreement with DOJ, as well as the settlement agreement with BIS, Cadence China admitted that from 2015 through 2020 it:

• Exported or caused the export of more than USD45 million in EDA hardware, software, and semiconductor design intellectual property (IP) to CSCC/NUDT on 56 occasions without required BIS licenses
• Loaned additional emulation hardware and associated software to the same end user, and
• Concealed CSCC’s affiliation with NUDT, and later facilitated an attempted transfer of those items to Tianjin Phytium Information Technology (Phytium), another Chinese entity later added to the Entity List.

When Cadence eventually suspended sales to CSCC, it failed to stop the misconduct, and instead approved the assignment of outstanding contracts to Phytium – thus transferring certain IP and software with knowledge that the items had previously been exported in violation of US law.

Employees were found to have used euphemisms and Chinese characters to disguise dealings with NUDT, and Cadence’s internal compliance processes failed to detect or adequately escalate multiple red flags. The company was found to have failed to act on numerous indicia that the exports were ultimately destined for a restricted military end user, including shared personnel, installation of equipment on NUDT’s campus, and direct communications referencing NUDT.

Under the criminal resolution with DOJ, Cadence agreed to plead guilty to one count of conspiracy, violating the Export Administration Regulations (EAR). The agreement requires:

• A criminal fine and forfeiture totaling nearly USD118 million, subject to a cross-credit with the BIS penalty
• Continued cooperation with US authorities, and
• Enhancement of an export-compliance program consistent with NSD's Enforcement Policy.

Cadence also admitted to 61 violations of the EAR pursuant to a civil resolution with BIS, under which Cadence consented to:

• A USD95,312,000 civil penalty, with USD47,656,000 payable within 30 days, and the balance suspended pending payment of the DOJ fine
• Two mandatory third-party internal audits covering export compliance through 2028, with detailed reports to BIS, and
• Ongoing conditions on the company’s export privileges, including potential denial if it fails to satisfy payment or audit obligations.

After crediting cross-payments, Cadence will pay more than USD140 million in combined penalties and forfeiture.

DOJ and BIS compliance obligations

Under the DOJ plea agreement, and consistent with resolutions in previous administrations, Cadence must ensure its compliance program and internal controls adequately detect and deter violations of US export control laws and sanctions regulations. Cadence’s compliance program must include:

• Strong, visible support from senior management, clear written policies and procedures, and the application of those policies and procedures to all employees, relevant third parties, and customer onboarding procedures
• Compliance measures, including due diligence, periodic risk-based reviews, prohibitions on business with restricted entities, independent audits, whistleblowing mechanisms, technological controls, and training
• Proper oversight by senior executives with sufficient autonomy and resources, effective internal reporting and investigation systems, consistent enforcement and discipline, regular monitoring and testing, and specific procedures for mergers and acquisitions to ensure rapid integration of compliance standards

As part of its reporting obligations to DOJ, Cadence must also:

• Report to DOJ at least annually over a three-year term regarding its remediation efforts and the implementation of its compliance program
• Submit an initial report within one year of the agreement, detailing remediation to date and proposals for further improvement, followed by at least two additional follow-up reports that assess ongoing compliance and the effectiveness of internal controls

While certain DOJ divisions have suggested a reluctance to impose many compliance requirements on companies, the Trump Administration – particularly relating to issues consistent with its white-collar priorities of sensitive technologies, national security, and geopolitical adversaries – is calling for a robust and ever-evolving compliance program.

The Cadence case illustrates NSD’s measured position on the imposition of corporate compliance monitors in its Enforcement Policy. This is also consistent with the DOJ Criminal Division’s White Collar Enforcement Plan, which indicates that independent compliance monitors “must only be imposed when they are necessary.”

DOJ’s decision to not require a compliance monitor in the Cadence case illustrates greater restraint across DOJ in imposing “heavy-handed intervention” upon companies, but still requiring self-reporting compliance obligations to ensure a sufficient compliance program to protect US national security interests.

Cadence’s settlement with BIS also imposes a demanding suite of post-resolution compliance and reporting requirements. Under the terms of the agreement, Cadence must perform two comprehensive, independent internal audits of its global export-control compliance program – including the activities of its Shanghai subsidiary. Each audit must conform “in substantial compliance” with BIS’s Export Compliance Program sample audit module and assess adherence to the EAR (including recordkeeping). Any actual or potential violations uncovered must be promptly disclosed.

Crucially, BIS has made the full and timely payment of the civil penalty, completion, and submission of both audits, and Cadence’s ongoing compliance with its DOJ agreement signifies conditions precedent to the granting, restoration, or continued validity of all US export licenses and related privileges. This means that any lapse could trigger immediate license denial or suspension of all export privileges.

Alignment with DOJ and BIS enforcement priorities

The Cadence case underscores the US government’s willingness to pursue aggressive, coordinated criminal and civil enforcement against companies that could compromise national security through export control violations, particularly where sensitive technology is concerned.

