Export Control Compliance for the Biotech and Pharma Industry: Practical Guidance for Global Expansion and International Joint Research (2026 Edition)

Hello, this is Hamamoto from TIMEWELL.

"We make drugs, not weapons." When we raise export control with a pharma or biotech team, nine times out of ten this is the first reaction. It is true that new-drug discovery is patient-centered work, and what leaves the plant is tablets, vaccines, or antibody therapeutics. From METI's export-control perspective, though, this industry sits squarely inside the regulated zone. Takeda Pharmaceutical's overseas-sales ratio reached 89.4%, and Daiichi Sankyo passed 60% in FY2024. As the business spills across borders, so do R&D, talent, and technical information, and every one of those flows turns into a checkpoint under FEFTA.

Entering 2026, the most common real-world situations we see include cross-border sharing of overseas clinical trial data, outsourcing to multinational CROs, hiring foreign postdocs, and running international joint research in gene editing or cell therapy. These are everyday activities for the industry, yet METI's FY2023 violation analysis found that 70% of violations stemmed from "failure to classify or incorrect classification"[^1]. "I didn't know" is no longer a defense, and a surprising number of companies have stepped across the line without noticing. In this article I want to unpack the issues that compliance, R&D planning, IP, and legal teams at pharma and biotech firms are most likely to struggle with, at a level of detail that matches day-to-day operations.

The three domains of export control in biotech and pharma

Export control for pharma and biotech breaks down most cleanly into three domains. Each has a different legal basis and a different level of impact if you get it wrong. Once you internalize the split, internal discussions start to align quickly.

The first is "physical (goods) export." Vaccine strains, cell lines, pathogens, toxins, protein-purification enzymes, and recombinants all qualify when they cross a border. Item 3-2 of Appended Table 1 of the Export Trade Control Order lists pathogenic microorganisms, animal toxins, and plant toxins based on commitments to the Australia Group, and it names specific agents such as novel influenza virus, Mycobacterium tuberculosis, Ebola virus, botulinum toxin, and ricin. Even research-grade shipments require a license. If a foreign university asks for "a small amount for research," you cannot simply drop it in a courier bag. Manufacturing equipment such as bioreactors, fermenters, and freeze-dryers may also fall under the same item depending on specifications, so engineering teams encounter it routinely when relocating equipment to a CDMO or exporting gear to an overseas plant.

The second is "provision of technical information." Under Article 25, Paragraph 1 of FEFTA, providing list-regulated or catch-all-caught technology to a non-resident requires a license from the Minister of Economy, Trade and Industry, just as a physical export does. For pharma and biotech, the typical cases are manufacturing methods, cell-line construction procedures, culture conditions, purification processes, quality-test methods, scale-up know-how, and the rationale behind formulation design. Some parts of a marketing-authorization dossier are disclosed as public information and fall outside the scope, but internal know-how that never makes it into the CMC (Chemistry, Manufacturing and Controls) section is not public. Verbal explanations to an overseas subsidiary lab, a screen-share in an online meeting with a joint partner, all of that qualifies as "provision of technology."

The third is "deemed export," meaning the provision of technology inside Japan to a foreign researcher or a person who meets one of the Specific Categories. Under the May 1, 2022 amendment to the Services Notification, even a Japanese resident is captured if they are under the command of a foreign government or foreign entity, receive 25% or more of their annual income from foreign government grants or scholarships, or act in Japan under the instruction of a foreign government. The pharma and biotech industry has an unusually high concentration of such profiles: national-scholarship postdocs, researchers seconded from an overseas parent, employees who sit on foreign biotech advisory boards. Nationality alone does not trigger coverage, but without a classification process you end up accumulating violations silently. Our explainer on deemed export, Understand the Specific Categories in Five Minutes, is useful for HR and legal teams who need quick reference.

Overseas clinical trial data and deemed export: handling cross-border electronic data

International joint clinical trials are now a prerequisite for new-drug development. Competing with Moderna, Pfizer, and BioNTech forced Japanese companies to run the same study design in Japan, Europe, North America, and Asia simultaneously. Takeda, Daiichi Sankyo, Astellas, Eisai, and Chugai all operate overseas clinical development through a combination of headquarters and local subsidiaries. The inescapable question is: who receives the trial data, and how?

