Compliance for NATO Defence Contractors: Navigating US, UK, and EU Export Controls
How NATO defence contractors navigate overlapping US ITAR, EAR, UK Export Control Act, and EU Dual-Use Regulation requirements, including CFIUS implications for foreign investment in US defence companies.
NATO defence contracts create a compliance environment unlike any other in international trade. A European SME winning a subcontract on a NATO programme may find itself simultaneously subject to the US International Traffic in Arms Regulations (ITAR), the Export Administration Regulations (EAR), the UK Export Control Act 2002, the EU Dual-Use Regulation, and its own national export control legislation — each with distinct classification systems, licensing requirements, and penalties.
This guide covers the compliance stack that NATO defence contractors face, with a focus on the cross-jurisdictional obligations that make NATO work uniquely challenging.
The NATO compliance stack
NATO procurement does not create a unified compliance framework. Instead, each member nation’s export control regime applies to the technology and articles originating from that nation. When a NATO programme involves technology from multiple member states, the contractors must comply with every originating country’s controls simultaneously.
The primary regimes encountered in NATO defence work are:
US: ITAR and EAR
US-origin defence articles, services, and technical data are controlled under ITAR (22 CFR 120-130). Dual-use items with military application are controlled under the EAR (15 CFR 730-774). The distinction matters because the licensing regimes, exemptions, and penalties differ.
For NATO contractors, ITAR is the more significant burden. Any NATO programme that incorporates US-origin defence technology — which includes most major platforms and weapons systems — triggers ITAR obligations for every company in the supply chain that handles that technology.
Key ITAR obligations for non-US NATO contractors:
- US-origin technical data cannot be re-exported to non-authorised destinations or end-users without DDTC approval
- Access to ITAR-controlled data must be restricted based on nationality
- Manufacturing of ITAR-controlled articles under a Manufacturing Licence Agreement (MLA) requires specific authorisation and ongoing reporting
- Record-keeping requirements apply for a minimum of five years
- ITAR obligations attach to the data permanently — they do not expire when the contract ends
UK: Export Control Act 2002
The UK controls exports of military goods under the Export Control Act 2002 and the Export Control Order 2008. The UK Military List is aligned with the EU Common Military List (which itself derives from the Wassenaar Arrangement Munitions List).
Post-Brexit, the UK operates its own licensing regime through the Export Control Joint Unit (ECJU). Key features for NATO contractors:
- Standard Individual Export Licences (SIELs): for specific shipments to identified end-users
- Open Individual Export Licences (OIELs): for ongoing relationships with pre-approved destinations
- Open General Export Licences (OGELs): pre-published licences covering specified items to specified destinations, available without application
- F680 clearance: required before promoting or marketing controlled goods or technology to foreign governments — this catches pre-contract marketing activities that many companies overlook
The UK also controls intangible transfers of technology, including electronic transmission and oral disclosure of controlled technical data. The definition of “transfer” captures cloud storage accessible from outside the UK.
EU: Dual-Use Regulation (2021/821)
The EU Dual-Use Regulation, recast in 2021, controls exports of dual-use items from EU member states. While military items are controlled under each member state’s national legislation (aligned with the EU Common Military List), dual-use items with military application fall under the EU regulation.
The 2021 recast introduced several provisions relevant to NATO contractors:
- Cyber-surveillance technology controls: expanded controls on items that can be used for surveillance and interception, affecting NATO intelligence and communications programmes
- Due diligence obligations: exporters must conduct due diligence even for items not on the control list if they are or may be intended for weapons of mass destruction or military end-use in embargoed destinations
- Catch-all provision: member state authorities can impose controls on non-listed items based on end-use concerns
EU member states implement the regulation through national legislation, which means licensing procedures, processing times, and enforcement practices vary across the EU. A German SME and a French SME on the same NATO programme may face different administrative requirements for the same items.
National variations within NATO
Beyond the major frameworks, each NATO member maintains its own export control legislation. Noteworthy variations include:
- France: operates its own military export control regime under the Code de la défense, with a specific focus on strategic technologies and a historically protective approach to defence industrial base sovereignty
- Germany: applies restrictive policies on arms exports through the War Weapons Control Act and Foreign Trade and Payments Act, with political sensitivity around exports to conflict regions
- Norway: as a non-EU NATO member, applies its own export control legislation aligned with but distinct from the EU framework
- Turkey: has been developing its domestic defence export control regime in parallel with growing indigenous defence production capabilities
European SMEs and US compliance requirements
The most significant compliance burden for European NATO contractors is US compliance. When a European SME wins a subcontract on a NATO programme involving US-origin technology, it inherits ITAR and potentially DFARS obligations regardless of where the SME is located.
How this happens in practice
A typical scenario: a medium-sized German electronics manufacturer wins a subcontract from a UK prime to supply avionics components for a NATO maritime patrol aircraft programme. The aircraft platform is US-origin, and the avionics interface specifications include ITAR-controlled technical data.
The German company now faces:
- ITAR: must implement controls on all ITAR-controlled technical data received from the UK prime, including nationality-based access restrictions, marking, storage, and transmission security
- German national controls: must comply with German export control requirements for any controlled goods or technology it supplies
- EU Dual-Use Regulation: must screen its own technology against the dual-use list for any re-exports
- DFARS 252.204-7012: if Controlled Unclassified Information (CUI) is involved, must implement NIST SP 800-171 and report cyber incidents to the DoD Cyber Crime Center (DC3)
- CMMC: may need Cybersecurity Maturity Model Certification if the US prime requires it as a flow-down condition
For a company with 50 employees and no prior US compliance experience, this is a formidable set of obligations. Many European SMEs discover these requirements only after winning the contract, leaving them scrambling to build a compliance programme under time pressure.
