Australia's Defence Trade Controls Act: AUKUS Compliance for Australian Companies
How the Defence Trade Controls Act 2012 interacts with AUKUS obligations, ITAR, and CMMC for Australian defence companies navigating dual compliance requirements.
Australian defence companies operating in the AUKUS supply chain face a compliance challenge that is structurally different from what their US counterparts deal with. They must simultaneously satisfy Australia’s Defence Trade Controls Act 2012 (DTCA) and the US compliance frameworks — ITAR, DFARS, and CMMC 2.0 — that attach to any technology shared under the trilateral partnership. Neither framework was designed with the other in mind, and the convergence creates obligations that are more than the sum of their parts.
This guide covers the DTCA’s requirements, how AUKUS changes the compliance landscape for Australian companies, and what the dual compliance burden looks like in practice.
The Defence Trade Controls Act 2012
The DTCA is Australia’s primary legislation controlling the export of defence and strategic goods and technology. It is administered by the Defence Export Controls (DEC) branch within the Department of Defence.
What the DTCA controls
The DTCA regulates the supply of goods and technology listed on the Defence and Strategic Goods List (DSGL). The DSGL is organised into two parts:
- Part 1: Munitions List — military goods and technology, broadly aligned with the Wassenaar Arrangement Munitions List
- Part 2: Dual-Use List — goods and technology with both civilian and military applications, aligned with the Wassenaar Arrangement Dual-Use List and the Nuclear Suppliers Group, Australia Group, and Missile Technology Control Regime lists
“Supply” under the DTCA has a broad definition. It includes:
- Physical export of controlled goods from Australia
- Providing controlled technology to a person outside Australia (including by electronic means)
- Providing controlled technology to a person in Australia who is not an Australian citizen or permanent resident (the Australian equivalent of the US deemed export concept)
- Publication of controlled technology (with exemptions for fundamental research and public domain information)
- Brokering the supply of controlled goods or technology between two foreign countries
Permit requirements
Supplying DSGL-controlled goods or technology requires a permit from the Minister for Defence (delegated to DEC). There are several permit types:
- Individual permits: for specific transactions with identified end-users
- Open permits: for ongoing supply relationships, allowing multiple shipments over the permit period
- Treaty permits: established under the Australia-US Defence Trade Cooperation Treaty, these provide streamlined authorisation for approved community members
Permit applications require detailed information about the goods or technology, the end-user, the end-use, and any intermediate consignees. Processing times vary but typically run four to eight weeks for straightforward applications. Complex applications involving sensitive destinations or technologies take longer.
Intangible supply of technology
The DTCA’s control of intangible technology supply is where most compliance complexity lies. Sending an email containing DSGL-controlled technical data to a colleague in the UK is a controlled supply. Uploading controlled design files to a cloud server accessible from outside Australia is a controlled supply. Presenting controlled technical information at an international conference is a controlled supply.
The intangible supply provisions require companies to implement:
- Classification procedures for all technical data against the DSGL
- Access controls that restrict controlled data to authorised recipients
- Transmission security for electronic transfers
- Awareness training for all personnel who handle or generate potentially controlled technical data
Penalties
DTCA violations carry penalties of up to 10 years' imprisonment and significant fines. The Australian Government has signalled increased enforcement focus, particularly as AUKUS increases the volume and sensitivity of controlled technology flowing through Australian companies.
How AUKUS changes the picture
AUKUS creates new pathways for defence technology sharing between Australia, the UK, and the US. For Australian companies, this means:
Increased access to US defence technology
Australian companies participating in AUKUS programmes will receive technical data that is controlled under both ITAR and the DTCA. The AUKUS ITAR exemption (amendments to 22 CFR 126) allows licence-free transfer of most USML items between AUKUS nations, but with conditions that create their own compliance obligations.
Dual-origin technical data
A significant practical challenge emerges when Australian engineers work with US-origin technical data and generate derivative works. A design modification made in Australia to a US-origin ITAR-controlled component creates technical data that is simultaneously:
- ITAR-controlled (as a derivative of US-origin technical data, subject to the AUKUS ITAR exemption conditions)
- DTCA-controlled (as technology listed on the DSGL, subject to Australian permit requirements)
The company must comply with both control regimes for the same piece of information. The authorisation pathways, record-keeping requirements, and reporting obligations are different under each framework.
CMMC certification requirement
US defence primes are requiring CMMC Level 2 certification from Australian subcontractors handling CUI. This means Australian companies must implement all 110 NIST SP 800-171 security requirements and undergo third-party assessment — in addition to meeting whatever cybersecurity requirements apply under Australian frameworks like the Information Security Manual (ISM).