Consistent with DOJ’s NSD Enforcement Plan and the Criminal Division’s White Collar Enforcement Plan, the Cadence enforcement action aligns with DOJ’s broadly stated priorities to investigate and enforce criminal conduct that threatens US national security and economic interests, with particular emphasis on the unlawful transfer of sensitive technology to foreign adversaries and entities engaged in military and weapons of mass destruction programs. In the Cadence case, the export of advanced semiconductor design tools to Chinese military-linked entities directly implicated these national security concerns, falling squarely within DOJ’s stated focus on high-impact threats.

The Cadence case also aligns with stated BIS enforcement priorities, where US Commerce Secretary Howard Lutnick signaled a “dramatic increase” in enforcement and fines for violations of US export control laws during the annual Update Conference on Export Controls and Policy in March 2025 (BIS Update Conference). Secretary Lutnick described BIS as the “frontline” of a “reemerging great power conflict.” As such, BIS enforcement resources appear focused upon export and diversion of items to foreign adversaries, including China, Iran, Russia, and certain military end users.

During the BIS Update Conference, BIS leadership also described diversion of items to foreign adversaries as a top enforcement priority, particularly with respect to diversion of items via China and Hong Kong to Russia, Iran, and North Korea. The Cadence case puts these policy positions into action, exemplifying BIS enforcement focuses on export controls involving foreign adversaries, particularly with respect to the export of military technology or advanced technologies to, or for the benefit of, China, Iran, and Russia.

The Cadence case also raises a key issue from an EAR compliance standpoint: how to decide when a party is an “alias” or a front company for a party on the Entity List, even though it is not listed as an “aka” on the Entity List entry. Exporters have operated under guidance from BIS, which emphasizes analysis of the corporate forms for affiliated entities. However, the Cadence case may prompt exporters to refresh their review of exports to affiliated entities more closely – including ones that may not trigger a hit in screening – by looking at factors like shared employees and co-location to assess whether an entity is an “alias” or front company for a listed company.

Key takeaways

These combined enforcement actions demonstrate the risks of companies failing to act on identified red flags, the importance of effective compliance oversight of foreign subsidiaries, and the severe consequences of willful or reckless disregard of export control laws. The case also signals that US authorities may scrutinize indirect transfers, assignments, and attempts to circumvent restrictions through aliases or related entities.

Moreover, both DOJ and BIS policies emphasize transparency in enforcement and the importance of robust, proactive compliance programs. The Cadence case highlights the risks companies may face if they fail to maintain effective compliance oversight, particularly in high-risk sectors such as technology and defense. The government’s use of both criminal and civil enforcement mechanisms sends a message that DOJ encourages companies to self-disclose, cooperate fully, and remediate any deficiencies in their compliance programs in order to mitigate potential enforcement consequences. Cadence’s willingness to accept responsibility, enhance its compliance program, and cooperate with the government’s investigation was likely a significant factor in the resolution and the calculation of penalties. It may have also demonstrated that an external compliance monitor was not required, and compliance self-reporting was sufficient.

In light of this enforcement action, companies – particularly those dealing in sensitive technologies such as semiconductors and advanced computing – may consider:

• Vigilant screening: Rigorously and routinely screen all distributors, customers, end users, and counterparties – including aliases and affiliates – against US restricted party lists
  
  
• Reevaluating potentially risky transactions: Consider taking additional steps to review parties that may not have triggered a hit in screening to confirm whether they are an “alias” or front company for a listed party, including assessment of shared employees, co-location, and communications referencing listed parties
  
  
• Red flag escalation: Promptly investigate and escalate any red flags indicating potential links to restricted or sanctioned entities, especially where there is evidence of shared personnel, addresses, or project collaboration
  
  
• Subsidiary oversight: Ensure robust compliance oversight and training for foreign subsidiaries and affiliates, with clear reporting lines to US compliance personnel
  
  
• Export control program audits: Regularly audit, preferably under privilege, all export control compliance programs, including recordkeeping and transaction monitoring, and promptly remediate any identified gaps. Audits should also reflect an assessment of the potential risk of diversion
  
  
• Self-disclosure and cooperation: Consider voluntary self-disclosure of potential violations to enforcement authorities, as cooperation and remediation can significantly impact enforcement outcomes
  
  
• Combining investigation and compliance enhancements: When conducting an investigation that could end up before any enforcement agency, begin compliance assessments, root cause analysis, and potential enhancements to align with the investigation
  
  
• Contractual safeguards: Include strong export control representations, warranties, and audit rights in contracts with foreign partners and customers
  
  
• Continuous training: Provide ongoing export control training to all relevant employees, with special attention to sales, technical, and management personnel operating in high-risk jurisdictions
  
  
• Thorough documentation and transparency: Maintain thorough documentation of due diligence, compliance decisions, and communications regarding export control matters

This case serves as an important reminder that US authorities are aggressively enforcing export control laws, and that companies with vigilant, well-resourced compliance programs may be better suited to avoid similar outcomes.

For more information, please contact the authors.