The technical data trap
The most common failure point is ITAR technical data. European engineers working on NATO programmes routinely handle US-origin technical data without awareness of the specific controls that attach to it. Common violations include:
- Sharing ITAR-controlled specifications with subcontractors in non-authorised countries
- Allowing foreign national employees (from non-NATO countries) to access controlled data without proper authorisation
- Storing ITAR-controlled data on IT systems that do not meet the required security standards
- Failing to maintain the required records of transfers and access
These violations are often inadvertent but carry the same penalties as intentional conduct under ITAR’s strict liability framework.
CFIUS: foreign investment implications
The Committee on Foreign Investment in the United States (CFIUS) adds another layer of compliance concern for NATO contractors. CFIUS reviews transactions that could result in foreign control of, or foreign access to, US businesses — with particular scrutiny applied to businesses involved in defence and national security.
When CFIUS applies to NATO contractors
CFIUS review is triggered when a foreign person acquires control of a US business, or when a foreign person acquires certain non-controlling investments in US businesses involved in critical technology, critical infrastructure, or sensitive personal data (so-called “TID businesses”: technology, infrastructure, data).
For NATO defence contractors, CFIUS becomes relevant in several scenarios:
- Acquisition of a US defence subcontractor: a European defence company acquiring a US company with ITAR-registered activities will almost certainly face CFIUS review and likely a mitigation agreement
- Joint ventures: establishing a joint venture with a US defence company where the foreign party gains access to controlled technology
- Non-controlling investments: even minority investments in US companies holding ITAR licences or classified contracts can trigger mandatory CFIUS filing requirements under the regulations implementing the Foreign Investment Risk Review Modernization Act (FIRRMA)
CFIUS mitigation
When CFIUS identifies national security concerns, it typically imposes mitigation measures rather than blocking transactions outright. Common mitigation conditions include:
- Appointment of a Government Security Committee with US board members who have security clearances
- Establishment of a Special Security Agreement (SSA) or Proxy Agreement
- Restrictions on the foreign parent’s access to classified and controlled information
- Annual compliance audits and reporting
- In extreme cases, divestiture of certain business lines
NATO-ally ownership is generally viewed more favourably than other foreign ownership, but it does not exempt the transaction from review or mitigation requirements.
Building a multi-jurisdictional compliance programme
NATO defence contractors operating across jurisdictions need a compliance programme that addresses the full stack. Key elements include:
Unified classification
Classify your products, technology, and technical data against every applicable control list simultaneously. A single component may have different classifications under the USML, the UK Military List, the EU Dual-Use List, and your national control list. You need to know all of them because the most restrictive classification governs.
Licence management across jurisdictions
Track all licences, agreements, and exemptions across every jurisdiction. A single shipment may require:
- An ITAR licence or agreement for the US-origin content
- A SIEL or OIEL from the UK ECJU for UK-origin content
- A national export licence for your country’s controlled content
- End-user certificates from the receiving country
Missing any one of these is a violation in the jurisdiction where the licence was required.
Supply chain compliance verification
Verify that your subcontractors at all tiers understand and comply with the applicable export control requirements. Flow-down of ITAR obligations is mandatory but meaningless if the receiving subcontractor lacks the capability to comply. Conduct compliance assessments of critical subcontractors, particularly those handling controlled technical data.
Cross-framework mapping
AuditDSS covers defence regulations across the US, UK, EU, and Australia, enabling compliance teams to map obligations across frameworks and identify where a single control satisfies multiple requirements. For NATO contractors operating across jurisdictions, this cross-mapping is essential for efficient compliance management — implementing separate, siloed compliance programmes for each regime is unsustainable for all but the largest contractors.
Incident response coordination
A cyber incident or compliance breach affecting multi-jurisdictional controlled data may trigger reporting obligations in multiple countries simultaneously. Your incident response plan must include:
- Identification of which jurisdictions’ data was affected
- Parallel notification to the relevant authorities in each jurisdiction
- Legal counsel with expertise in each applicable regime
- Coordination between your national legal team and US ITAR counsel
Training and awareness
Training must be tailored to the specific compliance obligations that apply to each role. Engineers handling ITAR-controlled data need different training from export compliance administrators processing licence applications. One-size-fits-all “export control awareness” training does not build the operational capability needed for multi-jurisdictional compliance.
The competitive dimension
Compliance capability is becoming a competitive differentiator in NATO defence procurement. Primes selecting subcontractors are increasingly evaluating compliance maturity alongside technical capability and price. A European SME that can demonstrate a functioning multi-jurisdictional compliance programme — with classification, licensing, access controls, and record-keeping already in place — will be selected over a technically equivalent competitor that cannot.
The companies that invest in compliance infrastructure before the contract award are the ones that will participate in the next generation of NATO programmes. Those that treat compliance as a post-award administrative burden will find themselves excluded from the supply chains where the most significant defence work is happening.
AuditDSS covers defence regulations across the US (ITAR, DFARS, CMMC), UK (Export Control Act), EU (Dual-Use Regulation), and Australia (DTCA), with obligation-level decomposition and cross-framework mapping. Assess your multi-jurisdictional defence compliance posture in a single analysis. Start your assessment.