A Relatively Simple Guide for Companies Manufacturing and Providing Dual-Use Goods and Services

With ongoing conflicts around the world and rising defence budgets across Europe, many companies are exploring whether their products could be adapted for military use. When a product designed for civilian purposes can also serve a defence purpose, it is considered a dual-use good or service. Examples are everywhere, e.g. helicopters that are used for commercial purposes may be readily turned into use for military purposes when added with armaments, drones which can be used for surveillance of agricultural cops can be repurposed for use in wars, and  GPS or geolocation software that may be deployed in battlefield operations. Within the EU, some EU member states such as Poland are top exporters of weapons, according to the Observatory of Economic Complexity.[1] 

Dual-use items are tightly regulated in the EU[2]. The Dual-Use Regulation[3] provides a list of dual-use items that require export authorization. These include nuclear materials, facilities and equipment; special materials and related equipment; materials processing; electronics; computers; telecommunications and information security; sensors and lasers; navigation and avionics; marine; aerospace and propulsion systems. It also covers specific categories such as cybersurveillance equipment, stealth technology and strategic control.[4] The Dual-Use Regulation is regularly updated to reflect new technologies.[5]

With the increasing amount of countries pledging a higher amount of their GDP on defence[6] and conflicts draw closer to EU borders, this article intends to provide guidance to companies that are considering moving into the defence space. We outline three scenarios: (1) a manufacturer of a physical product or a developer of a software product; (2) an operator and owner of critical physical infrastructure; and (3) a startup.

Case Study 1: My company manufactures a physical or software product

If you are a manufacturer in the EU that wishes to repurpose an existing product, either physical or digital, for defence use, you should consider the following questions:

1. Does my product fall under the Dual-Use Regulation?
   
   The Dual-Use Regulation contains an extensive list covering everything from radioactive materials to surveillance software. Companies must confirm whether their products are listed prior to signing any defence-related sales.
    
2. Does my product fall under any sector specific rules?
   
   Certain products are regulated by specific regulations. For example, firearms are regulated with the relatively recent Firearms Regulation 2025/41, which governs marking, documentation, import and export. Civilian possession and use, however, fall under the Firearms Directive.
    
3. Am I allowed to export outside of the EU?
   
   Every country will have its own import restrictions. Companies must also check for export regulation, sanctions and prohibitions that could apply to their product.
    
4. Which civilian regulations may no longer apply?
   
   Products supplied for national security use can sometimes be exempt from rules such as the EU AI Act and the General Data Protection Regulation. Companies should carefully check to see which obligations are lifted and which remain.
   
   Before shifting into defence markets, companies should map their products against EU dual-use and sector-specific rules, verify export restrictions, and clarify which civilian obligations still apply. Early legal due diligence helps avoid costly compliance mistakes.

Case Study 2: I own critical infrastructure that may be adapted for military use

The Directive on the Resilience of Critical Entities (CER Directive),[7] requires EU member states to pass national laws protecting the critical infrastructure. Critical infrastructure is defined as an “asset, a facility, equipment, a network or a system [or part thereof]” that is “necessary for the provision of an essential service”.[8] Essential services are then services which are “crucial for the maintenance of vital societal functions, economic activities, public health and safety, or the environment”.[9] Examples of such infrastructure include power plants, railways, and ports.

1. Do you need new building or operating permits to cover defence-related activities?
   
   Defence or national security use may trigger a different legal regime than civilian use. In practice, this could mean applying for additional operating permits or modifying existing concessions, particularly where infrastructure is publicly regulated (e.g. energy or transport). Under EU law, such changes may also trigger compliance with sector-specific directives (e.g. the Electricity Directive or Gas Directive) or safety requirements under the CER Directive, which obligates EU member states to oversee resilience and impose specific risk management duties.
    
2. Are there any limitations on moving or storing goods intended for defence or national security purposes on you premises?
   
   National legislation may impose stricter requirements on storing or transporting military goods within ports, railways, or energy facilities. Operators should review customs, transport, and safety rules to confirm whether additional authorizations are needed. At EU level, the Dual-Use Regulation controls the transfer and transit of dual-use items, while the Common Position on arms exports (2008/944/CFSP) imposes binding criteria for military goods. Operators must verify whether storing or moving such goods within infrastructure requires additional EU export authorizations.
    