After subject de-identification, raw data is treated as "trial results" and submitted to regulators as a matter of course. The calculus changes once process parameters, cell-line origin information, or formulation ingenuity are embedded in the dataset. Examples include CMC optimization data, bioreactor culture conditions, the lipid-nanoparticle composition of an mRNA drug, and the modification design of a CAR-T product. Though packaged as trial-related material, the substance is manufacturing know-how. A loosely configured permissioning structure in a cloud EDC (Electronic Data Capture system) can expose data scientists at an overseas affiliate to areas they were never meant to access, and technology transfer is formed at that moment.

The first thing we ask a client for is the access matrix of the trial data-management system. Which folders and files can be seen by the domestic R&D team, the global development function at headquarters, project managers at each country's CRO, the outsourced statistical analysis vendor? When we walk through the inventory, we almost always find files that contain technical information set to "viewable by everyone." ICH-GCP (the international quality standard for joint clinical trials) tends to favor broader access to safeguard study quality, but export control points in the opposite direction. The two sit in tension, and the practical answer is to agree on a permissioning design at the CRO-contracting stage that balances both.

Another tricky situation is access from a resident of Japan who falls under a Specific Category, in addition to access from overseas bases. A Japanese researcher viewing the headquarters server from a Japanese office is fine, but if the same server is accessed by a Japan-based resident who meets a Specific Category, "provision of technology" can be established even within the company. The JPMA Compliance Program Guideline also requires "compliance with FEFTA and other relevant laws" for system linkage with overseas bases[^2], though it does not prescribe detailed access design. That is where each company has to innovate. Running an export-control audit on a separate axis from GCP audits is becoming more common. On top of electronic access controls, companies increasingly set a minimum five-year retention period for access logs to support post-incident review.

Running international joint research: AMED, Horizon Europe, and NIH

Joint research between academia and pharma companies has grown by an order of magnitude in the last few years. AMED (Japan Agency for Medical Research and Development) international-collaboration calls, the EU's Horizon Europe, and NIH grants give Japanese researchers direct contracting channels with overseas universities and corporates. Of the three pharma companies for whom I led external export-control reviews in 2025, all said the same thing: "our internal review flow for international calls is not keeping up."

The first trip-up in international joint research is the contract-drafting stage. If you fail to map out the partner lab's membership, funding, facilities, and resulting IP before signing, a violation is born the moment strategy is shared at the kick-off meeting. The model CP published by CISTEC (Center for Information on Security Trade Control) explicitly requires classification and partner screening before the joint-research contract is signed[^3], yet in practice the sequence is often reversed: the researcher brings a contract that is already drafted, and export control reviews it afterwards. Simply restoring the correct order removes most of the risk upfront.

Checking the partner lab's membership is another zone where Japanese business culture tends to hesitate. "What is their nationality?" and "Where does the funding come from?" can feel like awkward questions, and the researcher will often ask if this is discriminatory. METI's "Casebook of Near-Miss Events in Security Trade Control at Universities and Research Institutions" (updated September 2023) contains several cases, including one where a partner turned out to hold a joint affiliation with a government research institute of a country of concern, and another where joint-research results were later published as technology with potential military applications in the partner's country[^4]. Reading those, you understand that not asking is by far the greater risk. You can choose how to ask, and if you add a clause to the standard template requiring disclosure of "affiliated institutions and funding sources of participating researchers," everyone settles in quickly.

International shipment of samples and biological materials is another pharma/biotech-specific theme. For pathogens and genetically modified organisms, the Australia Group controls noted above stack on top of the Cartagena Act (the Act on the Conservation of Biological Diversity through Regulations on the Use of Living Modified Organisms and Other Related Matters). If you send a CRISPR/Cas9-engineered cell line to an overseas joint partner, you may need prior approval from both the Ministry of the Environment and the Ministry of Health, Labour and Welfare, in addition to the METI export license. Vaccine-candidate strains and biopharmaceutical intermediates face the same stacked structure. The laws sit in layers, so export control, regulatory affairs, and quality assurance must co-design the procedure. Few companies have unified this. In my experience, even among the top ten pharma firms only about half maintain a cross-functional procedure map.