Personnel screening complexity
The AUKUS ITAR exemption restricts access to ITAR-controlled data to nationals of AUKUS countries (Australia, UK, US) or persons with appropriate security clearances. For Australian companies with multinational workforces, this creates a personnel screening and access control requirement that must be layered on top of existing DTCA nationality-based controls.
The convergence challenge
The core challenge for Australian defence companies is that DTCA compliance and US compliance (ITAR/DFARS/CMMC) must be managed as a single integrated programme, not as two separate efforts. The areas of convergence and divergence include:
Technology classification
Under the DTCA, goods and technology are classified against the DSGL. Under ITAR, they are classified against the USML. The two lists overlap significantly but are not identical. A component that falls under DSGL Part 1, Category 11 (Military Electronics) may correspond to USML Category XI — but the specific controlled parameters and thresholds may differ.
Companies must classify their products and technical data against both lists and understand where the control boundaries diverge. An item controlled under ITAR but not the DSGL still requires ITAR compliance when US-origin data is involved. An item controlled under the DSGL but outside USML jurisdiction requires a DTCA permit but not an ITAR licence.
Record-keeping
Both the DTCA and ITAR impose record-keeping requirements, but with different specifications:
- DTCA: records of permits, supply of controlled goods, and relevant communications must be retained
- ITAR: 22 CFR 122.5 requires retention of all records relating to defence trade activities for a minimum of five years
The retention periods, record formats, and access requirements differ. Companies should implement a unified record-keeping system that satisfies the more stringent requirement in each area.
Incident and violation reporting
The reporting obligations differ substantially:
- DFARS 252.204-7012 requires cyber incident reporting to DC3 within 72 hours
- ITAR requires disclosure of violations to DDTC
- DTCA requires notification of breaches to DEC
A single incident — for example, unauthorised access to a system containing dual-controlled technical data — may trigger reporting obligations under all three regimes, to different agencies, with different timelines and formats.
Access controls
Both ITAR and the DTCA impose nationality-based access restrictions on controlled technology. However, the permissible nationalities differ depending on the specific authorisation:
- AUKUS ITAR exemption: restricts access to AU/UK/US nationals (with some exceptions for cleared personnel)
- DTCA permits: may specify particular permitted recipients based on the permit conditions
- CMMC: does not impose nationality restrictions directly but requires that access controls be implemented per NIST 800-171
A company must implement access controls that satisfy the most restrictive applicable requirement for each category of technical data — and those restrictions may differ by data set.
Practical steps for Australian companies
1. Unified classification programme
Establish a single classification programme that maps your products, services, and technical data against both the DSGL and the USML simultaneously. Do not operate parallel classification processes — the interaction between the two lists must be managed at the classification stage.
2. Integrated compliance management
Build a compliance management system that tracks obligations across DTCA, ITAR, DFARS, and CMMC in a single view. Obligation-level tracking is essential because the same operational control may satisfy requirements from multiple frameworks. AuditDSS covers both Australian DTCA and US defence regulations, enabling cross-framework mapping that identifies these overlaps and highlights where distinct treatment is required.
3. Personnel and access management
Implement a personnel security programme that accounts for both DTCA and ITAR nationality requirements. This includes:
- Citizenship and residency verification for all personnel with access to controlled technology
- Technology control plans that segment access by data classification and applicable regulatory regime
- Visitor management procedures that account for both frameworks
- Subcontractor personnel screening requirements
4. Cybersecurity alignment
Map your cybersecurity controls against both NIST SP 800-171 (for CMMC) and the Australian ISM. Identify common controls and areas of divergence. In most cases, implementing NIST 800-171 at Level 2 will meet or exceed ISM requirements for CUI-equivalent data — but verify this for your specific control environment.
5. Prepare for C3PAO assessment
If you’re in the AUKUS supply chain and handle CUI, CMMC Level 2 certification is effectively mandatory. Engage with the C3PAO process early. Assessment availability for Australian companies is still limited, and wait times for scheduling assessments may be longer than for US-based companies.
6. Engage with DEC proactively
The Defence Export Controls branch has been expanding its guidance and outreach for AUKUS-related compliance. Engage with DEC early on complex classification questions and permit applications — particularly for dual-controlled items where the interaction between DTCA and ITAR is unclear.
The timeline pressure
AUKUS contracts are moving now. Pillar I submarine programme activities are generating controlled technology flows between all three nations. Pillar II advanced capabilities programmes in quantum, AI, and hypersonics are entering development phases that require active technology sharing.
Australian companies that have not begun integrating their DTCA and US compliance programmes are already behind. The companies that will maintain and grow their position in AUKUS supply chains are those that can demonstrate — not just claim — compliance with both regimes simultaneously.
AuditDSS covers both Australia’s Defence Trade Controls Act and US defence regulations (ITAR, DFARS, CMMC 2.0) with obligation-level decomposition and cross-framework mapping. Assess your dual compliance posture across both regulatory systems.