IT-related legal challenges for defense companies with dual-use products

Dr. André Schmidt

Niklas Vogt

The increasing focus of military procurement on commercial off-the-shelf (COTS) products raises the challenging question of whether, and to what extent, civilian regulations (e.g. under the AI Regulation) apply to dual-use products. This article demonstrates why the exemptions for the defense sector offer far less protection in practice than many defense companies assume, and what matters when it comes to drawing the line.

The Current Situation

The Bundeswehr is in the midst of a paradigm shift. Under the guiding term “Software Defined Defense,” software is becoming the central driver of military capabilities - from AI-supported reconnaissance and drone swarms to tactical situational awareness on tablets. Already today, around 80% of the capabilities of modern weapon systems are defined by software. At the same time, the Bundeswehr - as reflected in the new Procurement Acceleration Act - is increasingly relying on commercial off-the-shelf (COTS) products from the civilian market rather than expensive in-house developments.

For companies in the defense sector, this is an enormous opportunity. But it also raises a challenging question: Which regulatory requirements actually apply to our products when we supply both the civilian and military sectors?

The Problem: Three Legal Acts, Three Different Exemption Logics

With the AI Regulation, the CRA, and the NIS2 Directive (implemented in Germany since December 2025), the EU has created a comprehensive framework for cybersecurity and the responsible use of digital products. All three legal acts contain exemptions for the defense sector, although their underlying approaches differ in part: While the CRA and AI Regulation are based on the product’s intended use, the NIS2 Directive focuses on the nature of the company. In practice, it has become clear that many defense companies overestimate the protection these exemptions provide.

CRA: The scope of the exemption is tied to the manufacturer’s intended purpose

Article 2(7) of the CRA states: “This Regulation does not apply to products with digital elements developed or modified exclusively for national security or defence purposes or to products specifically designed to process classified information.”

The key word here is “exclusively.” The exemption applies only if the manufacturer has developed or modified the product exclusively for defense purposes. What counts is the manufacturer’s own intended purpose - that is, the use for which the product was developed and placed on the market, as documented by the manufacturer - and not who ultimately uses it. This is a significant difference from the objective classification of dual-use goods under export control law, which looks at the technical characteristics of the item.

This has far-reaching practical consequences: A network monitoring tool developed for the civilian mass market that the Bundeswehr purchases as a standard product remains subject to CRA requirements. Military use does not exempt the manufacturer from CRA obligations.

The intended use becomes particularly relevant under the new Act on Accelerated Planning and Procurement for the Bundeswehr (in effect since February 14, 2026): Section 7 requires the Bundeswehr to consider civilian markets during market research and to identify commercially available products. More COTS products in the Bundeswehr means more products whose intended use also encompasses the civilian market - and thus greater CRA relevance.

AI Regulation: Similar logic, but with additional complexity due to a change in intended purpose

Article 2(3) of the AI Regulation excludes AI systems where and in so far as they are placed on the market, put into service, or used “exclusively for military, defense, or national security purposes”. Additional complexity arises from Recital 24 of the AI Regulation, which clarifies three scenarios:

1. An AI system developed for military purposes is subsequently used for civilian purposes: The AI Regulation applies. Whoever changes the purpose must fulfill the obligations of a provider.

2. A system placed on the market for civilian purposes is used for military purposes: The military use does not fall under the AI Regulation - but the civilian use remains subject to the AI Regulation.

3. AI systems for mixed purposes (civilian and military): These generally fall within the scope of the AI Regulation.

In practice, this means: Any provider offering an AI system both on the civilian market and to the Bundeswehr must comply fully with the AI Regulation. Although the Bundeswehr’s military use as operator of the system is not subject to supervision under the AI Regulation, the provider’s obligations - risk management, data governance, transparency, and conformity assessment - remain in effect.

NIS2: A fundamentally different approach

The NIS2 Directive takes a completely different approach than the CRA and the AI Regulation. It does not focus on the intended use of the product, but rather on the type of entity: After all, NIS2 regulates cybersecurity for specific entities across various sectors - including sectors relevant to the military, such as vehicle manufacturing and digital infrastructure.

“Public administration entities” operating in the defense sector are not affected by NIS2. However, private defense companies are not included in this exemption. Article 2(8) of NIS2 does give Member States the option to exempt private entities that provide services “exclusively” to the military. However, Germany has not fully implemented this option in the BSI Act. The Federal Ministry of the Interior (BMI) is merely authorized to issue exemption notices for individual military suppliers, provided that cybersecurity and oversight are ensured to an equivalent standard (Section 37 BSIG).

Result: A defense company with 60 employees and EUR 15 million in revenue manufacturing electronic sensor systems exceeds the NIS2 size thresholds and operates in a regulated sector. It is therefore subject to NIS2 obligations (risk management, the 24-hour early-warning reporting requirement for significant incidents, registration with the BSI) - regardless of whether its products are used for military or civilian purposes. And even SMEs below the thresholds can be indirectly affected as suppliers in the supply chain of companies subject to NIS2 requirements, since those companies must manage supply-chain security risks.

Conclusion: What defense companies should do now

Private defense companies that also serve civilian customers or whose products are available on the civilian market must, as a general rule, comply with all obligations under the CRA, AI Regulation, and NIS2. The sectoral exemptions apply only within the narrow scope of exclusively military end-use - and even then, NIS2 must generally still be observed.

Three specific measures are essential:

1. Assess the intended use: Does your product truly fall under one of the sector-specific exemptions? Or is it dual-use? This classification determines the scope of compliance efforts.

2. Determine NIS2 applicability: Check whether your company exceeds the size thresholds and operates in a regulated sector, and whether any of your customers subject to NIS2 pass obligations on to you contractually.

3. Review potential exemptions: The obligations under “civilian” laws sometimes conflict with the confidentiality obligations in the Bundeswehr’s procurement contracts. Therefore, it should be examined whether the scope of the laws can be narrowed through an adjusted product policy (for example, a separately developed and documented military-only variant) and, if necessary, whether an exemption notice should be requested from the BMI.

This article is based on the webinar “Cyber Defense & Tech Law for Defense Startups and Software Providers” held in March 2026. A more in-depth discussion of the conflicts between civilian reporting obligations and military confidentiality obligations, as well as the impact of statutory and contractual cybersecurity obligations on contracts within the military supply chain, will follow in the next articles in this series.

Dr. André Schmidt is an attorney and partner, specialist in IT law, and heads the Tech Law practice group. Niklas Vogt is an attorney and senior associate, specialist in IT law.