How large Japanese pharma companies actually build their systems

Abstract theory only gets you so far. Looking at how real companies run their programs tends to be more useful. The patterns below blend publicly available information with what I have heard from industry counterparts, and capture four representative models.

Takeda Pharmaceutical, with its 89.4% overseas-sales ratio, runs a globally centralized model in which the head-office Global Compliance function oversees export control for the entire group. Through the post-Shire-acquisition integration, the company installed export-control leads across Japan, the US, and Europe, and built a three-layer structure that keeps a group-wide CP at the base while adapting to each jurisdiction. The strength is that a common global CP keeps decision-making fast. The weakness is that the Japan-specific concept of "deemed export" is hard to communicate back to headquarters, which makes local-adaptation calls heavy. For Japan-based R&D hiring, I am told the company maintains a local annex layering Japan-specific checks on top of the global CP.

Daiichi Sankyo, which has surged into overseas licensing through the Plexxikon acquisition and the antibody-drug conjugate collaboration with AstraZeneca, is growing its overseas workforce rapidly. Nikkei reports that the company has announced a plan to grow biologics talent by 1.5 to 2 times within a few years[^5], and hiring of foreign postdocs and researchers with overseas lab experience is expanding alongside. From an export-control perspective, the company has reinforced the onboarding-screening checklist in cooperation with R&D, and reportedly uses a form at the earliest stage of the hiring process to capture "receipt of scholarships or research funding from foreign governments or foreign entities." For acquisitions such as Plexxikon, export-control leads are involved from technical due diligence and pre-check the target's export history and technology classifications.

Astellas and Eisai are known for deep academic partnerships and heavy acceptance of international calls, and they are well-developed on the international-joint-research gateway. The contract-review workflow has export-control check items built in, so research planning, legal, IP, and export control perform review in parallel. Eisai in particular has heavy collaborations with Harvard and MIT in neurology, and maintains a direct channel between those institutions' compliance offices and the Japanese export-control lead. This pattern produces high per-case quality but increases cross-functional coordination cost, so the teams operate with internal SLAs promising "contract signed within three weeks."

Chugai Pharmaceutical, as a Roche group member, is among the few Japanese companies that maintain dedicated internal procedures even for intra-group technology transfers. Even between parent and subsidiary, technology exchanged between Roche (Switzerland) and Chugai (Japan) can qualify as "provision of technology to an overseas party" under Japanese law, and requires internal application and approval. The company has digitized this, running application, approval, and recording end-to-end on the group intranet. Biotech ventures that are direct subsidiaries of overseas parents, such as Moderna Japan, use similar mechanisms. Domestically founded biotech ventures tend to be short on the resources to build such systems, and increasingly lean on external consultants or systemization support.

Frankly, there is no single "correct" answer among these. The optimum depends on each firm's business mix, overseas exposure, and M&A strategy. What they share is that export control is not confined to legal and compliance. R&D, business development, HR, IP, and IT are all brought in as stakeholders. Companies that run this way perform noticeably better under METI on-site inspections and customs post-clearance audits.

Streamlining partner and research-counterparty compliance with TRAFEED

One of the most time-consuming tasks in pharma/biotech export control is counterparty screening. A new CRO, an overseas venture, a university joint-research partner, an acquisition target, an engineering individual contractor: each case requires matching against METI's Foreign User List and the sanctions lists of multiple jurisdictions. Major pharma companies handle hundreds of cases a month, and companies with heavy academic collaboration can approach a thousand. Running this manually with Excel, PDF lookups, and each vendor's proprietary database falls apart beyond a certain volume.

Our service, TRAFEED (formerly ZEROCK ExCHECK), integrates METI's Foreign User List, the various lists under the US EAR, EU/UK/UN sanctions lists, and PEP (politically exposed persons) lists, and uses AI to perform high-accuracy name resolution across multiple languages. Weak name resolution has long been a soft spot for legacy screening tools, and TRAFEED reduces both false positives and misses by combining multi-LLM voting with GraphRAG-based automatic expansion of related organizations. For pharma and biotech specifically, we prioritize coverage of Australia-Group-related entities of concern, overseas research institutes suspected of bioweapons programs, and sanctioned state-owned pharmaceutical companies.

