It's important to remember that US export control policy is irrelevant if the goods being exported are not from the US - you need to check (well, the company that you're buying from - it's their responsibility) that they're exporting stuff in accordance with
German (or whatever country) law.
Interestingly, Digi-Key will tell you the US Export Control Classification Number for every item on their printed invoices, but they don't provide a convenient way to check it before you order. I don't know about other distributors.
Most basic jellybean components are "EAR99" list without a separate entry in the Commerce Control List, which basically means the lowest class of control - so basically not a problem unless you're exporting to North Korea or something.
It's surprisingly common to find that the components you want to order are export controlled, just for common, everyday components in some cases.
For example, I have ordered some cheap, fairly ordinary 16 MHz SMD crystals, which are classed as 3A001B10.
Now, let's look up what 3A001B10 actually says in the list:
b.10. Oscillators or oscillator assemblies, specified to operate with all of the following:
b.10.a. A single sideband (SSB) phase noise, in dBc/Hz, better than -(126+20 log 10 F -20 log 10 f) anywhere within the range of 10 Hz<F<10 kHz; and
b.10.b. A single sideband (SSB) phase noise, in dBc/Hz, better than -(114+20 log 10 F-20 log 10 f) anywhere within the range of 10 kHz <F< 500 kHz;
Technical Note: In 3A001.b.10, F is the offset from the operating frequency in Hz and f is the operating frequency in MHz.
It is not hard to find a generic crystal that is export controlled, under those phase noise criteria.
As another example, Atmel ATmega128RFA1 microcontrollers have an ECCN of 5A002A1. It's quite common to encounter microcontrollers and comms/networking devices that are export controlled in category 5A - all of Atmel's 802.15.4 wireless microcontrollers, the TI CC3000 and the TI CC2538, the WizNet W5200 Ethernet MAC/PHY chip are all in category 5A, to name just a few examples off the top of my head.
So what is in all these chips that is considered so sensitive that they need to export control it?
Yes, it's that naughty crypto.
The following, any any chip that implements the following, are just part of the "information security" list:
a.1.a. A “symmetric algorithm” employing a key length in excess of 56-bits; or
a.1.b. An “asymmetric algorithm” where the security of the algorithm is based on any of the following:
a.1.b.1. Factorization of integers in excess of 512 bits (e.g., RSA);
a.1.b.2. Computation of discrete logarithms in a multiplicative group of a finite field of size greater than 512 bits (e.g., Diffie-Hellman over Z/pZ); or
a.1.b.3. Discrete logarithms in a group other than mentioned in 5A002.a.1.b.2 in excess of 112 bits (e.g., Diffie-Hellman over an elliptic curve);
Technical Note: Parity bits are not included in the key length.