3. Are there foreign investment or ownership restrictions that apply when infrastructure is repurposed for national security use?
   
   Many EU member states[10] screen foreign direct investments (FDI) in critical infrastructure, particularly when linked to defence or security. Repurposing for military use could trigger mandatory notification or approval under national FDI screening rules.
    
4. Am I legally required to notify or coordinate with national authorities (e.g. defence or security ministries) before making such changes?
   
   Shifting from civilian to defence use often requires notifying the competent ministry (e.g. defence, transport, or interior) or national security authority. Failure to do so may result in administrative sanctions or operational delays. The CER Directive also obliges operators to cooperate with designated national authorities and may require them to undergo resilience testing or risk assessments if infrastructure is reclassified as essential for defence.
   
   Owners of critical infrastructure should treat any conversion to defence use as a regulatory shift that requires new permits, closer coordination with national authorities, and compliance with EU-level rules on resilience, investment, and liability.

Case Study 3: I am a startup developing a good or service that could be dual-use

For startups, regulatory strategy can shape business direction. Some additional questions to ask:

1. Which market path should I choose first: civilian or defence?
   
   From a legal perspective, starting with civilian applications may be simpler, since most consumer/commercial products fall under standard EU product safety, data protection, and consumer protection rules. Entering the defence market too early means navigating export controls under the EU Dual-Use Regulation, plus national authorizations, which can be slow and costly.
   
   A pragmatic approach is often to validate the technology in the civilian market before layering on defence use cases.
    
2. What are the implications for attracting investment?
   
   Some investors avoid defence-related technologies due to ESG restrictions, while others (including defence-focused funds) actively seek them out.
   
   Under EU law, if defence use is material to your business model, investors will expect you to have compliance policies in place (particularly export control screening procedures). Having even a basic compliance framework can make due diligence easier.
    
3. What compliance requirements apply from day one?
   
   If your product is on the EU dual-use control list (e.g. certain cybersecurity, encryption, or surveillance tools), you will need export authorization for sales outside the EU. Even if not listed, the “catch-all” clause under the Dual-Use Regulation can apply if the product may be intended for military use in sensitive countries. Startups must build in at least a minimal screening process (know-your-customer, sanctions checks). Failing to comply, even unintentionally, can lead to export bans or reputational damage that are disproportionately costly for young companies.
   
   Startups should map early whether their product could be classified as dual-use, set up a simple compliance framework (covering export controls, sanctions checks, and contract management), and decide strategically whether to pursue civilian or defence markets first. This preparation makes it easier to attract the right investors, avoid compliance pitfalls, and scale sustainably.

Which path should my company or startup take?

It is unsurprising that for the same product, a different set of regulations apply depending on its intended use. Companies seeking to pivot towards the defence sector may wish to consider in advance which key regulations they would need to comply with before entering into the market, as compliance with certain regulations may require additional time and costs. Conversely, companies should also note that the sale of products or software for defence use may also mean that they would not need to comply with other civilian-oriented regulations, e.g. the EU Artificial Intelligence Act (EU AI Act),[11] and the General Data Protection Regulation (GDPR).[12]

Therefore, in essence, a company should consider the basket of regulations or rules that would include regulations that they must comply with to export such goods for defence or military use, and the regulations or rules for civilian use that they would no longer need to comply with. Once such an analysis has been undertaken, companies would then be able to come up with a good estimation in terms of time and financial cost it takes to pivot from the civilian sector to the defence sector, or vice-versa.

[1] Military Weapons (HS: 9301) Product Trade, Exporters and Importers | The Observatory of Economic Complexity.

[2] Dual-use export controls | EUR-Lex

[3] Regulation (EU) 2021/821 of the European Parliament and of the Council of 20 May 2021 setting up a Union regime for the control of exports, brokering, technical assistance, transit and transfer of dual-use items (recast).

[4] Ibid.

[5] Ibid.

[6] Germany plans to double its defence spending within five years, see: Germany plans to double its defense spending within five years.

[7] Directive (EU) 2022/2557 of the European Parliament and of the Council of 14 December 2022 on the resilience of critical entities and repealing Council Directive 2008/114/EC.

[8] Ibid. Article 2.

[9] Ibid. Article 2.

[10] Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019 establishing a framework for the screening of foreign direct investments into the Union.

[11] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act), Article 2(3).

[12] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), General Data Protection Regulation, Article 23.