TRAFEED pays off in three common scenarios. First, pre-contract screening of international joint-research candidates in a single pass. Input the partner PI, co-investigators, affiliated institutions, and funding sources, and the system returns the match result against sanctions lists and the Foreign User List, along with links to past violation cases, in minutes. What used to consume several days of one analyst's time is effectively complete on the spot. Second, due diligence for new CRO/CDMO contracts. The chain-style investigation of the counterparty's country, shareholders, major customers, and affiliates is automated, and the workflow is increasingly used for early-stage M&A screening as well. Third, onboarding checks for foreign employees and postdocs. By entering career history and affiliation history, you get an initial read on ties to foreign government-related institutions and the likelihood of Specific-Category status.

TRAFEED adheres to METI's security trade control standards, and the logic of each decision is recorded in a form that can be disclosed during an audit. When METI or customs asks "what was the basis for concluding that a license was not required," the AI's reasoning and the version of the lists it referenced are automatically logged, which makes accountability easy to demonstrate. The areas where AI is strongest, such as multi-language transliteration, chain-of-affiliates discovery, and similarity to prior violation cases, map neatly onto the gaps humans miss. The final decision remains with the human export-control lead, of course, but letting AI handle high-volume initial filtering frees your people to concentrate on the gray zones and the judgment calls.

Summary: a three-step approach to building the program

Trying to achieve perfection in one go will exhaust the organization. When I consult on this, I recommend the following three-step sequence.

Step one is to build your company's "export-control map." Inventory all exports of drugs, reagents, and equipment, all cross-border sharing of technical information, all foreign-employee hiring, all international joint research, all CRO/CDMO outsourcing, and all M&A work. For each, capture frequency, financial scale, and risk level. Simply producing the map makes it visible who inside the company is doing what, and the priorities for systematization become self-evident.

Step two is to rebuild the pre-contract workflow. For any new hire, new contract, or new joint research, if you have a mechanism that blocks progress at the gate, you prevent 90% of the violations. Integrate the Specific-Category decision flow from METI Guideline Annex 1-3, the pledge form from Annex 1-4, and the classification form from the CISTEC model CP into your contract-management system so that "a contract without completed export-control checks cannot be signed" becomes a system-enforced rule. Once you reach this point, idiosyncratic judgment errors drop dramatically.

Step three is to systematize screening, recordkeeping, and auditing. Partner screening, classification, decision records, and internal approvals all run as one stop on a single system. This is the stage where AI tools such as TRAFEED earn their keep. With automatic recordkeeping in place, you can handle a METI on-site inspection or customs post-clearance audit with confidence. Companies with scattered records take a fatal hit at exactly this step.

Pharma and biotech stand at the intersection of the social mission of new-drug creation and the national agenda of economic security. You cannot stop global expansion, and you cannot abandon international joint research. That is exactly why export-control compliance should be designed not as "the cost of halting the business," but as "the foundation that keeps the business sustainable." The essentials are also covered in How to Build an Export Control Compliance Program and A Primer on List Regulation and Catch-All Regulation, both of which work as starter material for internal awareness programs.

[^1]: METI Security Trade Control Portal https://www.meti.go.jp/policy/anpo/ [^2]: Japan Pharmaceutical Manufacturers Association, "JPMA Compliance Program Guideline," March 2023 https://www.jpma.or.jp/basis/kensyo/compliance/lofurc0000001dks-att/20230313.pdf [^3]: METI, "Guidance on the Management of Sensitive Technologies under Security Trade Control (for Universities and Research Institutions)," 5th edition https://www.meti.go.jp/policy/anpo/law_document/tutatu/t07sonota/t07sonota_jishukanri03.pdf [^4]: METI, "Casebook of Near-Miss Events in Security Trade Control at Universities and Research Institutions," updated September 2023 https://www.meti.go.jp/policy/anpo/daigaku/jireishu.pdf [^5]: Nikkei, "Daiichi Sankyo and Fujifilm Train Biologics Talent, Chasing Overseas Rivals" https://www.nikkei.com/article/DGXZQOUC089040Y5A500C2000000/